POL00021420
POL00021420
Post Office Ltd - Strictly Confidential
RISK AND COMPLIANCE COMMITTEE
22 March 2006 — Meeting Ref 08
Members:
Sir Mike Hodgkinson (Chair)
Peter Corbett
lan Anderson
In Attendance
Rod Ismay
Keith Woollard
Apologies
Alan Cook
SUMMARY ACTION POINTS
ITEM ACTION LEAD.
0801 “Fraud and control’ to be a formal agenda item at the-next meeting, and I Rod Ismay
to include the implications of different methods of payment.
0802 !
0803 i
0304 I I
0805 I
0806 I
0807 —*& '
0808
0809 i I t
renner pre nnarneryeunineinesur nnn ennrenunanemenewur nnn
0810 Following appointment as Managing Director; Alan Cook'to.resign from Rod Ismay
this Committee.
Pagel of 8
POL00021420
POL00021420
Post Office Ltd - Strictly Confidential
1. MINUTES FROM LAST MEETING
Meeting Ref 07 - minutes-approved.
2, STATUS OF ACTIONS FROM THE PREVIOUS MEETING
EM [ACTION TUEAD I
0701 ”
0702
0703
Page 2 of 8
POL00021420
POL00021420
Post Office Ltd — Strictly Confidential
- I I t
0705 ly: largest shortages'revealed at.audit to. identify if I Martin Ferlinc
the.shortages Camé.as a surpriseito Service team personnel.
Current year audits with shortages > £25k were reviewed: Closed
During this 11. month period, there were 32 such audits of which 6 (19%)
were prompted by concerns raised by Service: As Service had not raised
any concerns for the remaining branches, it would indicate that the
financial results.c
0706
0707
i oe = ~ rs
0708 Update IMPACT audit report for progress up to end of period 11 before I Rod Ismay
further circulation. =
RI to give update at meeting. a Closed
0709 Update Royal Mail Internal Audit & Risk Managemient’ with the. I Rod Ismay
committee's observations on the list of potential areas for audit in
2006/07
Done. IA&RM agreed that relevant programmes to consider for audit’ I Closed
would be the initiatives arising from Rainbow, not Rainbow itself.
0710 Advise Rod, by exception, of any issues re:Investigations.note: Committee
. members
No further comments received Closed
0711 Defer “Audit Charter and Third Party Audit Requests’ to next meeting Rod Ismay
Agenda item at next.meeting. Closed
Brought Forward From 8 November 2005
ITEM. ACTION LEAD
0605 Update Committee on outcome of Branch Audit Half Year Report I RI
recommendation concerning ownership and analysis of ‘cash data. Ongoing
Ultimate owner agreed as Peter Corbett. Additional MI activity within the
curfent “Retail Inventory’ team in Operations:is explained in Appendix 3 to
the briefing pack for the March Committee and responds to a recent
series of cash losses in February and March 2006.
Following OD (Organisational Design) changes to cash ownership will be
addressed by new responsibilities within Finance.
Page 3 of 8
POL00021420
POL00021420
Post Office Ltd - Strictly Confidential
3. MATTERS DISCUSSED AT THE.MEETING.AND.NEW ACTIONS REQUESTED
The issues discussed included the following items (which are expanded on as shown):
3.1 Actions from previous meetings
3.2 IMPACT project status
a3 Method of payment for products in branches
34 Business control
3.5 Updates and plans from Branch Audit.and from Investigations
3.6 Regulatory compliance.
3.7 Year end group reporting — risks. and controls
38 Third party audit requests and.audit charter
3.1 Actions from previous meetings
All actions brought forward were agreed as closed with the exception of:
longer term ownership and prioritisation to. be addressed within OD
Irrelevant seeceeenneed
3.2. IMPACT project status
Peter submitted'a status report'to the Royal Mail Audit & Risk Cornmittee (ARE) in March. ‘The ARC:
noted'the report and.did not raise.any questions:
Post Office:Ltd recognises there-are'open issues with the new systems.and.that Ernst & Young
(external audit) have concerns for theimminent yearend, but that action plans are-in place to ensure
auditable accounts for the year end-and longer term’solutions in the:new year.
