Post Office Limited
POST OFFICE LIMITED
(Company Number 2154540)
Meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE
to be held at 14.00 on Thursday 12” September 2013
at 148 Old Street, London, EC1V 9HQ in the Board Room
14.00 1 Minutes of the last meetings and matters arising Alasdair Marnoch
e Minutes of the meetings held on 21 May
and 5 June 2013
e Matters arising:
- Actions List
- Key issues covered by Risk &
Compliance, and Regulatory Risk
Committees (including activity report
from Risk & Compliance Committee)
2 Risk Management
e Status of Risk Strategy and Framework
« Executive Committee Risk Map #1 and
action plan
3 Internal Audit
« Update and key outcomes
*¢ Q3 Plans
¢ — Status of recommendations
implementation
* Technical Update
4 Information Security Update
5 The Interim Report
e The plan for half year financial reporting
6 Any other business
7 Dates of Next Meetings
Wednesday 6 November 2013 14.00-16.30
Proposed dates for 2014
PRESENT: Alasdair Marnoch (Chairman)
Neil McCausland (Non-executive director)
Tim Franklin (Non-executive director)
SECRETARY: Alwen Lyons (Company Secretary)
IN ATTENDANCE: Alice Perkins (Company Chairman)
Paula Vennells (Chief Executive)
Chris Day (CFO)
Susan Crichton (General Counsel)
Malcolm Zack (Head of Internal Audit)
David Mason (Head of Risk Governance)
Susan Crichton
Chris Day/ David
Mason
Malcolm Zack
Lesley Sewell
Sarah Long
Alwen Lyons
Lesley Sewell (Chief Information Officer) (Item 4 only)
Sarah Long (Financial Accounting Governance Manager) (Item 5 only)
POL00397990
POL00397990
Action
Requested
Approve
Note
Note
Note
Note and
Approve
Note
Approve
Note
Approve
POL00397990
POL00397990
Post Office Limited — Strictly confidential
POLARC13 (3rd)
POLARC13/16-13/22
POST OFFICE LIMITED
(Company no. 2154540)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held
on Tuesday 21 May 2013
at 148 Old Street, London EC1V 9HQ
Present:
Alasdair Marnoch Chairman of Committee
Neil McCausland Senior Independent Director
Tim Franklin Non-Executive Director
In attendance:
Alice Perkins Chairman, Post Office Limited
Paula Vennells Chief Executive (13/16 — 13/19 only)
Chris Day Chief Financial Officer (13/16 — 13/19 only)
Sarah Hall Head of Financial Control and Compliance (13/16 — 13/19 only)
Alwen Lyons Company Secretary
Angus Grant Ernst & Young
Jeremy Midkiff Ernst & Young
Apologies for absence:
Susan Crichton HR & Corporate Services Director
POLARC13/16 INTRODUCTION
(a) A quorum being present, the Chairman of the Committee opened the
meeting and welcomed all those present emphasising the that the
Committee had been called to review the first set of Annual Accounts
as a business operating independent of Royal Mail Group, which they
would then recommend to the Post Office Board for approval.
(b) It was noted following the Board meeting on the 20" March Susannah
Storey had relinquished her role on the Audit and Accounts
Committee.
POLARC13/17 PRESENTATION OF DRAFT ANNUAL REPORT AND FINANCIAL
STATEMENTS FOR THE 53 WEEKS ENDED 31 MARCH 2013
(a) The CFO introduced the Post Office Limited Annual Report and
Financial Statements for the 2012-13 financial year and the supporting
briefing book. He explained that the accounts had been prepared as a
stand-alone group to best practice plc reporting standards.
(b) The CFO led the Committee through key points of note in the briefing
book. They discussed the rise in ‘other operating costs’ driven by
investment in brand and future growth and asked the business to
ensure that a clear explanation was included in the document. The
Committee discussed the segmental analysis of product pillar costs
and the possible misunderstanding about the direct allocations of costs
POL00397990
POL00397990
Post Office Limited — Strictly confidential
to products. It was agreed that the information had to be included but
that the introduction of product P&L reporting would help to make
things clearer in the future although this might take 2-3 years to
complete. The Chairman asked the business to expand on the
ACTION: Sarah explanation of the cost of sales to make it clear that they are directly
Hall attributable costs only.
ACTION: Sarah (c) The increase in headcount was raised and Sarah Hall explained that
Hall this was partly driven by the Network Transformation programme and
that a further disclosure note breaking down the headcount was
required and would be added.
(d) The Quality of Earnings section of the briefing book was discussed and
it was noted that, excluding the increased investment in projects of
£27m, the earnings had improved by £30m. Once adjustments for
timing and other corrections were made the underlying earnings
improvement was reduced to £24m. It was noted that this was internal
analysis for information and was agreed that the Quality of Earnings
would not be included in this year’s Report and Accounts but would be
monitored by the business, along with benefit realisation, for possible
inclusion in a future year’s accounts.
ACTION: CFO (e) Sarah Hall was asked to include an explanation on the movement in
the client receivables and payables within working capital in the
Financial Review
ACTION: CFO (f) The Committee discussed the proposed changes to the Going
Concern evaluation in the Corporate Governance Code and the
possible effect on the business in future years. Angus Grant reported
that the changes were still out to consultation. The Chairman asked
that the proposals be brought to a future Committee for discussion.
ACTION: (g) The Committee agreed the Annual Report and Financial Statements
Chairman and agreed that the Chairman of the Committee would give a verbal
recommendation to the Board that:
e the Annual Report and Financial Statements should be
approved; and
e authority be delegated for reviewing final amendments and
completing the Annual Report and Financial Statements on
behalf of Post Office Limited to a Sub-Committee, the quorum
for which to comprise any three of Alice Perkins, Paula
Vennells, Chris Day and Alasdair Marnoch, with final signoff
from the Board Chairman.
POLARC13/18 AUDIT RESULTS REPORT
(a) Copies of the report produced by Ernst & Young, setting out the
external auditor's preliminary conclusions on the financial position and
results of operations of POL for the financial year ended 31 March
2013, had been circulated to all those present at the meeting..
(b) Angus Grant confirmed the independence of the external auditor and
POL00397990
POL00397990
Post Office Limited — Strictly confidential
commented on the approach to the audit and its scope.
(c) The significant audit and accounting issues set out in the report were
discussed in detail, together with the key internal control findings. It
was recognised that despite the significant challenges facing the
business in separating from Royal Mail Group and delivering Network
Transformation, Ernst & Young reported a very smooth audit process
and anticipated that an unqualified audit report would be issued
(d) The auditors had reviewed and agreed the appropriateness of the
Going Concern basis for preparation of the financial statements.
(e) They congratulated the business for the improvements in the IT
controls, stressing that this had been driven by good governance and a
tight control framework. The co-ordinated audit between Finance and
IT was highlighted as a success and Sarah Hall and Lesley Sewell
were to be thanked for their input.
(f) The auditors raised one legacy issue which had been highlighted in the
HRSAP (an RMG system) with in appropriate access available to
individuals. The change had been requested of RMG but would take
some time to deploy, so check controls had been put in place in the
interim.
(g) There was discussion around the classification of accruals and
provisions for Subpostmasters and Crown staff payments. The
business explained that the amounts were measureable and were
intended to be paid after negotiations with the CWU and NFSP were
completed and therefore stood by their classification as an accrual.
(h) Angus Grant summarised that the audit was complete. There would be
a review for post balance sheet events just prior to signing. He
expected the report to show a clean audit. He congratulated the
business on the progress in the last year, with all issues closed off and
tighter controls in place.
(i) The Chairman thanked Ernst & Young for their report, which would
now be made final.
(j) Angus Grant reiterated the independence of the external auditor and
explained that he had contacted the Chairman of the Committee to
report that a different team at Ernst & Young were bidding for work
which might cause a possible conflict. The Chairman was comfortable
with the independence and thanked Angus for the transparency in
highlighting the possible issue.
(k) The Committee noted the report.
POLARC13/19 UPDATE ON VARIOUS FINANCIAL SERVICES MATTERS,
INCLUDING BANK OF IRELAND (UK) PLC CAPITAL & LIQUIDITY
(a) The Committee noted the update on various Financial Services
matters, including Bank of Ireland (UK) plc capital & liquidity.
POLARC13/20
ACTION: CFO
ACTION: CFO
POLARC13/21
POLARC13/22
(a)
(b)
(c)
(a)
POL00397990
POL00397990
Post Office Limited — Strictly confidential
The Post Office Limited executives left the meeting.
OPPORTUNITY FOR AUDITOR COMMENTS
The auditors reported that the business always engaged in good
constructive dialogue and was easy to work with. The Committee
asked how the control environment would benchmark against the
market. Angus Grant reported that in his opinion, after the
improvements in the IT controls, both the control environment and
management capability were on the border of 1° and 2" top quartile.
Even whilst managing the separation the controls had remained in
place.
When asked where improvements could be made Jeremy Midkiff
suggested that the business could further develop its skills in the
tax/treasury area. Angus Grant also proposed that the Business focus
on developments in the regulatory landscape, and suggested he brief
the CFO and Susan Crichton (HR & Corporate Services Director).
The Chairman asked the CFO to update the Board in September.
DATE OF NEXT MEETING
Wednesday 5 June 2013 14.00-16.00
CLOSE
There being no further business, the meeting was declared closed.
POL00397990
POL00397990
Strictly Confidential
POLARC13 (4")
13/23-13/26
POST OFFICE LIMITED
(Company no. 2154540)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held
on Wednesday 5 June 2013
By correspondence
Present:
Alasdair Marnoch Chairman of Committee
Neil McCausland Senior Independent Director
Tim Franklin Non-Executive Director
In attendance:
Alwen Lyons Company Secretary
POLARC INTRODUCTION
13/23
(a) It was noted that a meeting of the Committee was to be held by
correspondence to consider three items of business.
POLARC BENEFITS REALISATION GOVERNANCE
13/24
(a) A Benefits Realisation Governance paper had been circulated to the
Committee on 30 May 2013 for its consideration and input. The Committee
noted the recommended approach for the measurement of financial benefits
and post investment reviews.
(b) Tim Franklin asked that, emphasis be given, through personal objectives, to
ensure individuals understood their responsibility for benefits realisation.
