The latest survey by RSM suggests there is a high level of complacency amongst Trustees in their attitude towards internal controls and the importance of testing those controls – which are in place to safeguard the assets of the scheme and to protect the interests of scheme members.
The survey offers further insight into attitudes. For example, among schemes where the administration is in-house, only 50 per cent of respondents confirmed that internal controls had been tested within the last 12 months, and 24 per cent answered that they have never tested internal controls.
Perhaps it is the case that Trustees are assuming the AAF or ISAE reports are sufficient. However, we question how Trustees are adhering to the recommendations of Code of Practice 09 if they are not asking their own administrators and advisors about internal controls and how regularly and how extensively they are being tested. And what about those Trustee boards where no one looks at the contents of the AAF reports?
To demonstrate good governance, trustees should know the answers to such questions as:
- Does the service organisation obtain an internal controls report by an external auditor?
- If not, why not?
- Was the latest auditor’s report qualified or modified?
- Does the service organisation operate from a number of sites? If so, which locations were visited (and does this cover their scheme)?
- Was their scheme captured by the sample tested?
- Are any areas of the operations outsourced overseas? Are these tested?
- Did any of the exceptions noted in the report affect their scheme?
- Has the organisation suffered from any form of fraud?
Trustees should be meeting with their service organisations on a regular basis and asking them about how they are responding to new fraud threats, such as cyber crime and online attacks. Fraudsters are changing their approach all the time – are trustees happy with how service organisations are responding to these frequent and changing attacks, and how are trustees demonstrating this?
Trustees must be mindful that they retain responsibility for the system of internal control in place for their scheme, and this extends to the controls in place within their advisors’ businesses. Frauds can and do happen within service organisations, and Trustees must not be complacent.
Our advice to Trustees is to ensure that a review of internal controls is on the agenda at least once a year. This is sensibly undertaken as part of the review of the risk register, but being able to answer the questions above will enable the Trustees to demonstrate good governance, safeguarding scheme assets and protecting the interests of members.
If you would like any advice or would be interested in a facilitated risk workshop to review your internal controls and risk register, please contact Elisabeth Storey or your usual RSM contact.