Practical knowledge of the 2013 COSO Internal Control – Integrated Framework (the Framework) is needed for pension scheme entities wanting to demonstrate to the Pensions Regulator (TPR) and stakeholders that it is taking the EU Directive IORP II on internal controls seriously.
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a US business collective body that has taken the lead in breaking down the important elements of what good internal audit and internal control procedures looks like for over 20 years. The Framework has become more important to UK pension schemes because it is now a requirement for SOC 2 IT controls reporting from 16 December 2018. SOC 2 reporting is a US standard of independent assurance that is used in a number of instances in the UK to demonstrate that IT controls are robust for service organisations processing client data.
The original COSO Framework with 5 components and 17 principles
Component 1 – Control Environment
Principle 1. Demonstrates commitment to integrity and ethical values
Principle 2. Exercises oversight responsibility
Principle 3. Establishes structure, authority, and responsibility
Principle 4. Demonstrates commitment to competence
Principle 5. Enforces accountability
Component 2 – Risk Assessment
Principle 6. Specifies suitable objectives
Principle 7. Identifies and analyses risk
Principle 8. Assesses fraud risk
Principle 9. Identifies and analyses significant change
Component 3 – Control Activities
Principle 10. Selects and develops control activities
Principle 11. Selects and develops general controls over technology
Principle 12. Deploys through policies and procedures
Component 4 – Information & Communication
Principle 13. Uses relevant information
Principle 14. Communicates internally
Principle 15. Communicates externally
Component 5 – Monitoring
Principle 16. Conducts ongoing and/or separate evaluations
Principle 17. Evaluates and communicates deficiencies
SOC2 reports apply a detailed set of focused points using the COSO Principles listed in the ‘The Trust Service Criteria’ (The Criteria) which are now set up around the COSO 2013 Framework. The Criteria is issued by the US body – the AICPA Assurance Services Executive Committee.
For example, from Principle 11 regarding general controls over technology there are four points of focus stated:
- Management can understand the dependencies between business processes and technology general controls
- Management control activities help ensure the completeness, accuracy and availability of technology processing
- Management control activities restrict access only to authorized users and protect against external threats
- Management control activities cover acquisition, development and maintenance of technology
Time to ask
With TPR’s great interest in cyber security and internal control for master trusts and other pension schemes, now is the time for trustees to ask are three killer questions:
- Do we have a document that breaks down our internal controls framework in the easy to understand COSO Framework of 5 components and 17 Principles?
- What key controls from The Criteria used in SOC 2 reports would I expect my key IT service providers to be operating to meet the requirements expected of our Scheme from TPR?
- Who is/are specifically identified in the Scheme risk register to make sure that the Scheme internal controls are being managed and monitored?