Post Office Ltd'— Strictly Confidential
RISK AND COMPLIANCE COMMITTEE
08 November 2005 — Meeting Ref 06
Members:
Sit Mike Hodgkinson (Chair)
Peter Corbett
lan Anderson
In Attendance
Rod Ismay
Alwen Lyons
Keith Woollard
Secretary
Michael Dadra
Apologies
Alan Cook
Steve Sims
John Scott
SUMMARY ACTION POINTS
POL00021419
POL00021419
ITEM
ACTION
LEAD
0601
Martin Ferliric. to attend next. meeting to: outline’ Audit Risk
Model review: (Refer'to preceding.action 0503)
MD
0602
Graham Halliday to be invited to attend next meeting for
discussion on Compliance Framework :
0603
Irrelevant I
I 0604
Provide monthly report on IMPACT : status, including: .
e Fraud identification ‘data, MI and auditability of accounts
e@ Summary of POLs requirements, what is being delivered
and whether that is better or worse than before
e Progress update and actions
The report then to be copied to Compliance Committee
members monthly, and subsequently to the Royal Mail Audit &
Risk Committee and to Ernst & Young
RI to liaise
with Vicky
Noble — for
delivery
0605,
Update Committee on outcome of Branch Audit alt Year
Report recommendation concerning ownership and analysis of
cash data.
RI
0606
Feed back to RI on the data mining techniques HM Revenue
and Customs use
KW
0607
Recruit,2 internal auditors
0608
0609
Irrelevant
Post Office Ltd — Strictly Confidential
POL00021419
POL00021419
0610
Reschedule CIT risks and controls agenda: item for next
meeting and increase duration by 30 minutes
MD
0611
Schedule next year's meetings, aligning to Post Office Ltd
Board meetings as well as half year and full year reporting
dates
MD
1.
MINUTES FROM LAST MEETING
Meeting Ref 05 - minutes approved.
2,
STATUS OF ACTIONS FROM THE PREVIOUS MEETING
ITEM
ACTION AND UPDATE:
LEAD
0501
0502
Further correspondence required with DWP regarding
dissatisfaction at products anti-fraud features and liability, and
follow on to paper on cash cheques referred in.0407.
Correspondence crystallized in terms of reference for joint
working party between Post Office Ltd and Alliance & Leicester
on. this. Terms include consideration of product re-engineering,
security and the:. process .ahd timescales for dealing with
liabilities.
‘counterfeits, despite the contract’migrating from DWP to. A&L:.
encashment procedure continue ~— Operational focus articles
issued week 22 and 25 to all Post Office branches.
Lastly, the Product and Accounting team in Chesterfield are
Pursuing persistent offenders for restitution of lost monies due
Irrelevan
A-UY lamp trial is planned to-follow.after the Christmas period. I: :
DWP to provide £25: rewards to counter staff for impounding I’
Communication to branches to faise awareness of the proper I-
RI
Closed
0503
Branch segmentation to identify underlying high-risk branches
and a plan of how they could all be audited in a 3-year period.
National Audit Manager to: attend next meeting following
review of risk model.
Closed to
new action
0601
0504
Update compliance matrix for branch audit compliance
coverage:
Kw
POL00021419
POLOO021419
Post Office Ltd — Strictly Confidential
The table was. intended to show current accountabilities in the I CF to next
business for each compliance driven requirement. mtg,
agenda
Branch Audit contributes data about compliance but they are I item:
not responsible for managing or enforcing compliance.
0505 Update compliance matrix with lead owners for each row. and I KW
column, aligned to the Post Office Ltd organisation chart. CF to next
. mtg,
Future allocation of compliance accountabilities is being I agenda
reviewed. ___I item:
0506 Update compliance matrix to make ‘Training’ more explicit I KW
and with cofe lead role through Sales lines in the Chief
Operating Officer's Directorate. , CF to next
mtg,
Future. allocation of compliatice accountabilities is, being I agenda
reviewed. A item.
0507. —f
0508
€
0509
0510
0511
0512 Conclude on TUPE risks raised in former discussions about. RCS
branch cover.
Closed
The risk previously discussed was about TUPE being an issue if
Post Office Ltd had to put its own staff in to manage the
_branch.
POL00021419
POL00021419
Post Office Ltd —-Strictly Confidential
Service consider that they are demonstrating that replacement
subpostmasters are found with satisfactory timescales, that the
NFSP advises such interim’s about TUPE and that TUPE is not
therefore a risk to Post Office Ltd in this situation.
3.
