Evidence Pack Generation Runbook

What Is an Evidence Pack?

A compliance evidence pack is a structured, exportable bundle of compliance artifacts that demonstrates a pension scheme’s IORP II readiness at a specific point in time. It is the primary document produced when a trustee board, regulator, auditor, or scheme adviser needs to review the scheme’s compliance posture.

Trustee Board Review

The board reviews the evidence pack at scheduled meetings to confirm ongoing compliance. The pack provides the factual basis for trustee resolutions on governance matters.

Regulatory Enquiries

When the Pensions Authority requests evidence of compliance with specific IORP II provisions, the evidence pack provides a structured, defensible response. Each artifact is timestamped and integrity-protected.

Auditor Requests

Internal and external auditors can review the evidence pack as part of their audit of the scheme’s governance and risk management systems. Audit-ready formatting reduces engagement time.

Scheme Adviser Due Diligence

Actuaries, pension consultants, and legal advisers reviewing the scheme’s governance position use the evidence pack as the primary input. Consistent format enables rapid adviser review.

Standard Evidence Pack Contents

A complete IORP II evidence pack contains eight categories of evidence:
Scope: All written policies required by IORP II Article 29 (S.I. 128/2021, Reg. 29 / Section 64AA Pensions Act), plus supporting governance records.
Contents:
  • Investment policy statement (IPS / SIPP)
  • Risk management policy
  • Internal audit policy (with independence statement)
  • Compliance policy
  • Remuneration policy
  • Business continuity / contingency plan
  • Data strategy policy (GDPR alignment documentation)
  • Trustee board meeting minutes (prior 12 months)
  • Trustee resolution records
  • Scheme trust deed and rules (current version)
Currency requirement: All policies must reflect the current approved version. Policies not reviewed within 12 months will be flagged amber in the evidence pack.

Scope: Records for all Key Function Holders (KFHs) appointed under IORP II Article 23 (S.I. 128/2021, Reg. 23 / Section 64V Pensions Act).
Key Functions: Risk Management Function, Compliance Function, Internal Audit Function, Actuarial Function.
Contents:
  • Appointment letters for each KFH
  • Fit and proper declarations (initial + annual renewal)
  • CPD records for the preceding 12 months
  • Regulatory history declarations
  • Independence statements for Internal Audit KFH (demonstrating no operational conflict)
  • Organisational chart showing KFH reporting lines and separation of duties
Currency requirement: F&P declarations must be renewed annually. CPD must meet the minimum hours required under the Pensions Authority’s Trustee Knowledge and Understanding framework.

Scope: The Own Risk Assessment required by IORP II Article 28 (S.I. 128/2021, Reg. 28 / Section 64AL Pensions Act).
Contents:
  • Current ORA report (including all required sub-assessments: investment risk, operational risk, liquidity risk, counterparty risk, ESG risk, ICT risk)
  • Risk register underlying the ORA
  • Trustee board sign-off record (resolution recording board approval of ORA)
  • Prior ORA reports (minimum 3 years, demonstrating evolving risk management)
  • Risk treatment action log showing progress on identified risk mitigants
Currency requirement: The ORA must be updated at any material change to the scheme’s risk profile and reviewed at least at each significant change to investment strategy or operating model. The Pensions Authority expects schemes to be able to demonstrate that the ORA is a living document, not a one-time exercise.

Scope: The Actuarial Compliance Statement required for schemes that have an actuarial function under IORP II Article 27 (S.I. 128/2021, Reg. 27 / Section 64Z Pensions Act).
Contents:
  • Current ACS report
  • Actuarial assumptions documentation and methodology statement
  • Trustee sign-off record
  • Actuarial Funding Certificate (for DB schemes) — current and any in force during the preceding 3 years
Note: The ACS is primarily relevant for DB schemes and schemes with guaranteed benefits. DC schemes without guarantees may not require an ACS; confirm with your scheme actuary.