The Committee had previously challenged on 3.broad areas. Status updates:at the'meeting were:
¢ Data to support and enhance fraud identification — significantly improved since’the last
Meeting but still not fit for routine usage.such-as in the Branch Audit:Risk Model. For
business accounts purposes adjustments‘are being made'to underlying finance records, but
due to the issues in the underlying data it has not been practical to load it into risk models.
Pre-existing data feeds continue to raise significant branch issues. It should be possible very
soon to use the new data
Management Information — as noted by the Director‘of Sales at the Leadership Team
meeting on 21 March high quality daily MI has now become available-to the business.
However, there are important.strands of MI.which are not being delivered yet such as bureau
de change data. The issues blurring the data are now more clearly undérstood and ‘fixes’ are
being progressed with urgency
© ‘Auditability of accounts ‘whilst there aré very material adjustrnents being made-to the
underlying finance balances, there afe-cléar plans in Product & Branch Accounting to deal
with these for the year end
Rod presented a short audit report on the project'status, attached at. Appendix A. This noted the key
themes of concern for the year end audit andthe outline of P&BA‘s plan.
Page 4 of 8
POL00021420
POL00021420
Post Office Ltd — Strictly Confidential
3.3. Method of Payment for Products in Branches
It was.noted that.there is concern in'some parts of the business about cheques. There.is a:risk of fraud
and counterfeiting of:cheques as a method of payment (as well.as'the separate risk of counterfeit
DWP ’cheques being presented for encashment in branches). Cheques may also have higher
administrative costs than other methods of payrnent'such-as debit cards.
Opportunities were considered which might bring benefit to the business, its clients:and its customers,
for instance incentives’such as £25 discount‘on another product if the customer paid by:debitcard
instead of cheque arid possibly coupled with: surcharges'to the customer should a cheque be used and
bounce.
Action'0801
“Fraud and.contro!” to be’a formal agenda item at the:next meeting, and to include the implications.of
different methods:of payment.
Action-0802
Quantify the costs associated with cheques as. a method of payment (including administration, re-
presentation, settlement terms).
3.4 Business Control
The Committee considered what else might be done, assuming a clean sheet, to reduce fraud risk. =
Suggestions included:
Tight recruitment and robust exit processes. . "
AS reliability of data improves post-IMPACT, a review of branches regularly featuring in the _,
Branch Audit Risk Model and a requirement for constructive evidence as to why they. should:,
not be considered for corrective action and possible termination of contract. *
Controlled support channel for'branches being maintained open after suspension of former
subpostmaster, by use of interim subpostmasters and:the Service Project Pool:
Activity under the future area badged “Director for the Protection of. Surrounding Post:
Offices’. .
Aligning accountability (as-with compliantisales).right through the job descriptions post OD.
Positive backing of the ‘winning branches’ to incentivise the right behaviours.
Fast focussed response to MI
Product:simplification and rationalisation
Enabling branches to get it “right first time”
Action 0803
Align accountability through job descriptions and performance measures post OD (as has been done
with “Compliant Sales’ alfeady).and ensure the support and tools to do it are available.
Action 0804
Network Director to be invited to report to'this Committee twice a year.
Page Sof 8
POL00021420
POL00021420
Post Office Ltd - Strictly Confidential
3.5 Updates and Plans From Branch Audit.and'From Investigations
A recent spate of high value branch losses was noted (5 incidents from £30k to £82K since the last
Committee meeting). The highest related to a community post’office considered small and which
consequently received small fixed cash remittances without review. Such branches have now'been
built into the Retail Inventory Team’s Flexible Planning System.
The Branch Audit plan for 2006/07, which had been presented to the preceding Committee meeting,
was formally endorsed.
The Investigations brief was noted with.no comments arising.
3.6 Regulatory Compliance
“The Regulatory Compliance brief was noted with no comments arising.
3.7 Year End Group Reporting — Risks and Controls
“The:draft.group reporting papers were noted:” Rod isto subsequently brief Alan Cook on these-papers’. ~
‘as business:unit' Managing Directors‘are now expected to:sign off'such half yearly returns.
