Perspectives

Internal control system

and internal audit function
for IORPs
As outlined in IORP Review – a shift of focus,
this series of publications considers aspects
of the IORP Directive review other than capital
adequacy requirements. There has been little
consideration of these other issues. Rather
there has been a casual acceptance that a new
IORP Directive based on these would be an
acceptable compromise for an absence of capital
requirements. We do not believe that this is a
sensible approach.
In this document, we consider the advice that
EIOPA provided to the Commission on both the
internal control system and internal audit function
for IORPs.
Background
Internal controls
The existing IORP Directive requires IORPs ‘to have
sound administrative and accounting procedures
and adequate internal control mechanisms’.
EIOPA’s advice is to build on this and incorporate
much of article 46 of the Solvency II Directive,
including the creation of a ‘compliance function’.
An edited version of article 46 is set out below for
ease of reference.
Article 46 Solvency II:
1 [Insurers] shall have in place an effective
internal control system. That system
shall at least include administrative
and accounting procedures, an internal
control framework, appropriate reporting
arrangements…and a compliance function.
2. The compliance function shall include
advising [those managing the insurer]
on compliance with the laws, regulations
and administrative provisions adopted
pursuant to this Directive. It shall also
include an assessment of the possible
impact of any changes in the legal
environment on the operations of the
[insurer] and the identification and
assessment of compliance risk.
Internal audit
The existing IORP Directive has no explicit
provision concerning an internal audit function.
EIOPA’s advice is to build on article 47 of the
Solvency II Directive; again an edited version is
set out opposite for ease of reference.
1
 ttps://eiopa.europa.eu/fileadmin/tx_dam/files/
h governing board.
publications/reports/2010112-CEIOPS-Report-on-
Management-Oversight-and-Internal-Controls-in-IORPs.pdf
2 Internal control system and internal audit function for IORPs
Article 47 Solvency II:
1. [Insurers] shall provide for an effective
internal audit function…[which] shall
include an evaluation of the adequacy
and effectiveness of the internal control
system and other elements of the system
of governance.
2. The internal audit function shall be
objective and independent from the
operational functions.
3. Any findings and recommendations…
shall be reported to the [board] which
shall determine what actions are to be
taken…and shall ensure that those
actions are carried out.
Proportionality
EIOPA suggests that IORPs that are of a
‘less complex nature, smaller scale and lower
complexity’ may be able to fulfil the compliance
function within the IORP’s management board or
by outsourcing to an appropriate third party.
The position for the audit function is less
clear, although outsourcing remains an option.
The advice states that smaller and less complex
IORPs ‘should be allowed to elect to implement
alternative measures meeting the general
objectives of an internal audit function’.
However, it later states that the audit function
must be independent of the IORP’s management
board. The advice is silent on what would be
considered suitable ‘alternative measures’ to
the appointment of an independent internal or
outsourced audit function.
EIOPA’s advice
Internal control system and its components
In November 2010 1 EIOPA’s predecessor
(CEIOPS – the Committee of European Insurance
and Occupational Pensions Supervisors) published
a report on management oversight and internal
controls within IORPs. Amongst other information,
this identified that many IORPs outsource one or
more critical or important functions. EIOPA’s advice
is that article 46 can be applied to IORPs with the
addition that the internal control system should
cover ‘outsourcing arrangements and appropriate
controls for outsourcing’.
IORPs should be left to determine how they fulfil the
compliance function – including being able to
•• Appoint a named individual – whether a
member of ‘staff’ or a member of the IORP’s
•• Outsource that function to a third party.
towerswatson.com
•• (On the grounds of proportionality) conduct
this by means of discussion by the IORP’s
governing board, at least annually, and
specifically referenced in the minutes.
It appears that EIOPA will expect larger and more
complex IORPs to have a designated function
separate from the governing board. Whoever
is fulfilling the function – whether internally or
externally – would advise the board ‘on compliance
with the laws, regulations and administration
provisions’. Moreover, the compliance function
would have a duty to whistle-blow to supervisors
in the event that the IORP’s board fails to
‘take appropriate and timely remedial action’ to
redress any shortcoming.
EIOPA highlights the importance of the compliance