(c) Committee members responded in writing to the Company Secretary
approving the proposed governance approach for managing and reviewing
the delivery of financial benefits derived from business investments.
POLARC INTERNAL AUDIT ACTIVITY UPDATE AND REVISED Q2 PLAN
13/25
(a) The Internal Audit Activity Update and Revised Q2 Plan had been circulated
to the Committee on 30 May 2013 for its consideration and input.
(b) Committee members responded in writing to the Company Secretary noting
the Internal Audit Activity update and revised Q2 plan.
POLARC INTERNAL AUDIT TRANSITION - AUDIT DEFINITIONS AND REPORTING
13/26
(a) The Internal Audit Transition — Audit Definitions and Reporting paper had
been circulated to the Committee on 30 May 2013 for its consideration and
input.
(b) Committee members responded in writing to the Company Secretary noting
the changes of reporting styles from Royal Mail to Post Office Internal Audit.
Page 1 of 1
Strictly Confidential
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE
ACTIONS LIST AS AT 5 SEPTEMBER 2013
POL00397990
POL00397990
No. I REFERENCE ACTION BY WHOM STATUS
Al November 2012 The approach to risk management would be a matter for particular focus I Susan Crichton Next stage of ERM development
POLARC12/8 at the next meeting in February. and Treasury Risk Management to
be recommended to POL Board.
Risk Management Strategy for
2013-2014 — Board and Business
to identify key material risks. On
September Agenda.
A2 November 2012 The CFO and HR & Corporate Services Director would then lead a Chris Day/ On September Agenda.
POLARC12/9(g) session at the Board to give comfort that the Business understands its Susan Crichton
regulatory risks and has the policies in place to monitor and mitigate.
A3 November 2012 The Committee asked that the minutes of future Regulatory Risk Susan Crichton Completed
POLARC12/13(a) I Committees (RRC) be provided for the ARC.
A4 I November 2012 Governance of Eagle Contract Nick Kennett To November 2013 Board
POLARC12/13(f) The Committee asked NK to provide an interim update on the
regulatory position in September 2013, 6 months after the changes had
taken effect.
AS November 2012 The Chairman noted that it would be useful at the same meeting to look I Nick Kennett To November 2013 Board
POLARC12/13(g) at scenarios in which Post Office would need to respond to a
termination event relating to the Eagle Contract.
AG November 2012 Company Secretary to reconfirm and recirculate meeting dates for Alwen Lyons 13 February, 20 March, 21 May, 12
POLARC12/14 2013 in February, May, September and November September, 6 Nov
AT February 2013 One final item to agree on external audit fees payable for 2012/13 but Chris Day Completed
POLARC13/2 content with value being offered. To report final fee to Committee once
finalised.
Summary of key issues covered by Risk & Compliance Committee to Susan Crichton Completed
be provided to ARC
ARC Actions List 15 August 2013
Alwen Lyons
Page 1 of 4
Strictly Confidential
POL00397990
POL00397990
Speak Up policy (Whistleblowing) to be communicated to Staff in April.
Report to be provided to ARC on issues raised at the end of 2013-14
with any significant matters highlighted in the interim.
Susan Crichton
Completed
A8 I February 2013 Following completion of the Risk Management Strategy for 2013-14 Susan Crichton/ On Agenda September 2013
POLARC13/3 both the Business and the POL Board would identify the key material Alisdair Marnoch
risks (top 5-10).
Committee to review Regulatory Risk Framework later in the year once I Susan Crichton/
the risk appetite work had been completed. Alisdair Marnoch
Consider the need for Professional Indemnity cover as it moved into the I Susan Crichton
area of financial services advice.
AQ February 2013 Compare POL’s Report and Accounts to those produced by mid-cap or I Mark Davies All Completed
POLARC13/4 small private limited companies.
Check with ShEx that POL’s proposed level of disclosure of Directors’ Neil McCausland/
Remuneration is in line with other companies in which ShEx hold a Susannah Storey
share.
Comments on Board Chairman’s foreword to Mark Davies/Alice All
Perkins.
x ee : 2 Mark Davies/Alwen
Business to consider if it wanted to make a public statement in the L
yons
Report and Accounts.
A10 I February 2013 Business to ensure it had enough focus on the major transformation Malcolm Zack The Transformation Programme
POLARC13/5 programmes in both Network and IT within the internal audit plan for focus will be subject to detailed
2013-14.
planning and on-going terms of
reference. This will commence
after the relevant Internal Audit
Manager has been recruited and
inducted. UPDATE Sept 2/13. IT
audit programme underway, IT
Audit manager now an attendee to
the IT Transformation Delivery
Board. Audit work in NTP yet to be
planned. Focus is currently on
ARC Actions List 15 August 2013
Alwen Lyons
Page 2 of 4
Strictly Confidential
POL00397990
POL00397990
FRP. Audit Work on SPMO has
been completed.
Remaining contracted 100 man days from the Royal Mail Internal audit
function be utilised in the first quarter of 2013-14 with a view to exiting
from the Royal Mail support by 30 June 2013 latest.
Malcolm Zack
The Director or Audit and Risk at
Royal Mail (Derek Foster) has
been informed and is supportive.
A meeting between Malcolm Zack
and Stephen Collins of the Royal.
Mail Internal Audit team is being
scheduled to agree work on 2012
audit follow ups, LINK and possible
assistance to the Swindon
Operations Review. UPDATE sept
2/13 - Service now transitioned.
RMG led audits for Q1 activity
completed during Q1 and cleared
during Q2. Action now completed
Circulate copy of approved Internal Audit plan to Risk & Compliance
Committee and Executive Committee.
Malcolm Zack
A copy will be sent to the R&CC
members for noting at the planned
R&CC scheduled for the 18"
March. Exec members whose
areas were under specific review
have been re briefed individually. A
finalised plan will be sent for
information after the R&CC.
Completed during March 2013
A11 I March 2013 Business to ensure that the Annual Report and Accounts timetable Mark Davies Both Completed
POLARC13/11 (b) I included enough time for ARC/Board members to review the reports,
and anyone with responsibility for signing off a part of the Report has
sufficient time and understands their deadline.
Timetable to be updated and circulated to the Board. Mark Davies
A12_ I March 2013 Business to revisit language in Going Concern Statement to make it Chris Day Completed
POLARC13/11(c) clear that the Business was operating at a loss before NSP.
ARC Actions List 15 August 2013
Alwen Lyons
Page 3 of 4
POL00397990
POL00397990
Strictly Confidential
A13 I March 2013 Segmented pillar income not to be disclosed in 2013 Accounts. Sarah Hall Both Completed
POLARC13/11(d)
Business to check template for Financial Statements to ensure that all I Sarah Hall
public disclosures were necessary.
A14 I 20 March 2013 Review of allocation and focus of internal audit resource. Malcolm Zack UPDATE Sept 2/13 — 3 person
POLARC13/12(d) Team in place since June 2013.
2013/14 audit plan underway since
April 2013. Completed
A review of the Branch audit
capability has been completed in
mid August. After consultation with
Chris Day a paper to the ExCo is
being drafted for October ExCo so
a business view can be discussed
with the Nov ARC. Verbal update
to September ARC.
ARC Actions List 15 August 2013 Alwen Lyons Page 4 of 4
POL00397990
POL00397990
Confidential
POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Risk & Compliance Committee Report August 2013
1. Purpose
The purpose of this paper is to:
1.1 Provide the Audit, Risk and Compliance Committee (ARC) with an update on the
activities of the Risk & Compliance Committee (R&CC).
2. Background
2.1 The R&CC is a sub-committee of the Post Office Executive Committee (ExCo),
chaired by the General Counsel and comprises: the Finance Director, Strategy
Director and the Director of IT & Change. Also in attendance are the Heads of
Risk and Internal Audit.
3. Current Activity Summary
3.1. The R&CC has provided oversight for the implementation of the risk
management strategy in Post Office to ensure that progress continues to be
made. The plan for the first quarter of the year was approved and has been
delivered. The plan for the second quarter was approved and delivery is currently
being monitored. There are no concerns with the current implementation and
that significant progress has been made.
3.2 I The R&CC has reviewed the outputs of the ExCo risk workshop and developed
the content.
3.3 The committee has reviewed the major risks identified in the business through
the risk management tool and from the Strategic Programme Management
Office (SPMO) and endorsed the actions in place to manage the risks.
3.4 A number of business policies have been reviewed by the committee and
endorsed for subsequent adoption by the ExCo, including the Risk Management
Policy, Business Continuity Policy and a range of information security policies.
4. Recommendations
44 The Audit, Risk and Compliance Committee is asked to note this update.
Risk & Compliance Committee update David Mason — Head of Risk Governance Page 1of1 23" August
POL00397990
POL00397990
Confidential
POST OFFICE LTD AUDIT AND RISK COMMITTEE
Risk Management Strategy 2013-2014
1. Purpose
The purpose of this paper is to:
1.1 Update the committee on the current status of the Enterprise Risk Management
(ERM) framework in Post Office Limited.
1.2 Provide the committee with the Executive Committee’s (ExCo) view of the risks
faced by the company in pursuing its objectives.
2. Background
2.1 A risk management strategy paper was presented to the committee in February
2013.
2.2 The paper set out a plan of activity to develop a risk management framework in
Post Office. The plan is included at Appendix A for reference, together with the
current status for each of the plan actions.
3. Summary of current plan status
3.1 Stage 1 of the plan is complete.
3.2 Stage 2 is in progress:
« ExCo have held a risk workshop in June 2013 with a follow-up review in
July 2013 and developed a risk map with identified owners, controls and
action plans;
¢ three directorates (Finance, Financial Services and Commercial) have
held workshops;
¢ areview has been completed of the risk management software tool.
3.3 In addition to the plan elements, a restructure of the Risk & Compliance team
has been carried out and recruitment is underway to fill the new roles which are
more directly targeted to the delivery of the risk management agenda.
3.4 Once the team is sufficiently resourced the remaining components of stage 2 of
the plan will be delivered, e.g. risk library, training materials etc.
4. Summary of Executive Risk Map
4.1. The Executive Committee risk map is included in Appendix B with the detailed
tisk profile table in Appendix C.