MATTERS DISCUSSED AT THE MEETING AND NEW ACTIONS REQUESTED
The issues discussed included the following items (which are expanded on as shown):
31.
a2
33
34
35
3.6
37,
38
Actions from previous meetings -
Committee terms of reference and communication
IMPACT project status
Branch Audit findings and Investigation activity
Banking and Financial Services compliance
Vital few controls— assurance plan
Cash in Transit controls and risks
AOB
"3.1 Actions from previous meetings
3.2 Committee terms of reference and communication
Proposed terms of reference were circulated following agreement by Post Office.Ltd
Board without any further amendments or comments.
POL00021419
POL00021419
Post Office Ltd — Strictly Confidential
3.3 IMPACT project status
IMPACT has several problems but work arounds are in place for servicing clients.
There are issues with system response times, mapping between systems, data
interfaces, and ability to get accurate Management information. A team from SAP
are currently supporting Post Office Ltd to resolve the issues.
Action-0604 ;
Provide monthly report on IMPACT status, including:
e Fraud identification data, MI and auditability of accounts
© Summary of POLs requirements, what is being delivered and whether that.is
better or worse than before
© Progress update and actions.
The report then to be copied to Compliance Committee members monthly, and
subsequently to the Royal Mail Audit & Risk Committee and to Ernst.& Young
3.4 Branch Audit findings and Investigation activity
Losses are £1m lower than last year at period 6, This reflects no repetition of the two
frauds at Blackwood and Sevenoaks, which totalled £1m last year. In the £25k-£100k
loss range, however, the 13 cases this year are similar to last year. =
Positive action has been taken through Branch Control since last year. This has
reduced the incidence of “suspense accounts’ being abused to conceal fraud.
. “However, there is an increase in the number of losses covered up by inflating cash
figures. IMPACT will in the longer term improve cash MI here, but short'term actiori: 7
is neéded between teams‘involvéd in cash to i improve the analysis and ‘clean up’ of ‘
data.
Improvements in compliance. results for Anti-Money Laundering, though training
records still an issue for both FS and AML.
Financial Investigator now trained, passed exams and in place.
Action 0605
Update Committee on outcome of Branch Audit Half Year Report recommendation
concerning ownership and analysis of cash data.
POL00021419
POL00021419
Post Office Ltd — Strictly Confidential .
Action 0606
Feed back:to RI on the data mining techniques HM Revenue and Customs use.
3.6 Vital few controls — assurance plan
Key controls audits and product audits have been commenced and a more’formal
reporting plan drafted. The Committee asked about the limited resource in this-area
and agreed 2 new recruits should be taken to expand audit management and data
analysis:capability.
- 6 areas(DVLA, Agents Pay, Network Reinvention.Payments, T.&S, Expenditure Cards
and:Revenue) were noted.as'being.in'the final stages of.reporting: .
On:T&S, the audits had:confirmed control failures: aroha ‘authorisation:and a'lack,of
escalation of inappropriate: claim: Hay
On purchasing cards, the Committee noted that the business:may be planning more
usage ‘of such cards. Cost / benefit decisions would be necessary about.controls, but
Clear communication of policy and sanction (including dismissal) would be necessary
to deal with non compliance.
Action 0607 :
Recruit 2 internal auditors.
3.7 Cash in Transit controls and risks
Cancelled at short notice due to a business incident. To be revisited at next meeting.
Action 0610
Reschedule CIT risks and controls agenda item for next meeting and increase
duration by 30 minutes.
POL00021419
POL00021419
Post Office Ltd — Strictly Confidential
4 ANY. OTHER BUSINESS
Frequency of meeting was discussed and it was agreed that.4 meetings to be held a
year with scope to increase if need to meet.
Action 0611
Schedule next year's meetings, aligning to Post Office Ltd Board meetings as well as
half year and full year reporting dates.
5. DATE OF NEXT MEETING
To be scheduled and communicated.
Risk and Compliance: Late Jan Late March — Early Sept Early Dec
committee to meet
POL Board dates 16" Feb 25 April 18 Oct 20 Dec
CRMG Feb May Nov Feb ~
Agendaiitems - pi
Mins and actions X Xx X Xx *
Branch Audit & : X y . xX x x
Investigations .
FS & AML x x x X s
Compliance . x
frameworks*
VFC — Key controls / ; xX xX x x
internal audit :
Half yearly.corporate x x
tisk returns
Special
presentations/topics
aT Extra 30 mins
*Compliance Frameworks — regulated products, approved. to sell, capability to sell and
compliance frameworks (inc mails integrity, FS, Phones).