Audit of Private Pension Plans
Table of contents
1. Background
Employer-sponsored private pension plans (PPPs) are voluntary arrangements that provide an important source of retirement income for employees and their families. Once a pension plan is established, it must be funded and administered in compliance with applicable tax, pension laws and regulations.
There are various types of pension plans, and they generally fall under either federal or provincial jurisdiction. Examples of pension plans within federal jurisdiction include banking, cross-border transportation, and communication. OSFI supervises more than 1,200 federally regulated PPPs to ensure that they can meet the minimum funding requirements and their compliance with applicable laws and regulations in order to protect the rights and interest of pension plan beneficiaries.
The supervision of PPPs takes a risk-based approach, where the degree of supervisory activities and frequency of interventions is based on the net risk of a pension plan. Key supervisory framework and guidance for PPP include OSFI’s Risk Assessment Framework for Federally Regulated Private Pension Plans and Guide to Intervention for Federally Regulated PPP. Supervision procedural manuals have also been developed within the PPP Supervision Team to support the framework and to ensure consistency of supervisory work. The supervisory processes consist of annual planning, on-going monitoring, in-depth reviews, intervention, and follow-up of recommendations. These supervisory activities are facilitated by the Risk Assessment System for Pension (RASP).
Text description - Supervision of PPPs
The supervision of PPPs is guided by The Risk Assessment Framework, Guide to Intervention, and Internal Procedural Manuals. It is a continuous process consisting of annual planning, on-going monitoring, in-depth reviews, intervention and recommendation follow-up, and facilitated by RASP.
Operational structure
After the organizational restructuring in March 2022, the original PPP Division was divided into two separate teams, with the PPP Supervision Team now embedded within the Insurance & Pensions Supervision Group, and the PPP Policy and Approval team embedded within the Policy, Innovation and Stakeholder Affair sector. The audit focused on the PPP Supervision Team, which includes a system team that supports the use and functionality of RASP, and the Actuarial team, which provides specialist support.
Within the PPP Supervision Team, the Relationship Manager (RM), recently changed to Lead Supervisor (LS), is the main point of contact for the PPPs and is responsible for the supervisory activities which can be supported by specialists’ teams (i.e., Policy, Actuarial, and Approval) where necessary. The Supervision Managers (SMs) act as the gatekeeper for the Supervision Team to ensure that supervisory work meets procedural manuals requirements and management expectations, and identified risks are communicated and escalated to internal and external stakeholders as needed.
Previous audit coverage
The last audit in this area was the 2014 Audit of Private Pension Plans Division, which identified two recommendations related to enhancing the Risk Assessment Summary and granting of system access. Both recommendations have been closed prior to the start of this audit engagement.
2. About the audit
2.1 Objective
The objective of the audit was to assess the adequacy, effectiveness, and efficiency of the control activities related to OSFI’s supervisory processes of PPPs.
2.2 Scope
The audit covered the PPPs Supervision Team and its supervisory activities conducted between April 1, 2020 and July 31, 2022, and focused on assessing the following:
- Design and operating effectiveness of key supervisory processes and controls, including annual planning, on-going monitoring, in-depth reviews, intervention, and recommendations follow-up; and
- Compliance with applicable supervisory framework, standards, and policies.
2.3 Approach and methodology
The audit was conducted through performance of the following procedures:
- Reviews of applicable PPPs frameworks, standards, and policies;
- Walkthroughs and interviews with management and Supervision Team members; and
- Sample testing using both statistical and judgmental sampling for key supervisory controls and activities.
The results of this audit will help management identify design and operating effectiveness gaps in significant supervisory process and controls.
2.4 Statement of conformance
This audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.
3. Overview of audit results
3.1 Summary of results
Supervisory activities conducted by the PPP Supervision Team were generally in adherence to existing formalized processes and were risk-based with adequate documentation to support the analysis. However, the audit identified a few areas in the significant supervisory processes and controls that can be strengthened including formalizing the annual planning and recommendation follow-up processes, enhancing management oversight and reporting of PPP key risks and performance indicators, improving review and approval evidence of key supervisory activities, and strengthening user access controls.
While recommendations in this audit report are directed to supervision of the PPPs, all OSFI Supervision Teams are encouraged to review the findings for applicability.
Since the scope of the audit period, there have been significant changes within the Supervisory sector, including the Blueprint transformation and the Supervisory Framework Renewal project. As a result of these changes, many processes have undergone review and may not exist as they did during the audit scope. The results of this audit can provide management additional information on operational process issues and support changes, for those that are already underway.