4.2 The current risk map reflects the stage Post Office is at in relation to the
strategic plan, with a number of uncertainties on the horizon.
Risk Management Strategy David Mason — Head of Risk Governance Page 10f2 September 2013
POL00397990
POL00397990
Confidential
4.3. The risks have been separated into two groups: those relating to running the
business (yellow) and those relating to the strategic plan (white). The most
significant risk in the running of the business is currently in relation to regulatory
breach and is focused on public procurement (risk 15).
4.4 Looking at the critical risks, two of these relate to external factors:
* support and engagement of stakeholders (risk 1); and
* responding with pace to competitors (risk 19).
4.5 The other critical risks relate to internal factors:
* Post Office dependency on a small number of service or commercial
contracts (risk 2); and,
¢ The potential failure of one or more major 3° parties (risks 11, 12, 13 &
21)
4.6 Internal controls have been identified for the majority of risks and action plans
will be put in place to address any gaps. These controls will be monitored by the
Risk & Compliance Committee to enable tracking of risks.
4.7 A governance framework is in place whereby risks identified within directorates
or strategic programmes are compiled and aggregated by the Risk &
Compliance team to give an enterprise view; critical risks identified through this
process are escalated via the Risk & Compliance Committee to ExCo.
48 ExCo will review the risk map and profile on a quarterly basis.
5. Recommendations
The Audit and Risk Committee is asked to:
5.1 acknowledge the progress made so far;
5.2 support the continued ERM development in line with plan;
5.3 provide direction with regard to the assessment and review of risks; and
5.4 receive an ExCo review of risks on a 6-monthly basis.
Risk Management Strategy David Mason — Head of Risk Governance Page 20f2 September 2013
POL00397990
POL00397990
Confidential
Appendix A: Risk strategy plan
Plan
Stage 1 — Target: To commence in February 2013
1.1 The Risk and Compliance function will draft a Risk Management Policy to apply
across the organisation. - complete July 2013
1.2 The Executive Committee will review and approve the policy and recommend its
approval by the Board. — risk management policy adopted by ExCo July 2013
1.3 Confirm the Governance Structure of the Risk Management Framework
Agree the position, relationship and relative risk responsibilities of the Audit
and Risk Committee, (ARC) and the Risk and Compliance Committee
(R&CC). -in place
The R&CC will finalise the Terms of Reference for the R&CC and primary
content of meetings. - complete June 2013
Agree the linkage between Head of Internal Audit and Head of Risk. — in
place
1.4 Appoint the new permanent Head of Risk. — interim appointment in place from
Jan 2013
1.5 Strengthen the risk management framework. — ongoing
Stage 2 - Target to commence April 2013
2.1 The Executive Committee to establish its top level business wide view of risk.
e Identify and assess the top 15-20 risks to achieving the strategic objectives.
e Create first Executive “Board Level” Risk Map.
¢ Create the initial action plan.
e Assign ExCo members to each risk and action plan.
e Assign an ExCo member to present first draft to the ARC or to the Board.
¢ Agree to review and update the ExCo risk map and action plans each
quarter.
Complete
2.2 Commence integration to next level - in progress
Share the ExCo Risk map with the SLT and risk champions.
Implement in Directorates using workshop and risk map approach
2.3 In each Directorate - Flow down the top risks from the Executive - in progress
Identify which ones does the business unit under review link to.
Identify own top risks related to own top objectives.
Identify if there are risks at this level that should be promoted upwards.
2.4 Refine the library of risk maps, action plans — in plan.
Quarterly each Directorate will review its risks and input to the ERM tool.
Risk Management Strategy Malcolm Zack ~ Head of internal Audit Page 1 of3 February 5" 2013
POL00397990
POL00397990
Confidential
« Improve the quality of Directorate review of business risks at the Risk and
Compliance Committee and/or ARC where appropriate.
e The Transformation Board will review and manage the risks and
interdependences of the Transformation Programme
2.5 Alongside risk map roll out: - in plan
« Work with the Executive Committee to define the company’s risk appetite
and risk tolerance concepts to be ratified by the Board. (Head of Risk)
e« Review Stratex model and populate with output from risk workshops
(ongoing — Head of Risk to lead).
« Develop the Business Controls Framework which supports the management
of risk.
¢ Track risks arising from results of audits (internal, external) and input these
into the risk management framework.
« Develop Workshop material and training where needed.
2.6 The Executive Committee will start its quarterly reviews and update the ARC or
Board, explaining movements in the key risks and highlighting new ones.
Stage 3 — January 2014 —-onwards
3.1 Develop the next stage of strategy. (Head of Risk)
3.2 Assess status, benchmark, consider longer term move towards recognised ISO risk
Management standards. (Head of Risk)
3.3 Identify if some Directorates require more sophisticated techniques (e.g Financial
Services). — (Head of Risk)
3.4 Establish ongoing auditing of risk management framework and_ provide
advice/support where required. (Head of Internal Audit)
Risk Management Strategy Malcolm Zack ~ Head of internal Audit Page 20f3 February 5" 2013
POL00397990
POL00397990
Confidential
Appendix 1
Board
Receives Audit Committee
Chairman's report
Each Periodic
Meeting _, Audit and Risk Committee
¢ Summaries of
__ Oversees: audit work done
System of Financial and Operational control by business
F ial Reporting Practices and Disclosure areas. (e.g
° Mattes Oversight of risk management framework Branch/Supply
employed by the business Chain audit
e Internal Audit : as
. Give Direction to Internal Audit/External audit teams)
e External Audit Fraud risk
¢ Board referred o Trane ns
Risk I fe * Ethics and code
ISK issues Tor Meet at least 4 times a year. of conduct
the Audit ExCo risk
Committee 6 EXCO TSK
presentations
« Delegated Board
issues
Report Report
e Summary of Activity e Key highlights to
e Risk Highlights for Audit ExCo where
Committee attention required. (e.g
e Key risk maps Reputational Risk)
Each Periodic
Meeting Risk and Compliance Committee
___
Oversee identification, assessment of risks and
¢ Status of management of risks.
Strategic risk Directorate risk review
e Risk & Risk Management Framework assessments and
Compliance Risk Policy presentations.
Activity. Risk Appetite
e Status of Risk Risk Acceptance
Management
Framework Meet at least 4 times a year
° 3rd Party Risk 3-4 weeks prior to ARC
and Compliance Transformation Board
Activities Risks of
e Risk highlights Transformation
from Internal Programme
Audit
Ongoing through the year:
Directorates identify, assess and
manage their risks
Risk Management Strategy Malcolm Zack ~ Head of Internal Audit Page 3 0f3 February 5" 2013
POL00397990
POL00397990
Appendix B: —_ ExCo risk map — 1% July 2013 II aakdeseistion I
1 Plans are significantly hindered, redirected or otherwise changed
by major stakeholders
2 Dependency on small number of service or commercial contracts
£100m 21) 115 : ous
3 Risk that income fails to materialise (e.g. Govt depts do not.
provide business)
4 Risk of rating change for ATMs and/or interchange rate
H i h 5 Failure to finance transformation through loss of state aid or
g§ other investment stream
6 __Fallure to take action on central costs and/or sustain lower cost
base
ao) 7 Post Office cannot develop sufficient capacity or capability to
co) deliver plans
2
ira £50m 8 Risk that culture does not change effectively
oO 9 Risk that Post Office does not deliver 2015 commitments
a 10 Risk and opportunities with bringing in more of value chain
x internally (e.g. insurance)
2 Med 11 Failure of a major counterparty
a 12 Fail f IT ier
- ‘ilure of a major IT supplier
_ 13 Infrastructure failure or business continuity/disaster recovery
oO failure
gS 14 Separation increases business continuity risk
E 15 Non-compliance with regulatory frameworkor contractual
£ £10m obligations
16 Actions of BOI in their own markets has collateralimpact on Post
Office
17 Increased risk of competition from known operators or unknown:
coalition
L 18 Failure to deliverthe new models through agreements with
OW multiples/symbols
19 Failure to respond to the competitive environment with pace
inning the business ris Ae we 20 Failure to fully engage operators in the plans for Network
7 “ Transformation
@ Strategic plan risk
a1 Risk that PO cannot pick up BOI business on termination or
break of Eagle agreement
. . 22 Risk that current investigations identify systemic weaknesses in.
Unlikely Possible Probable systems and/or processes
Likelihood of Risk Realising
16 Pence vgiteytnennaronacaanion [sc en ia ae
POL00397990
POL00397990
POL00397990
POL00397990
Strictly Confidential
POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Internal Audit — Activity Update and revised Q3 plan
1. Purpose
The purpose of this paper is to:
1.1. Update the Committee on the outcome of the final audit activity conducted by the
Royal Mail Internal Audit function (RMG IA) on behalf of POL IA as part of the
2013/2014 internal audit plan and the POL IA audit activity that has got
underway.
1.2 Outline the planned, requested and proposed audit and advisory work for Q3.
1.3 The committee is requested to note and provide directions as necessary.
2. Outcome of recent audits (RMG IA led)
2.1. RMG IA conducted an audit of the Financial Controls around payments made to
agents as part of the Network Transformation Programme. The review focused
on the controls over payments to agents for conversion of branches under the
Network Transformation Programme, including authorisation pre conversion,
evidence of works completion, any deductions for outgoing agents or debt, and
evidence for final payment.
* The outcome of the audit was satisfactory.
¢ xtra controls needed to check for duplicate payments prior to approving
payments, stronger checks and evidence needed for financial assessments
of agents who had multiple branches.
¢ Observation made to improve consistency over Health and Safety checks on
site.
e At POL IA’s request, RMG IA also followed up the actions reported in the
NTP Financial controls report issued in November 2012 (summarised at the
February 2013 ARC) and concluded all recommendations had been
implemented to a satisfactory level.
2.2 The Committee is advised that at time of writing, two audits run by the RMG IA
have run passed the 30" June transition date. The follow up on Information
Security (August 2012) was completed in early July but due to meeting
postponements and then holidays, clearance with Lesley Sewell did not occur
until mid August 2013.