Scope: Documentation of all outsourced functions as required by IORP II Article 31 (S.I. 128/2021, Reg. 31 / Section 64AK Pensions Act).
Contents:
  • Outsourcing register listing all outsourced functions and providers
  • Written outsourcing agreements for each outsourced function (or confirmation that existing contracts have been assessed for IORP II compliance)
  • Data Processing Agreements (DPAs) with all data processors
  • Pensions Authority notification records for material outsourcing arrangements
  • Annual outsourcing review records
Currency requirement: The outsourcing register must be current and reflect any changes to provider arrangements in the period covered by the pack.

Scope: GDPR and IORP II data strategy compliance documentation.
Contents:
  • Data strategy policy (IORP II Reg. 29 / GDPR Article 5 alignment)
  • Records of Processing Activities (RoPA) as controller
  • Data Processing Agreement with PensionPortal.ai
  • Data Protection Impact Assessment (DPIA) — where applicable
  • Data breach register (including incidents assessed as not meeting the DPC notification threshold)
  • Member data quality assessment
Note: The RoPA must identify all processing activities, their legal basis, data categories, retention periods, and third-party recipients. This is a GDPR Article 30 obligation for all controllers.

Scope: Evidence of compliance with disclosure and transparency obligations.
Contents:
  • Privacy notice (current version) — GDPR Article 13/14
  • Scheme information document (SID / SIIN)
  • Most recent annual benefit statements (confirmation of dispatch)
  • Any significant event communications (wind-up notices, material change notifications)
Currency requirement: Privacy notice must be current and reflect actual processing activities. Benefit statements must have been dispatched within the applicable deadline.

Scope: Export of the PensionPortal.ai platform audit log for the period covered by the evidence pack.
Contents:
  • Audit log export covering the specified period
  • Log integrity verification record (SHA-256 hash of export)
  • User access report (list of users with access to the scheme during the period, and their roles)
Purpose: Demonstrates the accountability and governance trail for all actions taken within the compliance platform. Supports IORP II Article 21 accountability obligations and GDPR Article 5(2) accountability principle.

Generating an Evidence Pack: Step-by-Step

From the Compliance Dashboard, select Evidence Pack in the left navigation, then click New Pack.

You must have the Trustee Admin or Compliance Officer role to generate evidence packs.

Select Pack Scope

Define the scope of the evidence pack:
  • Full scheme pack: All eight evidence categories for the entire scheme — for annual governance reviews, major regulatory enquiries, or full due diligence
  • Period-specific pack: All evidence for a defined date range — for audit periods or regulatory review of a specific period
  • Requirement-specific pack: Evidence for a specific IORP II Article or regulatory requirement — for targeted Pensions Authority queries or internal audit scope

Enter the scheme year or date range. The system will use this to determine which artifacts are in scope and whether time-sensitive items (e.g., benefit statements, policy reviews) are current for that period.

System Status Assessment

The system automatically pulls the current status of each evidence category and every artifact within it. Each item is assigned a RAG status:
  • 🟢 Green: Artifact is present, current, and complete
  • 🟡 Amber: Artifact is present but approaching expiry, or has a minor completeness gap flagged for review
  • 🔴 Red: Artifact is missing, expired, or has a material completeness gap that must be resolved

The status assessment runs in real time from the platform’s data. No manual data entry is required for items already managed in PensionPortal.ai.

Review Amber and Red Items

Review each amber and red item in the gap report. For each:
  • Red — missing artifact: Upload the artifact or complete the relevant module to generate it
  • Red — expired artifact: Complete the renewal process (e.g., obtain updated F&P declaration; complete policy review; obtain trustee sign-off on ORA)
  • Amber — approaching expiry: Either complete renewal now, or mark with an explanatory note if the item is not due for renewal before the pack date
  • Amber — minor gap: Review the gap description and either resolve it or document a reasoned explanation

Do not proceed to pack generation with unresolved red items unless you are generating a pack explicitly to show the current compliance gap status for internal escalation purposes.

Document Any Gaps with Explanatory Notes

For any item that remains incomplete at pack generation time, add a structured explanatory note covering:
  • Why the item is incomplete
  • The trustee’s plan to resolve it
  • The target completion date
  • The name of the trustee or adviser responsible

These notes are included in the evidence pack and demonstrate that the trustees are aware of the gap and managing it — which is itself evidence of good governance.