3.2 Management response
Management accepts the findings and has identified Management Action Plans for each recommendation as outlined in the relevant sections, with all recommendations to be addressed by Q2 2024-25.
4. Observations and recommendations
4.1 Annual planning
The annual planning process was conducted with collaboration in the PPP Supervision Team members. The process should be strengthened to increase oversight of resource capacity and support agility in a dynamic risk environment.
The annual planning process establishes the supervisory work for the upcoming year, through a risk-based approach. The process consists of identifying PPPs that warrant in-depths reviews based on concerns raised from on-going monitoring throughout the year. The entire Supervision Team is involved in the annual planning process to discuss key risks and prioritization of work.
Oversight of resource planning and tracking plan changes
As per the Selecting Plans to Examine procedural manual, there are established principles and criteria to guide the Supervision Team on the selection and prioritization of plans to be examined. Also, the LS is expected to determine the type of in-depth reviews to conduct (i.e. desk versus on-site) in consultation with the SM. The audit noted there is a target number of in-depth reviews that are risk-based and planned based on available resources in the year. However, the existing process did not include documentation on the variance between the resources required for the risk driven supervisory work and the available resources. Also, there was no evidence of documentation around the progress of resource utilization of supervisory activities (e.g. examination reviews, interventions, etc.). Given the large volume of pension plans that LSs supervise, inadequate oversight of resource constraints and utilization may restrict management’s ability to make informed resource decisions on a timely basis.
In addition, the planning spreadsheet is designed to capture key progress information on the supervisory activities. Management expects LSs to track and document examination progress and plan changes in this spreadsheet, and obtain approval by the Director. For both years tested, the rationale of the original plan was documented within these spreadsheets. However, due to the rapidly changing risk landscape during the pandemic, changes and their rationale, including any resource tradeoffs based on risk-based decisions were not documented. This reduced the ability to follow and trace for continuity and supporting work coverage based on risk priorities. Moreover, testing identified that approvals of the original plan or subsequent changes were not evidenced for both years, which may lead to unauthorized changes to supervisory work.
While the current practice does require the Director to approve both the original plan and subsequent changes, there is no defined requirement for distributing the plan and any changes along with the resource requirements for planned work to senior management. Also, for the two years tested, there was no evidence of senior management oversight over the resources for annual planning. Without adequate oversight over the resources required to perform planned activities, management may not be in a position to understand how the resource constraints align with established risk tolerances and priorities for the year.
Recommendation 1 (High Risk)
Management should establish and document a process that enables identification, reporting and oversight over resource capacity of planned supervisory activities. In addition, management should revisit existing requirements to track and approve plan changes during the year.
4.2 Recommendations follow-up
Issues and recommendations are tracked and closed with supporting rationale by the responsible LS. However, the recommendation follow-up process could be strengthened for timely follow-up, closure, and approval of target date extensions.
Through supervisory work, specific concerns about PPPs are identified and communicated to the plan administrator as “findings”. Recommendations are used to formally communicate OSFI’s view of of how the PPPs can remediate the risks identified in supervisory activities. It is critical that recommendations are followed up and closed in a timely manner to ensure that supervisory concerns are appropriately addressed.
Creation of examination recommendations in RASP
Per the PPPD Examination Handbook, LSs are expected to create a separate examination recommendation within RASP to enable monitoring and follow-up of recommendations. The expected timeline to create examination recommendation is generally after the issuance of management letter, and upon receipt of acknowledgement letter which is generally within 30 days from issuance of the management letter. For seven out of the twelve samples tested, examination recommendations were not created in RASP in a timely manner, ranging from 97 to 623 days post the issuance of management letters. As a result, among the seven samples, six either did not have evidence of recommendation follow-up or were not followed up. Moreover, one recommendation from a 2020 management letter was not entered in RASP. The missed entry in RASP was because a non-recommendation intervention with the same context had already been created.
Untimely and incomplete input of recommendations in RASP could lead to missed follow-up of remediation by the targeted due dates, resulting in prolonged risk exposure for the issues identified within the pension plans.
Recommendation 2 (Medium Risk)
Management should revisit communication and training to staff on the existing requirements for the adequate and timely creation of recommendations.