Secondly an audit of the IT Separation Governance around separation that had
been requested by IT and agreed with Internal Audit/ARC did not complete
fieldwork until July and reporting was not made available until August. RMG will
absorb any overrun above the originally agreed 120 unused days carried over
from 2012/13.
Internal Audit update Malcolm Zack — Head of Internal Audit Page 1 of 6
12" September 2013
POL00397990
POL00397990
Strictly Confidential
Outcomes
IT Separation Governance
« Adocumentation based assessment of the governance over the POL Separation
programme including Governance and structure, project management and
controls, resourcing, capability, risk and issue management, change control, and
programme reporting.
© Satisfactory conclusion, with action needed to fill some resource gaps.
No major recommendations raised.
Information Security
¢ Of the original 8 actions, 3 were assessed as complete. Of the 5 remaining,
activity has been underway but is yet to be completed. The report refined those
remaining actions and these will be tracked going forward.
2.3. As part of the transition, RMG were requested to conduct follow ups of all audits
conducted in 2012 so that POL IA would have a clear view of what is outstanding
and yet to be addressed as at June 30 2013. The following follow ups have been
completed
o POLSAP — POLSAP receives customer transactions from the Horizon
POS system in branches and computes branch balances, and settlement
information. Data is also fed onto the current financial system run by
RMG - ESFS upon which financial and management accounting is
based. Review followed up 11 issues identified from work in 2012. 8
cleared and 3 in progress. (Of which 1 has since been cleared. — Actions
remaining are minor.
o Horizon — Three items remain of which two are work in progress.
o Please see the separate IA measures paper showing the follow up
statistics for items brought forward from June 2013 and raised by post
June Audits to end of August 2013.
3. POL Internal Audit - Audit and advisory work
3.1 Branch Audit Function. The audit of the branch auditing function which is part
of Network Operations completed in late July and at time of writing is being
cleared with senior management in August. This is now to be further discussed
at the upcoming Executive Committee so that a full recommendation to the
shape of network auditing within overall POL auditing principles can be made by
management to the ARC.
3.2 Strategic Programme Management Office
« This audit focused on how the SPMO is managing the overall strategic
programme of change as part of Internal Audit’s project and programme
assurance work. The overall conclusions were a medium to high level of
assurance but 12 actions have been agreed to collectively:
Internal Audit update Malcolm Zack — Head of Internal Audit Page 2 of 6
12" September 2013
POL00397990
POL00397990
Strictly Confidential
o Strengthen Risk management discussions and general challenge
o Implement the lessons learnt tracking as required by the board paper on
benefits realisation tracking
o Improve documentation material
o Clarify remit and awareness of role of SPMO among stakeholders
* The one page Executive Summary is in appendix 2. The full report including the
risk assessment is available upon request.
3.3 Underway — due for clearance by October 2013.
¢ Software Licencing
e Identify and Access Management
o Asummary of the outcomes will be reported at the October or November
ARC
3.4 Advisory work.
Separate from designated Audit work, Internal Audit has conducted the following:
Information Security Policies
e The Information Security and Assurance Group have developed fourteen
information security policies. IA has provided detail feedback to assist the
finalisation of these policies.
Management Requests
« Where possible, the IA team will accommodate management requests providing
the risks are commensurate and resource is able to flex.
Logged requests
Segregation of Mails — assistance to approach.
Information Security Policies
Lessons from recent external review (Second Sight)
Financial Controls — governance template review for Finance Road Map
Support to the Business Continuity Plan developments for the Finance
Directorate. (Joint with Finance Governance Manager).
e Process “to be” workshops on HR SAP upgrade.
4. Project/Programme Assurance
Project Assurance is a key element of the Post Office Internal Audit strategy. An on-
going involvement in key high risk projects at project and steering level enables Internal
Audit to:
Identify potential risk and control issues early on.
Advise management and staff on potential solutions.
Provide steering groups with on-going assurance and challenge.
.
.
°
e Assist management in establishing risk management methods
Internal Audit update Malcolm Zack — Head of Internal Audit Page 3 of 6
12" September 2013
POL00397990
POL00397990
Strictly Confidential
e Ensure that appropriate controls are built in.
« Ensure key decision points such as gateways from stage to another or Go/No go
decisions are effectively managed
* Project Assurance began in April 2013 in the Core Finance System led initially by
the Head of Internal Audit.
e Since the arrival of Safia Saeed — Audit Manager Projects and Programmes day
to day leadership of the audit has been passed to Safia with support from the IT
Audit Manager on IT aspects.
e As project assurance is on-going, full audit reports along the lines of themed
audits are not produced. In contrast the team reports to the Programme Board
using “highlight reports” outlining work done and upcoming and any
recommendations made during the previous 4-6 weeks.
o The most recent published highlight report (July) recommended action to
improve the briefing of senior Finance team members so that they would
be in a better position to make decisions and approve the final business
process design meetings during August and that the risk management
processes and reporting be reviewed and upgraded. We have seen
evidence of the first action. There has been a change of programme
office management during July/August and Internal Audit will be assisting
this team with the second action.
e POL IA will be developing an overall assessment scorecard during Q3/4 for
major programmes/projects.
5. Risk Management
e The next stage of the Risk Management Strategy for 2013 was the first
Executive Committee Risk Workshop. This was facilitated by the Head of
Internal Audit and the Head of Risk Governance on June 18". It was followed by
a process of 1:1s with ExCo members and further ExCo meetings in July and
August.
« Although the original plan agreed with the ARC/ExCo was to commence
Directorate workshops following ARC review of the first Executive Level risk
map, this process got underway in August 2013.
o Workshops with Financial Services and Commercial have taken place
and whilst still finalising output have informed the Executive Level
assessment. The executive level assessment provided the top down
structure for these workshops.
e The risk mapping technique has also been implemented in the Finance Road
Map Programme and to assist a workshop for the actions arising from the
Second Site interim result.
e The results are documented in the separate agenda item. Internal Audit will
continue to support the development of the Risk Management Framework. This
is not in conflict with internal auditing standards which do specifically provide for
IA involvement in risk management framework and strategy development with
safeguards.
Internal Audit update Malcolm Zack — Head of Internal Audit Page 4 of 6
12" September 2013
POL00397990
POL00397990
Strictly Confidential
Status of Q2 activity and forward planning.
The audit projects and revised work plan is in the appendix
Due to the fluid nature of activity, the audit plan is reviewed on a quarterly basis to allow
higher risk items to be given priority or to accommodate requests from the business as
far as resources allow.
Q1/Q2 results
¢ Most of Q1/Q2 has been completed or commenced as planned in March 2013. The
changes are:
e Review of the Swindon Stores capability and Assessment of the Supply Chain
Compliance team moved to Q3 to accommodate the larger review of branch
auditing.
e The proposed short random check of POLSAP security has been put on hold
due to the positive results of the formal follow up. The review of the HRSAP
security (selected because audit activity in the last 2-3 years has not included
HRSAP) has been put on hold because HR are in the process of upgrading to a
new version of HR SAP. It will be more beneficial to review the set up nearer
implementation in 2014.
Forward Plan — Q3 activity.
It is proposed to complete and commence the following activities using a mix of
the IA team and its co-sourced support
To complete:
= Software Licencing and Identity & Access management audits.
To Commence during Q3
= Swindon Stores — (Planning underway)
* Treasury — application of policies and procedures. (First audit of the
function and processes since transfer from Royal Mail in 2012 -(planning
and risk assessment now underway)
Overall governance assessment of NTP — Programme Assurance
Second Sight — Implementation programme (MZ to lead with IA team)
Second Sight — Review (MZ to assist)
Benefits Realisation (management and methods)
On-going
e Finance Road Map Programme — Programme Assurance including risk
management, issue management, systems and UAT testing strategies.
e Support to the Risk and Compliance team in the risk management roll
out.
Other areas for ARC consideration
Internal Audit update Malcolm Zack — Head of Internal Audit Page 5 of 6
12" September 2013
POL00397990
POL00397990
Strictly Confidential
« The original candidate list presented in February was longer than the team
was likely to cover within the financial year. The ARC members are
requested to review the dashboard in the appendix and highlight any reviews
that should be given focus during Q3 or Q4.
Action requested
7.1 The committee is requested to note the activity and outcomes and direct as
necessary.
Malcolm Zack
12" September 2013
Appendices:
SPMO Executive summary.
Internal Audit — forward planning
Internal Audit - Summary time analysis
Internal Audit update Malcolm Zack — Head of Internal Audit Page 6 of 6
12" September 2013
Confidential
STRATEGIC PROGRAMME MANAGEMENT OFFICE
Audit Highlights and Opinion
POL00397990
POL00397990
@
Overall Assurance: -
Medium - High
The SPMO (Strategic Programme Management
Office) supports the Transformation Board (TB) in
overseeing and directing delivery of all major
change in support of the Post Office’s business
strategy. It aims to hold business leads to account
for project costs, benefits and delivery; review and
challenge project status reports and ensure
alignment with business strategy and other projects.
As part of our review we followed the monthly
SPMO cycle for July which included attending:
o Several delivery meetings between SPMO
and business/programme leads
o A Transformation Board meeting
o Across portfolio and programme meeting
We reviewed TB meeting materials and sources of
data. We also interviewed a sample of SPMO
stakeholders for their views
1) SPMO is a lean, skilled team comprised of
three individuals
2) The team demonstrates strong awareness
of major programmes and projects
3) Team members are respected by
stakeholders and seen as “go to” people for
advice on dependencies and stakeholder
management
4) SPMO provides feedback from TB meetings
to stakeholders which encourages
engagement
5) SPMO provides a strong focus on
programme/project finances
Opinion
Based upon the audit work undertaken a medium to
high level of assurance is given over SPMO activities
and controls.
In general the SPMO appears to be addressing its
objectives effectively. It engages well with
stakeholders to gather relevant information to
present and discuss with the TB. The report details
twelve recommendations to enhance and formalise
some of SPMO’s activities with specific focus around
Top Priority Agreed Actions
Risk Management and Lessons Learnt.
S
Risk management information and analysis
to be enhanced
2
Lessons learnt tracking to be implemented
2
Improvements to TB meeting materials
including disclosure of source data and
manual adjustments. Greater challenge to
be provided on KPI scores
1) There was a weak focus on
programme risk management and
lessons learnt tracking
2) Sources of data, data time periods
and manual adjustments were not
clearly shown in TB meeting materials
3) There was insufficient challenge on a
new KPI for the TB scorecard and
how it had been derived.
4) There were varying degrees of
stakeholder awareness of the remit of
SPMO and Transformation Board
5) There was a general perception
amongst the sample of stakeholders
we interviewed that SPMO focus is
weighted on programme finances
rather than delivery
6) There is no formal process for
tracking and following up actions
arising from TB meetings. Lists of TB
meeting attendees had not been
maintained as part of meeting
minutes
None noted
Executive Responsible
Distribution (date)
Prepared By
Susan Barton
Safia Saeed Reviewed By
Piers Virik, Stephen Hirst, Michael Brown. Cfl - Chris Day, Paula Vennells
Malcolm Zack
POL00397990
POL00397990
Confidential
Risk and Control Assessment
State of controls/processes managing the key risks under review
09-Aug-13 Risk and Control Dashboard
Risk that the SPMO is unable to effectively
support the Transformation Board in
overseeing and directing delivery of all
major change in POL.
As at~
Key Sub Risks to Manage
Project Alignment
Lessons learnt and post
delivery evaluations
There is a risk that issues
experienced from past
projects may be repeated as
Post Investment Reviews
(PIR) may not be performed
consistently and lessons
learned may not be formally
documented and shared
SPMO Independence and Resource
Risk Management []
There is a risk that There is a risk that TB may be
programme/project risks may unable to make key decisions due
not have been identified and to:
managed appropriately and - Inefficient processes (issues may
could adversely impact delivery not be escalated timely, or at all)
- Information provided by SPMO
may be insufficient, inaccurate or
incomplete
- Key metrics and performance
indicators may not be clearly
defined or consistently calculated
‘A process has been developed for
escalating issues to TB in a timely
manner
Reporting to Transformation Board []
There is a risk that projects
may proceed that are not
aligned with the strategic
objectives and other projects
There is a risk that Projects may
not be detivered on a timely basis,
within budget or may not achieve
stated objectives because SPMO
may not be independent enough to
provide sufficient challenge
Alessons learned review is
performed for each project
and shared with SPMO
Arisk log is maintained for each
programme/project and risks are
assessed for impact and likelihood
and prioritised. Action/mitigation
plans are identified for each risk.
The log is periodically reviewed and
updated.
SPMO is informed/made aware
of all projects, of which those
falling within its remit are
selected for review.
SPMO's role and remit is clearly
defined, documented and
appro+Fépriately approved
SPMO is aware of the business
case for each
programme/project in scope in
order to check alignment to
strategic objectives.
SPMO’ role and remit has been
clearly communicated to stakeholders
The SPMO team's workload and staff
resources are regularly reviewed
Key
Process in place but serious weaknesses
Process in place, some improvements neede
Process in place, no major issues
Not yet assessed
SPMO conducts focussed risk
discussion in monthly delivery
meetings with business and
programme/portfolio leads.
SPMO reports key
programme/project risk
information to TB in a timely and
consistent manner
There is an audit trail for all data
presented in TB packs. Data is clearly
presented (i.e. time period, date data
was collected, manual adjustments,
assumptions and sources are shown)
SPMO provides any further
information and/or performs actions
requested by TB in order for it to reach
decisions
A post investment review is
performed to assess whether
the project was delivered to
budget and whether it
achieved anticipated benefits.
SPMO shares lessons learned
(financial and operational) with
business and
programme/portfolio leads.
‘As at August 31 2013,
Updated Plan
[Completed
[Satistactory Progress:
[Active but behind schedule
[Considerable delay/Unsatistactory
[Cancelled or postponed
Planned Audits/eandidate List
Complete from 2012/13 plan
Master Data Reference review (RMG IA)
Joriginal Plan items
Management Bonus Plan - metrics (RMG IA)
Follow up 2012 audits (RMG IA)
NTP Financial Controls Reconciliation (RMG 1A)
IT Governance Review (RMG IA)
Cash Centre Audits - Observation of approach - level of assurance gained
from 2nd line defence team
LAN Security Review - Access and Identity Management
‘Swindon Stores review (pp to @2/Q3)
Benefits Realisation - Management and Methods
Management of the SPMO
Data Security - controls around protection of personal data,
Policy Compliance assessment - Anti- Bribery and AML.
Tr
\sury - Review of procedures and control framework
Network Auditing - Approach and methods (POL 1A)
Software Licence review
‘SAP Security - POL SAP - short random reviews
SAP Security - HR SAP
Eagle Contract - Application of controls and processes agreed.
Business Continuity - Readiness assessment
Systems Integrator- Review of Governance model employed.
Branch Audits and Losses
Transformed branches - review of value vs investment
Branch Profile Model - review of use
Foreign Exchange - management of end to end process.
Manchester Cash centre - management of closure
Information Security Governance - review of improvement plan and its
application
change management
Board effectiveness review/Executive Commitee Effectiveness.
A
aooooo>>
Panning
oa
nys
Dec?
Novibec?
(On Hold
nys
(On Hold
nys
isk Management Framework
Executive Risk Review
Finance Risk Update - May 2013
September ARC summary
Next stage of roll out - SLT/Directorate
Commercial & Marketing - 1st Risk workshop
Financial Services ‘st risk workshop
IMat Requests
IT Security Policies - review
iT general Controls document
Mails. - segregation and penalties
[Request to provide audit input to RAID documents for
NTP
[Financial Controls Framework
JCP suppor to Finance Directorate
[Does the ARC believe this is required
May be superceeded by current branch work
IBeing redesigned by the Security team.
[cancelled
NYS
os
[Does the ARC believe this is required
[Project Assurance
1. Finance Road Map Programme
2. Network Transformation Programme
3. 1T Change Programme
Deparment Development
1. Complete recruitment
2. Complete Co Sourcing Contract
5, Sot up Tempates'proformas
4. Set up recommendations tracking
5. Set up team objectives etc
Jo. Halt year reviews.
Ns
POL00397990
POL00397990
Time Analysis
To help manage the balance of resource across the team, a simple time database is
maintained. The team record time invested across various categories which are either
direct, client facing/involving activities or indirect activities (team management, training,
induction, internal team meetings etc).
The process commenced as at April 1 2013.
POL00397990
POL00397990
The time report for the team to 30" August is shown below. Only Garry Hooton and Malcolm
Zack were in situ for the whole period.
Type of work
Themed Audit
Induction
Project Assurance
Advisory
‘Administration
Development/Appraisals
Department Management(MZ only)
Risk Management Framework
FLT/SLT
Weekly team calls/Meetings
Audit Committee
Finance Directorate Meetings
Royal Mail Transition
Exeo/Risk Committees
Department Management
Recruitment
Fraud/Theftinvestigations
TOTAL
Commentary,
Hours to date Type
1001 Direct
391 Indirect
290 Direct
239 Direct
115 Indirect
105 Indirect
87 Indirect
79 Direct
49 Direct
42 Indirect
29 Direct
20 Direct
20 Direct
15 Direct
12 Indirect
12 Indirect
3 Direct
2506
Type, Hrs
Direct 1734 69%
Indirect 772 31%
2506
Time April to August 2013 (Hrs)
Direct
indirect
The % split of 69:31 direct to non direct work is as expected for the current stage of development
Time has been invested in set up including Induction for all three staff.
2 of the 3 staff did not arrive until part way through Q1
The desired split now that the team is past the transition is to move to 80:20.
Direct time is that time spent either directly on work or with customers/clients. Indirect is internal to IA only, training, appraisals «
POL00397990
POL00397990
Confidential
POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Internal Audit — Status of Agreed Actions
1. Purpose
The purpose of this paper is to:
1.1. Explain to the Committee how agreed actions arising from audits and advisory
activity are tracked and progress reported.
1.2 The committee is requested to note and provide directions as necessary.
2. Changes to process
2.1 As outlined in the June 5” ARC papers, the tracking of progress of
implementation of agreed actions was managed and reported by Risk
Compliance on behalf of the Royal Mail Internal Audit team and reported to
previous risk and compliance committee meetings.
2.2 As part of the transition to POL IA, POL IA will now track recommendations
status directly and will report status to the ARC. Royal Mail Internal Audit was
requested to conduct follow up audits on items audited in 2012 so that a position
as at 30 June could be confirmed.
2.3. Going forward a new report has been designed and is shown in the appendix.
Original agreed target dates are retained in the log even though it may be agreed
to re-set a target date. It is important for the business to remain aware that risks
identified from audit work have yet to be addressed if an action date is changed.
2.4 The report emphasises:
Implementations — because implementations by management in the previous
period indicate improvements to the control environment and management of risk
arising from audits/advisory work.
Period Movements — so that the business can understand the pace of change
Overdues/WIP — so that the business is aware of has been agreed but has not
met original target dates and hence risks still remain.
High risk items will be highlighted and ExCo members notified directly and in the
performance pack going forward.
2.5 As at June 30"
e 21 Actions were transferred into the new log as either work in progress or not yet
due.
Through the period July and August 2013:
e 22 actions were added through a mix of audit and advisory work that took place.
¢ 11 of the revised total of 43 items were implemented by management.
Recommendations Status Malcolm Zack — Head of Internal Audit Page 1 of 3
12" September 2013
POL00397990
POL00397990
Confidential
Of the 32 items carried forward, 21 are not yet due, 11 are overdue from original
target date but all are in progress.
« Some of these overdue items are within the information security area but the
original dates were agreed when Information Security was part of Security.
Since that audit, the function moved back to IT, there has been the external
reviews and the establishment of the Information Security Assurance function
and some changes of action point ownership. All of those items are in progress
and considerable effort has been made to improve overall control. The revised
dates are mainly targeted for December 2013 and are being closely monitored.
e The two rated as red risks (translated from RMG original report “priority 1”) are:
« Embedding the information security governance into the supplier
requirements for the remaining three towers. As contractual negotiations
are still ongoing this is expected to run into 2014.
¢ Completing the embedding of Information Security requirements into the
product and service projects being developed around the business. This
is underway.