Generate the Pack

Click Generate Pack. The system:
  • Compiles all in-scope artifacts into a structured PDF bundle
  • Applies a timestamp recording the exact date and time of generation
  • Calculates a SHA-256 checksum of the complete pack for integrity verification
  • Applies a pack identifier for tracking and version control
  • Records the generating user in the audit log

Generation typically completes within 30–90 seconds depending on pack size. Large packs (full scheme with 3-year history) may take up to 5 minutes.

Download and Review

Download the generated pack and review it before distribution. Check:
  • Cover page shows correct scheme name, pack date, and pack scope
  • All eight evidence categories are present (or the absence of a category is documented)
  • All artifacts are legible and complete
  • Explanatory notes for gaps are included where applicable
  • The SHA-256 checksum is recorded on the cover page

If you identify any error, do not distribute the pack. Return to step 4, resolve the issue, and regenerate.

Distribute Under Controlled Access

Distribute the evidence pack using one of two controlled methods:

Option A — Expiring download link: Generate a secure download link with a defined expiry (1, 7, or 30 days). Share the link directly with the recipient. Link activity is logged.

Option B — Trustee portal access: Grant the recipient direct access to the pack within the PensionPortal.ai trustee portal. Access is logged. Access can be revoked at any time.

Do not distribute evidence packs via unencrypted email as attachments. Evidence packs contain personal data and confidential governance information.

Regulatory Considerations

Evidence packs are confidential documents. They contain personal data (member records, KFH declarations), commercially sensitive information (investment strategy, risk assessments), and governance information that may be legally privileged in some contexts. Apply access controls proportionate to the sensitivity of the pack.

Member Data Redaction

If an evidence pack is to be shared outside the scheme’s control environment — for example, with an external auditor, scheme adviser, or regulator — consider whether member-level personal data should be redacted. The pack generation tool includes a redaction option that removes member personal data while retaining aggregate compliance evidence.

Version History

Maintain version history for all evidence packs. Regulators and auditors may ask about your compliance position at a specific point in time (e.g., as at the scheme year end, or as at the date of a regulatory submission). The platform retains all generated packs with their timestamps and checksums.

Pack Integrity

Each evidence pack is accompanied by a SHA-256 checksum. This provides tamper-evidence: any modification to the pack after generation will produce a different checksum. Recipients can verify the checksum against the value on the cover page to confirm the pack has not been altered.

Regulatory Requests

When responding to a Pensions Authority information request, reference the pack identifier and generation timestamp in your response. This creates a clear audit trail linking your response to the specific evidence produced. Retain a copy of all regulatory correspondence in the Governance module.

Evidence Pack and IORP II Obligations

Each section of the evidence pack maps directly to an IORP II Article:

| Evidence Category | Primary IORP II Article | Irish Reference |
|---|---|---|
| Governance documentation + policies | Article 29 (written policies) | S.I. 128/2021, Reg. 29 |
| KFH records | Article 23 (fit and proper) | S.I. 128/2021, Reg. 23 |
| Own Risk Assessment | Article 28 (ORA) | S.I. 128/2021, Reg. 28 |
| Actuarial Compliance Statement | Article 27 (actuarial function) | S.I. 128/2021, Reg. 27 |
| Outsourcing register | Article 31 (outsourcing) | S.I. 128/2021, Reg. 31 |
| Data strategy evidence | Article 29 + GDPR Article 30 | S.I. 128/2021, Reg. 29 |
| Member communications | Article 41 (disclosure) | S.I. 128/2021, Reg. 41 |
| Platform audit trail | Article 21 (accountability) + Article 26 (internal audit) | S.I. 128/2021, Regs. 21, 26 |

The Evidence Pack function is available on Professional and Enterprise subscription tiers. Starter tier customers have access to individual artifact downloads but not the bundled, timestamped pack generation. Upgrade your subscription to access full evidence pack functionality.