Follow-up of acknowledgement letter and closure evidence
The PPPD Examination Handbook requires the LSs to ensure that the plan administrator provides an acknowledgement letter to OSFI within 30 days after issuance date as outlined in the management letter. If the plan administrator does not acknowledge the findings and recommendations within the required timeline, the LSs are expected to follow up. Of the 12 samples tested, the LSs performed follow-up 17 days after the required submission deadline for two samples. While the acknowledgement letters were ultimately received, untimely follow-up may result in delayed risk mitigation as the plan administrator may not have understood or took the appropriate actions to address the risks raised by OSFI.
The management letter also outlines the target dates of when recommendations need to be addressed by the PPPs. Management expects the LSs to conduct follow-up prior to and post the submission deadline when closure evidence is not submitted on time. All 9 samples where closure evidence was submitted after the submission deadline or has not been submitted as of audit fieldwork date, had no evidence of follow-up within these required timelines.
Without adequate acknowledgement on issues identified in the management letter and timely follow-up for closure evidence, there is a risk that plan administrators may not take timely and adequate action to address the risks identified.
Target date extension
As indicated by the management letters issued to the PPPs, plan administrators are responsible for providing closure evidence to OSFI within the specified submission deadlines. Where plan administrators are unable to meet these timelines, they may request OSFI to extend the target submission dates. Extension requests are generally submitted via email and must be approved by the authorized authority (i.e., SM and Director).
The audit tested 5 samples with extensions to the target submission dates. While all 5 samples had adequate documentation to support the extension, one sample did not have evidence of approval. Unauthorized extensions to the original issue submission dates may increase the plan administrator’s risk exposure beyond OSFI’s risk tolerance level.
Closure of recommendations
Management expects the LSs to assess the evidence, obtain SM’s approval on the assessment, and respond to the plan administrator about the assessment results within 45 days upon receipt of closure evidence submitted by the plan administrator. Of the 12 samples tested, where closure evidence was submitted for 6, assessment of evidence were supported with documentation. However, only one sample was assessed and closed within the expected timeline. The remaining 5 samples were either not assessed as of the audit fieldwork date or assessed and/or approved late between 50 to 282 days after receiving the closure evidence from the plan administrators.
The delay in recommendations follow-up and closing as indicated by management was caused by the turnover within the Supervision Team, coupled with the lack of tracking and monitoring of key recommendation milestones (illustrated further below under 4.4 Key Performance Indicators).
Without a defined process to promote consistent and timely issues management, there may be prolonged risks that the plan administrators are exposed to.
Recommendation 3 (Medium Risk)
Management should establish and document a process to track and monitor key milestones dates against target dates and ensure evidence of approval of target date extension is obtained and retained.
4.3 Oversight of the private pension plans risk profile
The Supervision Team conducts a continuous and dynamic monitoring of industry risks. However, the process can be strengthened to ensure that monitoring is completed consistently and integrated with existing reporting used for risk oversight.
The PPP Supervision Team monitors industry risks to identify and assess risks impacting the PPPs overall risk profile on an on-going basis. These activities contribute to the identification of supervisory concerns and related intervention activities.
Until fiscal 2019, the PPP Supervision Team conducted industry monitoring and rating assessments at a minimum of semi-annual periods. However, after recognizing that the frequency of the control did not always provide timely feedback and insights, management revised to a continuous and dynamic industry risk monitoring approach. Through this, the LSs were encouraged to establish news alerts relevant to their portfolio’s and to promptly assess the impact on the pension portfolios. However, this was not a formal requirement and there was no guidance on the parameters used to generate news alerts or how to integrate the results of these news alerts into the PPPs risk assessment. This may limit LSs ability to identify and assess relevant industry risks in a consistent and timely manner.
Moreover, there is no reporting on the aggregated or sector-based results and trends of the PPP overall risk profiles. This may limit management’s holistic view and oversight of the risk trends and macro-environmental risks applicable to PPPs to support adequate and timely decision making for further supervision action.
Recommendation 4 (High Risk)
Management should establish and document a process to support consistent assessment and integration of industry monitoring risks for effective oversight of PPPs. The results of the PPP risk profiles should be monitored and reported to senior management on an ongoing basis.
4.4 Oversight of supervisory activities
Performance of some supervisory activities are tracked and monitored on a regular basis by management. However, reporting can be strengthened to have metrics that include comprehensive oversight over supervision activities and controls around data used for these metrics.
Key Performance Indicators
The PPP Supervision Team has established internal Key Performance Indicators (KPIs) to track and monitor the monthly performance of certain supervisory activities and operations such as outstanding external plan enquiries, triggered alerts and responses to external administrators.
