Practical knowledge of the 2013 COSO Internal Control – Integrated Framework (the Framework) is needed for pension scheme entities wanting to demonstrate to the Pensions Regulator (TPR) and stakeholders that they are taking the internal control requirements of the EU Directive IORP II seriously.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a US business collective body that has taken the lead for over 20 years in breaking down the important elements of what good internal audit and internal control procedures look like. The Framework has become more important to UK pension schemes because it is a requirement for SOC 2 IT controls reporting from 16 December 2018. SOC 2 reporting is a US standard of independent assurance that is used in a number of instances in the UK to demonstrate that the IT controls of service organisations processing client data are robust.
Principle 1. Demonstrates commitment to integrity and ethical values
Principle 2. Exercises oversight responsibility
Principle 3. Establishes structure, authority, and responsibility
Principle 4. Demonstrates commitment to competence
Principle 5. Enforces accountability
Principle 6. Specifies suitable objectives
Principle 7. Identifies and analyses risk
Principle 8. Assesses fraud risk
Principle 9. Identifies and analyses significant change
Principle 10. Selects and develops control activities
Principle 11. Selects and develops general controls over technology
Principle 12. Deploys through policies and procedures
Principle 13. Uses relevant information
Principle 14. Communicates internally
Principle 15. Communicates externally
Principle 16. Conducts ongoing and/or separate evaluations
Principle 17. Evaluates and communicates deficiencies
SOC 2 reports apply a detailed set of points of focus, based on the COSO Principles listed above, from the Trust Services Criteria (the Criteria), which are now structured around the COSO 2013 Framework. The Criteria are issued by a US body, the AICPA Assurance Services Executive Committee.
For example, for Principle 11, regarding general controls over technology, four points of focus are stated:
With TPR’s great interest in cyber security and internal control for master trusts and other pension schemes, now is the time for trustees to ask three killer questions: