Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Maintenance of IT systems

General code in force: 28 March 2024

This module forms part of our expectations for trustees of those schemes required to operate an effective system of governance, see Systems of governance.

  1. Governing bodies need to have processes to ensure information transmission. Having put the appropriate IT systems in place, (see Financial transactions and Record- keeping) it is important that they are reviewed and maintained regularly.
  2. Under section 249A of the Pensions Act 20041, governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls (see Internal controls). However, there are certain exemptions2. The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
  3. Under section 249B of the Pensions Act 20043, scheme managers of public service pension schemes4 are required to establish and operate internal controls, which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules5, and with the requirements of the law.
  4. Internal control processes should ensure that IT systems are able to meet the scheme’s current needs and legal requirements. Governing bodies should take steps to make sure their service providers can prove they meet our expectations for maintaining IT systems as listed below. Governing bodies should challenge providers and push for improvements where expectations are not being satisfactorily met. If considering expert advice or assurance reporting, governing bodies can read Assurance reports on internal controls for further information.
  5. Standards for maintaining IT systems:
    1. Cyber security measures and procedures should be in place and functioning. See Cyber controls.
    2. Record evidence of how changes are planned and executed within the system.
    3. Scheme and member data should be backed up regularly.
    4. Disaster recovery processes are in place and tested over appropriate periods.
    5. Written policies should be in place for maintaining, upgrading, and replacing hardware and software.
    6. Request evidence to show there is a schedule for the system to be replaced or updated, to cope with events such as changes to tax thresholds.
    7. Be satisfied that adequate and sufficient hardware and personnel resources, with appropriate functionality and/or skills, exist to carry out the work.
    8. Secure evidence that the IT system can meet current and anticipated system requirements.
    9. Manage planned and potential future upgrades within the administration system.

Glossary and legal information

Internal controls

  • Arrangements and procedures to be followed in the administration and management of the scheme,
  • Systems and arrangements for monitoring that administration and management, and
  • Arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.


Information technology. The systems (especially computers and telecommunications) used for storing, retrieving and sending information.

1Article 226A of The Pensions (Northern Ireland) Order 2005

2Section 249A(3) of the Pensions Act 2004 [Article 226A (3) of The Pensions (Northern Ireland) Order 2005]

3Articles 226B of The Pensions (Northern Ireland) Order 2005

4As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]

5As defined in Section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]