While these KPIs are reported monthly to the Director, they do not capture the progress of other key supervisory activities such as the status of examinations and recommendations against targeted timelines. Inadequate reporting of progress of all supervision activities may lead to ineffective oversight and untimely completion of examinations, and closure of recommendations.
Also, intervention activities are needed to ensure that the PPPs overall risk profiles remain current so that downstream supervision activities, including increased interactions with the PPPs, are adequate and timely. Intervention activities are triggered based on the results of on-going monitoring of RASP driven triggers. The PPP Supervision team creates and documents these intervention activities, such as Sponsor at Risk and Late Remittance, in RASP. However, there is currently no reporting on the progress of these activities to management within the monthly KPI report. Consequently, management may not have oversight over the timeliness and adequacy of these intervention activities.
Another metric that is monitored is the timely completion of triaging and responding to external plan administrator enquiries within OSFI’s required 15 days service standard. These enquiries may involve both the Supervision and as needed, additional support from the Policy Team for complex enquires. However, the Policy Team’s response target of 30 days, conflicts with OSFI’s 15 days service standard. Based on sample testing, approximately 54% of the overdue enquiries required investigation by the Policy Team and all enquiries were late. However, these overdue results were attributed to the Policy Team and not the Supervision Team, causing misalignment in accountability. Both misaligned accountability and inconsistent targets for actioning external plan enquiries may increase reputational risk for OSFI and prolong unaddressed risks and questions for plan members.
Validation of data used for Key Performance Indicators
Currently, the key supervisory system used, RASP, has date fields to capture actual key milestone dates, e.g., examination date, wrap-up meeting date, management letter issuance date. These date fields can be used to generate KPI and other risk reporting for the PPP Supervision team. However, there are no validation controls to ensure accurate and complete data. For all four examinations tested, exceptions were noted between the dates in RASP and dates within the supporting documentation. Without validation of the data used in oversight reporting, there is a risk that this information is inaccurate and incomplete and may lead to misinformed decision making.
In addition, it was noted that for certain sampled KPIs reported in the monthly reports, supporting documentation to substantiate the reported KPI results was unavailable. Specifically, no source documentation was retained for 3 out of the 8 months for the Outstanding TRIs metric to support progress of on-going monitoring. Without the retention of source documents, it may risk inadequate support on the accuracy of the metrics reported to management.
Recommendation 5 (Medium Risk)
Management should revisit the metrics and thresholds on an ongoing basis to remain relevant to monitor performance of supervisory activities and align with expected objectives. Where applicable, data validation controls should be established to support accurate and complete reporting.
4.5 Review and approval
Review and approval are performed on key supervisory activities and documents to ensure quality of work. However, the existing process and controls to evidence review and approval can be strengthened to support supervisory activities and adequate risk assessments of the PPPs.
Adequate management review and approval of key supervisory work ensures that supervisory activities and documents adhere to the established standards, guidance, and meet management expectations. It also ensures that the on-going monitoring of triggered alerts is effective and risk profiles of the PPPs is accurate and complete. Review and approval evidence is captured directly in RASP or by emails retained in eSpace.
Risk Assessment Summary
The Risk Assessment Summary (RAS) within RASP documents the rationale of the risk and stage ratings of the PPPs. Per the PPP Supervision Authority Matrix, RAS requires Director and/or Managing Director's approval if the stage rating is above zero prior to a rating change. For one out of the eight samples tested, the RAS with a stage 1 rating prior to change was not approved by the Director as required.
Additionally, per the PPPD Examination Handbook, a post-examination RAS must be completed and reviewed to reflect any changes from the examination results. For all three examinations tested, the overall examination results were reviewed and approved, but the post-examination RAS was not completed. Upon further corroboration with management, it was noted that these examinations did not require an immediate update to RAS as examination results did not drive any changes to the ratings. However, without timely updates to the post-examination RAS, risk assessments for the PPPs may be outdated and may impact future planned supervisory activities.
Annual review controls over triggers
RASP facilitates the supervisory processes by performing an initial review of the PPPs’ annual filed returns based on a pre-determined set of criteria and formulas. When a pension plan exceeds these criteria, the RASP system will trigger alerts for the PPP Supervision Team to investigate and validate. To ensure that RASP is operating effectively and as intended to support investigation and monitoring, there are annual controls to review RASP’s triggers and criteria.