Action 0805
Advise lan of outstanding self-assessments on HR related.key controls
Page 6 of 8
POL00021420
POL00021420
Post Office Ltd — Strictly Confidential
AOB
Rod raised three additional topics from a corporate governance perspective:
Information Security resource — The IS Officer is shortly to retire and it is understood that.
outsource is being seriously considered. Rod suggested that in Post Office Ltd’s markets it
May be expected that the company would retain at least the qualified resource to supervise
the outsource provider, if not'to retain the whole activity.
Legal Services resource — Rod outlined the external shift in legal resourcing and'the current
issues in oversight of legal relationships. lan noted the appointment of lan O'Driscoll to
coordinate legal relationships going forward.
Action 0807
Obtain brief and advice from Post Office Ltd Operations Directorate as to Information Security options
inhouse in POL, inhouse in Royal Mail Group and outsourced.
Action:0808 %
Brief lan O'Driscoll on Legal Services issues meetings to date.
I Irrelevant
bd si
Action 0810 .
Following appointment as Managing Director, Alan Cook to resign from this Committee. a
DATE OF NEXT MEETINGS
Wednesday 6th September 2006 - 10.30 - 12.30
Thursday 7th December 2006 . 10.30 - 12.30
Page 7 of 8
POL00021420
POL00021420
Post Office Ltd — Strictly Confidential
Appendix A — Audit Report.on IMPACT Status
To Post Office Ltd Risk & Compliance Committee From Rod Ismay, Head of Audit & Risk
CC Head of Product & Branch Accounting Date 22 March 2006
Executive Summary
IMPACT and the POLFS accounting system have moved on significantly since the last report to the Risk &
Compliance-Committee.
The system is not yet processing all transactions, correctly and so the.end state of POLFS ledgers which
automatically interface to the main business accounts.(ESFS) has not yet been achieved. However, manual
adjustments can and are being made to the ledgers for the yearend.
The adjustments include several mis-postings which individually are very large, but which in, most cases are
substantiated. Where full substantiation has not’ yet been provided there is clear ownership to ensure that they
are evidenced for the year end.
The external audit is well underway. Given the 'tight timescales, Ernst.& Young are understandably nervous
about the yearend. However, POL Finance are inclosé dialogue with them, and E&Y are constructively
supporting Finance by bringing:
(a) Additional urgency, clarity and prioritisation to the-auditability of the accounts, and
(b) By raising the questions and potential solutions which are compensating for capability shortfalls in
some areas of the business.
The key themes which underlie this area are as follows and.are’ consistent with E&Ys understa! nding:
1) Systems response times which make some accounts difficult to open.and hence need manual.
adjustments: Fixes are being progressed.with PRISM around“housekeeping” :
2) Gaps in accounts ownership and/or ability to.explain balances coherently. The material accounts at
stake have been identified and are being progressed with all utgency
3) Incomplete reconciliations of accounts and from POLFS to.ESFS at previous period. An approach has
been-agreed to:deal with this for the year end
" 4) Accounting and supervisory:capability issues. Theseare-being managed for the year end.on.a-
directive basis but will be addressed in.the new year as part of Finance Development
5) Visibility of interface controls — ie to confirm completeness and “once & once orily”
6) Some’specificaccounts:raised as concern by E&Y and internal review including bureau de change,
Camelot income and “client vendor payment clearing’. Ownersiare:agreed here.
There has been very significant progress in systems functionality, accounting processes:and certain people's
accounting-awareness sinceJanuary. A number of “mis-mappings’, data interfaces and “clearing routines’ have.
been dealt with. However, as explained above several adjustments will continue to have to be made at period
ends into the new year.
Proposed Year End Process to Resolve Current Issues — As Proposed by P&BA ‘to E&Y
Having clarified the issues from period 11, there will now be a 2 stage year end:
1. Aninterim:period end will happen as of Wednesday night. POLFS effectively gives ‘real time”
accounting for the network and so should be equally meaningful and auditable at.any date. Balances
will be run as‘at Wednesday and overlaid'with the known adjustments. POL then has 2.days'to
perform a final healthcheck before the year end
2. The final year end-accounts closure will happen as of Sunday night. The “adjustments” run at
Wednesday will in some cases be the’same. A full accounts interface supported by full ledger
reconciliations will be done as.at the. Yéar end
Accounts evidence will include detailed account reconciliations and third party evidence where possible such as
Branch Audit.evidence of cash balances.and routine:bank reconciliations.
Page 8 of 8