function in ensuring compliance with the social and
labour law of ‘host States’ in cases of cross-border
activity. It also alludes to requiring cross-border
plans to have a separate compliance function,
irrespective of whether ‘proportionality’ arguments
might otherwise militate in favour of this function
being carried out by the governing board, as set
out above.
Internal audit
Despite the absence of any specific provision
in the existing IORP Directive, the 2010 CEIOPS
report on management oversight and internal
controls 1 revealed that the supervisory regime
within 15 of 22 responding countries already
provided for an internal audit function. EIOPA
recommends such a function be introduced in
the revised IORP Directive – harmonising both the
treatment of IORPs across the different countries
of Europe and the treatment of IORPs with that
of insurers.
As noted above in relation to internal control
systems, research showed that many IORPs
outsource one or more critical or important
functions. EIOPA’s advice is that such outsourcing
should fall under the scope of the internal audit.
This should, in turn, check whether the third party
has a ‘well-adapted and effective internal audit
system’ and if not, the IORP should ‘monitor
[the third party’s] activities and urge [them] to
take the appropriate measures…to comply with
the… internal audit [principle]’. Outsourcing does
not diminish the IORP’s responsibility.
As with internal control systems, IORPs should be
left to determine how they carry out the internal
audit function – including being able to:
•• Appoint a named individual. However, in contrast
with the ‘compliance function’ within the internal
control system, EIOPA states that ‘the internal
auditor must be independent and…cannot be
involved with the management of the IORP’.
•• Outsource that function to a third party.
•• (On the grounds of proportionality) implement
alternative measures meeting the general
objectives of an internal audit function.
towerswatson.com
EIOPA states that the ‘professional competence
of [the auditor] is essential’ and ‘strongly
recommends’ that IORPs be able to outsource this
function ‘regardless of…size’.
EIOPA does not specify what the alternative
measures might be, but recommends that
supervisors should have the power to review them.
EIOPA also hints that special provisions might
apply where cross-border activity occurs.
As with the internal controls system
recommendations, EIOPA sees no fundamental
difference between defined benefit and defined
contribution IORPs in the requirement for an
independent auditor – albeit ‘it is inevitable
that the implementation of [the] function
will be different’. The differing requirements
might be developed further in Level 2
implementing measures.
Again as is the case for internal control
systems, the auditor should report to the
IORP’s management board, but underpinned
with whistle-blowing provisions and the power for
supervisors to obtain reports from the auditor.
What does it all mean?
For many IORPs it would appear that there will be
little that is likely to change in regard to existing
internal control systems. For larger, more complex
IORPs and those carrying out cross-border activity,
it is likely that a formal, independent compliance
function will be created (whether in-house or
outsourced) – with a formal advisory role to the
IORP’s governing board and explicit whistle-blowing
duties to supervisors.
For many countries it would also appear that
the introduction of an internal audit function
will represent no change from the present.
Whether the detail of the proposals, particularly
the Level 2 implementing measures, necessitates
change remains to be seen. For other countries,
however, an internal audit function will be a new role
and likely to lead to an increase in costs.
Further information
For further information, please contact your
Towers Watson consultant, or
Dave Roberts
+44 20 7227 2008
dave.roberts@towerswatson.com
Mark Dowsey
+44 1737 274535
mark.dowsey@towerswatson.com
Paul Kelly
+44 20 7170 2544
paul.kelly@towerswatson.com
Internal control system and internal audit function for IORPs 3
About Towers Watson
Towers Watson is a leading global professional services
company that helps organisations improve performance
through effective people, risk and financial management.
With 14,000 associates around the world, we offer solutions
in the areas of benefits, talent management, rewards, and
risk and capital management.

Towers Watson is represented in the UK by Towers Watson Limited

and Towers Watson Capital Markets Limited.
The information in this publication is of general interest
and guidance. Action should not be taken on the basis of
any article without seeking specific advice.
To unsubscribe, email eu.unsubscribe@towerswatson.com
with the publication name as the subject and include your
name, title and company address.

Copyright © 2013 Towers Watson. All rights reserved.

TW-EU-2013-32143. June 2013.

towerswatson.com