The Annual Review Criteria for Waiving RAS Requirement and Appropriateness of TRIs Triggering RAS Requirements procedural manual lists the review requirements and process that governs the annual refresh and review of risk criteria that triggers alerts. These RAS triggers may require supervisors to investigate and update the PPPs risk profile, which can then trigger additional downstream supervisory activities (i.e. on-going monitoring and/or intervention). Specifically, the manual requires that RAS triggers are refreshed annually and approved by the Director prior to August 15th of each year.
For one (2022-23 fiscal review) out of the three years tested, the annual review and approval was not performed. Management confirmed that they had decided to omit this annual review, as the prior year’s trigger review overlapped with the 2022-23 cycle. However, there was no evidence of approval of this decision by the Director or above for this decision. Consequently, there may be unauthorized decisions and/or inadequate oversight over the RAS triggers used to support supervisory investigation and monitoring.
Another annual control is the review of the TRI criteria and formulas that trigger the TRI alerts in RASP. To ensure that the TRI criteria are coded in RASP in accordance with the approved criteria, user acceptance testing controls exist. Per the RASP Change Management Process procedural manual, TRI trigger changes in RASP require the approval of the Director if changes are made by Supervision Team or Managing Director if changes are made by IM/IT. For any changes made, supporting documentation is required to be retained. For five out of nine samples, user acceptance testing was completed and evidenced; however, there was no evidence of approval on the TRI trigger changes by the Director or Managing Director.
Without adequate oversight of the triggers, there is a risk that changes to the criteria in RASP may be inappropriate to trigger downstream supervision activities for investigation and assessment.
Recommendation 6 (Medium Risk)
Management should revisit the current Supervision procedure manuals to reflect existing processes and that appropriate training is provided to staff to promote adherence to these requirements.
4.6 User access
The PPP Supervision Team manages and monitors user access of RASP. User access controls can be strengthened to ensure timely identification and adequate oversight of access changes.
RASP is a key system used by the Supervision Team to facilitate supervisory work. It contains a wide range of plan- and supervision work-related information such as plan details, risk and stage ratings, significant dates, etc. Moreover, through the use of specific criteria, it also triggers downstream supervisory activities such as investigation and monitoring. Aside from the PPP teams, there are other groups within OSFI (e.g., Application Services, Communication, Finance, etc.) who require access to RASP for their supporting roles. As access needs change from time to time, it is critical to ensure access is authorized, assigned on a need-to-know basis, and updated in a timely manner.
Ad-hoc user access requests
Per the Risk Assessment System Access Management procedural manual, the Senior Officer, Pension System is responsible for processing user access requests for RASP after obtaining approval and retaining them in eSpace. The current process also requires the approval by the SM after the initial review is conducted by the Senior Officer. However, all ten samples tested did not have evidence of SM approval and 50% of samples did not have evidence of initial request approval. Moreover, not all access requests were adequately retained in eSpace, as required, however, were provided upon further audit enquiry.
The lack of adequate approval may result in inappropriate access to RASP and the sensitive and critical data that it holds.
System access review
Per the Risk Assessment System Access Management procedural manual, the Senior Officer, Pension System is also responsible for the periodic monitoring of user access in RASP to ensure that user access is appropriate and supporting documents (i.e., user access listing) are properly retained in eSpace.
The current periodic monitoring includes an overall monthly review of user access list for general reasonability and a subsequent quarterly review for all period over period access changes. For 16 out of the 28 monthly access review samples, evidence of the control performance was not retained. In addition, for one of two monthly sampled reviews, access changes were identified, but evidence of approval of these changes was not retained.
While management has recently started to revise the process to retain evidence of access reviews and approval, this was not operationalized during the audit scope period.
Internal Audit reperformed the August 2022 monthly review of the RASP user access listing and noted that there were 12 instances that required user access to be removed along with four exceptions where users were granted duplicate roles that were not identified in management’s monthly review. While these exceptions were ultimately resolved during the following quarterly review cycle in September, they were not identified and remediated in a timely manner.
Ineffective and untimely monitoring of user access reviews may lead to inappropriate and prolonged access to sensitive and confidential information of PPPs.
Recommendation 7 (Medium Risk)
Management should revise the user access review controls, including ad-hoc user and periodic access reviews for timely oversight of access to sensitive and confidential information within RASP.
Appendix A – Recommendation ratings
Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Recommendations are ranked according to the following definitions:
- High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e., control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
- Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
- Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation; and their effect on other objectives should be considered.