3 ARC members action
e The committee is requested to note the status, the reporting methods going
forward and to provide direction as necessary
Malcolm Zack
12" September 2013
Appendix
Table and graphs.
Recommendations Status Malcolm Zack — Head of Internal Audit Page 2 of 3
12" September 2013
POL00397990
POL00397990
Confidential
Appendix
Overall Summary as at 2nd September 2013
Total Red Amber Green Implementations since July 2013
Total actions bfwd as at 30 June 2013 24 2 14 5
Implemented by Mgt -to 31st Aug (11) 6) 6)
Actions added (audits and advisory) 22 1 4 10
Carried Forward as at Sept 2nd 32 3 19 10 Cc)
Analysis of Carried forward Number implemented
Overdue - not yet started 0 0 0 0
Overdue - Work in progress " 2 7 2
Not yet due 24 1 12 8 Total to date
2 3 2 J Rating of action a time of aut
Audit Actions - Overdues - Trending by month Re Implementations - Trending by month
a Fatal =Total
—m Red Red
= Amber —- Amber
—a Green “= Green
Trend (3mth
——Trend (3mth
mov va) ___.mov avg)
July “Aug
Aug-13, 2013 Month implemented
Recommendations Status Malcolm Zack — Head of Internal Audit Page 3 of 3
12" September 2013
POL00397990
POL00397990
POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Internal Audit —- Technical Update for ARC members
1. Purpose
The purpose of this paper is to:
1.4 Summarise recent Governance, risk and audit announcements that may be of
relevance to the committee and of interest and help to members in fulfillment
of their audit committee duties.
1.2 If members of the committee require further information, POL IA will provide
the detailed papers or meet with members as requested.
1.3 Request ARC members to note the items raised and direct as necessary
2. Announcement by Financial Reporting Council — Direct use of Internal Audit
resources by External Auditors.
2.1 In the external financial audits conducted by E&Y on POL up to 2011/12, E&Y
have traditionally used RMG IA auditors to do/assist external audit work on
areas, most notably payroll. This is known as “direct assistance”.
e For 2012/13 year end and going forward, the POL HIA stated that this
support would not be provided by POL IA going forward because POL IA
had only a small team of three (compared to RMG 30+) and secondly the
POL IA team members were senior audit managers and using them on
what is generally considered to be audit work by junior personnel, would
not be an appropriate use of resources. This was agreed by the E&Y
partner.
¢ Since that time the FRC have stated that effective for external audits 2014
onwards, the use of internal auditors by external auditors directly on
external audit work is to be banned.
e¢ This does not preclude the external auditors reviewing internal audit
reports or internal audit workpapers and seeking to place some reliance
on IA work. This has always been an option for external auditors and is
not a new alternative. However, reliance may only be placed when the
work has been scoped and managed by the internal audit function.
(External audit may not direct the internal audit work that the IA function
may be undertaking as a result of its own internal audit plans and risk
assessments)
¢ The move has been undertaken to avoid conflicts of interest and a lack of
independence.
ARC - Techncial update Malcolm Zack September 12 2013
POL00397990
POL00397990
e This has been discussed with the E&Y partner and any planned reliance
(if any) anticipated by E&Y will need to be discussed with the ARC at the
presentation of the E&Y audit plans for 2013/14 at a future ARC.
3. FRC standard on external audit reports — Increasing transparancy of
external audit work.
The FRC has issued a revised external auditing standard (ISA 700) to
enhance transparancy in the auditors report by increasing
communication with investors. The Code is requiring Boards to:
Describe the work of the audit committee in the annual report
For the Auditor to report if the Board’s disclosures do not address
matters it has disclosed to the audit committee
Auditors to information the committee about significant audit
judgements it has made.
Effective for full reporting periods on or after 1 October 2012.
4. New code of guidance for internal auditing standards in the Financial
and Public sectors.
ARC — Techncial update
The Chartered Institute of Internal Auditors has issued two new codes
to improve the effectiveness and positioning of Internal Audit. These
seek to strengthen existing international standards especially for
Financial Services organisations in light of goverance issues arising
since the difficulties in 2008.
POL IA will be reviewing the guidance for any opportunities for
improvement.
Malcolm Zack
Head of Internal Audit
September 12 2013
Malcolm Zack September 12 2013
POL00397990
POL00397990
Strictly Confidential
POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE
Information Security and Assurance Group Update
1. Purpose
1.1 The purpose of this paper is to provide the ARC with an update on developments, progress, and
future plans for Information Security.
2. Background
2.1 Since our update to the ARC in June, we have been progressing with a number of tasks within
the Information Security remit and this paper is to advise, inform and assure the Committee on
the progress that has, and is being made.
* Progress following the Deloitte Review
e Progress on the Top 13 Data Assets
e Update on the new Organisational Model for Information Security and Assurance Group
e Post Office certification activity underway.
3. Progress following the Deloitte Review
3.1 We are continuing to embed the actions from the Deloitte review into our business as usual
activity, this is aligned with 1$027001'. Most Information Security Policies have now been
completed and accepted through all review groups, culminating in final acceptance by ExCo
members. Only one Policy, the Acceptable Usage Policy is subject to a Corrective Action Plan
and Business Case to mitigate risks, before it is re-presented. A demonstration of a secure
collaborative working tool will be presented mid-September 2013, which is the proposed
Corrective Action Plan for this policy.
The accepted Policies are now on the Intranet and have been communicated to all staff,
planning has started to incorporate the Policies into regular updates; validation, and also as
part of the induction of new starters.
3.2 All contracts; renewed and new continue to be tracked, including those negotiated through the
IT Transformation programme to ensure Information Security and Data Protection requirements
are being incorporated.
3.3 Information Security Training is almost complete for central locations, 2153 out of 2243 staff
have completed the e-Learning module; of the 90 outstanding staff 34 are on maternity leave
or long-term sick leave. The remaining 56 are being escalated to their managers.
Plans are three months ahead of schedule for the rollout to the network, which is expected to
be completed by the end of the September 2013. An Information Security Workbook is being
distributed on Monday 9" September 2013 for those colleagues within Networks that do not
have access to the online training via Horizon.
3.4 Awareness is being raised across our change community, to increase understanding and to
ensure Information Security and Assurance is included in Programme Initiation Documentation.
This activity is being repeated within Legal and other areas such as Financial Services.
'1$027001: An International Standard covering the specification and management of an organisation's
Information Security Management System. The guidelines and general principles for initiating,
implementing, maintaining and improving information security management within an organisation
Information Security and Assurance Group
Lesley Sewell/Julie George Page 1 of 3 September 2013
4.
POL00397990
POL00397990
Strictly Confidential
Progress on the Top 13 Data Assets
4.1 The Top 13 Data Assets continue to be tracked through the contract and renegotiation phases
(see 3.2) we are specifying Information Security and Assurance requirements which continue to
include:
4.2 A full Controls Framework review is being undertaken on the marketing database Brands’,
whi
ich is sponsored by Post Office Marketing Directorate and incorporates Information Security
and Assurance colleagues. This is expected to be concluded by Mid December 2013
See Appendix A regarding the progress on the Top 13 Data Assets.
5.
Information Security and Assurance Group
5.1 Recruitment has started to recruit three roles within the Group, this is intended to support the
future growth of the Post Office and provide a specialist and professional service into internal
programmes and projects. One of the roles is Privacy and Data Protection which is
transitioning from Risk and Compliance into Information Security and Assurance Group.
The Group is still under resourced which is a significant risk highlighted in the Group regular
reporting into Risk and Compliances’ Stratex tool, for presentation to the Risk and Compliance
Committee. The awareness of the Information Security and Assurance Group across the
organisation has increased demand for services and support which is proving difficult to fulfil.
6.
6.1 The
Post Office Certification Activity
re are a number of Information Security Certification projects underway:
e PCI/DSS Payment Card Industry Standard— Renewal on schedule for end of September
2013
* 18027001 Certification POLSAP* — Renewal scheduled for October 2013
e 1$027001 Certification Front of Office Government services, on schedule for new
certification 12 September 2013.
Certifications, such as the three listed above, provide:
© Competitive advantage when Post Office is bidding or gaining clients or partners —
particularly within the Government and Financial space
e Demonstrates to all of our stakeholders that Post Office take Information Security
seriously, and expect our partners or suppliers to do the same
e Provides the Post Office with a Corporate Information Security function by introducing a
recognised Industry best practice Information Security Management System that
provides a foundation for our business growth and feeds into Corporate Governance and
Risk requirements
Summary
The Committee is asked to note the positive progress and change which has been made.
The key areas for the next three months are:
? Brands is the Post Office Marketing Database containing all customer (personal data) and product
records.
° Post Office HR and Financial System
Information Security and Assurance Group
Lesley Sewell/Julie George Page 2 of 3 September 2013
POL00397990
POL00397990
Strictly Confidential
¢ The transitioning of Privacy and Data Protection into the Information Security and
Assurance Group, and the recruitment of 3 new roles into the new Organisational
Model
e The continuous process of raising awareness of good Information Security practice
across Post Office
e The Information Security due diligence within the Transformation and Change
programmes
e Continue the mitigation of the top 13 risk areas
e Complete the Information Security training and instigate an ongoing Information
Awareness Programme with HR
e Final sign off of the Acceptable Usage Policy and acceptance of the proposed
Corrective Action Plan.
Further updates will be provided to ARC and the Risk and Compliance Committee on a regular
basis.
Lesley Sewell/Julie George
September 2013
Appendix A - Progress on the Top 13 Data Assets
The following Suppliers are currently going through contract renewal and the information security
and data protection house position will be implemented:
e RAPP Brands — has now been signed
AON
Cap Gemini
St. Ives (part of the Rod Fishing License)
Cogent
BT Home Phone & Broadband (to be replaced by Fujitsu in September)
Existing contracts:
¢ Bank of Ireland
POCA / HP.
FRES
Fujitsu Horizon
Salesforce.com & Fujitsu
Fujitsu Home Phone & Broadband
CSC SAP HR
A risk based approach will be used which will be presented to the Risk and Compliance Committee:
e Supplier relationship (willingness to amend contract)
Contract duration (is it up for renewal soon)
Information Security & Data Protections risk level
Has the contract been amended recently (resistance to further changes)
Contractual restrictions regarding change
Information Security and Assurance Group
Lesley Sewell/Julie George Page 3 of 3 September 2013
POL00397990
POL00397990
Strictly Confidential
POST OFFICE LIMITED AUDIT, RISK & COMPLIANCE SUB-COMMITTEE
Interim Report for the half year ended 29 September 2013
1. Purpose
The purpose of this paper is to:
14
Invite the Post Office Limited Board Audit Risk and Compliance Sub-
Committee to review the template for the Post Office Limited Interim Report
for the half year ended 29 September 2013 and to consider the key messages
that this Interim Report will contain.
2. Background
24
2.2
2.3
24
2.5
In August 2013 the Post Office published its first set of full year consolidated
financial statements prepared under International Financial Reporting
Standards (IFRS). These financial statements were of a ‘FTSE 100’ standard.
In order to maintain this standard it has been decided that the Post Office will
publish an Interim Report for the half year ended 29 September 2013 which is
fully compliant with IFRS.
A template Interim Report document is attached to this paper; this is intended
to show the proposed layout and content of the Post Office Limited Interim
Report for the half year ended 29 September 2013. This will be the first time
the Post Office has produced an Interim Report which is fully IFRS compliant.
This Interim Report will therefore contain significantly more information than
was included in the Trading Statement that was produced in relation to the
September 2012 half year.
This template Interim Report has been through an initial review by Ernst &
Young and their feedback incorporated. This was not a full technical review;
this will be carried out following the half year end. The full review is expected
to necessitate further changes to the Interim Report. This template Interim
Report is intended to act as a guidance document only to allow the committee
to view at an early stage the layout and proposed content.
The half year financial information and the items highlighted in yellow are yet
to be confirmed and will be finalised following the half year end and the
conclusion of the audit process.
3. Interim Report approach and plan
3.1
3.2
Interim Report
The Interim Report is planned for publication in November against the
backdrop of tight budgetary control within the company, a difficult external
economic environment which is putting pressure on margins and discussions
with Government around future strategy and post-2015 funding positions.
We have developed the messages and content by working closely with a
comprehensive range of stakeholders and contributors from across the
business to ensure it accurately reflects the progress we have made.
Chris Day Page 1 of 3
September 2013
3.3
3.4
POL00397990
POL00397990
Strictly Confidential
The proposed key messages to be contained within the Interim Report are as
follows:
As we stressed at the year end, the Post Office is in the midst of a significant
transformation, it is inevitable that we face challenges in this context and against
the backdrop of difficult economic conditions on the high street. (Note that this will
only be said once).
Whilst Mails and Retail revenue is down year on year in the first six months, we
are working hard to address this.
Financial Services revenue is up year on year and on track with plans that this
area will grow as we further establish this element of the business (reference to
current account).
Telecoms revenue has continued to grow year on year and Government Services
performance is in line with plan.
we have confidence in our strategy and continue to deliver business turnaround.
We have a project plan which is being led by the Communications team
working closely with Finance. The current timeline is:
* 31 October — Board meeting reviews key messages, provides comments
and delegates finalisation to a Sub-Committee, the quorum for which to be
comprised of any three of Alice Perkins, Paula Vennells, Chris Day and
Alasdair Marnoch
+ 6 November - ARC meeting reviews Interim Report and will be asked to
recommend that the Board Sub-Committee approves the Interim Report.
Comments received from ARC
* 7-8 November - Further amendments made following ARC feedback
* 11 November - updated draft circulated to Board members, Royal Mail
and Shex for comment
+ 13 November - final comments received and updates made
+ 18 November — Board sub-committee approves final version for
publication.
* 19-22 November — date to be confirmed - publication
4. Proposal
44
42
The Communications team is proposing to produce the report in house with
no external agency involvement. The Interim Report will only be available
online as a pdf document.
The Interim Report is significantly shorter than the full year financial
statements. The structure of the report is designed to flow from the headline
statements from the Chairman (300 words) and CEO (500 words) through to a
Business review which contains operational and financial information. This is
followed by the financial reporting element which will include key financial
statements and a selection of explanatory notes.
Interim Report Chris Day Page 2 of 3
September 2013
POL00397990
POL00397990
Strictly Confidential
5. Recommendation
5.1. The Post Office Limited Board Audit Risk and Compliance Sub-Committee is
asked to:
e Note the proposed layout, content and key messages for the Post Office
Limited Interim Report for the half year ended 29 September 2013 and provide
any comments to Chris Day and Mark R Davies by Friday 20 September; and
e Note the proposed timetable.
Interim Report Chris Day Page 3 of 3
September 2013
POL00397990
POL00397990
Post Office Limited
Registered Number 2154540
Post Office Limited
Unaudited interim condensed
consolidated financial statements
29 September 2013
Yellow highlighting = TBC
POL00397990
POL00397990
Post Office Limited
(300 words)
(500 words)
To include financial and operational detail on our pillars:
Mails & Retail
Financial Services
Government Services
Telecoms
0000
POL00397990
POL00397990
Post Office Limited
Interim condensed consolidated income statement
Half year to29 Half year to 23
September 2013 September 2012
Unaudited Unaudited
Notes £m £m
Continuing operations
Turnover 501
Network Subsidy Payment 103
Revenue 604
People costs excluding restructuring costs (128)
Other operating costs (437)
Share of post tax profit from joint ventures and associates 22
Operating profit before exceptional items 61
Operating exceptional items 4 (10)
= government grant 35
~ restructuring costs (24)
= other (21)
Operating profit 54
Profit on disposal of property, plant and equipment 2
Loss on sale of associate (30)
Profit before financing and taxation 23
Finance costs (2)
Finance income 1
Net pensions interest 1
Profit before taxation 23
Taxation credit 5 Tec
Profit for the period from continuing operations TBC
Interim condensed consolidated statement of comprehensive income
Post Office Limited
POL00397990
POL00397990
Half year to 29 Half year to 23
September 2013 September 2012
Unaudited Unaudited
£m £m
Profit for the period from continuing operations TBC
Other comprehensive income:
Remeasurements on defined benefit surplus (32)
Income tax effect -
Total comprehensive income for the period TBC
There are no other comprehensive income items that will be reclassified to the profit and loss in subsequent periods.
POL00397990
POL00397990
Post Office Limited
Interim condensed consolidated statement of cash flows
Half year to 29 Half year to 23
September 2013 September 2012
Unaudited Unaudited
Notes £m sm.
Cash flows from operating activities
Operating profit before exceptional items 61
Adjustment for:
Depreciation and amortisation -
Share of profit from joint ventures and associates (22)
Pension operating costs 13
Working capital movements: %
(Increase)/Decrease in trade and other receivables (10)
Increase in trade and other payables 108
Increase in inventories (3)
Increase/(Decrease) in non-exceptional provisions a
Pension operating costs paid (13)
Cash receipts/(payments) in respect of operating exceptional items: 213
Government grant
Restructuring costs
(Other
Net cash inflow from operating activities
Income tax recovered i
Cash flows from investing activities
Investment in associate (11)
Dividends received from joint ventures and associates -
Finance income received -
Proceeds from sale of property, plant and equipment 2
Proceeds from disposal of associate 2
Purchase of non-current assets (20)
Net cash (outflow) from investing activities (27)
Net cash inflow before financing activities 332
Cash flows from financing activities
Finance costs paid (2)
Payments to finance lease creditors (2)
(Repayment)/proceeds from bank borrowings (250)
Net cash (outflow) from financing activities (254)
Net increase in cash and cash equivalents 78
Effect of exchange rates on cash and cash equivalents -
Cash and cash equivalents at the beginning of the period 820
Cash and cash equivalents at the end of the period 898,
Post Office Limited
Interim condensed consolidated balance sheet as at:
POL00397990
POL00397990
29 September 31 March
2013 2013
Unaudited Audited
Notes £m £m
Non-current assets
Intangible assets -
Property, plant and equipment a
Investments in joint ventures and associates 60
Retirement benefit surplus 6 97
Trade and other receivables 10
Total non-current assets 178
Current assets
Inventories 8
Trade and other receivables 352
Cash and cash equivalents 971
Financial assets - derivatives 1
Total current assets 1,332
Total assets 1,510
Current liabilities
Trade and other payables (874)
Financial liabilities - interest bearing loans and borrowings (291)
~ obligations under finance leases (3)
Provisions (29)
Total current liabilities (2,187)
Non-current liabilities
Financial liabilities - obligations under finance leases (4)
Other payables (24)
Provisions 2)
Total non- current liabilities (35)
Net assets 288
Equity
Share capital -
Share premium 465
Retained earnings (479)
Other Reserves 2
Total equity 288
Post Office Limited
Interim condensed consolidated statement of changes in equity
For the half year ended 29 September 2013
Retained
Share earnings Other Total
premium £m reserves equity
Notes £m £m __£m
At 1 April 2013 (unaudited)
Profit for the period
Remeasurements on defined benefit surplus
Income tax effect
At 29 September 2013 (unaudited)
For the half year ended 23 September 2012
Retained
Share earnings Other Total
premium £m reserves equity
Notes £m &m £m
At 26 March 2012 (unaudited) 465 (552) 47 (40)
Profit for the period - 23 - 23
Remeasurements on defined benefit surplus - (32) - (32)
Transfer of pension deficit to government - 286 - 286
Sale of interest in associate - 45 (45) -
Income tax effect - =
At 23 September 2012 (unaudited) 465 (230) 2 237
POL00397990
POL00397990
POL00397990
POL00397990
Post Office Limited
Notes to the interim condensed consolidated financial statements
1. Basis of preparation and changes to the Group’s accounting policies
The interim condensed consolidated financial statements of Post Office Limited and its subsidiaries (collectively, the Group) for the half year
ended 29 September 2013 were authorised for issue in accordance with a resolution of the directors on XX November 2013.
Basis of preparation
These interim condensed consolidated financial statements for the half year ended 29 September 2013 have been prepared in accordance
with IAS 34, ‘Interim Financial Reporting’ as adopted by the European Union. This report should be read in conjunction with the Group's
Annual Report and Accounts 2013, which have been prepared in accordance with IFRSs as adopted by the European Union
i
New standards, interpretations and amendments adopted by the Group
The interim condensed consolidated financial statements have been prepared in accordance with the accounting policies set out in the
Group's Annual Report and Accounts 2013, except for the adoption of new standards and interpretations effective as of 1 April 2013.
The Group applies, for the first time, IAS 19 (Revised 2011) Employee Benefits. This has not required restatements of previous financial
statements as the effect of the application of IAS 19R is not material in the opinion of the Directors. IAS 19R includes a number of
amendments to the accounting for defined benefit plans, including actuarial gains and losses that are now recognised in other comprehensive
income (OCI) and permanently excluded from profit and loss; expected returns on plan assets that are no longer recognised in profit or loss.
instead, there is a requirement to recognised interest on the net defined benefit asset in profit or loss, calculated using the discount rate used
to measure the defined benefit surplus, and; unvested past service costs are now recognised in profit or loss at the earlier of when the
amendment occurs or when the related restructuring or termination costs are recognised. Other amendments include new disclosures, such
as, quantitative sensitivity disclosures.
In the case of the Group, the transition to IAS 19R and the difference in accounting for interest on plan assets and unvested past service costs
has not had a material impact on the net defined benefit plan surplus. The Group has not early adopted any other standard, interpretation or
amendment that has been issued but is not yet effective.
2. Principal risks and uncertainties
The principal risks and uncertainties which could impact the Group for the remainder of the current financial year remain those detailed on
pages XX and XX of the Group's Annual Report and Accounts 2013, a copy of which is available on the Group's website at XXXX. These risks
remain relevant for the current financial year.
POL00397990
POL00397990
Post Office Limited
3. Segmental reporting
The Group's operating segments have been identified as Mails & Retail, Financial Services, Government Services, Telecoms and other. The
performance of these segments in the half year ended 29 September 2013 has been discussed further in the Business Review on page XX.
Performance is assessed based on net revenue. This is calculated using segmental revenue less the directly attributable costs of delivering the
service or product. Assets and liabilities as recognised on the Group balance sheet are not considered to be segmental assets or liabilities but
rather are managed by the Group's central functions
Directly
Attributable Net
Half year to 29 September 2013 Revenue Costs Revenue
£m £m £m
Mails & Retail
Financial Services
Government Services
Telecoms
Other
Sub total
Network Subsidy Payment
Total
Directly
Attributable Net
Half year to 23 September 2012 Revenue Costs Revenue
£m £m £m
Mails & Retail 196 (3) 193
Financial Services 138 - 138
Government Services 84 (15) 69
Telecoms 63 (40) 23
Other 20 : 20
Sub- total 501 (58) 443
Network Subsidy Payment 103 : 103
Total 604 (58) 546
3. Segmental reporting continued
POL00397990
POL00397990
Post Office Limited
A reconciliation between underlying segment net revenue and profit before taxation is provided below:
Underlying segment net revenue
Indirect costs
Share of post tax profit from joint ventures and associates
Half year to 29 Half year to 23
September 2013 September 2012
546
(507)
22
Operating profit before exceptional items
Operating exceptional items
61
(20)
Operating profit
Profit on disposal of property, plant and equipment
Loss on sale of associate
51
(30)
Profit before financing and taxation
Finance costs
Finance income
Net pensions interest
Profit before taxation
23
Seasonality of operations
Due to the seasonality of the XX segment higher revenues are usually expected in the XX half of the year. This is mainly attributed to XX. This
information is provided to allow for a better understanding of the results, however management has concluded that this does not constitute
‘highly seasonal’ as considered by IAS 34
POL00397990
POL00397990
Post Office Limited
4, Operating exceptional items
These are items of income and expenditure arising from the operations of the business which, due to the nature of the events giving rise to
them, require separate presentation on the face of the income statement to allow a better understanding of financial performa nce
Half year to 29 Half year to 23
September 2013 September 2012
£m £m
Government grant 35
Business transformation -
Network transformation including subpostmasters compensation (14)
Restructuring - severance (6)
- other (4)
Impairment of intangible assets (10)
Impairment of property, plant and equipment (44)
Total operating exceptional items (10)
5. Taxation
The overall taxation (credit)/charge in the income statement is calculated by applying the tax rate that would be applicable to the
expected total annual earnings to the reported interim profit.
The major components of income tax in the interim condensed income statement are:
Half year to 29 Half year to 23
September 2013 September 2012
£m £m
Corporation tax credit for period
Tax under provided in previous periods
Current tax
Deferred tax credit relating to the origin and reversal of temporary differences
Income tax credit reported in the condensed consolidated income statement
Post Office Limited
6. Pensions
The Group participates in pension schemes as detailed below:
POL00397990
POL00397990
Name Eligibility
Royal Mail Pension Plan (RMPP) UK employees Defined benefit
Royal Mail Senior Executive Pension Plan (RMSEPP) UK senior executives Defined benefit
Royal Mail Defined Contribution Plan (RMDCP) UK employees Defined contribution
The charge in the interim condensed consolidated income statement for the defined contribution scheme and the Group contributions to this
scheme was £Xm in the half year to 29 September 2013, and payments of £XXm were made in respect of future service contributions,
nearly all relating to RMPP. The regular future service contributions for RMPP, expressed as a percentage of pensionable pay, has remained
at 17.1%.
The following disclosures reflect the Post Office Limited sectionalised RMPP scheme which is independently operated by the Group
Disclosures in relation to Post Office Limited's approximately 7% share of RMSEPP (which is operated by Royal Mail Group Limited) have been
excluded as they are not considered to be significant to the interim condensed consolidated financial statements.
IAS 19R has been applied retrospectively from 26 March 2012. As a result, expected returns on plan assets of defined benefit plans are not
recognised in profit or loss. Instead, interest on net defined benefit surplus is recognised in profit or loss, calculated using the discount rate
used to measure the net pension surplus. The impact of transition to IAS 19R retrospectively is not material to the Group, and therefore no
restatement has been required.
a) Major long-term assumptions
At 29 September 2013 At 31 March 2013
%pa %pa
Rate of increase in salaries 43
Discount rate 48
Inflation assumption (RPI) 33
Inflation assumption (CPI) 23
Demographic assumptions, for example mortality, remain unchanged from those made in March 2013.
b) Plans’ assets and liabilities
The plan assets and liabilities were:
Market value
At 29 September 2013 At 31 March 2013
Sectionalised RMPP_ £m £m.
Fair value of assets 243
Present value of liabilities (144)
Surplus in plan before IFRIC 14 adjustment 99
Less IFRIC 14 adjustment (3)
Surplus in RMPP plan after IFRIC 14 adjustment 96
Surplus in plan for the Post Office Limited 1
share (at approximately 7%) of RMSEPP
Post Office Limited
6. Pensions continued
c) Movement in plans’ assets and liabilities
Changes in the present value of the defined benefit pension surplus are analysed as follows:
At 29 September 2013
Sectionalised RMPP- £m
POL00397990
POL00397990
At 31 March 2013
£m
Opening net retirement benefit surplus/(deficit)
Current service cost
Movement in company contributions accrued
Curtailment costs
Net financing credit
Employers contributions
Actuarial gains/losses
Closing net retirement benefit surplus
7. Net debt
Asummary of the Group's net debt position (excluding network cash) is shown below:
At 29 September 2013
£m
At 31 March 2013
£m
Cash equivalents:
- Short term bank deposits
- Money market fund investments
Financial liabilities:
~ Obligations under finance leases (current)
~ Interest bearing loans and borrowings (current)
= Obligations under finance leases (non current)
6
86
(3)
(291)
(4)
Net debt
(206)
Net debt has decreased overall by XX during the half year ended 29 September 2013 as shown in the table below.
£m
Net debt brought forward at 1 April 2013
Net cash inflow before financing activities
Deduct increase in cash in the network included within net cash inflow
Finance costs paid
(206)
Net debt carried forward at 29 September 2013
POL00397990
POL00397990
Post Office Limited
8. Related party disclosures
There have been no material changes to the related parties listed in the Group's Annual Report and Accounts 2013. Alll related party
transactions arise during the ordinary course of business and are on an arm's length basis and are detailed below.
Amounts Amounts
Sales/recharges Purchases/ owed from related owed to related
to recharges from party including party including
related party related party outstanding loans outstanding loans
2013 = 2012 2013-2012 2013 «2012 2013 = 2012
Half year to September: £m £m £m £m £m £m £m £m
Royal Mail Group Limited
Midasgrange Limited
First Rate Exchange
Services Holdings
Limited
The Group trades with numerous government bodies on an arm's length basis. Transactions with these entities are not disclosed owing to the
significant volume of transactions that are conducted. Separately, the Group has certain loan facilities with government, and receives a
government grant and the Network Subsidy Payment from government. There were no material transactions or balance between the Group
and its key management personnel during the half year ended 29 September 2013
POL00397990
POL00397990
Post Office Limited
The Board of Directors to Post Office Limited
Introduction
We have reviewed the accompanying interim condensed consolidated balance sheet of Post Office Limited and its subsidiaries (the
Group) as of 29 September 2013 and the related interim condensed consolidated statements of income, comprehensive income,
changes in equity and cash flows for the six month period then ended and the explanatory notes. Management is responsible for the
preparation and presentation of these interim condensed consolidated financial statements in accordance with IAS 34 Interim Financial
Reporting (IAS 34). Our responsibility is to express a conclusion on these interim condensed consolidated financial statements based on
our review.
Scope of review
We conducted our review in accordance with International Standard on Review Engagements (UK and Ireland) 2410 Review of Interim
Financial Information Performed by the Independent Auditor of the Entity. A review of interim financial information consists of making
enquiries, primarily of persons responsible for financial and accounting matters, and applying analytical and other review procedures. A
review is substantially less in scope than an audit conducted in accordance with International Standards on Auditing and consequently
does not enable us to obtain assurance that we would become aware of all significant matters that might be identified in an audit.
Accordingly, we do not express and audit opinion
Conclusion
Based on our review, nothing has come to our attention that causes us to believe that the accompanying interim condensed consolidated
financial statements are not prepared, in all material respects. in accordance with IAS 34.
Angus Grant
for and on behalf of Ernst &Young LLP
London
[Date]