POL00027143 - PO Ltd meeting of AUDIT, RISK AND COMPLIANCE SUBCOMMITTEE


Post Office Limited

POST OFFICE LIMITED
(Company Number 2154540)

POL00027143
POL-0023784

Meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE

to be held at 17.00 on Tuesday 19 November 2013

by teleconference

Agenda

17.00  Minutes of the last meeting and matters arising (Alasdair Marnoch)
       • Minutes of the meeting held on 12 September
       • ARC Status Report

17.05  Risk management - top company risks (David Mason)

17.30  Corporate and Network Audit (Malcolm Zack)
       • Key principles for internal audit POL
       • Implications for Network audit
       • IT Transformation

17.55  IT Audit Findings - Software Licensing and Identity Access Management (Malcolm Zack / Lesley Sewell)

18.05  Project Sparrow and Prosecuting Authority (Chris Aujard)

18.25  Interim Report review and Ernst & Young Half Year Review findings (Chris Day / Sarah Hall / Jeremy Midkiff)

18.40  Financial Services Update, including Bank of Ireland (UK) plc capital & liquidity (Nick Kennett)

18.55  Any other business (Alasdair Marnoch)

       Papers for noting:
       • Information Security and Assurance Group Specific Update on Brands Database
       • Internal Audit activity update, Status of Agreed Actions
       • ARC Governance Review

       Dates of Next Meetings (Alwen Lyons)
       Proposed dates for 2014

       CLOSE
PRESENT:
Alasdair Marnoch (Chairman)
Neil McCausland (Non-executive director)
Tim Franklin (Non-executive director)

SECRETARY:
Alwen Lyons (Company Secretary)

IN ATTENDANCE:
Alice Perkins (Company Chairman)
Paula Vennells (Chief Executive)
Chris Day (CFO)
Malcolm Zack (Head of Internal Audit)
David Mason (Head of Risk Governance)
Sarah Hall (Head of Financial Control and Compliance)
Jeremy Midkiff (Senior Manager, Ernst & Young) (Item 6 only)
Lesley Sewell (Chief Information Officer) (Item 4 only)
Chris Aujard (General Counsel) (Item 5 only)
Nick Kennett (Financial Services Director) (Item 7 only)

ARC Meeting-19/11/13

1. Minutes of the last meeting and matters arising

Strictly Confidential

POLARC13 (5th)
13/27-13/35
POST OFFICE LIMITED
(Company no. 2154540)
(the Company)

Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held
on Thursday 12 September 2013 at 148 Old Street, London, EC1V 9HQ

Present:

Alasdair Marnoch Chairman of Committee
Neil McCausland Senior Independent Director
Tim Franklin Non-Executive Director

In attendance:

Alice Perkins Company Chairman

Paula Vennells CEO

Chris Day CFO

Alwen Lyons Company Secretary

Hugh Flemington Head of Legal

Malcolm Zack Head of Internal Audit

David Mason Head of Risk Governance

Julie George Head of Information Security (item 13/31 only)
Sarah Long Financial Accounting Governance Manager (item 13/32 only)
POLARC 13/27  INTRODUCTION

A quorum being present, the Chairman of the Committee opened the
meeting and welcomed all those present.

POLARC 13/28  MINUTES OF THE LAST MEETINGS AND MATTERS ARISING

(a) The Committee approved the minutes of the meetings held on 20 March,
21 May and 5 June 2013 for signature by the Chairman of the Committee.
He thanked the CFO and those involved in producing the Annual Report
and Accounts, and congratulated them on the document.

(b) The Committee noted the actions list dated 5 September 2013, and asked
that action A2 concerning Business regulatory risk be clarified to include
the regulatory regime for financial services.
ACTION: CFO

(c) The Committee received and noted an update from Susan Crichton,
General Counsel, on the key issues covered by the Risk & Compliance
and Regulatory Risk Committees.

POLARC 13/29  RISK MANAGEMENT

(a) The Committee received a paper and presentation on the Risk
Management Strategy 2013-2014 from the CFO and David Mason, Head
of Risk Governance, highlighting the current status of the Enterprise Risk
Management (ERM) framework in the Company. The Committee sought
assurance that the work would capture cross functional risks and the CFO
explained that cross business risks were captured by a PMO as well as at
the Executive Committee level.

(b) The Committee recognised the work that had been done to date and
asked the Business to have the risk identification work completed by the
next ARC meeting in November. The Committee recommended that the
focus be on identifying the few (possibly 10-12) higher level risks which
were critical for the Business.
ACTION: CFO/DM

(c) The Committee noted the paper and that more detailed work would be
reviewed by the ARC in November before a discussion at a subsequent
Board.
ACTION: ARC

POLARC 13/30  INTERNAL AUDIT

(a) The Committee received updates on the Company's Internal Audit from
Malcolm Zack, Head of Internal Audit. This included the outcome of the
final audit activity conducted by Royal Mail Group Internal Audit on behalf
of the Company, the Company's internal audit activity and the planned,
requested and proposed audit and advisory work for the third quarter of
the year.

(b) The Committee discussed the current Branch Audit function which
currently carries out branch audit and training work. Malcolm Zack
explained that the audit work focussed on cash and stock reconciliation
and he believed that there was an opportunity to make the team more
professional and efficient. The CEO explained the history of the existing
structure and agreed that changes needed to align with the business
support process review being carried out by Angela Van-Den-Bogerd,
Network Change Operations Manager. The Committee questioned the
reporting line and asked for this to be considered as part of the review.
ACTION: AVDB

(c) The CEO suggested that Angela Van-Den-Bogerd should attend the
November ARC to give an update on her work and its impact on business
risk.

(d) The CFO thanked the Committee for their input and agreed to conclude
the branch audit work and report back changes at the November ARC.
ACTION: CFO/MZ

(e) The Committee received and noted the status of agreed internal audit
actions and asked that this information be incorporated into the Board
performance pack.
ACTION: MZ

(f) The Committee questioned the SPMO audit and wondered if the report
should have had a red status as the risk highlighted was fundamental to
the SPMO delivering their role. Malcolm Zack defended the findings but
agreed to ensure reports were rigorous and challenging.
ACTION: MZ

(g) Malcolm Zack was asked to confirm via a note to the Committee when the
two overdue actions highlighted in the audit tracker would be complete.
ACTION: MZ

(h) Malcolm Zack also presented a technical update for the Committee. The
update covered Financial Reporting Council updates to the direct use of
internal audit resources and increasing transparency of external audit
work and the new codes of guidance from the Chartered Institute of
Internal Auditors for internal auditing standards in the financial and public
sectors. Malcolm Zack was asked to circulate the document to the
Committee.
ACTION: MZ

(i) The Committee noted these updates and endorsed Internal Audit's
suggested approach to these changes. The CFO was asked to organise
a short “teach in” for the ARC on all current recent accounting changes
and the implications for the Business, in time for the Company's year-end
(financial quarter 4). He was also asked to produce a summary note for
the Board.
ACTION: CFO

POLARC 13/31  INFORMATION SECURITY UPDATE

(a) The Committee welcomed Julie George, Head of Information Security, to
the meeting.

(b) Julie George presented an update on developments, progress and future
plans for Information Security. She informed the Committee that she had
received confirmation that the Business had achieved ISO27001
Certification for Front Office of Government Services, and was on
schedule for renewal of its PCI certification at the end of September.

(c) Julie George explained that the Business had developed a standard on
Information Security and Data Protection, which would need to be met in
any new supplier contract. The Committee asked how these standards
were being enforced and audited in existing contracts and asked the
Business to progress the issue with existing suppliers.

(d) The CEO asked whether the Brands Database would comply with the
new standards, as this was by far the largest database used by the
Business and in her mind the greatest risk. Julie George reported that the
supplier knew that they were failing to meet the required standards and
the Business would need to move to a different supplier if they did not
improve. The Chairman asked for a follow up note to the Committee
assessing the Brands Database risk and explaining how the Business
was planning to mitigate it, including what could be achieved by the end
of the calendar year.
ACTION: JG

(e) The Committee noted the good progress made in Information Security to
date and the key areas of focus for the next three months. They agreed
that an update should be provided to the ARC by mid-December,
including the plan and timescales for the contract changes.
ACTION: JG

Julie George left the meeting.

POLARC 13/32  THE INTERIM REPORT

(a) The Committee welcomed Sarah Long, Financial Accounting and
Governance Manager, to the meeting.

(b) Sarah Long invited the Committee to review the template for the
Company's Interim Report for the half year ended 29 September 2013
(the Report) and to consider the key messages, highlighted in Section 3.3
of the Interim Report Committee Paper, which the Report should contain.

(c) The Committee discussed the options for the interim report and agreed
that the CFO would include a recommendation in his Financial
presentation at the September Board which would enable input from the
Board and final view by the end of September. The Committee asked the
CFO to take into account the views expressed and work with Mark
Davies, Communications Director, to feed in the expected
communications environment at time of publication.
ACTION: CFO/MD

(d) Sarah Long left the meeting.

POLARC 13/34  DATES OF NEXT MEETINGS

(a) Date of next meeting: Wednesday 6 November 2013 14.00 - 16.30.

(b) The Committee discussed the proposed meeting dates for 2014 and the
Company Secretary proposed moving the ARC to the eve of the main
Board meeting. The Committee agreed in principle and asked the
Company Secretary to check availability.
ACTION: COSEC

POLARC 13/35  CLOSE

There being no further business, the meeting was declared closed.

POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE
STATUS REPORT AS AT 13 NOVEMBER 2013

No. A1
Reference: November 2012, POLARC12/13(f)
Action: Governance of Eagle Contract. The Committee asked NK to provide an interim update on the regulatory position in September 2013, 6 months after the changes had taken effect.
By whom: Nick Kennett
Status: To first FS Board Sub Committee meeting

No. A2
Reference: November 2012, POLARC12/13(g)
Action: The Chairman noted that it would be useful at the same meeting to look at scenarios in which Post Office would need to respond to a termination event relating to the Eagle Contract.
By whom: Nick Kennett
Status: To first FS Board Sub Committee meeting

No. A3
Reference: February 2013, POLARC13/3
Action: Committee to review Regulatory Risk Framework later in the year once the risk appetite work had been completed.
By whom: Chris Aujard/Alasdair Marnoch
Status: Review to be scheduled in for Feb 2014 ARC meeting

Action: Consider the need for Professional Indemnity cover as it moved into the area of financial services advice.
By whom: Chris Aujard
Status: This action relates in particular to the fact that we are planning to expand our FS activities (e.g. advised mortgage sales as of April next year rather than just introductions).
Our current PI has arisen in response to various contracts we have entered in to in the past. So we have £10m TWiMC with a £250k excess. Plus cover for DVLA etc.
Charles Colquhoun from POL met with our brokers Miller yesterday on this to kick off discussions on what coverage we may need going forward. Those discussions are in progress and still need to land.

No. A4
Reference: February 2013, POLARC13/5
Action: Business to ensure it had enough focus on the major transformation programmes in both Network and IT within the internal audit plan for 2013-14.
By whom: Malcolm Zack
Status: The Transformation Programme focus will be subject to detailed planning and on-going terms of reference. This will commence after the relevant Internal Audit Manager has been recruited and inducted.
UPDATE Sept 2/13. IT audit programme underway, IT Audit manager now an attendee to the IT Transformation Delivery Board. Audit work in NTP yet to be planned. Focus is currently on FRP. Audit Work on SPMO has been completed.
UPDATE Nov 11/2013. Audit programme being reviewed to enable transfer of resource from planned audits to cover more of transformation work. Risk review being considered.

No. A5
Reference: 20 March 2013, POLARC13/12(d)
Action: Review of allocation and focus of internal audit resource.
By whom: Malcolm Zack
Status: UPDATE Sept 2/13 - 3 person Team in place since June 2013. 2013/14 audit plan underway since April 2013. Completed
A review of the Branch audit capability has been completed in mid August. After consultation with Chris Day a paper to the ExCo is being drafted for October ExCo so a business view can be discussed with the Nov ARC. Verbal update to September ARC.
UPDATE Nov 11/2013. Audit report completed. Paper for ExCo reviewed and discussions underway. Paper for Nov ARC highlights shape of Internal Audit in future.

No. A6
Reference: 12 September 2013, POLARC 13/29(b)
Action: Risk identification work to be completed by the next ARC meeting in November, to be focussed on identifying the few (possibly 10-12) higher level risks which were critical for the Business.
By whom: CFO/David Mason
Status:

No. A7
Reference: 12 September 2013, POLARC 13/29(c)
Action: More detailed work on Risk Management to be reviewed by the ARC in November before a discussion at a subsequent Board.
By whom: ARC
Status:

No. A8
Reference: 12 September 2013, POLARC 13/30(b)
Action: Consider the Branch Audit function reporting line as part of the business support process review.
By whom: Angela Van-Den-Bogerd
Status:

No. A9
Reference: 12 September 2013, POLARC 13/30(d)
Action: Conclude the branch audit work and report back changes at the November ARC.
By whom: CFO/Malcolm Zack
Status: November ARC

No. A10
Reference: 12 September 2013, POLARC 13/30(e)
Action: Internal audit actions to be incorporated into the Board performance pack.
By whom: Malcolm Zack
Status: Format and content to be agreed. 11/11

No. A11
Reference: 12 September 2013, POLARC 13/30(f)
Action: Ensure that audit reports are rigorous and challenging.
By whom: Malcolm Zack
Status: Done. Communicated to team.

No. A12
Reference: 12 September 2013, POLARC 13/30(g)
Action: Confirm via a note to the Committee when the two overdue actions highlighted in the audit tracker would be complete
By whom: Malcolm Zack
Status: These will not be due until 2014, which was explained in the September paper.

No. A13
Reference: 12 September 2013, POLARC 13/30(h)
Action: Circulate the update on Financial Reporting Council updates to the direct use of internal audit resources and increasing transparency of external audit work and the new codes of guidance from the Chartered Institute of Internal Auditors for internal auditing standards in the financial and public sectors to the Committee.
By whom: Malcolm Zack
Status: Done.

No. A14
Reference: 12 September 2013, POLARC 13/30(i)
Action: Organise a short “teach in” for the ARC on all current recent accounting changes and the implications for the Business, in time for the Company’s year-end (financial quarter 4) and produce a summary note for the Board.
By whom: CFO
Status:

No. A15
Reference: 12 September 2013, POLARC 13/31(d)
Action: Produce a follow up note to the Committee assessing the Brands Database risk and explaining how the Business was planning to mitigate it, including what could be achieved by the end of the calendar year.
By whom: Julie George
Status: Note to November ARC

No. A16
Reference: 12 September 2013, POLARC 13/31(e)
Action: Update on Information Security to be provided to the ARC by mid-December, including the plan and timescales for the contract changes.
By whom: Julie George
Status:

No. A17
Reference: 12 September 2013, POLARC 13/32(c)
Action: Take into account the views expressed by the Board on the Interim Accounts and work with Mark Davies to feed in the expected communications environment at time of publication.
By whom: CFO/Mark Davies
Status:

No. A18
Reference: 12 September 2013, POLARC 13/34(b)
Action: Check availability to hold ARC meetings on the eve of the main meeting.
By whom: Alwen Lyons
Status: Reviewing for next calendar year

ARC Status Report 13 November 2013 Alwen Lyons

2. Risk management - top company risks

POST OFFICE LTD AUDIT & RISK COMMITTEE

ExCo report on key risks - November 2013

1. Purpose
The purpose of this paper is to:

1.1 Respond to the Audit & Risk Committee (ARC) request for:

• a snapshot of the ExCo’s view of the current key risks facing PO Ltd in
achieving its strategic objectives; and

• the timetable for developing this view over the next 12 months.

1.2 Obtain the view of the ARC on other risks for consideration.

2. Background

2.1 ExCo has been developing its assessment of key risks over the past 12 months
through an iterative process of workshops. A paper was presented to the
September ARC outlining the current state of this assessment.

2.2 The ARC acknowledged the progress that had been made in risk management
and recently further requested a concise view of:

• the ‘vital few’ risks that face the organisation;
• the controls in place to manage these risks; and
• a view of any planned internal audit activity to inspect and test this
management.

2.3 This paper provides a snapshot view of progress to date, acknowledging that this
is an iterative process which will be refined over time.

3. Current Situation

3.1 The table at Appendix A is taken from the outputs of the series of workshops
held by ExCo (facilitated by the Risk Function and Internal Audit) to identify and
assess current risks. These workshops identified nine risks which were deemed
to be ‘critical’ to the business. In particular the table sets out:

• The current view of the top five risks to PO Ltd based on impact and
likelihood. These risks are those with the highest impact and a likelihood of
‘possible’ or ‘probable’;

• Four additional risks which are viewed as critical but unlikely at the present
time.

ExCo report on key risks - November 2013 Chris Aujard
13th Nov 2013

3.2 This risk assessment is the subject of quarterly sessions with ExCo.

3.3 ExCo will be further developing the assessment at the next scheduled session
on 19th November 2013. The purpose of this session will be:

• To review the validity of the current ‘critical’ risks;
• Describe the appetite for each of these risks; and
• Develop action plans to achieve the target level of risk.

3.4 A further ExCo session will be held in February to assess progress and further
refine the risk assessment. ExCo believe that this will provide an enhanced view
of the risk landscape which will be presented at the February ARC meeting.

3.5 Progress in this development and action plans will be monitored by the Risk &
Compliance Committee, supported by the Risk Function.

3.6 The table at Appendix B shows the high-level timeline for ExCo activity in relation
to developing this view further.

4. Recommendations
The ARC is asked to:

4.1 Note the snapshot view of risks;
4.2 Note the update and actions set out in this paper;
4.3 Provide a view on other risks for consideration; and
4.4 Endorse and continue to support the roadmap for risk management in PO Ltd.

Chris Aujard
13th November 2013

Appendix A: ExCo current view of significant risks

Critical and immediate risks

Stakeholders
Risk: Plans are significantly hindered, redirected or otherwise changed by one or more major stakeholders e.g. RM change of ownership, change of Govt strategy/support etc
Owner: Sue Barton
Current risk controls: Regular stakeholder meetings in place; MDA agreement with RM; Engagement of NFSP
IA Assurance:

Compliance
Risk: Non-compliance with regulatory framework or contractual obligations e.g. PPR, DPA etc
Owner: Lesley Sewell/Chris Day
Current risk controls: Procurement governance process in place; Regular compliance training across business; Monitoring of network compliance KPIs
IA Assurance: Recent audit of software Licencing. Plans for 2014/15 potentially include DPA and AML. Contract Management review in Nov 2012 (RMG) - revisit for 2014?

Commercial
Risk: Dependency on small number of service or supply contracts
Owner: Lesley Sewell/Martin George
Current risk controls: Regular performance meetings; Penalty clauses available
IA Assurance: Transition of SSID (Atos) commencing Nov 2013

Competition
Risk: Failure to respond to competitive environment with pace
Owner: Martin George
Current risk controls: Digital strategy; Change management processes in place including Transformation Board
IA Assurance:

Transformation
Risk: Failure to fully engage operators in the plans for Network Transformation
Owner: Kevin Gilliland
Current risk controls: NT Governance structure; Transformation Board
IA Assurance:

Critical but unlikely risks (watch list)

Counterparties
Risk: Failure of major counterparty e.g. BOI
Owner: Nick Kennett/Martin George
Current risk controls: BOI monitoring by designated risk manager; MDA contract management
IA Assurance: Transition of SSID and Towers (2014-15)

Suppliers
Risk: Failure of major IT supplier
Owner: Lesley Sewell
Current risk controls: Supplier management; IT transformation & Transformation Board
IA Assurance: As above

Operations
Risk: Infrastructure failure or business continuity/disaster recovery failure
Owner: Lesley Sewell
Current risk controls: Supplier management; IT transformation & Transformation Board
IA Assurance: Business Continuity - Readiness Assessment planned for Q4 but may move to 2014 to allow some risk assessment work on NTP/CTP

Strategic
Risk: Risk that PO cannot pick up BOI business at end/break of Eagle agreement
Owner: Nick Kennett
Current risk controls: Project Hawk
IA Assurance:

Appendix B: Risk management roadmap

ExCo quarterly risk session / Content

November 2013
  Agree risk appetite for critical risks
  Establish risk treatment plans for critical risks

February 2014
  Half-yearly review of risk map with focus on:
  • critical risks
  • risk assessment
  • risk controls
  • action plans & progress

May 2014
  Critical risk update
  Review of major risk appetite and treatment

August 2014
  Half-yearly review of risk map with focus on:
  • critical risks
  • risk assessment
  • risk controls
  • action plans & progress

3. Corporate and Network Audit

POST OFFICE LTD AUDIT RISK AND COMPLIANCE COMMITTEE
Internal Audit

1. Purpose
The purpose of the paper is to:

1.1 Outline the principles of internal auditing options for the future shape of
Internal Audit (IA) in POL based on the recent review of network auditing,
current internal audit focus, the risk management needs of the business and
the current Three Lines of Defence model. This is an interim paper as the
business is discussing its internal audit strategy and the necessary structure
of the function to support that strategy.

2. Principles

2.1 To be effective, the Post Office Internal Audit capability needs to maintain
independence, apply professional standards and ways of working, focus on
assurance and the management of risk and control, and these attributes
should be applied and operate across the organisation.

2.2 As an independent assurance function Internal Audit should:

• Assess the efficiency and effectiveness of the overall risk management
framework as designed by the business, test the decisions and actions taken
by management and conclude on the effectiveness of those actions to
address the risks.

• This should include, but not be restricted to,
  • Top risks as identified by management,
  • Key on going business risks as faced typically by most commercial
    organisations and
  • Risks identified by the internal audit function.

• For example, strategic risks, financial risks, infrastructure and
technology risks, regulatory risk, customer risk, market and
competition risk, people and culture risk, supplier risk, operations and
continuity risk and more focused areas including fraud risk and risks
arising from major change, new products, brand and reputation

2.3 Within Post Office, assurance is undertaken by management and second line
functions as well. (See the appendix).

• Therefore the business and senior management should have a clear view of
the level and type of assurance it receives from each of these functions. An
assurance map should be constructed and maintained.

• Assurance activity, outcomes and actions in these areas should be visible to
top management and the board.

• The Internal Audit function should have clear line of sight of those functions
providing audit / risk type output and audit and assess their effectiveness
periodically.

• Senior management should ensure that the level of resource applied to each
line of defence is sufficient and in the second and third lines appropriately
resourced and professionally trained.

3. Corporate and Field Auditing

3.1 To these ends Internal Audit should operate across corporate risks including
major change programmes and risks in the network and the supply chain and
be properly resourced to do so.

Within POL significant current corporate risk areas include:

• Company wide change programmes, transformation and transitions
• Product development
• Financial Services
• Stakeholder Management
• IT Infrastructure, Integrity and security of Information and IT supplier risk
• A growing outsourcing risk as more capability, control and process is
transferred to third parties across the organisation.
• Reputational and brand risk including communications and growing social
media methods.
• Continued economic pressures heighten internal fraud risk.
• Changing organisational structure, systems, process and business models
creates on going continuity risk.

3.2 Therefore in summary, in the corporate space Internal Audit should be:

• Assessing the overall risk management framework
• Assessing the effectiveness of the other lines of defence
• Auditing the risks and controls within the listed areas, although the scope and
intensity may change year on year.
• Assessing key on-going frameworks in fraud, continuity etc.

3.3 A Corporate Audit Team needs to be skilled, professionally qualified and
experienced and able to operate across most parts of Post Office. There is a
need to cover not only the top risks and management concerns but also to
“kick the tyres” and advise and challenge management on a day to day basis.

3.4 The branches are the main interaction for our customers where the brand and
supply chain and network operations come together to meet customer needs.

POL significant network and supply chain risks include:

• Front of house: Customers (e.g. experience and behaviour), stock
management (availability of product, visibility of forms), point of sale,
merchandising, shelf edge pricing accuracy, shrinkage (loss of product
and loss of attached sale). Self service operations (theft, non payment
of packaging, efficiency of systems)

• Back office: Cash and value stock remittances - interface with
supply chain, (movements in and out and balances on hand), Horizon
System operations and control, stock control (stock holdings vs. actual
need), stock ordering, (min/max order levels), team organisation
(coverage and cost management - e.g. balancing for busy and quiet
days), monitoring of sales performance, physical security (safes and
alarms).

• Commercial: Business and financial performance, local economic
conditions, competition, local product performance, effectiveness of
incentives.

• Supply Chain Network: The distribution of large quantities of cash,
valued and operational stock presents risks in:
  • Management and control of cash, including foreign exchange at
    the depots and through the distribution network and impact on
    working capital.
  • Customer, delivery and reputational risks arising in the 3rd party
    cash collection and delivery business, many with high profile
    customers.
  • Security and bonding risks (Bank of England bond scheme) at the
    depots.
  • Continuity and stock management risks.
  • Criticality of the supply chain/vehicle network to supporting
    agency, multiple and crown locations on a day to day basis.

3.5 Therefore in summary, in the field, Internal Audit should be

• Assessing the overall efficiency and effectiveness of the control environment
across the branch network, identifying systemic issues, trends, themes and
good practice.
• Assessing the effectiveness of compliance to key internal and external
requirements.
• Assessing the effectiveness of the supporting supply chain practices, costs,
and logistics.
• Understanding and verifying the key controls over the control of cash and
cash assets including foreign exchange in branches and across the network.
• Testing the effectiveness of IT system roll outs/new product launches
including trials.
• Working with significant third parties such as BoI Internal Audit and the audit
functions of major multiple partners.
• Be responsive to the needs of the Security Department and Finance Service
Centre for cash or security related reviews.

3.6 An effective Internal Audit team with focus on operations and retail
environments needs a mix of qualified experienced professionals spread
across the country that is flexible, able to build working relationships with
senior operational management, empathy as well as challenge with agents
and uses modern field based technology to report quickly to management and
the centre.

4. Action

4.1 The ARC is requested to consider the risks and general audit approaches
proposed and direct as necessary.

Malcolm Zack

Head of Internal Audit

Internal Audit Malcolm Zack November 19 2013

Appendix - Three Lines of Defence (headcount numbers are approximate as at September 2013)

[Figure: Three Lines of Defence model, under Governing Body/Audit Committee and Senior Management]
1st Line of Defence: Management Controls; Internal Control Measures
2nd Line of Defence: Security - 60; Risk Management - 10; Health & Safety - 11; Supply Chain Compliance - 8; Financial Services Risk Mgt; Information Security Assurance 12
3rd Line of Defence: Internal Audit HIA+3

POST OFFICE LTD AUDIT RISK AND COMPLIANCE COMMITTEE

Internal Audit - IT Transition Projects

1. Purpose
The purpose of the paper is to:

1.1 Outline the recently commenced on-going review of the transition of the IT
services and the longer term plans into 2014/15.

1.2 Highlight the resource requirement and proposed sources.

2. Current transition to the new System Integrator/Support Desk organisation

2.1 The ARC members recently agreed through correspondence to amend the
original IT audit plan to expand the proposed work on the Governance and
transition as part of the tower model.

2.2 Atos was awarded the contract in September 2013. The terms of reference
have been drafted and discussed with management and are subject to final
approval in the week commencing November 11 2013.

2.3 The draft terms of reference are in the appendix to this paper. In outline the
key risks to review are:

• The Transition Execution Programme's goals are not achieved because key
stakeholders fail to deliver the contractual obligations.

• Roles and responsibilities on expected deliverables are not clearly defined for
the SISD and Post Office.

• The decision making process is not supported by an adequate information
flow between the SISD and Post Office.

• Transition risks are not adequately managed and shared between SISD and
Post Office.

• Transition activities overrun in terms of cost and timing which will have an
impact on the overall strategy benefits achievements.

ExCo level risks impacted:

The current identified ExCo risks impacted by risks in this review include:
‘Reliance on small number of service contracts, and failure of a major IT
supplier’.

2.4 The scope of the review will include:

• Transition Execution Programme Governance (including programme
structure, reporting lines for example).

• Transition Execution Programme Risk Management.

• Design of the new IT organisation.

• Post Office IT Governance and Assurance structure to govern the SISD.


3. Future IT transitional projects

3.1 Over 2014 and into 2015, the IT organisation will transition into a number of
towers. These will include:

• Service Desk (Atos)
• The Data Centre
• End User Computing
• Applications and Infrastructure
• Networks

3.2 Each of these is currently in tender stages so transitions will not take place
until 2014 and into 2015. However these present significant risk to the
organisation and audit/assurance work will be planned in for the 2014/15
internal audit plan.

3.3 The retained in-house IT organisation will need to ensure it has governance
and assurance processes over the suppliers who run the above towers. This
will be included in the proposed plan for 2014/15.

4. Implications for independent auditing/assurance

4.1 The IA team has an IT Audit Manager who is currently engaged in the
transition work having recently completed the IT audits on software licencing
and identity and access management to the LAN. They are also supporting
the IT audit work needed on the new CFS Finance system.

4.2 Some technical resource could be sourced using the recently implemented
co-source arrangement with PwC. This is capped at £100k p.a. running up to
July 2016 but is used only as needed without a commitment to the full spend.
The co-source arrangement is designed to provide support where IA needs it
so has to be available to support other audit work.

4.3 The commitment to oversee the Transitional projects will, under current
resources, limit the capability to audit other IT areas during the transition.

5. Action

5.1 The Committee is requested to note the planned and proposed scope of work
in this area and direct as necessary.

Malcolm Zack
Head of Internal Audit
November 19 2013.

Terms of Reference

SISD Governance and Assurance Design review

Audit Area

Post Office is currently undergoing a strategy change, which includes changes in
the current IT model. The Transition Execution Programme “is the catalyst to
enable Post Office to transition from its existing IT Operating and Service
Delivery Model and current IT Supply Chain to the new IT Operating and Service
Delivery Models”.

The Transition Execution Programme is led by the System Integrator/Service Desk
(SISD) provider, who was appointed at the end of September 2013, as part of
the New Operating Model. However the programme requires a considerable
workforce from Post Office.

The programme’s workstreams are: 1) Operating Model Execution, 2) Supplier
Management and Assurance, 3) Incumbents management, 4) Transition
Planning and Transition Procurement Support, 5) Programme benefits, 6)
Stakeholder & Communication, 7) Technical and Service Design Authority, 8)
Assurance, 9) Security.

Key Risks

• The Transition Execution Programme's goals are not achieved because key
stakeholders fail to deliver the contractual obligations.

• Roles and responsibilities on expected deliverables are not clearly defined for
the SISD and Post Office.

• The decision making process is not supported by an adequate information
flow between the SISD and Post Office.

• Transition risks are not adequately managed and shared between SISD
and Post Office.

• Transition activities overrun in terms of cost and timing which will have an
impact on the overall strategy benefits achievements.

ExCo level Risks impacted:
The current identified ExCo risks impacted by risks in this review
include: ‘Reliance on small number of service contracts, and failure of
major IT supplier’.

Scope

• Transition Execution Programme Governance (including programme
structure, reporting lines for example).

• Transition Execution Programme Risk Management.

• Design of the new IT organization.

• Post Office IT Governance and Assurance structure to govern the SISD.

Exclusions

• This review covers the design phase of the way Post Office will work with
SISD in the Future Operating Mode. The effectiveness of the actual
governance of the SISD will be reviewed as part of the 2014/15
internal audit plan once the process has transitioned.

Review methods:

• Participating in Programme delivery board meetings.

• Analysing Programme documents.

• Interviews with key persons involved in the Programme.

Reporting

We will start the assurance work the week of the 04th November 2013 and it
will be an on-going review of the Transition Execution Programme until the
Future Operating Mode is in place (expected to be in place in July 2014).

Regular reports will be issued to management and summaries to the
relevant ARC and to the Chief Executive.

Audit Team
Elena R. Nistor — IT Audit Manager.

Version 0.1 To:

Lesley Sewell, Dave Hulbert

Chris Taylor

Lead Auditor: Elena R. Nistor

Copies for Information:

Chris Day, Susan Barton

4. IT Audit Findings - Software Licensing and Identity Access Management

POST OFFICE LTD AUDIT RISK AND COMPLIANCE COMMITTEE

Internal Audit - Highlights of recent IT Audit reports

1. Purpose

The purpose of the paper is to:

1.1 Summarise the findings of the recently cleared internal audit reports on
Identity and Access Management and Software Licensing.

1.2 The ARC is advised that this paper is an extract from the full Internal Audit
Activity report which for this meeting has been published for noting only. The
activity report also includes results from the assurance work on the new
finance systems.

2. Outcomes

2.1 The two audits were Software Licensing Management and Access and
Identity Management (LAN) which were agreed with the ARC as part of the
2013/14 internal audit plan.

2.2 The main outcomes are summarised in the table overleaf followed by the
Executive Summary from the full report for each. Full copies of the reports
are available upon request.

2.3 An action plan owned by management is in place. The actions are being
tracked and followed up by Internal Audit as they fall due over the next few
months.

3. Requested Action

The Committee is requested to note the outcomes and direct as necessary.

Malcolm Zack
Head of Internal Audit
November 19 2013

Business Area reviewed: Software Licensing Management

The committee is directed to the Executive Report Summary in the Appendix.

This is a significant risk which management is now engaged on including the
issues arising from the privatisation of Royal Mail under which the licences
originally operated and were managed.

This is part of the Separation programme and needs to reflect the transition of
IT services to the System Integrator (ATOS) and Towers model.

Overall there were 11 agreed actions of which 7 were rated as red and 4 as
amber. The major actions agreed are shown here.

Assurance: Low

Outcomes (Actions):

As a result of the audit, the business, under the direction of the CIO will:

• Define its own software licensing policy and include clear roles and
responsibilities for POL and the Service Integrator and Service Desk
(SSID) - recently awarded to Atos.

• Assign the ownership and governance of Software licensing immediately to
POL’s Support and Service function.

• Ensure that Atos will apply the key operational requirements for managing
software licenses once Atos is fully on board.

• Ensure that POL Procurement will remind the business that all software
licences must be procured via the Procurement teams and not directly by the
functioning department.

• Define a governance and management process to gain on-going day to day
assurance over software licensing.

• Deploy that process over the SSID.

Key Risks impacted:

Operational, and Regulatory risks.

IT & Change Level risks impacted (Based on current risk map — Sept 2013)
- Not specifically identified.

Executive Level Risks impacted (based on current risk map):
Non compliance with regulatory or contractual obligations.
Business Area reviewed: Local Area Network — Access and Identity Management

The committee is directed to the Executive Report Summary in the Appendix.

As security on POLSAP and Horizon was heavily examined both internally and
externally in 2012/13, the POL IA Audit plan focused on how access to the local
area network (laptops, desktops etc.) was managed and controlled.

Overall 21 specific actions were agreed. Of these 13 were rated as red and 9 as
amber.

Assurance: Low to Medium

Outcomes (Actions):

• The Information Security Assurance Group will work with HR to better define
the access rights based on roles and job needs for access via the LAN.

• A process will be installed to ensure access rights will be reviewed when
employees change function/role.

• A periodical review of users LAN access rights will be put in place.

• Leavers access will be disabled on a timely basis and a process to confirm
recent leavers and check access will be implemented.

• The governance of the IAM process will be defined as part of the Future
Operating model, defining clear roles and responsibilities for POL, SISD and
towers (e.g. EUC).

Key Risks impacted:

Information Security Risks (Confidentiality, Integrity, Availability)

Software Licensing Management

Overall Assurance: LOW

Audit Highlights and Opinion

• Software Licensing Management (SLM) is a structured and systematic approach
to managing the full lifecycle (from purchase to disposal) of software
licences on an on-going, proactive basis.

• As part of RMG, POL has been following a RMG SLM process run by CSC and
currently POL is going through a transition phase to separate from RMG.

• The audit purpose was to assess POL’s SLM current risks and to identify the
actions to be taken to ensure POL will be in the position to manage software
licences in an effective way after the separation. The review was agreed with
the ARC as part of the 2013/14 internal audit plan. The SLM risk was
highlighted by the CIO during the audit annual planning.

• The review occurred between August and September 2013, and included input
from the Separation programme Manager and the Procurement team.

• Limitations: The audit focused on forward looking process and governance
issues. POL IA does not have audit rights over CSC, therefore it could not
independently verify the current completeness and accuracy of the licence
estate.

Opinion

• Based upon the audit work undertaken a low assurance is given over the
current software management (SLM) process. This conclusion is mainly based on
the lack of overview POL has on the owned and used software licenses and due
to the current missing SLM process. Management is aware of the licence issues
and risks within the current changing context for IT.

The Separation programme will provide POL with an overview of all software
licences in use and needed.

Actions are ongoing, within the Separation programme, to identify the right
type of licenses required for POL, which gives an opportunity to align license
types to business needs.

1) There is currently no overview of all licences and licence types POL has and
uses. POL is currently at a higher level of risk from sanction should an
external software audit take place.

2) Licences can currently be purchased by different parts of the business. There
is currently no overall control by the Procurement team on the software
purchase and change process.

1) The SLM process is not yet defined.

2) POL software licensing assurance and governance process is therefore also not
yet defined.

3) Currently there is insufficient expertise in house to define the best fit for
purpose and cost effective licenses holistically for the company needs.

Top Priority Agreed Actions

Short term actions

1) A software licensing policy will be defined by POL, and will include clear
roles and responsibilities for POL and SISD.

2) Software licensing governance and assurance ownership is assigned to POL
Support and Service.

3) POL will include the agreed recommendations in the requirements for the SISD
SLM process. The SISD will define the SLM process.

4) POL Procurement will remind the business that software licences must be
procured via the Procurement teams.

Medium — Long term actions:

1) A software licensing assurance and governance process will be defined by POL.

2) POL will deploy the assurance process over the SSID SLM process.

Executive Responsible: Lesley Sewell

Distribution (date): Dave Hulbert, Brian Deveny cfi: - Chris Day, Paula Vennells, Roger Middleton

Prepared By: Elena-Raluca Nistor

Reviewed By: Malcolm Zack

Status - FINAL Ver 2.0 CONFIDENTIAL

Risk and Control Dashboard

As at 25 September 2013

Risk that software is not appropriately obtained or managed resulting in
possible financial or legal sanction

Key Sub Risks to Manage

Process governance
Risk of inadequate software licensing management and non-compliance with
licence agreements.

Key Controls

• Software licensing management (SLM) is identified as corporate process (cross
business and IT) and a clear approach to managing software licences is in place
(approving, reviewing, monitoring, updating, etc.), ensuring that the process
from procurement until monitoring is managed at all levels.

• The process is documented and related procedures/guidelines have been
defined, approved and they have been communicated to relevant users involved in
the process.

• Other process responsibilities have been identified and assigned: e.g.
resources within the organisation to control and monitoring software licences
in each directorate or centrally.

• Software licensing compliance (with contractual agreements) process has been
defined and is performed periodically.

Process governance - risk management
Risk that the business might be disrupted or will have increased penalties'
costs due to inadequate licences.

Key Controls

• Risk of non compliance with copyright and licences contractual agreements
have been identified and they are part of an overall corporate risk register.

• Criteria to measure the efficiency of the SLM process have been identified.

• Mitigating controls for SLM risks have been identified. Additional
monitoring/assurance controls are in place to ensure the mitigating controls
are operating effectively.

• The SLM process is periodically evaluated to ensure it is fit for purpose
(covers the identified risks).

Process design and deployment
Risk that the business procures software licences that are not fit for purpose
or cost effective

Key Controls

• An asset register (e.g. systems and applications requiring) is in place,
containing an overview of all assets and their licences and it is periodically
updated.

• A review of all existing licences is periodically performed.

• The procurement of licences is managed with a central oversight to ensure it
is cost-effective and fit for purpose.

• A process owner has been identified and his/her roles and activities clearly
defined and understood.

Key

• Controls not in place
• Controls not fully covering the risks, improvements required
• Controls in place sufficiently address risk
• Not yet assessed
Overall Assurance: Low

Audit Highlights and Opinion

• Identity and access management (IAM) is a cross-function process to manage
who has access to what information over time. The audit focused on the IAM
process on the Local Area Network (LAN) (including access to POL network,
SharePoint, File Share). The review was part of the 2013/14 audit plan agreed
with the ARC.

• SAP and Horizon systems were out of scope.

• POL currently applies the RMG IAM process which for the local area network is
managed by CSC.

• The review was focused on the IAM process steps performed by POL and took
place between August and September. The purpose of the audit was to identify
current process gaps, eventual access risks and mitigation actions to be taken
in consideration in the ‘to be’ IAM process after the separation.

• Limitations: POL IA does not have full audit rights to CSC since formal
separation so technical LAN security tests were limited. The review focused on
forward looking issues as IT transfers to the SSID and tower model.

Opinion

• Based upon the audit work undertaken a low to medium level of assurance is
given over the IAM process for the local area network. This is based on the
lack of process definition and end to end overview of process steps within POL.
Furthermore the business has no overview of users’ access rights to the local
area network (shared drives, applications, SharePoint, etc.) and potential
segregation of duties

1) Identity is managed based on unique user IDs.

2) LAN accounts are locked (for 30min) after a defined number of unsuccessful
logon attempts (e.g. 10).

3) An authorisation process is in place for creating new accounts and granting
them access rights.

4) An IT process [illegible in source] on-going (under [illegible in source])
ownership, roles and responsibilities are considered to be assigned.

1) There is no overview of all local area network accounts access rights.

2) Access rights are granted on a ‘mirroring with a similar account role’ base
instead of a fit for job principle.

3) Movers’ access rights are not reviewed and updated to remain fit for job.

4) Leavers accounts are not systematically disabled in time and there is no
control.

5) No review of accounts access rights is in place.

1) IAM tools, including a provisioning system, which would allow a full
overview of all accounts access rights and their management are not in place.

2) Unauthorised access attempts to LAN are not reported to POL Information
Security team.

3) Examples noted of LAN accounts passwords being shared which is contrary to
company policy

Top Priority Agreed Actions

1) Role based access rights (on LAN) will be defined jointly by ISAG and HR.

2) Access rights will be reviewed when employees change function/role

3) A periodical review of users LAN access rights will be put in place

4) Leavers access will be disabled on a more timely basis and a process to
confirm recent leavers and check access will be implemented.

5) The governance of the IAM process will be defined as part of the Future
Operating model, defining clear roles and responsibilities for POL, SISD and
towers (e.g. EUC).

Executive Responsible: Lesley Sewell

Distribution (October 31st 2013): Julie George, Dave Hulbert, Fay Healey, Joe Conner. Cfi Chris Day, Paula Vennells

Prepared By: Elena-Raluca Nistor

Reviewed By: Malcolm Zack

Status: Final ver 1.0

Risk and Control Dashboard

As at: 30/09/2013

Overall risk

Risk that the confidentiality, availability and integrity of data and
information is compromised.

Process governance

Risk that the IAM process and related policies are not fit for purpose and they
do not cover information risks.

Key Controls

• IAM policies have been defined, and they contain clear IAM controls which are
fit for purpose, ensuring the process goal is achieved.

• Policies are reviewed periodically (at least one per year)

• IAM roles and responsibilities to cover the end to end process have been
clearly defined and communicated to parts involved in the process.

• Process monitoring controls are in place, to ensure process efficiency.

• Tools are in place to ensure IAM is managed in an efficient way.

Segregation of duties

Risk of misuse of information and data due to conflicting access rights

Key Controls

• Conflicting access rights have been identified and there is a process in
place to ensure a user will not be grat

• Process in place to ensure users are not granted conflicting access rights

• Process in place to search for and remove conflicting access rights

User management

Risk that the business is unable to identify who did what and when with the
information accessed.

Key Controls

• Unique user IDs are given to all users

• All defined accounts are known and stored in a central repository

• Passwords must be in place (and complexity criteria should be activated)

• Passwords or any other authentication credentials must be kept secret (not
written down, disclosed or shared)

Authorisation management

Risk that systems and data are accessed without appropriate authorization.

Key Controls

• Access logs are activated and they are periodically reviewed or alerts are
set in case unauthorized access attempts are done.

• Critical activities of privileged account are identified, logged and
monitored.

• Accounts are locked after a number of unsuccessful logon attempts.

Key

• Controls or processes not in place
• Controls in place and operating effectively
• Not yet assessed
• Controls or processes not fully in place to address risk

Risk that the business is unable to identify and stop unauthorized access
attempts.

Key Controls

• All requests for new and changes for accounts access rights are approved.

• Access rights are granted based on a job need base concept

• Access rights which have not been used for an extensive period of time
60-90 days, are reviewed and disabled

• Access rights of users moving roles are reviewed and updated to remain fit
for job.

• Leavers accounts and access rights are disabled and deleted within a defined
period of time.

• Accounts and their access rights are periodically reviewed by the line
manager and/or the system/data owners.
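An access review of the kind these key controls describe (leavers disabled, unused rights reviewed at 60-90 days, movers re-reviewed), as an added example that is not part of the original paper or of any Post Office system. The record layouts, the split of the 60-90 day range into "review" and "disable", the one-day leaver grace period and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds: the paper gives "60-90 days" for unused rights and only
# "a defined period" for leavers, so the exact values here are illustrative.
LEAVER_GRACE_DAYS = 1
UNUSED_REVIEW_DAYS = 60
UNUSED_DISABLE_DAYS = 90


@dataclass
class HrRecord:            # hypothetical HR extract row
    staff_id: str
    role_since: date       # date the person started their current role
    left_on: Optional[date] = None


@dataclass
class LanAccount:          # hypothetical LAN directory export row
    user_id: str
    staff_id: Optional[str]
    enabled: bool
    last_logon: Optional[date]
    last_access_review: Optional[date]


def review_accounts(hr, accounts, today):
    """Return (user_id, finding) pairs for enabled accounts that breach a control."""
    people = {p.staff_id: p for p in hr}
    findings = []
    for acc in accounts:
        if not acc.enabled:
            continue  # disabled accounts cannot be used; nothing to flag
        person = people.get(acc.staff_id)
        if person is None:
            # Account with no HR owner: cannot be tied to a person or a role.
            findings.append((acc.user_id, "NO_OWNER_IN_HR"))
            continue
        if person.left_on is not None and person.left_on <= today:
            # Leaver control: account must be disabled within the grace period.
            if (today - person.left_on).days > LEAVER_GRACE_DAYS:
                findings.append((acc.user_id, "LEAVER_STILL_ENABLED"))
            continue
        # Mover control: rights must be re-reviewed after the latest role change.
        if acc.last_access_review is None or acc.last_access_review < person.role_since:
            findings.append((acc.user_id, "ROLE_CHANGE_NOT_REVIEWED"))
        # Unused-access control: review from 60 days idle, disable from 90.
        idle = None if acc.last_logon is None else (today - acc.last_logon).days
        if idle is None or idle >= UNUSED_DISABLE_DAYS:
            findings.append((acc.user_id, "UNUSED_DISABLE"))
        elif idle >= UNUSED_REVIEW_DAYS:
            findings.append((acc.user_id, "UNUSED_REVIEW"))
    return findings


# Constructed sample data (not taken from the audit).
TODAY = date(2013, 9, 30)
HR = [
    HrRecord("S1", date(2012, 1, 10)),
    HrRecord("S2", date(2011, 3, 1), left_on=date(2013, 8, 15)),
    HrRecord("S3", date(2013, 7, 1)),                      # moved role in July
    HrRecord("S4", date(2011, 5, 1)),
    HrRecord("S5", date(2010, 2, 1)),
    HrRecord("S6", date(2012, 6, 1), left_on=date(2013, 9, 1)),
]
ACCOUNTS = [
    LanAccount("u1001", "S1", True, date(2013, 9, 27), date(2013, 6, 1)),
    LanAccount("u1002", "S2", True, date(2013, 8, 14), date(2013, 1, 5)),
    LanAccount("u1003", "S3", True, date(2013, 9, 29), date(2013, 2, 1)),
    LanAccount("u1004", "S4", True, date(2013, 7, 20), date(2013, 5, 1)),
    LanAccount("u1005", "S5", True, date(2013, 5, 30), date(2013, 3, 1)),
    LanAccount("u1006", "S6", False, date(2013, 8, 30), date(2013, 1, 5)),
    LanAccount("svc_scan", None, True, date(2013, 9, 30), None),
]

if __name__ == "__main__":
    for user_id, finding in review_accounts(HR, ACCOUNTS, TODAY):
        print(f"{user_id:10s} {finding}")
```

The same function can be run on a schedule against fresh extracts, which gives the periodic review the dashboard calls for rather than a one-off check.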

5. Project Sparrow and Prosecuting Authority
Strictly Confidential - Subject to Legal Privilege - DO NOT FORWARD
POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE
Prosecutions Policy
1. Purpose

1.1 The purpose of this paper is to:

• update the ARC with respect to certain aspects of Project Sparrow;

• seek the ARC's (directional) views on potential changes to the
prosecutions policy; and

• seek the ARC’s views on the further work we are proposing to undertake
prior to a formal recommendation being put to the ARC with respect to a
new prosecutions policy.

2. Background

2.1 In the last (October) CEO report to the Board, an update was given on Project
Sparrow in which it was noted that “.... a paper [will be submitted] to the
November ARC reviewing our overall policy for investigating and prosecuting
future cases.”

2.2 Since that update, Brian Altman QC has prepared two separate reports, one
commenting on “[POL’s] strategy and process for reviewing past and current
criminal prosecutions in light of Second Sight's Interim Report” (the “backward
looking report”) and the other making recommendations as to the future
approach to the conduct of prosecutions (the “forward looking report”). This
second report did not seek to comment on whether continuing with prosecutions
was itself a sensible course of action, either from a business or reputational
perspective, simply whether it was an effective use of resources from a criminal
law perspective, and if so, whether there was scope for improvement.

2.3 The headline conclusion of the backward looking report is that the “...review [of
the cases that had been prosecuted over the last few years] is fundamentally
sound” and that no “systemic or fundamental flaws in the review process” were
detected. In addition, a number of relatively small procedural recommendations
were made regarding matters such as document retention etc.

2.4 The forward looking report is similarly positive in tone, with Brian Altman
commenting that he had “..... seen no evidence to suggest that Post Office Ltd
exercises its investigations and prosecution function in anything other than a
well-organised, structured and efficient manner, through an expert and dedicated
team of in-house investigators and lawyers, supported by Cartwright King
solicitors and their in-house counsel...” That said, it was noted that “Post Office
Ltd’s prosecution role is perhaps anachronistic...", and that “POL is the only
commercial organisation (albeit Government owned) I can think of (apart from
RMG who retains a residual prosecuting function) that has a prosecution role,
and it is, to that extent, exceptional if not unique.”

Prosecutions Policy Chris Aujard Page 1 of 6
13 November 2013


2.4 An important, and previously little-appreciated, finding to emerge from the 2
reports is that Post Office does not have any special statutory power to
bring prosecutions; rather it brings prosecutions in a purely “private” capacity
further to section 6(1) of the Prosecution of Offences Act 1985, which gives all
individuals and companies the right to bring a private prosecution. Prior to Brian
Altman's review it was believed in many parts of the organisation that the Post
Office had been given special powers by parliament to prosecute. In reality, no
specific legislation or regulation currently requires Post Office to undertake
prosecutions, nor is there any current legislative policy that mandates that
prosecutions should be brought.

2.5 The fact that prosecutions are conducted on a private basis does not mean that
the standards of evidence are in any way reduced, or that the process is less
rigorous than would be the case with a public prosecution. It simply means that
Post Office steps in to assume a function that typically would be undertaken by
the CPS, after the referral to it of a case by the police.

2.6 The reasons why Post Office developed a private prosecutorial capability are
historical; reasons given for its retention include:

• It serves as a “deterrent” i.e. it provides a clear signal to the whole
network that offences of dishonesty will be taken seriously;

• It assists Post Office with its relationship with insurers; and

• It re-assures employees that “securing the company’s assets will be taken
seriously”.

No empirical evidence has been given in support of the above, though from first
principles it would seem doubtful that the cost of, or the terms on which,
insurance can be obtained would be materially impacted by the existence, or
non-existence, of a prosecutorial capability.

2.7 In addition, it has been said that one consequence of using the criminal process
against sub-postmasters is that the associated debt recovery actions (done
under the Proceeds of Crime Act) are quicker and “more efficient”. This is clearly
true, though the criminal recovery process, albeit very efficient, is a fairly blunt
and sometimes brutal process that involves the forcible sale of assets against the
backdrop of a criminal conviction and possible prison sentence. In the case of
sub-postmasters that are in financial distress, this may well involve the sale of
their main residence.

2.8 A similar outcome could be achieved using the civil recovery process, though
making claims through the civil courts is a more cumbersome process, and the
ability to obtain orders “freezing” assets ahead of trials is much more restricted
than it is in criminal cases (in criminal cases, a “prosecuting authority” has the
right to request a judge to make an order freezing the defendant's assets once
the investigation has commenced, but before it has gone to court).

3. Activities/Current Situation

3.1 Typically, some 250 investigations are conducted each year into cases of
suspected fraud or unexplained loss. In turn, this leads to around 50
prosecutions being brought, all of which result in the conviction of either a
sub-postmaster or (very occasionally) an employee. The most common charge is
“false accounting”, itself a very serious offence carrying a maximum tariff (7
years) not dissimilar to theft (10 years); this offence of false accounting is
technically committed every time the end-of-day return is made on the Horizon
system declaring that the sub-postmaster’s books balance when the
sub-postmaster knows they do not. Indeed, more often than not, criminal
investigations are started when the books have not balanced. The internal
“Network Support/Audit and Training” team (a team of around 200, some of
whom are charged with responsibility for undertaking stock-takes in the network)
identifies the fact that there is an unexplained cash or stock shortfall, and that
the books don’t balance. In turn that team then notifies the security team which
mounts an investigation and decides whether or not to prosecute.

3.2 Prosecutions, however, are only brought to the extent that they fit within the
internal prosecution policy. This policy focuses on 2 factors: sufficiency of
evidence and likelihood of conviction — latterly a third factor has been added,
which is the quantum of the loss (amounts below £5k are now not pursued). The
highest “risk” group of offenders appears to be those sub-postmasters who have
been in post for less than 5 years but more than 18 months. Amounts involved
are generally less than £20,000, though there are a handful of high value cases
involving outright theft of cash or very large stock deficiencies.

3.3 Immediately following the Second Sight report, work was done to rationalise and
consolidate the pre-existing prosecution policy. That said, the consolidated policy
is in substance no different to that which has been applied previously; in any
event, it has in essence been held in abeyance and no further prosecutions have
been initiated.

4. Options Considered

4.1 At a practical level, there are a number of alternatives to mounting our own
criminal investigations and undertaking private prosecutions. In particular, most
companies when faced with theft from employees, or agents, would simply
contact the police, and if fraud were a persistent problem, develop processes for
engaging with them.

4.2 Alternatively, it is open to companies (effectively) to bypass the police and go
directly to the local prosecuting authority (e.g. the CPS in England and the
Procurator Fiscal in Scotland); indeed for technical reasons, this is the approach
that is adopted by Post Office in Northern Ireland and Scotland. The experience
in those 2 jurisdictions, however, is that there is reluctance to prosecute all but
the most serious, or the most clear-cut, cases, as to some extent it is seen by
them as a debt recovery (i.e. civil) matter. We have been advised by Brian
Altman that should Post Office go down the route of referring matters to the
police or the CPS, there would be a limited appetite to prosecute, even if all the
preparatory work (witness statements, fact finding etc.) had been done by Post
Office in house.

4.3 In light of the above, four broad options were considered:

a) Preserving the status quo - i.e. retaining prosecutorial capability and
continuing with a prosecutions policy that is not dissimilar to that which
has been used in the past;

b) Pursuing a prosecutions policy focussed only on high value
cases/cases involving vulnerable members of society, and engaging
with the police in relation to other matters;

c) Ceasing all prosecutorial activities but instead actively involving the
police/CPS etc where it is felt that they are likely to take matters forward;
and

d) Ceasing all prosecutorial activities as per option c) BUT coupled
with work (as yet not formally defined but some of which has already
started as part of Project Sparrow and NT):

* to gather better MI from the network;

* to improve the overall control framework around the branch
network; and
* to provide more support to sub-postmasters.

This last option is perhaps closest to that adopted by banks and other
organisations facing serious losses through fraud and criminal activity.

4.4 As part of the evaluation process, however, consideration was given to broader
policy factors, including:

* Post Office's brand image;

* whether undertaking prosecutions is consistent with a commercial
franchisor-franchisee relationship; and

* the overall drive to develop better stakeholder engagement and a more
mature working relationship with sub-postmasters.

In light of these considerations:

* Option a) above was felt to be, at best, sub-optimal and was not explored to
any great extent, other than to ask the question of Brian Altman whether it
was “efficient” in terms of the criminal process (which it is).

* Option b) carried with it the risk that any residual prosecutions undertaken by
Post Office would be conducted so infrequently (probably only a handful
each year) as to mean that it was not efficient to maintain an internal team to
handle them. Accordingly, it too was discounted for the time being; and

* Option c) was rejected as carrying an unacceptable risk of fraud and loss
given the scale of the “losses” currently suffered through theft and false
accounting.

5. Proposal

5.1 Option d) is the favoured way forward. That said, before a final recommendation
can be made, further work needs to be done. Accordingly, it is proposed that:

* Work now commence to ascertain the scope, and the cost, of the additional
work that would need to be undertaken to gather better MI from the network
(including MI as to the “deterrent” value of the current policy), improve the
overall control framework, and provide better support to sub-postmasters
whilst protecting public funds. Part of this work will also be focussed on
exploring additional (non-criminal) sanctions that could be used as a
deterrent against sub-postmasters who have deliberately committed fraud.

A programme director and sponsor has already been identified for this work,
which will in part build upon work that has already been done as part of
Project Sparrow and some of the work that has started in the Audit team;

* The Communications team develop a strategy for effectively delivering
messages about any change in prosecutions policy, given that any move to
change our prosecutions policy, once in the public domain, could:

i. attract significant comment in the media and amongst stakeholder
groups, with potential for an adverse impact on brand and reputation; and

ii. be perceived as an ‘admission’ that past prosecutions are somehow
flawed.

* A deeper analysis is undertaken of the financial impact of adopting option d).
In particular, this will look at:

i. the ways in which civil proceedings (as opposed to criminal proceedings)
can be used more effectively to reduce the financial impact once Post
Office becomes unable to continue to use the Proceeds of Crime Act to
recover money that has been mis-appropriated; and

ii. any headcount savings that may be available.

5.2 This last piece is important. Under the terms of the sub-postmasters’ contract,
sub-postmasters are liable to Post Office for all “losses” of stock/cash etc.
Accordingly, a “fraud” involving the loss of stock or cash gives rise to a receivable
in the hands of Post Office, which if not recovered leads to a bad debt. Although
there is a dedicated team that keeps track of bad debts that arise in the normal
course of events, and the recovery for them, anecdotal evidence from the
criminal prosecutions team suggests that once matters are handed to them,
around 75% of all bad debts are recovered. The evidence further suggests that
around £1.5m is recovered annually. As noted above, it is likely that a civil
recovery process would lead to a slower, and slightly lower, recovery rate. We
will therefore need to consider and monitor closely the potential impact any
policy change may have on the “deterrent effect” of the existing policy.

6. Commercial Impact/Costs

6.1 See 5.1 and 5.2 above. There may well be an offsetting impact on the headcount
in certain areas, in particular the security team and the legal team, though this
has yet to be quantified. However, there will be additional costs associated with
enhancing the MI and control framework. These too have not yet been
quantified, but should to some extent fall within BAU budgets (for example to the
extent that they form part of the audit function, they may be part of that budget).
Indeed, some of the work referred to in para. 5.1 above is already being
undertaken given its importance to Post Office's brand and wider business
objectives, and therefore has a value which is independent of the issues
discussed in this paper.

7. Key Risks/Mitigation

7.1 These pertain mainly to the potential increased risk of fraud, and being seen to
be “soft” with public money, but should be capable of being addressed by
enhanced MI and improvements to the control framework etc.

8. Long term considerations — horizon scan

8.1 Not taking action now in relation to the prosecutions policy could lead to, or
exacerbate, the impact of further adverse publicity regarding Post Office’s
treatment of sub-postmasters.

8.2 Taking this action may assist in developing better stakeholder engagement.

9. Communications Impact

9.1 The communications team is already heavily involved in Project Sparrow, and it
is proposed to manage the communications of the above through that channel. A
key issue will be to ensure that any change of policy is properly positioned with
MPs, the JFSA and the wider Network.

10. Recommendations

The ARC is asked to:

10.1 note the update set out above; and

10.2 approve the proposals set out in paragraph 5.1 above.

Chris Aujard
13 November 2013

6. Interim Report review and Ernst & Young Half Year Review findings

Strictly Confidential

POST OFFICE LIMITED AUDIT, RISK & COMPLIANCE SUB-COMMITTEE
Interim Report and Condensed Financial Statements for 2013-14
1. Purpose
The purpose of this paper is to:

1.1 Invite the Post Office Limited Board Audit Risk and Compliance
Sub-Committee to review the Post Office Limited Interim Report and Condensed
Financial Statements for the 2013-14 half year.

2. Background

2.1 The Post Office prepared a full Annual Report and Financial Statements for
the 2012-13 year to the standard of a listed plc. The ARC agreed at its
September meeting to continue to report to this standard for the half year but
requested that the reporting be relatively succinct.

2.2 The following documents are attached to this paper:

* Draft Interim Report and Condensed Financial Statements
(incorporating Board, Royal Mail, Shareholder Executive and EY
comments);

* ARC briefing book to aid understanding.

3. Interim Report and Condensed Financial Statements approach and plan

3.1 As set out to the Board, the Interim Report is currently anticipated for
publication in the first week of December following Royal Mail's planned
announcement at the end of November. The context remains a challenging
macroeconomic environment which continues to put pressure on margins, and
discussions with Government around future strategy and related post-2015
funding.

3.2 The Condensed Financial Statements have been prepared by Finance and
the Ernst & Young audit work is now complete. In 2012-13, for the first time,
the Post Office prepared consolidated annual Financial Statements under
International Financial Reporting Standards (IFRS) which is in line with a
majority of listed public limited companies. The draft Interim Report and
Condensed Financial Statements have therefore also been prepared in
accordance with IFRS, consistent with the interim reporting of listed PLCs. An
ARC briefing book is attached. This provides a more detailed analysis of the
first half results to aid understanding of the financial statements.

3.3 The current timeline is:

* October - initial draft of front half circulated to Board

* 24 October - Board papers include updated Interim Report incorporating
Board comments

* 28 October — further comments from Board submitted

* 31 October - Board meeting to approve the Interim Report and delegate
responsibility for finalising it

* 8 November — draft supplied to Royal Mail and Shareholder Executive for
comment

* 13 November - Royal Mail and Shareholder Executive comments
incorporated and circulated with ARC papers

* 19 November — ARC review

* Late November — Board subcommittee to approve and sign Interim Report

* Early December - Announce results

4. Review process

4.1 The comments following the first review by Board members last week have
been considered and addressed. In addition we have asked an investment
bank — Rothschild — to review the report from a ‘PLC/investor relations’
perspective. The material outputs of both have been addressed and were
discussed at the Board meeting on 31 October.

4.2 Since the Board meeting, the draft has been shared with Royal Mail and the
Shareholder Executive. Royal Mail requested one minor wording change
which has been accommodated. The Shareholder Executive feedback was
considered and has largely been incorporated. Most changes were minor
wording refinements and there was a strengthening of the content regarding
Government Services on pages 3 and 5.

5. Format

5.1 We will produce an electronic copy of the Interim Report in-house and make
this available via the website. It will be similarly styled to the Annual Report.

6. Going Concern and Funding

6.1 The ARC reviewed Going Concern at its 2013 March meeting and this work
has been refreshed at the half year. A summary of the analysis is included in
Section 12 of the ARC Briefing Book attached to this paper. Based on the
analysis in this paper there is headroom remaining until March 2016, and until
March 2017 assuming continuation of the working capital facility, and it is
believed that Post Office Limited will be able to meet its liabilities as they fall
due in the foreseeable future. The Post Office Limited directors consider it
appropriate to continue to prepare the financial statements on a Going
Concern basis.

6.2 If the post 2015 funding is announced before the Interims are published there
will be a number of changes required. These are:

* To consider adding reference to the introductory statement;

* To amend the going concern note to refer to the funding but note that it is
still subject to State Aid approval (page 11);

* To amend the risks and uncertainties paragraph similarly as this is an
update from the position at year end (page 11);

* To add a Post Balance Sheet Event to note 9 (page 16).

7. Audit

7.1 The audit work on the Interim Report and Condensed Financial Statements is
complete. No significant issues have arisen to date.

8. Recommendation

8.1 The Post Office Limited Board Audit Risk and Compliance Sub-Committee is
asked to:

* Review the Interim Report and Condensed Financial Statements and
provide final individual comments to Chris Day and Mark R Davies by
noon on Monday 18 November.

Chris Day
November 2013

Our year so far...

Interim report 2013

29 September 2013

Post Office Limited : Registered number 2154540

There is no more powerful demonstration of the
transformation of the Post Office than the sight of a
freshly refurbished branch. The first six months
2013/14 financial year have seen another 588
branches open, with longer opening-beat=and more
feans that since the start of
programme more than 1,100 post offices have be

at a time when our network is at its most stable for
decades.

Alice Perkins
Chairman

to continue to be at the hear
the largest retail network in the UK, Longer opening

, Financial Service

transformed, with the evereerbeTa tee Si@tdkC © Shition year on yf

: my] pexeriod. This area of the business ise
This achievement highlights hGb BADE Mio Ae HNL C ©

of modern communities as

re to ensure
Post Office
that is in tune shopping
habits
We are able to building our
by £1
vices revenue
hding, insurance
parativ
to our
“Ambition to grow and further develop aim credible
alternative to the high street banks. a Emnbition

undertined through our pilot of curreniilglcounts in East

{including Post q

and travel ) is up 23% from

collects va nut Hele eervices™

Sustainable Post Office network fit for the 21st century.

That is the backdrop to what has undoubtedly been a
challenging period. Our operating profit, which includes
£100 million (2012 £103 million) of the Network
cived from. Gavernmenbdaseypport

efore exception

Bureau de Change

Paula Vennells
Chief Executive

taken steps to address this, expanding the Drop & Go
service which provides an efficient prepaid service for
small businesses, online sellers and anyone sending ma
regularly.

deal of

In Government Services, we face challetiges b'
optimistic for the future, particularly «
role the Post Off n play in Suppor
‘Default agenda. Our unrivalled physical
e perfect partner to this work, provid
to face services - such as Indentity Ag
Inot yet online to al
it still be required if

be

the vital face
jance and

Bs digital
currency digital age

I Annual Report al

st, the Post Office

a commercial bus

ase. We have ser

fany people we pro

ital to their lives,

ed

lovides a crucial col
unities and we are
ining these critical
in the last six mal
purpose into a sin

ua
through a major
Its of which we ef
the year. A furthel

determination to develop ways of worki

the test of a mutual business ~ ensurin

and learn from all stakeholders involved

business. Significant progress is being in this area

is now 48 months since we began ofigfating as an

2 ness. We continue to

Royal Mail, underpinnelby contractual

povides a solid foungetion for m

years to come. We are combining this
other areas which we ar

a strong

nan ambitious
ident wil

Business review

Key performance figures
six months ended 29 September 2013

Summary Group Profit and Loss Account

                                                                2013      2012  Variance  Variance
                                                                  £m        £m        £m         %
Turnover                                                                   501      (18)     (3.6)
Network Subsidy Payment
Revenue
People
Other operating costs
Share of post tax profit from joint ventures and associates
Operating profit before exceptional items
Operating exceptional items
Profit on disposal of property, plant and equipment
Loss on sale of associate
Profit before financing and taxation

Revenue by pillar
                                                                  £m        £m        £m         %
Mails and Retail                                                           196      (12)     (6.1)
Financial Services                                                         138         1       0.7
Government Services                                                         84       (9)    (10.7)
Telecoms                                                                    63         2

Key Financial Performance Indicators

[Charts: Turnover (£m); Operating profit before exceptional items (£m);
Operating loss before exceptional items and Network Subsidy Payment (£m);
Operating cash flow (£m). Surviving data labels: 2012; (47); (142).]

The Post Office's revenue has declined by £24
million, including a £3 million reduction in the
Network Subsidy Payment. Turnover decreased from
£501 million in the first 6 months of the prior year
to £483 million this half year with encouraging
growth in the Financial Services and Telecoms
businesses more than offset by decline in the Mails
and Retail and Government Services businesses. The
Network Subsidy Payment is government grant
revenue towards the costs of maintaining the Post
Office network. This payment decreased by £3
million from the previous year to £100 million
consistent with the Government Funding Agreement.
This will reduce further in 2014-15 as set out in the
current funding agreement with the government.

Mails and Retail revenue of £184 million decreased
by £12 million (2012-£196 million). Of this, turnover
in relation to Royal Mail products decreased by £10
million, driven primarily by lower consumer parcel
volumes through the Post Office and lower stamps
revenue due to the sales peak ahead of the price
rise at the end of April 2012. In addition, retail
turnover decreased by £1 million, as the
comparative figure last half year included revenue
from the collectibles relating to the Diamond Jubilee
and Olympics memorabilia. Revenue derived from
sales of lottery tickets declined by £1 million.

The Financial Services offering continues to grow,
using our position at the heart of communities to
offer products that are simple, fair, accessible and
transparent, and value for money.

Financial Services revenue in the first half of the
year increased by £1 million to £139 million
(2012-£138 million). Personal Financial Services
revenue rose by 23%, driven by strong growth in
savings products (particularly Growth Bonds and
Reward Saver) and the growth of the new mortgage
products. Revenue from traditional financial services
products, including bill payment services and Postal
Orders, continued to decline. This was due to the
increasing provision of electronic alternatives to
paper-based products and the increasing use of
alternative payment methods.

The Department for Work and Pensions contract for
cash cheques and green giros has ceased, and
National Savings and Investments’ (NS&I) decision to
provide most of their products through their own
direct channel has resulted in a further reduction in
revenue.

Government Services revenue of £75 million
declined by £9 million (2012-£84 million) due to a
lower volume and rate per transaction for DVLA
motoring work and a reduction in the number of
active Post Office Card Account (POCA) accounts.
Revenue from the Passport Check & Send service
increased by £1 million due to an increased share of
a growing market.

Two major new contracts have been signed with
Government Departments. Her Majesty's Passport
Office has signed a contract under the Front Office
Counter Services framework that will allow for the
continuation of the popular Passport check and send
service. A contract has also been signed with
Government Digital Service for the provision of
Identity Assurance services.

Telecoms revenue of £65 million represented an
increase of £2 million (2012-£63 million). Revenue
from HomePhone and Broadband rose driven by an
uplift in our average revenue per user following the
introduction of more attractive packages last year.
Revenue from our Mobile top-up business was lower
than the previous half year, as more customers
continue to migrate away from pre-pay services
onto contracts. Despite this reduction in income, the
Post Office is still a significant provider in the top-up
market, and its share of the retail market has been
maintained at around 5%.

People costs of £131 million have increased
compared to the first 6 months of the prior year
by £3 million mainly due to higher pension costs
and historical pay agreements.

Other operating costs have decreased by £15
million to £422 million mainly due to lower sales
volumes.

The share of profit from the joint venture, First
Rate Exchange Services Holdings Limited,
increased by £1 million to £23 million.

Operating exceptional items include the costs of
delivery of major change and the impairment of
non-current assets. These are offset by
Government grant funding, received towards the
transformation programme and recognised to
match the associated costs: in addition a gain of
£102 million arose on the change to the terms of
the Royal Mail Pension Plan. In the half year
Network Transformation resulted in costs of £55
million. Costs of £5 million relate to the IT
transformation programme which will create the
appropriate IT infrastructure for the future.
Government grant funding of £129 million has
been recognised to offset the costs as appropriate
including £31 million to cover costs incurred in
2012-13 but not covered by the 2012-13 grant.

There has been an operating cash outflow of
£142m during the period in contrast to the
comparative half year which saw a net cash inflow
of £78m. This change in cash flow is driven by
differing working capital movements due to the
timing of Easter relative to the March 2013 and
March 2012 year ends. The cash position of the
business remains strong, with cash and cash
equivalents of £829m (2012-£898m).

                                              Half year to    Half year to
                                              29 September    23 September
                                                      2013            2012
                                                 Unaudited       Unaudited
                                     Notes              £m              £m
Continuing operations
Turnover
Network Subsidy Payment
Revenue
luding restructuring costs
Other operating costs
Share of post tax profit from joint ventures and associates
Operating profit before exceptional items
Operating exceptional items
government grant
- Royal Mail Pension Plan amendment
restructuring costs
Profit on disposal of property, plant and equipment
Loss on sale of associate
Profit before financing and taxation
Finance costs
Finance income
Net pensions interest
Profit before taxation
Taxation credit
Profit for the period from continuing operations

                                              Half year to    Half year to
                                              29 September    23 September
                                                      2013            2012
                                                 Unaudited       Unaudited
                                     Notes              £m              £m

41

Profit for the period from continuing operations
Other comprehensive income
Remeasurements on defined benefit surplus
Income tax effect
Total comprehensive income/(expenditure) for the period

There are no other comprehensive income items that will be reclassified to the profit and loss in subsequent periods.

Half year I

Cash flows from operating activities
Operating profit before exceptional items
Adjustment for
Depreciation and amortisation
Share of profit from joint ventures and associates
Pension operating costs
Working capital movements
Decrease/(increase) in trade and other receivables
Decrease/increase in trade and other payables
Decrease/(increase) in inventories
Increase in non-exceptional provisions
Pension operating costs paid
In respect of operating exceptional items
overnn
Restructuring costs
Other
ome tax recovers ad
inc

Cash flows from investing activities
Investment in associat
Proceeds from sale of property, plant and equipment
Proceeds from disposal of associate
Purchase of non-current assets
Net cash (outflow) from investing activities

Net cash inflow before financing activities
Cash flows from financing activities
Finance costs paid
Payments to finance lease creditor
Repayment of bank borrowings
Net cash (outflow) from financing activities
Net (decrease)/increase in cash and cash equivalents
Effect of exchange rates on cash and cash equivalents
Cash and cash equivalents at the beginning of the period
Cash and cash equivalents at the end of the period

at 29 September 2013 and 31 March 2013

29 September
2013
Unaudited
£m

Non-current assets
Intangible assets
Total non-current assets
Current assets
Total current assets
Total assets
and bor
Total current liabilities
Non-current liabilities
Provisions
Total non-current liabilities
Net assets
Total equity 88

For the half year ended 29 September 2013

At 1 April 2013 (unaudited)

effect
At 29 September 2013 (unaudited)

For the half year ended 23 September 2012

for the pe

emeasurements

enefit surplus (2) a)

Transfer

cit to government 286 286

‘ale of 1

1. Accounting policies
‘The interim condensed consolidated financial statements of
Post Office Limited and its subsidiaries (collectively the
for the half year ended 29 September 201£ were authorised for
issue in accordance with a resolution of the directors on XX
November 201f

roup)

‘The information for the year ended £1 March 201£ does not
constitute statutory accounts as defined in section 424 of the
Companies Act 2006. A copy of the full statutory accounts for
that year has been delivered to the’ egistrar of Companies. The
auditors’ report on those accounts was une ualifieddid not
draw attention to any matters by way of emphasis and did not
contain a statement under section 498(2) or (£) of the
Companies Act 2006.

Basis of preparation

These interim condensed consolidated financial statements for
the half year ended 29 September 201£ have been prepared in
accordance with IAS £4 ‘Interim
adopted by the European Union. This report should be read in
conjunction with the’ roup’s Annual’ eport and
Statements 2012:1£" which have been prepared in accordance
with I-” $s as adopted by the European Union,
~-undamental accounting concept - going concern
After careful consideration of the plans for the coming years
the  irectors continue to believe that Post Office Limited will be
able to meet its liabilities as they fall due for the foreseeable
future. Accordingly’on that basis"the irectors consider that it
is appropriate that these interim condensed consolidated
financial statements have been prepared on a going concern
basis.

The’ roup has net assets at 29 September 201£ and js reporting
a profit before exceptional Items. A funding agreement with

overnment was announced on 27 October 2010 which
provided for

+ -unding of £410 million for 201218

Inancial’ eporting as

inancial

+ -unding of £415 million for 2016-14
+ -unding of £££0 million for 2014.15

Extension of the existing working capital facility with
the epartment for Busine Innovation & Skills (BIS
of £115 billion up to £1 March 2016
State Aid approval for the funding for 2012.1£ to 201415 was
received on 28 March 2012 and it was also recognised that th
working capital facility was no longer deemed State Aid, £410
million was received on 2 April 2012 and £415 million was
received on 2 April 201£

This investment will take the form of a’ overnment’ rant and
enable the’ roup to modernise the branch network and the
‘ontinuation of the Network Subsidy Payment recognises the
major social value that Post Offices provide to communities.
New main and local branches are currently being rolled out
across the United Kingdom, Customers are beginning to benefit
from a much better retail experience including extended
opening hours. This programme is designed to make the Pos!
Office network more self sustaining and’ over time’ less
dependent on direct subsidy. This programme will not involve
branch closures.

‘The  irectors are satisfied with the continued progress made
towards modernisation during the half year ended 29
September 201£ and that the plans in place and the substantial

ARC Meeting-19/11/13

POL00027143
POL00027143

lL

investment secured will enable the’ roup to continue to
modernise and to secure its future, However they note that the
scale of change ree uired remains significant so not without risk
New standards’ interpretations and amendments
adopted by the’ roup

The interim condensed consolidated financial statements have been prepared in accordance with the accounting policies set out in the Group's Annual Report and Financial Statements 2012-13, except for the adoption of new standards and interpretations effective as of 1 April 2013.

The Group applies, for the first time, IAS 19 (Revised 2011) Employee Benefits. This has not required restatements of previous financial statements as the effect of the application of IAS 19R is not material in the opinion of the Directors. IAS 19R includes a number of amendments to the accounting for defined benefit plans, including actuarial gains and losses that are recognised in other comprehensive income (OCI) and permanently excluded from profit and loss, which is consistent with the existing policy of the Group; expected returns on plan assets that are no longer recognised in profit or loss, instead there is a requirement to recognise interest on the net defined benefit asset in profit or loss, calculated using the discount rate used to measure the defined benefit surplus. Other amendments include new disclosures, such as quantitative sensitivity disclosures.

In the case of the Group, the transition to IAS 19R and the difference in accounting for interest on plan assets and unvested past service costs has not had a material impact on the net defined benefit plan surplus. The Group has not early adopted any other standard, interpretation or amendment that has been issued but is not yet effective.

Risks and uncertainties

The principal and other significant risks and uncertainties affecting the Group were identified as part of the Performance Review, set out on pages 34 and 38 of the Group's Annual Report and Financial Statements 2012. These risks remain relevant for the remaining six months of the current financial year.


3. Segmental reporting
egments have b

il’- inancial Services” overnment Services” Telecoms and

on identified as Mails &' «

ar ended 29 §

The’ roup’s operat

tember 2O1E has been discussed further in the Business
the

er. The perf

ng segmental revenue le

net revenue. Thisis calculated v

and liabilities as recognised on the" roup balance

slivering t

not considered to be segm

Half year to 29 September 2013

Dire: tly
attributable Net

Revenue -osts revenue
£m em £m

ent net revenue and profit before taxation is prov

Half year 2
10.29
September September
2013 202

fm

tax profit from joint ventures and

-eptional items

Operating profit before e

Profit before ta ation


Seasonality of operations

Due to the seasonality of the Mails & Retail segment higher revenues are usually expected in the second half of the year. This is mainly attributed to the effect of the Christmas period. This information is provided to allow for a better understanding of the results, however management has concluded that this does not constitute highly seasonal as considered by IAS 34.

4. Operating exceptional items

y’ due to the nature of the event
anding of financial

asiness whi

These are items of income
giving rise to them’ res uire

1 expenditure arising from the operations of
eparate present

ion on the face of the Income statement to allow a better underst
performance

Half year Hall yc

to29
September Sepien!
2013 ol

ém

amendmer

Plat

ation including subpostmasters’ compensation

estructuring - other

impairment of ir

Impairment of pr

Total operating e - eptional items 0)

Mail Pension Plan amendment refer to note 6, ue to ongoing operational losses

or further informatiol
(excluding Netw
freehold and long leasehold pro}

in relation to the’ oye

ubsidy Payment) the carrying value of intangible assets and all property plant and e+ uipment other than

‘able amount

peen impaired to the recove

Taxation

The overall taxation credit in the Income statement is calculated by applying the tax rate that would be applicable to the expected total annual earnings to the reported Interim profit

The major components of income tax in the interim condensed income statemer

Half year ial! year

to29 23
September _Septembe
2013,
ém
Corporation tax credit for period 7
Tax under provided in previous periods
Current tax

eferred tax ct mparary differenc

In- ome ta - redit reported in the - ondensed - onsolidated in- ome statement 18


6. Pensions

The* roup participates in pension schemes as detai

Name Eligibility

coyal Mail Pension Plan (I MPP) UK employee

Executive Pen 1 ¢ K senior executives

The charge in the interim condensed con!
contributions to cheme
ervice contributions’ nearly alll relal
pensionable pay” has remained at 17.1%

ment for the defined contribution scheme and the’ roup
9 September 2018" and payments of £1lm were made in respect of future
ar future service contributions for’ MPP" expressec

5 £m in the

ng to centage of

The following disclosures reflect the Post Office Limit
roup. isclosures in relation to Post Office Limited
Limited) have been excluded as they are not consider

tatements

{PP scheme which is independently operated by the
are of’ MSEPP (which is operated by’ oyal Mail’ 1

the Interim condensed consolidated financial

> with membs

g the period there was a consultation exerci: of the defined bene
25 10 the terms. These changes were agreed and implemented on 15 October 201£. The k:
pensionable pay which broadly will increase in line with’ Pl (capped at 5%) in future r

off exceptional gain of £102 million.

oyal Mail Pension Plan on proposed
sto the definition of
pay growth. The changes

actua

nlied retrospectively from 26 March 2012. Expected returns on p!
profit or loss. Interest on net defined benefit surplus is recognised in profit or lo
used to measure the net pension surplus. The impact of transition to [AS 19° retr

$19)

lefined benefit

ets of sare not
calculated using the discount rate

not material to the’ roup'and

therefore no restatemen!

as been re+ uired

a) Major long-term assumptions

‘At29
September A h
2013 3

b) Plans’ assets and liabilities
ts and liabilites were:

Market
value
at 29
September
2013

Se- tionalised RMPP €m

ait value of assets

esent value

Surphus in plan before IFRIC 14 adjustment

Less I" 1C14 adj
Surplus in RMPP plan after IFRIC 14 adjustment

Surplus in plan for the Post Office Limited (at approximately 7 MSEPP
Total retirement benefit surplus

c) Movement in plans ' assets and liabilities

Changes in the present value of the defined benefit pension surplus are analysed as follow

Half year
ended

29 September
2013,

Se- tionalised RMPP tm

Opening net retirement benefit surplus/(defi- it)

I Mail Pension Plan amendment

{ pension deficit to government

Curtailmen

Closing net retirement benefit surplus before IFRIC 14 adjustment

7. Cash and cash equivalents

For the purposes of the cash flow statement, cash and cash equivalents comprise the following:

At
29 September

2013

Cash e+ uivalk

Bank overdrafts


8. Related party disclosures

All related party transactions were in the ordinary course of business. The transactions entered into and the balances outstanding as at 29 September 2013 were as follows

Half year to September (£m), 2013 and 2012, by column:
Sales/recharges to related party
Purchases/recharges from related party
Amounts owed from related party including outstanding loans
Amounts owed to related party including outstanding loans

Royal Mail Plc

Midasgrange Limited

First Rate Exchange Services Holdings Limited

For further information in relation to Royal Mail plc refer to note 9. The sales to, and purchases from, related parties are made on normal market prices. Balances outstanding at the half year end are unsecured, interest free, and settlement is made by cash

The Group trades with numerous government bodies on an arm's length basis. Transactions with these entities are not disclosed owing to the significant volume of transactions that are conducted. Separately, the Group has certain loan facilities with government, and receives government grant and the Network Subsidy Payment from government. There were no material transactions or balances between the Group and its key management personnel during the half year ended 29 September 2013.

9. Post balance sheet events

On 15 October 2013 Royal Mail was listed on the London Stock Exchange as Royal Mail plc. From this date Royal Mail Group Limited ceased to be a subsidiary of Royal Mail Holdings plc which is Post Office Limited's immediate and ultimate parent company. The contractual relationships between Post Office Limited and Royal Mail Group Limited have not changed

The directors confirm that these condensed set of interim financial statements have been prepared in accordance with IAS 34 Interim Financial Reporting, as adopted by the European Union.

By order of the Board

PA Vennells
Chief Executive

CM Day
Chief Financial Officer

xx November 2013


The - oard of Directors to Post Office Limited

Introduction

We have been engaged by the Company to review the condensed set of financial statements in the half-yearly financial report for the six months ended 29 September 2013, which comprises the interim condensed consolidated balance sheet of Post Office Limited and its subsidiaries (the Group) and the related interim condensed consolidated statements of income, comprehensive income, changes in equity and cashflow statement for the six month period then ended and the explanatory notes. We have read the other information contained in the half yearly financial report and considered whether it contains any apparent misstatements or material inconsistencies with the information in the condensed set of financial statements.

This report is made solely to the company in accordance with guidance contained in International Standard on Review Engagements 2410 (UK and Ireland) "Review of Interim Financial Information Performed by the Independent Auditor of the Entity" issued by the Auditing Practices Board. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the company for our work, for this report, or for the conclusions we have formed

Directors' Responsibilities

The half-yearly financial report is the responsibility of, and has been approved by, the directors. The directors are responsible for preparing the half-yearly financial report in accordance with the accounting policies set out in note 1.

As disclosed in note the annual financial statements of the group are prepared in accordance with International Accounting Standard 34 "Interim Financial Reporting" as adopted by the European Union. The condensed set of financial statements included in this half-yearly financial report has been prepared in accordance with those policies

Our Responsibility

Our responsibility is to express to the Company a conclusion on the condensed set of financial statements in the half-yearly financial report based on our review

Scope of Review

We conducted our review in accordance with International Standard on Review Engagements (UK and Ireland) 2410 "Review of Interim Financial Information Performed by the Independent Auditor of the Entity" issued by the Auditing Practices Board for use in the United Kingdom. A review of interim financial information consists of making enquiries, primarily of persons responsible for financial and accounting matters, and applying analytical and other review procedures. A review is substantially less in scope than an audit conducted in accordance with International Standards on Auditing (UK and Ireland) and consequently does not enable us to obtain assurance that we would become aware of all significant matters that might be identified in an audit. Accordingly, we do not express an audit opinion

Conclusion

Based on our review, nothing has come to our attention that causes us to believe that the condensed set of financial statements in the half yearly financial report for the six months ended 29 September 2013 is not prepared, in all material respects, in accordance with the accounting policies set out in note which comply with International Accounting Standard 34 as adopted by the European Union.

Ernst & Young LLP
London

xx November 2013


Post Office Limited

Audit, Risk and Compliance Board Sub-Committee

Briefing Book
Half Year ended 29 September 2013

Section
1. Glossary
2. Introduction
3. Accounting Policies
4. Primary Statements
5. Operating profit
6. Revenue
7. Costs and people
8. Quality of earnings
9. Pensions
10. Exceptional items and provisions
11. Interest, cash, debt, funding and hedging
12. Going Concern
13. Property, plant and equipment and non-current assets held for sale
14. Goodwill, Investments and intangibles
15. Working Capital
16. Provisions
17. Litigation and claims - potential claims regarding Horizon
18. Taxation

1. Glossary

Below is a listing of key abbreviations used throughout this document with the full meaning given:

Abbreviation Meaning
AE Application Enrolment Identity
ATM Automated teller machine
BIS Department for Business Innovation & Skills
BOI Bank of Ireland
CPI Consumer Price Index
DVLA Driver & Vehicle Licensing Authority
DWP Department of Work & Pensions
Eagle Deal in August 2012 to sell POFS to the Bank of Ireland, restructure commission rates for personal financial services and extend the contract to 2023
FOoG Front Office of Government
FRES First Rate Exchange Services
Gamma A contract variation made in 2007 with POFS generating £100m cash and income over a number of years in return for a series of commitments through to 2020
Horizon Horizon Next Generation - Counter system
LTIP Long Term Incentive Programme
NBV Net Book Value
NS&I National Savings & Investments
NSP Network Subsidy Payment
NTP Network Transformation Programme
POCA Post Office Card Account
PFS Personal Finance Services
POFS Post Office Financial Services
POOC Project One Off Costs
RMPP Royal Mail Pension Plan
RMSEPP Royal Mail Senior Executive Pension Plan
RMDCP Royal Mail Defined Contribution Plan
RBS Royal Bank of Scotland
RPI Retail Price Index
SGEI Services of General Economic Interest
UKBA United Kingdom Borders Agency


2. Introduction

This Briefing Book has been prepared to explain the Post Office Limited results for the half
year ended 29 September 2013. It is a summary of the key data, trends and analyses to be
read in conjunction with the Interim Condensed Consolidated Financial Statements, which
readers may find useful to further their own understanding of the results for half year 2013-14.

Most of the analyses are based on the comparison of this year’s actual results to prior year.

Comparison against budget is discussed in the Monthly Performance Report presented to the
Post Office Limited Board on a monthly basis.

3. Accounting policies

Post Office Limited has reported its results under International Financial Reporting Standards
(IFRS).


4. Primary Statements

4.1 Post Office Limited Interim Consolidated Income Statement.

Post Office Limited Interim consolidated income statement for the six months to 29 September 2013 and 23 September 2012

Columns: Notes; Half year to 29 September 2013 (Unaudited, £m); Half year to 23 September 2012 (Unaudited, £m)

Continuing operations
Turnover 483 501
Network Subsidy Payment 84 100 103
Revenue 6 583 604
People costs excluding restructuring costs 7.2 (131) (128)
Other operating costs 7.3 (422) (437)
Share of post tax profit from joint ventures and associates 23 22
Operating profit before exceptional items 5 53 61
Operating exceptional items 10.4 132 (10)
- government grant 129 35
- Royal Mail Pension Plan amendment 102 -
- restructuring costs (64) (24)
- other (35) (21)
Operating profit 185 51
Profit on disposal of property, plant and equipment 104 2 2
Loss on sale of associate - (30)
Profit before financing and taxation 187 23
Finance costs 444 (1) (2)
Finance income - 1
Net pensions interest 2 1
Profit before taxation 188 23
Taxation credit 18.4 2 18
Profit for the period from continuing operations 190 41


4.2 Post Office Limited Interim Consolidated Cashflow Statement

Post Office Limited Interim consolidated cashflow statement for the six months to 29 September 2013

Columns: Notes; 29 September 2013 (Unaudited, £m); 23 September 2012 (Unaudited, £m)

Cash flows from operating activities
Operating profit before exceptional items 53 61
Adjustment for:
Depreciation and amortisation - -
Share of profit from joint ventures and associates (23) (22)
Pension operating costs 13 13
Working capital movements: (6) 131
Decrease/(increase) in trade and other receivables 73 (10)
(Decrease)/increase in trade and other payables (81) 143
Decrease/(increase) in inventories 1 (3)
Increase in non-exceptional provisions 1 1
Pension operating costs paid (13) (13)
Cash receipts in respect of operating exceptional items: 153 178
Government grant 215 200
Restructuring costs (59) (47)
Other (3) (5)
Net cash inflow from operating activities 177 348
Income tax recovered 10 11

Cash flows from investing activities
Investment in associate - (14)
Dividends received from joint ventures and associates - -
Finance income received - -
Proceeds from sale of property, plant and equipment 3 2
Proceeds from disposal of associate - 2
Purchase of non-current assets (38) (20)
Net cash (outflow) from investing activities (35) (27)
Net cash inflow before financing activities 152 332

Cash flows from financing activities
Finance costs paid (1) (2)
Payments to finance lease creditors (2) (2)
Repayment of bank borrowings (291) (250)
Net cash (outflow) from financing activities (294) (254)
Net (decrease)/increase in cash and cash equivalents (142) 78
Effect of exchange rates on cash and cash equivalents - -
Cash and cash equivalents at the beginning of the period 971 820
Cash and cash equivalents at the end of the period 41.2 829 898

4.3 Post Office Limited Interim Consolidated Balance Sheet
Post Office Limited Interim consolidated balance sheet as at:

Columns: Notes; 29 September 2013 (Unaudited, £m); 31 March 2013 (Audited, £m)

Non-current assets
Intangible assets -
Property, plant and equipment 134 11 11
Investments in joint ventures and associates 144 83 60
Retirement benefit surplus 145 97
Trade and other receivables 10 10
Total non-current assets 249 178

Current assets
Inventories 154 7 8
Trade and other receivables 15.2 269 352
Cash and cash equivalents 855 971
Financial assets - derivatives - 1
Total current assets 1,131 1,332
Total assets 1,380 1,510

Current liabilities
Trade and other payables 153 (899) (874)
Financial liabilities - interest bearing loans and borrowings 11.2 - (291)
- obligations under finance leases 11.2 (1) (3)
Provisions 16 (25) (19)
Total current liabilities (925) (1,187)

Non-current liabilities
Financial liabilities - obligations under finance leases 11.2 (4) (4)
Other payables (24) (24)
Provisions 16 (5) (7)
Total non-current liabilities (33) (35)
Net assets 422 288

Equity
Share capital -
Share premium 465 465
Retained earnings (45) (179)
Other Reserves 2 2
Total equity 422 288
5. Operating profit
5.1 Operating profit bridge analysis

[Chart: operating profit bridge, £m, from 2012 to 2013, with steps for Revenue, People Costs, Subpostmasters' Costs and Non People Costs/Other]

5.2 Explanations for key movements are as follows:
* Revenue - section 6.
* People costs - section 7.2
* Subpostmasters - section 7.3.1
* Non People Costs / Other - section 7.3.2 to section 7.3.11

6. Revenue
Columns: 29 September 2013 (£m); 23 September 2012 (£m); Variance (£m)

Turnover 483 501 (18)
Network Subsidy Payment 100 103 (3)
Total Revenue 583 604 (21)

6.1 Post Office Limited - Revenue analysis

[Chart: Post Office Limited Revenue Bridge, £m, from 604 in 2012 to 583 in 2013, with steps for Mails & Retail, Government Services, Network Subsidy Payment, Financial Services and Telecoms]

The decrease in year on year total revenue of £21m (3.6%) to £583m (2012 £604m) is
driven by the £3m decrease in the Network Subsidy Payment, and a decrease of £18m in
like for like income.

The following commentary gives further detail on the revenue variances by category:

6.1.1 Mails

The £10.2m (6.0%) decrease in Mails Revenue is driven by volume reductions following the
Royal Mail price changes implemented this year and the unusually high comparative prior
year figure due to the buy forward of stamps before the May 2012 price increase.

* Approximately £9.6m was driven by volume decreases (mainly stamps, labels and parcels) and the remainder by price increases.

* The new Mails Distribution Agreement resulted in an on-going reduction of the fixed fee with a £0.4m impact in the first half of this year.

Mails & Retail Income is analysed in the table below:

Columns: 2013-14 (£m); 2012-13 (£m); Variance (£m); Volume (£m); Price (£m)

Special Delivery 25.2 25.7 (0.4) (0.2) (0.2)
Parcelforce 24/48 5.3 3.6 1.7 4.2 (2.5)
Labels 44.6 47.9 (3.3) (5.5) 2.2
Stamps 12.1 17.1 (4.9) (4.7) (0.2)
Royal Mail Parcels 0.0 2.8 (2.8) (2.8) -
International Priority & Standard 15.5 15.9 (0.3) (1.1) 0.7
Other Parcel Force 3.8 3.6 0.2 0.1 0.1
Other Royal Mail 18.5 17.8 0.6 0.3 0.3
Total Variable Income 125.0 134.2 (9.2) (9.6) 0.4
Fixed Fee 36.2 36.6 (0.4) - (0.4)
Total Mails 161.3 170.8 (9.6) (9.6) 0.0
Lottery 19.1 19.8 (0.7) (0.7) -
Retail 4.0 5.4 (1.4) (1.4) -
Total Mails & Retail 184.3 196.0 (11.7) (11.7) 0.0

Retail & Lottery

Retail and Lottery revenues have decreased by £2.1m:

* Lottery is £0.7m lower than last year, driven by fewer rollovers.

* Retail is down by £1.4m due to lower sales than last half year as the prior year included revenue from collectibles from the Olympic and Paralympic games, as well as the Diamond Jubilee.

6.1.3 Government Services

The £9.2m (11%) decrease in Government Services revenue is principally due to:

* £6.8m lower DVLA revenues due to new contract related lower price and lower volumes.

* £3.6m adverse from falling numbers of POCA accounts, through natural attrition, migration of customers to bank accounts.

This was offset by

6.1.4 Telecoms

The Telecoms Services pillar includes the Post Office Homephone and Broadband services,
as well as mobile top-up services and phonecards.

Telecoms Services revenue of £65m (2012: £63m) has increased by £2.3m. Income from the Post Office Homephone and Broadband product rose by £3.5m, primarily due to higher average revenue per user.

More attractive packages were introduced in May 2012 to attract and retain higher value customers. Income from mobile top-ups was £1m below prior year, as transaction volumes declined due to the mobile networks actively migrating customers away from pre-pay, and also reducing their transaction fees. Despite this reduction in income, Post Office is still a significant player in the top-up market. Our share of the retail market has been maintained at around 5%.

6.1.5 Financial Services

Financial Services income has increased by £1.0m year on year. This continues the trend
of increases in new products offsetting the decline of traditional products. Overall PFS
(defined as Post Office savings, insurance, travel, mortgages and transaction services) is up
by £11.0m (23%) year on year. By product the main variances are:

* a £8m increase in savings products, mainly Growth Bonds £3.1m, Reward Saver £2.8m, ISA £2.1m. These increases follow the completion of the 'Eagle' deal in September 2012.

* a £1.3m increase in Mortgages as this is a new product,

* a £1.1m increase in Insurance revenues driven by the new BOI contract and better rates,

* a £0.8m increase in MoneyGram driven by higher volumes, and

* a £0.7m increase in ATM revenue, driven by increased volumes as machines reach maturity.

This was offset by

* a £4.5m decline in NS&I revenues driven by the new contract. Revenue is from Premium Bonds only as NS&I look to provide most of their products through their own direct channel,

* a £4.5m net decrease in Banking revenue from:

  o a £2.7m decrease in business banking revenues due to rate reduction from renegotiated contract,

  o a £2.2m fall from the DWP exceptions (cash cheques and green giros). This work has now ceased, offset by

  o an increase of £0.5m in personal banking.

* a £1.8m decrease from Payment Services due to:

  o a £1.1m decrease in Postal Order income as the product is in decline, and

  o a £0.7m decline from bill payments, as utilities and other bill payment clients continue to migrate customers to other payment methods such as direct debit and online.

7. Costs and People

This section discusses expenditure, excluding exceptionals.

7.1 Total Costs Analysis (excluding exceptionals)

The following provides a breakdown of costs for the half year ending 29 September 2013 compared to the half year ending 23 September 2012

Expenditure - (pre-exceptional)
Columns: Notes; 2013-14 (£m); 2012-13 (£m); Variance (£m); Variance (%)

Wages & Salaries 88 89 1 1%
Overtime 5 5 (0) (3%)
Productivity/Bonus 11 7 (4) (51%)
Employers NI 10 9 (1) (7%)
Pensions 14 13 (1) (9%)
Projects (temp people resource) 1 1 0 7%
Temporary Resource 2 4 2 45%
PEOPLE COSTS 7.2.1 131 128 (3) (2%)
Subpostmasters' costs 7.3.1 220 235 15 7%
Collection, Delivery & Conveyance Charges 7.3.2 0 0 0 100%
Compensation 7.3.3 1 1 (0) (9%)
Property Facilities 7.3.4 3 3 (0) (11%)
Property Maintenance 7.3.5 4 3 (1) (25%)
Vehicles 7.3.6 1 1 0 12%
Computers & Telephones 7.3.7 38 36 (2) (5%)
Consultancy, Marketing & Legal Fees 7.3.8 15 12 (3) (29%)
Staff & Agent Related Costs & Consumables 7.3.9 0 ) (0) 36%
Finance 7.3.10 12 9 (3) (30%)
Cost of Sales 7.3.11 57 58 1 2%
Other Operating Costs 7.3.12 10 1 5%
Depreciation 7.3.13 0 0 60%
Interbusiness Expenditure 7.3.14 40 41 1 3%
Group Overheads 7.3.15 7 7 0 6%
Projects (excluding temp people resource & IB) 7.3.16 13 21 7 36%
Projects Interbusiness 2 0 (2) -
Total Other Operating Costs 7.3 422 437 15 4%
TOTAL EXPENDITURE (Pre Exceptionals) 553 565 12 2%


7.2 People Costs (2013 £131m vs 2012 £128m)

7.2.1 People costs (2013 £131m vs 2012 £128m)

People costs have increased in total by £3.3m (2.6%) to £103.9m, representing 23.7% (2012
22.5%) of the cost base.

The number of people employed increased by 87 to 7,999 at 29 Sept 2013 (2012 7,912),
primarily due to the Network Transformation Programme. NTP people costs are included
within exceptional costs. The transfer to exceptional costs is done by a move of the ‘fully
loaded’ staff cost (including NI and pensions) from the wages and salaries line. This
maintains the integrity of pensions and NI for disclosure purposes but means that variances
across the categories need to be viewed in aggregate.

The people cost movement comprises:

* Wages and Salaries have decreased by £1.1m (1.3%), but as noted above, must be viewed in conjunction with the increase in NI of £0.6m (6.8%) and an element of the pension costs increase as the movement of Network Transformation staff costs to exceptionals encapsulates all 3. When viewed in this way, the variance is broadly flat year on year.

* Pension costs have increased by £1.2m (9.1%), driven primarily by the increase in the IAS19 pension rate from 18.2% to 20.6%.

* Productivity costs have increased by £3.6m (51%), and are predominantly due to productivity costs under accrual of £1.5m in 2012-13 and a £1.1m increase in the LTIP accrual as none was booked in 2012-13 following an over provision in 2011-12.

* Overtime has increased by £0.1m (2.7%).

* Temporary resource costs have decreased by £0.8m (22%), as a result of reduced recruitment and lower agency labour in Network.

7.2.2 People Numbers

The following analysis shows the movements in the number of people employed during the
half year.

The People numbers were as follows:

Columns: Period end employees at 29 Sept 2013; Period end employees at 23 Sept 2012; Average employees 2013; Average employees 2012
Total employees 7,999 7,912 7,946 7,867

7.2.3 Average Cost Per Employee

The 2013 average number of employees for the half year ending 29 Sept 2013 was 7,946 (2012 7,867). The average annual cost per employee (excluding exceptional costs and exceptional heads) based on these averages has increased by £1,730 (5.2%) to £35,085 (2012 £33,355), but this is distorted by the increase in productivity costs. Excluding the productivity impact, the average has increased by only £632 (2.0%) to £32,217 (2012 £31,584) due to pay awards (Supply Chain) and the pension rate.

7.3 Other Operating Costs (2013 £422m vs 2012 £437m)

Subpostmasters costs (2013 £220m vs 2012 £235m). Total subpostmasters costs
decreased by £15.0m (7%). £9.3m of this was due to lower sales, including the impact of
Mails buy forward last year pre the May price increase. £2.2m due to lower fixed pay from
unfreezing the Core Tier Payment and roll out of Locals and £2.7m relating to the DVLA
rate reduction accrual impact.

The average annual cost per subpostmaster branch (excluding VAT and NI) is £40,549
(2012 £42,892). This is a 5.5% decrease on the prior year and reflects the higher income
last year relating to stamps buy forward.

Columns: 2013-14 (P6); 2012-13 (P6)

Agency Branches (incl. Mains and Locals) 10,269 10,389
MAIN 610 33
LOCAL 463 233
Outreach 1,076 1,037
Crown 372 373
Total Branches 11,717 11,799

Collection, Delivery & Conveyance costs have decreased by £0.5m due to ATM
replenishment costs, which were paid to an external company, now being fulfilled by internal
Supply Chain staff.

Property Facilities costs have increased by £0.3m, due to an increase in the provision for the extension of business rates to ATMs.

Property Maintenance costs have increased by £0.7m, due to the Network Transformation Programme.

Computers and Telephones costs have increased by £1.9m, mainly due to Horizon Fujitsu costs of £1.2m and software licences of £0.6m.

Consultancy, Marketing & Legal Fees have increased by £3.5m year on year. £1.1m of this is offset with the staff and agent related costs line below for Skills group off charges for project activity. £1.6m relates to increased marketing costs (prior year rebranding was within project one-off costs), £0.6m relates to increased consultancy costs for SPMO Operating model and mutualisation, and £0.5m to increased legal costs relating primarily to separation. The remainder relates to a decrease in database management and Estate fees.


7.3.7 Finance costs have increased by £2.7m, driven by the ceasing of the Bureau rebate of
£2.2m (ceased October 2012) and increased bank charges of £0.4m. The remainder is
losses related.

7.3.8 Cost of Sales has decreased by £1.4m (2.4%), driven by lower Retail costs due to Olympic
and Jubilee collectables. The main reasons are detailed below:

Cost of Sales
                      29 September   23 September
                      2013           2012-13        Variance
                      £m             £m             £m               Comments
Telecoms              40             40             0                -
Government Services   15             15             0                -
Mails & Retail        2              3              1       45%      Decreased sales due to collectable products for Jubilee and the Olympics
Financial Services    4              4              0                -
Total                 57             58             1       2%

Other Operating costs have decreased by £0.5m (5.4%) primarily due to reduced cheque processing
costs.

7.3.9 Interbusiness expenditure has decreased by £0.8m due to reduced property costs and is
detailed below:

Interbusiness                            2013-14   2012-13   Variance
                                         £m        £m        £m
Official Mail                            8         8         0
Call Centres                             2         2         0
Facilities Management                    7         7         0
Vehicle Services                         3         3         0
Romec                                    3         4         1
Property                                 16        16        0
Other                                    0         0         0
Total Interbusiness                      40        41        1
Projects Interbusiness                   2         0         (2)
Total Interbusiness including projects   42        41        (1)

7.3.10 Group overhead expenditure has decreased by £0.4m due to separation as work transfers
over to the Post Office.

7.3.11 Project expenditure (excluding temporary people resource and IB) has decreased by £7.4m
to £13m. The £13m spent on projects is analysed below:

2013-14 Project Expenditure                                                           £m
Customer Engagement (Brand Campaign)                                                  5
Financial Services (Portfolio)                                                        0.5
FOoG (DVLA Enhancements & Home Office Development)                                    1.3
Telephony (Fixed Line Tender, Contract negotiations and Migration)                    1.5
Mails (Collections & Returns, Small, Medium Business Proposition)                     0.8
Finance (Road Map)                                                                    0.3
HR & Compliance (Recruitment, Training & Data Protection & Freedom of Information)    0.7
IT Delivery (Salesforce Licences & RMG Small App Migration (UEX Phase 2))             0.5
Property (Crown Network)                                                              0.2
Supply Chain (North West Cash Centre & Swindon Barcode Scanners & Printer)            0.4
Security (Fraud Software Analysis)                                                    0.8
Digital (Digital & Multi-Channel)                                                     0.4
Network                                                                               0.1
Total Projects (excluding temp people resource & IB)                                  13
Projects (IB)                                                                         2
Projects (temporary resource)                                                         1
Grand Total                                                                           16

8. Quality of Earnings
                                                                                    2013-14   2012-13   Growth
Post Office Limited (consolidated)                                         Notes    £m        £m        £m       %
Operating profit before other exceptional items                                     53        61        (8)      (13%)
Network Subsidy Payment                                                             (200)     (203)     3        EY
Project one off costs                                                      7.3.11   16        22        (6)      27%
Operating (loss) before project one off costs, exceptional items and NSP            (31)      (20)      (11)     (55%)

Each item in the table is explained further below:

8.1 Network Subsidy Payment

The Network Subsidy Payment decreased from £210m for 2012-13 to £200m for 2013-14.
The Network Subsidy Payment has been accounted for as a government grant in both
years and has been recognised evenly through the year.

8.2 Project one off costs

Project one off costs are non exceptional costs of project activity in the year. They
increased in 2012-13 as the pace of implementation towards the new plan continued but
have decreased in 2013-14. These costs do not form part of the underlying business as
usual performance of the company.


Pensions
9.1 Background

The Post Office participates in the pension schemes detailed below:

Scheme                                              Eligibility                     Type
Royal Mail Pension Plan (RMPP)                      UK employees                    Defined benefit
Royal Mail Senior Executive Pension Plan (RMSEPP)   UK senior executives (closed)   Defined benefit
Royal Mail Defined Contribution Plan (RMDCP)        UK employees                    Defined contribution

On 1 April 2012 almost all of the assets and liabilities of the Royal Mail Pension Plan (RMPP)
were transferred to HM Government. On this date the RMPP was also sectionalised with Royal
Mail Group Limited and Post Office Limited responsible for their own sections. Royal Mail Group
Limited is the principal employer in the Royal Mail Senior Executive Pension Plan (RMSEPP)
and the Royal Mail Defined Contribution Plan (RMDCP). Post Office Limited became a
participating employer in both with effect from 1 April 2012. Royal Mail Pensions Trustees
Limited manages the main defined benefit scheme Royal Mail Pension Plan (RMPP) which has
around 5,200 Post Office active members.

At the September 2013 half year the emphasis has been on the RMPP plan, as the movements
in the 7% share of RMSEPP are considered not to be significant to the Interim Report.
However, the RMSEPP has been reviewed and Post Office 7% share of the RMSEPP surplus has
increased by £1m to £2m driven by an improvement in asset values. An actuarial gain of £1m
has therefore been recognised in the period.

9.2 Assumptions

IAS 19 revised requires a number of assumptions. The choice of assumptions used for the
calculations is the responsibility of the Directors, based upon advice given by an independent
actuary. The key assumptions for the half year to 29 September 2013 are set out in the table
below.

Towers Watson has confirmed that the assumptions have been determined in a manner
consistent with those used for the disclosures at 31 March 2013, and any relevant adjustments
to 29 September 2013 have been made. Conversations with Royal Mail management confirm
that it is their intention to adopt the same assumptions. The rate of increase in pensionable
salaries has been adjusted from RPI +1% to RPI to reflect the impact of the change to terms
arising from Project Robin as explained in paragraph 9.3.

                                           September   March
                                           2013        2013
% pa Nominal                                           (for comparison)
Inflation (RPI)                            3.3         3.3
Inflation (CPI)                            2.3         2.3
Rate of increase in Pensionable salaries   3.3         4.3
Discount rate (i.e. bond rate)             4.6         4.8

Demographic assumptions, for example mortality, remain unchanged from those made in
March 2013.


9.3 Movements in the defined benefit surplus

The movement in the RMPP defined benefit surplus during the six months to 29 September
2012 is detailed below. Scheme assets are assessed at fair value at the balance sheet date. For
example, quoted equities are valued at the latest ‘bid’ price. Scheme liabilities are discounted
using a high quality corporate bond rate. The IAS 19R surplus/deficit is usually therefore
different to the cash funding surplus/deficit (the “actuarial” valuation) assessed by the Trustees,
for which the scheme liabilities are discounted using the expected returns available on scheme
assets.

                                                                    29 September   Year ended
Sectionalised RMPP                                                  2013           2013
                                                                    £m             £m
Opening net retirement benefit surplus/(deficit)                    99             (205)
Royal Mail Pension Plan amendment                                   102
Transfer of pension deficit to government                           -              286
Current service cost                                                (13)           (24)
Curtailment costs                                                   -              (2)
Net financing credit                                                2              2
Employers contributions                                             11             25
Actuarial (losses)/gains                                            (37)           7
Closing net retirement benefit surplus before IFRIC 14 adjustment   164            99

During the period there was a consultation exercise with members of the defined benefit Royal
Mail Pension Plan on proposed changes to the terms (Project Robin). These changes were
agreed and implemented on 15 October 2013. The key change was to the definition of
pensionable pay which broadly will increase in line with RPI (capped at 5%) in future regardless
of actual pay growth. The changes have resulted in a one-off exceptional gain of £102 million.

The current service cost is intended to represent the amount by which the liabilities will
increase due to employing active members for one more year. The current service cost,
expressed as a percentage of pensionable pay is 20.6% for RMPP (2012 18.2%). The charge in
the income statement for the defined contribution scheme was £1m in the half year to 29
September 2013, and payments of £11m were made in respect of RMPP future service
contributions at a rate of 17.1% (2012 17.1%).

The net financing credit of £2m, a non-cash item, is reported under finance income and
reassessed annually.

Actuarial gains and losses are recorded directly in the statement of changes in equity (and not
the income statement). The actuarial loss of £37m during the half year arose primarily due to a
greater than expected decrease in assets as a result of changes in market conditions.


9.4 Assessment of recoverability of surplus under IFRIC 14

In order to recognise a surplus it is necessary to prove that the Post Office could recover the
surplus either through lower future contributions or through a refund.

Towers Watson has calculated
that Post Office Limited would be able to recover £103 million of the £164 million surplus in
RMPP through lower contributions and the remaining £61 million could therefore be recovered
through a refund. The element of surplus that is recoverable through a refund would be
subject to a 35% withholding tax and therefore the overall surplus on the balance sheet has
been reduced by £21 million to £143 million. The element that is recoverable through lower
contributions has resulted in a deferred tax liability of £21m, which is consistent with the
deferred tax credit recognised in the year to 31 March 2013 and therefore no further tax
consequence has been recognised in the half year to 29 September 2013.

10. Exceptional Items and Provisions

This section discusses the exceptional items on the income statement together with
movements in the related balance sheet provisions/payables.

10.1 Exceptional items summary

The following exceptional items were recognised in the consolidated income statement for the
half years ended 29 September 2013 and 23 September 2012:

                                                                    2013-14   2012-13
Exceptional items                                           Notes   £m        £m
Operating exceptionals:
Royal Mail Pension Plan amendment                                   102       -
Government Grants                                           10.2    129       35
Restructuring costs including Subpostmasters compensation   10.3    (64)      (24)
Impairments                                                         (35)      (21)
Total operating exceptionals                                        132       (10)
Non operating exceptionals:
Profit on disposal of property                                      2         2
Net exceptional gain/(costs)                                        134       (8)

10.2 Government Grants - In April 2013 the Post Office received grants totalling £215m from the
Government (April 2012 £200m) to fund capital projects and transformation.

Amounts utilised in the respective half years are as shown, with the 2013/14 utilisation
including £31m relating to network and IT transformational costs incurred in 2012/13 for
which there was insufficient grant in that year.

10.3 Restructuring costs - include the costs (£55m) of delivery of a major change in the network.
Network Transformation introduces new style agency offices and seeks to improve
fundamentally the profitability of the Crown network. The IT Transformation programme will
create the IT infrastructure appropriate for an independent group with ambitious growth plans
and incurred a further £5m. Other costs included are business separation of £2m and
redundancy of £2m.

Network Transformation comprises costs of £15m for Subpostmasters’ compensation and
£40m programme costs. The £40m spent on Network Transformation is analysed below:

Network Transformation
Branch Fit Out (Inc. Signage/Scales etc)
Horizon Implementation
Legal - New Operating Model Contracts
Management Consultancy
Marketing
Crown Transformation: pilot design/scoping
Professional Fees - Site Survey
Staff
Skills Group Internal Consultancy Resource
Project Management (Roll Out)
Total


11. Interest, Cash, Debt, Funding and Hedging
11.1 Net finance costs Sept 2013 £1m vs Sept 2012 £1m

                                            29 September   23 September
                                            2013           2012
Finance costs & investment income           £m             £m
Interest received on investments - UK       -              1
Total finance income                        -              1
Interest charged on Government borrowings   -              -
Interest payable on finance leases          -              (1)
Other finance costs                         (1)            (1)
Total finance costs                         (1)            (2)
Net finance cost                            (1)            (1)

Interest payable on the BIS Loan fell last year as the average borrowing volume significantly
decreased due to funding receipts attributable to transformational programmes. This position
continued with £200m received in 2012-13 and £215m in 2013-14.

Finance leases are nearing conclusion and both arrangements covering counter printers and
the AEI equipment finish in 2014-15 - accordingly interest is reducing.

Other finance costs include commitment fees to BIS for the Post Office credit facility, and
charges to RBS for their note sorting facility.

11.2 Cash, cash equivalents and debt within the balance sheet

                                                           29 September   31 March
                                                           2013           2013
Net cash/debt analysis                           Section   £m             £m
Cash in the Post Office Limited network          11.3      825            870
Other cash at bank (overdraft)/deposits                    (26)           9
Cash equivalent investments                                30             92
Total cash and cash equivalents                            829            971
Loans, repayable on demand or less than 1 year   11.4      -              (291)
Obligations under finance leases (current)       11.5      (1)            (3)
Total current financial liabilities                        (1)            (294)
Obligations under finance leases (non-current)   11.5      (4)            (4)

11.3 Cash within the Post Office Limited network (Sept 2013 £825m vs March 2013 £870m)

The reduction in Post Office network cash from March 2013 levels is due to the year-end
coinciding with Easter necessitating increased branch and cash centre holdings.

11.4 Loans and borrowings (Sept 2013 £nil vs March 2013 £291m)

Daily borrowing requirements in the first half of 2013/14 are significantly lower than the year
end loan position on account of advanced government funding of both the £215m
transformational funding and £200m Network Subsidy.

11.5 Obligations under finance leases (current & non-current) (Sept 2013 £5m vs March 2013
£7m)

The obligations under finance leases have decreased by £2m in the half year attributable to
lease repayments in 2013-14. Lease types are shown in section 13.2.

11.6 Loan facilities

At half year the Post Office had no external (non Government) borrowing facilities in place.


12. Going concern

Post Office Limited has net cash and cash equivalents of £829m (section 11.2) and a
borrowing facility of £1,150m of which none (section 11.4) was drawn down at 29 September
2013.

12.1 Background

On 24 March 2010 a funding agreement was agreed that provided up to £180m for
compensation for losses sustained in parts of the Network in 2011-12, as well as providing
access to the working capital facility to 31 March 2016. These arrangements received State
Aid approval on 23 March 2011 though the working capital facility was limited until 31
March 2012.

A further funding agreement with Government was announced on 27 October 2010 which
provided for:

• Funding of £410m for 2012-13 (received 2 April 2012)
• Funding of £415m for 2013-14 (received 2 April 2013)
• Funding of £330m for 2014-15
• Extension of the existing working capital facility with BIS of £1.15bn up to 31
  March 2016

State Aid approval for the funding for 2012-13 to 2014-15 was received on 28 March 2012.
It was also recognised that the working capital facility was no longer deemed State Aid.
However, no drawing under the facility may extend past the Final Maturity Date (31 March
2016).

The going concern analysis is based on the latest draft 2020 strategic plan financials
presented to the Post Office Board in April 2013 and forming part of Government funding
discussions.

12.2 Assessment for the Post Office

Post Office has finished implementing its 2005-11 strategic plan and has completed its
closure programme. It posted an operating profit before exceptional items for the first time
for a number of years in 2008-09 and has continued to do so, but still operates with a cash
outflow with the exception of 2012-13. The 2011-15 plan is intended to reverse the trend of
an increasing Network Subsidy Payment (NSP) with the draft strategic plan beyond 2014-15
continuing that reducing trend.

The 2011-15 strategic plan updated for latest views has been shown in Table 1 of this
section, and shows that Post Office has sufficient cash headroom to continue to trade. The
available facility has been defined to include network cash, ATM cash, ATM debtor, POCA
debtor and SGEI cheques. Downsides have been applied that the funding for NSP and
transformation post March 2015 is not available and that the growth and savings plans are
not fully delivered. Subject to ceasing spend on transformation post March 2015, there could
still be sufficient headroom to trade. It should be noted that there is a dependency on the
working capital loan being extended beyond its current end date of 31 March 2016.

The one year funding deal for 2011-12 added the ability to borrow up to £50m from other
sources, as well as the up to £50m in finance leases previously allowed, which would improve
the headroom capacity shown if required.


12.3 Summary conclusion

Based on the analysis there is available borrowing headroom until March 2016 and until
March 2017 if it is assumed that the working capital loan can be extended for another year.
Royal Mail Group Limited is a key trading partner with Post Office Limited and, in arriving at
the conclusion that Post Office Limited is a going concern, the assumption is made that Royal
Mail Group Limited is a going concern or that an alternative mails provider would work
similarly with Post Office Limited providing a similar level of income.

It is believed that Post Office Limited will be able to meet its liabilities as they fall due in the
foreseeable future. It is therefore expected that the directors will consider it appropriate to
prepare the accounts on a going concern basis.

Post Office Limited Funding Analysis

Table 1                                                             September 2013

£m (cumulative apart from free cash flow)                           2012-13   2013-14   2014-15   2015-16   2016-17
Opening Funds                                                       (336)     (204)     (220)     (316)     (559)
Borrowing facilities                                                1,150     1,150     1,150     1,150     1,150
Restriction due to level of network cash                            (98)      (350)     (350)     (350)     (350)
Borrowing from other sources - finance leases, bank overdraft etc   14        9         4
Latest plan free cashflow before assumed non NSP grant injection    (68)      (231)     (266)     (23)      (11)
Non NSP grant injection per October 2010 plan/April 2013 plan       200       215       170       80        80
Closing Funds Headroom                                              862       589       488       241       310
Downside impact of no NSP beyond March 2015                                                       (130)     (210)
Downside impact of no further grant injection beyond March 2015                                   (80)      (160)
Adjusted Headroom pre risk                                          862       589       488       31        (60)


Table 2: Risks, with management actions

£m (cumulative)                                                                2012-13   2013-14   2014-15   2015-16   2016-17
Headroom pre risk (as above)                                                   862       589       488       31        (60)
Risks
Financial Services growth slower than plan                                               (3)       (8)       (18)      (60)
Mails revenue decline halted but not reversed (net of agents’ cost saving)               (10)      (20)      (30)      (40)
Network Transformation benefits are not fully delivered                                  (2)       (6)       (9)       (12)
Crown Transformation benefits are not fully delivered                                    (5)       (10)      (25)      (40)
Pension contribution rates increase                                                      (4)       (8)       (12)      (16)
Increase in cost as a consequence of stopping transformation post March 2015                                 (50)      (150)
Headroom post risks pre management actions                                     862       565       436       (113)     (378)
Management actions                                                                                           309       526
Stop transformation post March 2015                                                                          145       263
Reduce capex to replacement only (£30m pa) post March 2015                                                   164       261
Headroom post risk and management actions                                      862       565       436       196       146

Notes:

2012-13 shows the year end outturn and last years are the latest view of the strategic plan.
Available facilities are defined as network cash, ATM cash, ATM debtor, POCA debtor and SGEI
cheques.

Table 1

This table shows the 2020 strategic plan projections for 2014-15 and beyond. It demonstrates
positive headroom throughout the plan period assuming funding post 2015 is agreed. If it is not there
would be a need to take management action.

Table 2

This table sets out the impact of theoretical downside scenarios if the plan does not generate the
income streams anticipated, the network programmes fail to deliver the benefits and if the pension
scheme costs increase.

Management actions have been identified to manage the lack of future funding and downside risk
within the headroom. There are further actions that could be taken but are not required. These
include the sale of property and/ or tax losses.

However, it is required to assume that the loan is extended beyond March 2016.


13. Property, plant and equipment and non-current assets held for sale

13.1 Net Book Values

The net book value (NBV) of land and buildings, plant and fixtures and intangible fixed assets
at September 2013 was £11m (March 2013 £11m). Movements in the six months were as
follows:

                           Land and    Vehicles, plant   Intangible fixed
                           buildings   and fixtures      assets             Total
Movement in NBV            £m          £m                £m                 £m
NBV at 31 March 2013       11          -                 -                  11
Add capital expenditure    2           15                18                 35
Less disposals             -           -                 -                  -
Less depreciation          -           -                 -                  -
Less impairment            (2)         (15)              (18)               (35)
NBV at 29 September 2013   11          -                 -                  11

13.2 Assets held under finance leases

The value of equipment held under finance leases is £nil (March 2013: £nil) having been
impaired in the years in which it was acquired. The two finance leases held are:

• Counter printers, capitalised and impaired in 2006-7 with an asset value of £10m, expires
  2014-15;

• Identity equipment in branches, capitalised and impaired in 2010-11, with an asset value
  of £8m, expires 2014-15.

13.3 Capital expenditure

The following table summarises capital expenditure to 29 September 2013:

                                             Vehicles,
                                 Land &      plant &
                                 buildings   fixtures    Intangibles   Total
Capital expenditure analysis     £m          £m          £m            £m
Technology Roadmap               -           -           10            10
Network Transformation           -           11          -             11
Separation (from RMG) project    -           -           2             2
Finance Roadmap                  -           -           1             1
FOoG Front Office of Govt        -           -           2             2
Vehicles                         -           2           -             2
Property                         2           -           -             2
Other (items <£1m)               -           2           3             5
Total                            2           15          18            35

14. Goodwill, investments and intangibles

14.1 Investments in joint ventures and associates

                               29 September   31 March
                               2013           2013
                               £m             £m
Investment in joint ventures   83             60

Joint ventures

Post Office Limited’s joint venture investment is a 50% interest in First Rate Exchange Services
Holdings Limited, whose principal activity is the provision of Bureau de Change. The movement
from the year end is £23m representing the share of post tax profit.

A dividend is anticipated from FRES during October 2013 - value not confirmed at time of
writing - which will reduce the carrying value of the joint venture.


15. Working capital

15.1 Inventories (September 2013 vs March 2013 £8m)

               29 September   31 March
               2013           2013
               £m             £m
Scratchcards   5              5
Retail         2              3
Total          7              8

15.1.1 Inventory written off

The provision for stock write downs and discrepancies has decreased to £0.4m in
September 2013 from £0.5m in March 2013. Shrinkage and obsolete stock written off in
September 2013 was £0.3m (March 2013 £0.4m).

15.2 Trade receivables

Receivables are tabulated below, followed by a detailed explanation of the various balances.

Receivables
                                 29 September   31 March
                                 2013           2013
Trade receivables                56             32
Client receivables               156            240
Prepayments and accrued income   58             71
Other receivables (taxation)     (1)            9
Total                            269            352

15.2.1 Trade receivables: Current (due within one year)

Trade receivables
29 September 31 March
2013 2013
Sales ledger 27 18
Doubtful debt provision (a) (a)
Homephone debtors 22 14
Homephone provision (6) (6)
Subpostmasters debt 13 14
Subpostmasters debtors provision (8) (9)
POFS.FRES cost recovery 0 9 _ a
Total 56 32


The increase in sales ledger is largely explained by the £5m debtor at September 2013 for
DWP card account income (March 2013 DWP debtor: £nil). Mainly the DWP adhere to agreed
terms and pay the month following invoice receipt though there are instances when the DWP
settle in-month.

The increase in homephone debt is due to POL switching provider from BT to Fujitsu. Fujitsu
are currently experiencing difficulties and have not invoiced customers for September 2013,
increasing customer debt levels. Other variances largely net off.

Receivable balances in relation to former subpostmasters of £8m have been provided for in
full in line with previous years. This is due to the difficulty in recovering these amounts. The
remaining £5m of subpostmaster debt which is unprovided against relates to current
subpostmasters debt which is usually settled through a deduction from remuneration. The
balances are provided for when they reach 60 days old for single subpostmasters or 90 days
for multiples.

A profile of the trade receivables is as follows:

Trade receivables

29 September 31 March
2013 2013
DWP 5
Bank of Ireland (2012: POFS) 12 44
FRES 2
Partner banks 4 -
Bank of Ireland (ATM commission) 3 2
Bill payment partners 2 1
Subpostmasters - a
Others 2 3
Total 27 18

Ageing of trade receivables:

Debtors over 60 days overdue: September 2013 £4.6m (March 2013: £0.4m).

The Post Office does not have a general risk in relation to bad debts due to the agency nature
of our client base. The main debt ageing at September 2013 is £4.5m Bank of Ireland.

15.2.2 Client receivables

Analysis of the significant client balances at year end is as follows:

Client receivables
                            29 September   31 March
                            2013           2013
ATM (Bank of Ireland)       92             123
Card Account (JP Morgan)    30             76
Partner banks               22             29
Others                      12             12
Total                       156            240


The reason for the significant difference in Client levels between September 2013 and March
13 is due to the coinciding of the March 2013 year end with Easter, which increased
transactional activity and also temporarily extended settlements into 2013-14 because of the
bank holiday.

15.2.3 Prepayments and accrued income September 2013 £58m (March 2013 £71m)

Accrued income represents the majority of this amount (September 2013: £39m, March
2013: £34m), and year on year the product components are similar. The larger accruals at
September 2013 are: DWP card account income for September £7m, Homephone £6m and
Bank of Ireland commissions £7m.

Additionally there are prepayments of £20m at September 2013 (March 2013 £36m). There
are two main elements: a £12m (March 2013 £28m) advance payment to Fujitsu in respect
of the 2013-14 managed service, and £4m (March 2013 £12m) - also to Fujitsu - for 2013-
14 set-up costs for their take-on of the Telephony contract.

15.3 Payables: amounts due within one year

A summary of payables categories is:

                                              29 September   31 March
                                    Section   2013           2013
Trade payables                      15.3.1    25             43
Accruals and deferred income        15.3.1    99             110
Client payables                     15.3.2    375            528
Advance customer payments                     47             50
Capital payables                              15             18
Social security                               9              10
Business transformation                       6              7
Amounts due to group companies                10             6
Government grant deferred income    10.2      188            102
NSP                                           100            -
Bank Overdraft                                25             -
Total                                         899            874

15.3.1 Trade payables and accruals

Trade payables and accruals
                                29 September   31 March
                                2013           2013
Trade payables                  25             43
Accruals, GRNI                  59             55
Agent, employee pay balances    10             24
Productivity, bonus schemes     10             16
Deferred income (Gamma)         12             7
Others                          8              8
Total                           124            153

Manual accruals and GRNIs represent the material trade liabilities at any point and are
consistent year on year, reflecting high levels of project activity commensurate with the
Network Transformation programme.

Trade payables at March 2013 included a one-off entry for Clydesdale Bank of £7m. The
remaining reduction in trade payables balances relates to the purchase ledger and Fujitsu and
BT in particular where y/e invoice levels were high.

Within agent pay balances at March 2013 is a £3m one-off accrual for DVLA payments to
agents and £7m product pay due on account of March being a five week period. (September
2013 equivalents: £nil)

15.3.2 Client payables

                    29 September   31 March
                    2013           2013
Santander           139            183
NS&I                21             28
DVLA                53             107
Utility companies   9              24
Bank of Ireland     13             8
BACS                43             59
Others              97             119
Total               375            528

March balances were impacted by the Easter bank holiday coinciding with the Post Office’s
year end, having the effect of increasing the settlement timescale temporarily. The DVLA
balance was most affected by the coinciding of year end with calendar month end.

During 2013/14 a new DVLA contract provides for changed settlement terms which has the
effect of increasing the balance on hand and is cashflow positive for Post Office Ltd.

15.3.3 Client advances

This category also includes specific, non-client, creditors as follows:

Client advances
                                                 29 September   31 March
                                                 2013           2013
Client advances, deferred income                 21             23
Postal order liability                           16             17
Homephone line rental advance payments           10             10
Total                                            47             50


15.4 Payables: amounts due after one year

Payables due after one year
                                          29 September   31 March
                                          2013           2013
Amounts due under finance leases          4              4
Bank of Ireland deferred income (Gamma)   24             24
Total                                     28             28

Bank of Ireland deferred income concludes in financial year 2022-23 and is recognised in line
with an amortisation schedule. In addition to the above sum, there is £12m in current year
trade payables and a further £7m remains to be invoiced in future years.


16. Provisions

Provisions (September 2013 £30m vs March 2013 £26m)

                                                      Crown
                                                      Conversions   Network
                                                      Project       Transformation   Other   Total
                                                      £m            £m               £m      £m
At 31 March 2013                                      7             10               9       26
Charged/(released) in operating exceptional items     (1)           15               3       17
Charged in operating costs                            -                              3       3
Utilisation                                           (1)           (11)             (4)     (16)
At 29 September 2013                                  5             14               11      30
Included within current liabilities                                                          25
Included within non current liabilities                                                      5

The Network Transformation provision relates to compensation payments due to
subpostmasters who have signed up to the new contract terms or for a termination payment
at September 2013.

Crown conversions relates to the contract with WH Smith for the original tranche of Crown
outlets franchised. The new contract relating to these branches is not considered onerous and
future income growth assumptions have been overlayed onto the existing provision,
prompting the exceptional release of £1m. This provision effectively concludes in 2014/15.

Other provisions at September include onerous property lease obligations £3m, personal
injury claims £1m, redundancy £2m, Bank of Ireland sales capability investment (Eagle
provision) £3m and the ATM business rate provision £2m.


17. Litigation and Claims- Potential Claims regarding Horizon

17.1 Post Office Limited has received various claims from subpostmasters (SPMs) alleging defects
in the Horizon system and Post Office Limited's internal processes.

These allegations were initially made in 5 claims brought through solicitors Shoosmiths.
Similar allegations have been made through:

• SPMs’ MPs;
• the “Justice for Subpostmasters Alliance” (JFSA);
• defences to court proceedings brought by Post Office Limited to recover debts from
  SPMs; and
• direct contact with Post Office Limited.

17.2 On 8 July 2013, Second Sight published an Interim Report finding shortcomings in Post
Office Limited’s internal training and support to SPMs on the Horizon system, but no
systemic problems with Horizon itself.

17.3 Following the Second Sight Interim Report, on 27 August 2013 Post Office Limited launched
a Mediation Scheme aimed at finally resolving individual complaints made about Horizon.

17.4 Sir Anthony Hooper has been appointed as Chair of the Working Group overseeing the
Mediation Scheme. He will chair his first meeting on 25 October 2013.

17.5 The Mediation Scheme has received 64 applications from sub-postmasters since it was
opened at the end of August, of which 44 have been formally accepted onto the scheme to
date. Only 1 case has been excluded at this stage, on the grounds that it is subject to an
ongoing legal process: all the other cases are either still being reviewed, are awaiting further
information or need to go through Post Office Limited’s normal investigation processes
before they would be referred to mediation. The application closure date is the 18
November 2013. SPMs will then have a month to complete their full applications before
Post Office Limited review the cases in detail. The aim is to get some cases into the
mediation process before the end of 2013 with the majority happening between January
and March.

17.6 Post Office Limited is also reviewing past and present criminal prosecutions brought against
SPMs to ensure they continue to satisfy the evidential, public interest, and disclosure
standards required for prosecutions. This review should be completed by the end of October
2013.

17.7 Post Office Limited's external firm of criminal solicitors, Cartwright King (CK), has now
completed a review of 301 cases subject to past prosecution to identify whether Post Office
Limited has a duty to disclose the findings of the Second Sight report and associated issues.
CK has concluded that disclosure is appropriate in 10 of these cases, and a short letter has
therefore been sent to each of the defence teams to bring their attention to the report. It is
now a matter for the defence in each case to determine what action, if any, they might take
in light of this additional information. Post Office Limited is also awaiting an unknown
number of further historical prosecution files from Royal Mail, although at this stage Post
Office Limited has no reason to believe these will substantially increase the number of actual
disclosures. In view of the potential interest from the Criminal Cases Review Commission,
Post Office Limited commissioned a review by Brian Altman QC of the prosecution
procedures it has followed. He concluded that Post Office Limited is complying with its duties
and that the approach adopted by the prosecution team was “fundamentally sound”.

17.8 Post Office Limited is not issuing any new criminal summons pending the instruction of a
new, independent expert who can give evidence to support the Horizon system. The process
of identifying this expert is under way.

17.9 To date, no claim has been made against Post Office Limited in the civil courts, and no
appeal has been made to the Court of Appeal against any conviction obtained in the criminal
courts.

17.10 Post Office Limited has instructed Brian Altman QC to undertake a second review, which will
look at Post Office Limited’s prosecutions approach in the context of its wider business
needs.

18. Taxation

18.1 Income statement

A breakdown of the tax credit is shown in the table below:

                                                        Half year to    Half year to
                                                        29 September    23 September
                                                        2013            2012
                                                        £m              £m
Corporation tax credit for period                       -               7
Tax under provided in previous periods                  -               -
Current tax                                             -               7
Deferred tax credit relating to the origin and
reversal of temporary differences                       2               14
Income tax credit reported in the condensed
consolidated income statement                           2               18

18.2 Factors affecting tax credits

An additional deferred tax credit has been recognised in relation to the retirement benefit
surplus on the balance sheet as the proportion of this surplus which is considered to be
recoverable through future contributions moved in the half year to 29 September 2013. An
equal and opposite entry has been recognised through equity.

The Group (POL and subsidiaries) has significant tax losses that are available for offset
against future taxable profits. It also has unrecognised deferred tax assets relating to fixed
asset timing differences. These tax losses/deferred tax assets could be recognised in the
future should suitable taxable profits arise. The tax losses/unrecognised deferred tax assets
mean that the Group should not incur any tax charges for the foreseeable future.


Post Office Limited

2013/14 Half year results report
For the period ended 29 September 2013

13 November 2013


Ernst & Young LLP
1 More London Place
London
SE1 2AF
ey.com

Private and confidential 13 November 2013

Audit and Risk Committee
Post Office Limited
148 Old Street
London
EC1V 9HQ

Dear Members of the Audit and Risk Committee

Half year results report - FY2013/14

We are pleased to attach our half year results report for the forthcoming meeting of the Audit and Risk
Committee. This report summarises our review findings and conclusion in relation to Post Office Limited’s
financial position and results of operations for the period ended 29 September 2013. Our review is designed to
express a review conclusion on the interim financial information as presented for the period ended 29 September
2013.

This report is intended solely for the information and use of the Audit and Risk Committee, Board of Directors and
management, and is not intended to be and should not be used by anyone other than these specified parties.

We welcome the opportunity to discuss this report with you on 19 November 2013, as well as understand whether
there are other matters which you consider may influence our audit.

Yours faithfully

Angus Grant
Engagement Partner
For and on behalf of Ernst & Young LLP


Contents

IAS 34 half year review procedures

Management representation letter for half year review


IAS 34 Half year review

Introduction

During the current year, for the first time in its history, Post Office Limited (‘POL’) intends to issue interim
consolidated financial statements for the period ended 29 September 2013, in compliance with IAS 34
Interim Financial Reporting. In last year’s interim, Post Office issued a trading statement which was not in
accordance with IAS 34, with selected disclosure information.

As a result, at the request of management, we have also been engaged to perform a review under ISRE 2410,
the standard that covers interim reporting procedures.

Objective of our review

The objective of our review is to express a conclusion whether, on the basis of the procedures performed,
anything has come to our attention that causes us to believe that the interim consolidated financial
statements have not been prepared in all material respects in accordance with IAS 34 Interim Financial
Reporting, as adopted by the European Union.

Review process

Our review of the Group’s financial information for the 6 months ended 29 September 2013 was performed in
accordance with ISRE 2410 (UK and Ireland) ‘Review of Interim Information performed by the Independent
Auditor of the Entity’, as adopted by the Auditing Practices Board (APB) in the United Kingdom.

A review is substantially less in scope than an audit, because it does not include:

• Tests of accounting records by inspection, observation, or confirmation
• Obtaining corroborative evidence in response to enquiries
• Application of certain other procedures normally performed during an audit, such as tests of controls
  and verification of assets and liabilities.

Our work therefore consisted primarily of making enquiries of POL’s accounting and finance staff,
executive management and applying analytical review and other review procedures.

Management anticipates that the half year results will be announced in the month of December 2013. Our
review will express a conclusion whether, on the basis of the procedures performed, anything has come to our
attention that causes us to believe that the interim financial statements are not prepared in all material
respects in accordance with IAS 34, as adopted by the European Union, for the 6 months ended 29
September 2013. We anticipate issuing an unqualified review conclusion.

Status of review

At the time of issuing this report, our review of the Interim Results is ongoing with the following items
outstanding:

• Review of final interim report including front end.
• Receipt of the Letter of Representation from the Directors.
• Subsequent event procedures to be completed through the date of our review conclusion (matters to be
  updated include: management enquiries, review of latest management accounts, and board minute review to
  date of signing).

We continue to work with management in order to complete these procedures and will provide a verbal update
at the Audit & Risk Committee meeting.

In the following pages, we set out a summary of the Half Year procedures performed and the results of our
review.


Half year review results

Interim materiality and evaluation of misstatements

We calculated an interim materiality in order to:

• Determine the extent of analytical and other review procedures to perform and evaluate the results.
• Evaluate errors of misstatement or judgmental differences.
• Come to a conclusion that the interim financial information is prepared, in all material respects in
  accordance with IAS 34 ‘Interim Financial Reporting’.
• Determine what matters of governance interest should be brought to your attention.

Our determination of interim materiality requires professional judgement and takes into account
qualitative as well as quantitative considerations implicit in the definition.

Review of primary statements numbers and support

• We performed an overall analytical review on both the Balance Sheet and Profit & Loss account (on profit
  before interest, tax and exceptional items).
• We noted that operating profit before exceptionals was £53.0m, down by 13% or £8.0m on the same time
  last year. Operating profit for the period was £185.0m, which included the gain of £102.0m arising on
  the change to the terms of the Royal Mail Pension Plan, which was reported under exceptional items.
• Based on our discussions with management, including the financial controller, the fluctuations and
  variances experienced during the period are consistent with our understanding of the entity and of its
  financial position as of 29 September 2013. As a result of our procedures, we have not identified any
  previously unidentified risks of material misstatement due to fraud.

Summary of review adjustments

• We report one unadjusted reclassification difference for £6.1m in relation to business transformation
  payments, which was also reported at year-end.
• This error is a reclassification review difference totalling £6.1m (2012/13: £6.7m) which we
  believe should be reclassified from accruals to provisions. These relate to a commitment to Crown
  branch staff for business transformation payments. As noted in our prior year audit results report,
  POL has recorded this business transformation payment as an accrual rather than a provision.
  From our review, we believe that these payments are by nature a provision and not an accrual in
  accordance with IAS 37, due to the element of uncertainty of whether the Communication
  Workers Union will accept or reject POL’s offer. There is no impact of this unadjusted review
  difference to the income statement.
• As we did at the prior year end, owing to the quantum and materiality of the unrecorded difference,
  we had to internally consult on the unadjusted reclassification difference. This consultation has been
  concluded.
• There were no other unadjusted review differences.

Conclusion

• Based on work carried out to date, aside from the above unadjusted reclassification difference, there
  were no amounts that we identified that are individually or in aggregate material to the presentation
  or disclosures of the interim consolidated financial statements for the period ended 29 September
  2013.


Revenue recognition

In the period ended 29 September 2013, POL generated revenues of £583m (including the £100m network
subsidy payment received from BIS), which was £2 1m lower than revenues for the corresponding period in
the prior year.

During our half year review procedures, we held meetings with management to go over management’s
detailed revenue schedule, which splits out the performance for every individual sub-revenue line. We carried
out a detailed analytical review on POL’s revenue lines, whilst also completing analytical reviews on POL’s
deferred and accrued revenues as disclosed in the Balance Sheet. No issues were noted during the course of
our review.

Counterparty credit

One of the significant risks that we have identified in planning our risk-based approach is that there is a
perceived heightened risk since the 2008 financial crisis over the credit risk exposure of counterparties,
particularly the Bank of Ireland.

Counterparty      Exposure at      Exposure at      Nature of business with POL
                  29/09/13 (£m)    31/03/13 (£m)    to cause exposure
Bank of Ireland   92               123              OTM Deir
IPS               22               14               Cheque clearing system
Card payments in
See ey network
30 Processing benefit
JP Morgan 76 settlements

As part of our half year review procedures, we held meetings with the Head of Corporate Finance, and noted
that POL’s method of managing and mitigating counterparty risk is consistent with that at the prior year end.
During the half-year, total client debtors (which are the main source of credit risk) decreased mainly due to
the 2012/13 year end falling on the Easter bank holiday weekend: customer ATM cash withdrawals and
benefit payments tend to be significantly higher during the holiday season. The year-end balance was also
higher since receipts from key client debtors including JP Morgan, Barclays and the Bank of Ireland were
delayed, which was responsible for the larger year end client debtors balance.

Based on the procedures performed at half year, we conclude that the counterparty credit risk is periodically
monitored and managed. We will continue to monitor the counterparty receivables balance at year end,


Pensions

For the purposes of preparing their half year IAS 34 financial statements, management have obtained an IAS
19R valuation of the pension fund surplus for their RMPP scheme, for the period ending 29 September 2013.
This valuation indicated a net pension surplus of £143m for the RMPP scheme, which is net of £21m
withholding tax of 35% on the element of the surplus which is recoverable through a refund from the plans.
POL also recognised a £2m net surplus relating to their RMSEPP at half year end.

During the period, there was a consultation exercise with members of the defined benefit RMPP scheme, on
proposed changes to the terms of the scheme. The key change was to the definition of pensionable pay,
which, broadly speaking, will increase in line with RPI, but will be capped at 5% in the future, regardless of
actual pay growth. The impact of these changes has been to increase the defined benefit surplus by £102m.
Management treated this as a “settlement” under IAS 19R, which is “a transaction that eliminates all further
legal or constructive obligations for part or all of the benefits provided under a defined benefit plan”, and
accordingly recognised this in the income statement as an exceptional gain. The exceptional gain is supported
by calculation by Towers Watson, who included this in their actuarial valuation report at half year-end. We
concur with management’s approach to account for the gain.

Our review during half-year has included us involving our own actuarial specialists, who have been established
members of our audit team since last year’s audit. As part of our review, we also held a meeting with the
Company’s actuaries. We reviewed the key assumptions that underpin the value of the pension obligation at
29 September 2013, and note that the discount rate 4.6% (4.8% in March 2013), RPI 3.3% (3.3% in March
2013), CPI 2.3% (2.3% in March 2013) and the expected rate of non-promotional salary increases 3.3% (4.3%
in March 2013) are within the range of assumptions that we would deem reasonable based on our analysis.

Management also noted that the transition to IAS 19R and the difference in accounting for interest on plan
assets and unvested past service costs did not have a material impact on the net defined benefit plan surplus
(less than £1m).

Classification of exceptional costs

Continuing the trend from the previous year, POL continues to have significant exceptional items relating to
network transformation & restructuring (£64m in the current year to date), impairments (£35m in the year to
date). These were offset by the government grant of £129m, and the Royal Mail Pension Plan amendment
gain for £102m, which management has treated as offsetting exceptional gains. This results in a net credit in
exceptional items of £132m (2012: £10m net costs). We concur with the accounting treatment and note this
is in line with IFRS.

The items included within network transformation costs and restructuring costs are consistent with those
reported as exceptional in prior years and continue to meet the Group’s definition of exceptional costs and
guidance from the accounting standards. The only new type of addition to exceptional costs during the year to
date was relating to separation costs (£2m), relating to the separation between RMG and POL, which, owing
to the one-off nature of the events giving rise to them, were deemed appropriate by management to include
as an exceptional item.

POL also has a number of exposures that are reflected in the financial statements at each year end. Total
provisions have increased from £26m to £30m in the half year ended. We reviewed the breakdown of
provisions as at the current half year end, including movements since the prior year. From our meetings
with management, we noted that the assumptions used remained appropriate for the half year accounts,
noting no issues.

Corporation Tax

In the half year to 29 September 2013, POL recorded a deferred tax credit of £2m in the income statement
and a deferred tax charge of £2m in OCI, both relating to movements on the element of the RMPP pension
surplus expected to be recovered through a reduction in future contributions.

POL does not expect to be in a tax paying position for the full year. Consistent with the position at 31 March
2013, POL has only recognised deferred tax assets up to the value of the deferred tax liability in respect of
pensions, leaving a net deferred tax balance of nil. The remaining potential deferred tax asset balances are
not recognised due to uncertainty around the availability of future taxable profits.

We have reviewed the full year forecast tax calculations and the allocation of the deferred tax figures in
respect of pensions, and made enquiries of management and Wilkins Kennedy, who assisted the POL finance
team in the preparation of the figures.

Review all board meeting minutes in the half-year

• We have reviewed all the meeting minutes for all board meetings up to the latest date at time of issuance
  of this Report, being the Pensions Sub-committee on 7th October 2013. No further issues to note. We will
  obtain meeting minutes for all board meetings up to date of releasing our review opinion for the half year
  financial statements.

Review of current material litigation & regulatory fines, compensation and accruals

• The POL finance team provided us an update on all material provisions and exceptional costs in the
  business incurred during the half-year. We noted that no material provisions or exceptional costs were
  incurred or booked in relation to litigation and regulatory fines.
• We made enquiries of POL’s legal counsel to gain an update of POL’s litigation and compliance with laws
  and regulations since year-end, with no issues noted.
• We discussed the Horizon subpostmaster claim with POL’s legal counsel and financial controller. It was
  noted that management had not made any reserve related to the Horizon subpostmaster claim to date
  and have assessed they did not require to make one. Based on our discussion with management, we agree
  that their view appears to be reasonable. We also discussed the progress on the legal situation concerning
  POL potentially having to pay a separate business tariff on its ATMs in retail premises. A provision had
  been made in the March 2013 financial statements for £1.7m. Management and legal counsel continue to
  believe the likelihood of paying these backdated business tariffs is highly probable, and have increased the
  half year end provision to £2.0m. Based on discussion with management, we agree that their view
  appears to be reasonable.
• We will continue to revisit and gain updates from management on the situation through the audit.
• We also reviewed the minutes of all board meetings and sub-committees and noted there were no other
  material litigation claims or regulatory claims that management should consider providing for.


Management representation letter for half year review

Angus Grant
Ernst & Young LLP
1 More London Place
London
SE1 2AF

xx December 2013

Dear Sirs

Post Office Limited

This representation letter is provided in connection with your review of the condensed consolidated balance
sheet of Post Office Limited as of 29 September 2013 and the related condensed consolidated statements
of income, changes in equity and cash flows for the six-month period then ended for the purposes of
expressing a conclusion whether anything has come to your attention that causes you to believe that the
interim financial information is not prepared, in all material respects, in accordance with International
Financial Reporting Standards as adopted by the EU.

We acknowledge our responsibility for the preparation and presentation of the interim financial information
in accordance with International Financial Reporting Standards as adopted by the EU.

We confirm, to the best of our knowledge and belief, the following representations:

a) The interim financial information referred to above has been prepared and presented in accordance
with International Financial Reporting Standards as adopted by the EU.

b) We have made available to you all books of account and supporting documentation, and all minutes of
meetings of shareholders and the board of directors.

c) There are no material transactions that have not been properly recorded in the accounting records
underlying the interim financial information.

d) There has been no known actual or possible noncompliance with laws and regulations that could have a
material effect on the interim financial information in the event of noncompliance.

e) We acknowledge responsibility for the design and implementation of internal control to prevent and
detect fraud and error.

f) We have disclosed to you all significant facts relating to any known frauds or suspected frauds that may
have affected the entity.

g) We have disclosed to you the results of our assessment of the risk that the interim financial information
may be materially misstated as the result of fraud.

h) We believe that the effects of any unadjusted review differences, summarised in the accompanying
schedule, accumulated by you during the current audit and pertaining to the latest period presented are
immaterial, both individually and in the aggregate, to the financial statements taken as a whole.

i) We confirm the completeness of the information provided to you regarding the identification of related
parties.

j) The following have been properly recorded and, when appropriate, adequately disclosed in the interim
financial information:

   • Related party transactions, including sales, purchases, loans, transfers, leasing arrangements and
     guarantees, and amounts receivable from or payable to related parties;
   • Guarantees, whether written or oral, under which the entity is contingently liable; and
   • Agreements and options to buy back assets previously sold.

k) The presentation and disclosure of the fair value measurements of assets and liabilities are in
accordance with International Financial Reporting Standards as adopted by the EU. The assumptions
used reflect our intent and ability to carry specific courses of action on behalf of the entity, where
relevant to the fair value measurements or disclosure.

l) We have no plans or intentions that may materially affect the carrying value or classification of assets
and liabilities reflected in the interim financial information.

m) We have no plans to abandon lines of product or other plans or intentions that will result in any excess
or obsolete inventory, and no inventory is stated at an amount in excess of realizable value.

n) The entity has satisfactory title to all assets and there are no liens or encumbrances on the entity's
assets.

o) We have recorded or disclosed, as appropriate, all liabilities, both actual and contingent.

To the best of our knowledge and belief, no events have occurred subsequent to the balance sheet date and
through the date of this letter that may require adjustment to or disclosure in the aforementioned interim
financial information.

Christopher Day

Chief Financial Officer


Strictly Confidential

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Update on various Financial Services matters, including Bank of Ireland (UK) plc capital & liquidity

1. Purpose

1.1 The purpose of this paper is to update the Committee on the:

• Bank of Ireland (UK) plc's (“BoI”) capital and liquidity position against its
  regulatory and Eagle contract requirements;
• Prudential Regulatory Authority's (PRA) stress testing framework for the UK
  banking system and potential impact on BoI;
• Financial Services sales strategy development;
• Financial Conduct Authority's (FCA) forthcoming review of the Post Office
  mortgage strategy; and
• Project Polo.

2. Bank of Ireland (UK) - Capital and Liquidity position

2.1 Under the Financial Services Joint Venture Agreement (“FSJVA”), BoI must attest
that it is meeting the capital and liquidity levels set out in the agreement. This is
part of the early warning system that would enable the Post Office to take action
within the termination provisions, should this become necessary.

2.2 BoI has confirmed that it continues to meet its obligations during 2013, providing
certificates on 27th March, 3rd June and 23rd August that, on each occasion:

• BoI's Core Tier 1 Capital Ratio exceeded the amount required in the FSJVA;
• BoI was holding a surplus over its regulatory liquidity requirements;
• BoI is meeting the Capital Planning Buffer as set by the regulator.

2.3 Post Office is of the view that BoI remains well capitalised with surplus liquidity.

2.4 The public rating agencies’ ratings of BoI's parent (BoIG) are stable, but remain a
grade below “investment-grade”, viz:

• Moody's - Ba1 with negative outlook (April 2013) - this is the same as BoI;
• S&P - BB+ stable outlook (July 2013) - revised up from negative.

2.5 BoIG's financial position continues to improve. Recent announcements include:

• September 2013 - raising €500m of 7 year long term Irish covered
  bonds/assets covered securities. The offer was significantly over-subscribed,
  confirming that BoIG has access to the long term capital markets.

• August 2013 - BoIG’s net interest margin rose 31 basis points to 165 bps in
  the six months to June and reached 190bps for the three months to
  September; this is on track to reach the public target of 200bps. Underlying
  losses fell to €383m from €933m in the previous year. Excluding provisions
  of €780m, BoIG made an operating profit of €380m.

• July 2013 - BoIG has had its proposed changes to the EU restructuring plan
  approved, allowing it to retain the Irish Life business but exit UK commercial
  and corporate banking and intermediary mortgages in Ireland.

• October 2013 — BoIG announced agreement with the IBOA¹ to change the
Bank’s major defined benefit pension scheme. The resolution amends
benefits, reducing IAS 19 deficit by approximately €400m.

• As at 30th June 2013 BoIG had €72bn of customer deposits of which €26bn
were held in the UK, with Post Office customers accounting for 72.7%
(€19bn) of the UK balance sheet and 26.4% of the Group’s deposits.

• BoIG's residential mortgages (before provisions) were €52.25bn of which
€25.14bn were held in the UK.

3. PRA’s stress testing framework for the UK banking system

3.1 In March 2013, the Bank of England Financial Policy Committee recommended
that the PRA develop proposals to stress test UK banks. The approach would
provide a quantitative, forward-looking assessment of the capital adequacy of the
system and of individual institutions.

3.2 In October the PRA issued a Discussion Paper setting out the methods and
scenarios it would follow.

3.3 If the stress-testing changes BoI’s capital and liquidity requirements, BoI will be
required to certify to the Post Office that it is meeting any new standards.

4. Update on Financial Services sales effectiveness

4.1 The new FS sales and supervisory structure is now operational:

• There are 274 Financial Specialists (FS) in the network, with 2 FS Regional
and 35 FS Area Managers appointed (with 32 accredited and live).

• 76 offers have been made to Mortgage Specialists (MS); all MSs will
complete Mortgage Market Review training to meet the new regulatory
requirements from April 2014.

• We are piloting a limited deployment of FSs in agencies. These FSs are
subject to Post Office's new supervisory structure.

• We have begun the roll out of the new sales process, focusing on
understanding customers’ needs, supported by a new incentive scheme
covering MSs, Financial Services and Crown Regional and Area
Managers². The new incentive scheme for FSs is being developed for
deployment in January 2014 (deployment has been delayed by a lack of
engagement from the CWU)³.

5. FCA’s review of the Post Office mortgage strategy

5.1 As part of the FCA’s regular oversight of BoI, it has notified the Bank that it
intends to conduct a “deep dive” assessment of the BoI-Post Office mortgage
strategy. This will assess whether BoI has appropriate governance arrangements
in place to ensure sufficient consideration is given to the customer in the
formulation and implementation of the branch mortgage strategy.

5.2 In making its assessment, the FCA will seek to understand:

• BoI and POL’s strategy development process, including its consideration of
customers’ interests against the commercial needs of the business;

• The effectiveness of the governance arrangements for the implementation
and oversight of the strategy;

• The identification and mitigation of conduct risks which could lead to
customer detriment; and

• The communication of the strategy and conduct standards to frontline staff.

¹ Irish Bank Officials Association.
² All these managers fall within CMA linked, or higher, grades.
³ A briefing paper on the new incentive structure is due to be presented to the Post Office Board in
November.

5.3 The FCA assessment will comprise:

• an analysis of documentation;

• interviews with key BoI and Post Office executives; and

• a visit to a Post Office branch.

5.4 BoI is currently collating the necessary information and notifying individuals that
they will be interviewed by FCA. All interviewees will be accompanied by a
member of the Bank compliance team.

6. POLO update

6.1 The Proof of Concept trial (launched 13th May) has generated 1,623 applications
and 818 sales, with a further 80 in the account opening referral process.

6.2 An extensive risk governance structure is in place for product sales, including
post-sale customer care calls, mystery shopping and regular engagement with
the FCA/PRA (including an FCA branch visit).

6.3 The FCA focus continues to be on Packaged Accounts. Following a branch visit it
advised that Health Declaration questions for travel insurance should be
delivered orally by branch staff — this has been adopted. More recently the FCA
has challenged banks to advise customers when they have dual insurance with
the same provider — Post Office is working with BoI to develop a solution that
meets the FCA’s requirements.

7. Recommendations

7.1 The Committee is asked to note the update.

Nicholas Kennett
Director, Financial Services

November 2013

9. Papers for noting

STRICTLY CONFIDENTIAL

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Information Security and Assurance Group
Brands Database Update

1. Purpose

1.1 The purpose of this paper is to provide the Committee with an update on the current
state of the controls framework and future plans for the Brands¹ Database and
subcontractor.

1.2 Brands is managed by Marketing who liaise and assign work with the prime supplier of
these services - RAPP², and engage with specialist marketing analytical suppliers under
RAPP’s direction. Marketing are supported by the Information Security and Assurance
Group who undertake some due diligence exercises in these activities.

2. Background

2.1 ARC have specific concerns around the Brands Database as it is the Post Office’s
largest database of personal information, which includes approximately 30 million
records. Furthermore, ARC acknowledges that there is a heightened level of risk due to
the sensitivity of information held, the number of records, and potentially the suppliers of
marketing services.

2.2 Due to the nature of the Brands Database, a Control Framework is maintained by
Marketing which has recently been reviewed by Information Security and Assurance.

2.3 The records for the Brands Database are generated from a number of services provided
by our suppliers; these include:
• Bank of Ireland and their product suppliers;
    (i) Family
    (ii) Junction
    (iii) NIB
    (iv) Aviva
    (v) Aegis
• Aon;
• FRES;
• Cap Gemini;
• HP; and
• Fujitsu Homephone and Broadband.

3. Current State of Brands, RAPP and Draft FCB

3.1 RAPP maintains the records from the Brands Database; there are also a number of
specialist service providers in the RAPP supply chain. These are listed within the Brands
Control Framework. Information Security and Assurance have recently reviewed the
Control Framework and have noted some gaps which, unless resolved, increase the risk
of data loss.

¹ Brands is the Post Office Marketing Database containing all customer (personal data) and product records.

² RAPP is the prime supplier of Post Office Marketing Services and holds the complete Marketing Database

3.2 RAPP is ISO27001³ certified, and subject to Post Office Information Security Standard
due diligence, which includes a regular Information Security Management Forum (ISMF)
between Post Office and RAPP representatives. The purpose of the ISMF is to discuss
risks, issues, incidents and on-site reviews. Despite these assurance activities there
have been some Data Protection incidents over the last 6 months, which have been
investigated by Post Office Information Security and Privacy and Data Protection and
have been found to be as a result of RAPP employee error. Marketing have therefore
concluded that they may have to exit their contract with RAPP, refer to Appendix B for
Exit Report.

3.3 Further to this, Information Security were requested to undertake a review of DraftFCB⁴,
a recent addition to the RAPP supply chain and a specialist supplier of marketing
analysis and services.

3.4 DraftFCB lists Post Office as one of its many high profile clients on its website; it is
owned by Interpublic Group (IPG)⁵ and is globally compliant to Sarbanes Oxley (SOX).

3.5 An on-site review of DraftFCB was conducted by Information Security and Assurance in
October where their designated global CISO was in attendance. It was found that
DraftFCB already have access to some aspects of the Brands Database, via RAPP. It is
currently understood that this data is anonymised, although some DraftFCB staff have
intimated that there is indeed sensitive Post Office Data included that has not been
anonymised.

Although the report is in Draft status an interim view has been provided to Nick Fox —
Senior Manager, Customer Management. It is recommended that there should be no
further sharing of Post Office information until they are fully compliant to Post Office
Information Security Standards (including Privacy and Data Protection requirements).

Future Plans

4.1 Marketing are currently producing an exit plan from the RAPP contract which looks to
exit by December 2014. See Appendix A.

4.2 Marketing is considering next steps for their relationship with DraftFCB, however, this
will have to be dealt with cautiously, particularly, if it is found that they do have access to
Post Office sensitive data.

4.3 Recent meetings with Nick Fox have resulted in him meeting DraftFCB; armed with
Information Security and Assurance advice to not share any further information with
DraftFCB until they have resolved the issues that were found and to ensure any data
they currently have is secured.

The Head of Information Security and Assurance has engaged with Martin George the
new Head of Commercial, who is fully supportive and understands the need to utilise the
specialist skills within Information Security and Assurance. Martin George has directed
his team to engage with Information Security and Assurance to ensure that appropriate
risk assessment and mitigation is implemented, and that the Brands Control Framework
is fit-for-purpose. This activity will assist in raising confidence in the Control Framework
and provide an audit trail of steps taken to protect Post Office Customer Personal Data.

³ ISO27001: An International Standard covering the specification and management of an organisation's Information
Security Management System. The guidelines and general principles for initiating, implementing, maintaining and
improving information security management within an organisation.

⁴ DraftFCB - http://www.draftfcb.co.uk/ is providing specialist marketing services to Post Office Marketing

⁵ Interpublic Group (IPG) http://www.interpublic.com/ Parent company of Draft FCB

4.4 Actions underway:

• Assign an Information Security and Assurance consultant as a ‘point of contact’ for
Marketing.

• Provide Marketing with a complete review and update of the Brands Control
Framework - end November 2013

• Marketing to set up a ‘Show and Tell’ about their activity to ensure that other
projects are addressed.

• Interaction with Company Secretariat to ensure that new and renewed contracts
have input from Information Security and Assurance before signature. This is
currently underway and was part of the Company Secretariat's intention to review
their processes. An update is planned for 13th November 2013.

Request

5.1 ARC is asked to note the content of this paper.

Julie George
Head of Information Security and Assurance
November 2013

Appendix A - RAPP Exit Report (Written and instigated by Marketing)

Background

Rapp is an external supplier used by POL to manage the Brands Database which holds all the
POL customer data and is used for direct marketing and Call Centre background information.

Rapp also runs the direct marketing campaigns for POL.

Incident Summary

During the period April 2013 to July 2013 there have been 3 incidents caused by human error
by Rapp staff:

1. An unencrypted email attachment containing personal client details of 2,322 individuals,
was sent 10/04/13 from Rapp to HiFX, (supply/management of International Payments),
copying in Firstrate (FRES) and POL.

2. An erroneous Travel Money e-mail sent 31/05/13 by Rapp to 559,900 POL customers,
advising that travel money is ready for collection at the POL branch. These customers
had not reserved travel money. If the error had not been identified by POL the e-mail
would have gone to 3.3m POL customers.

3. Erroneous Travel Insurance and Travel Money e-mails sent between 24/07/13 and
04/08/13 by Rapp to 2,707 Travel Money POL customers and 1,150 Travel Insurance
POL customers, advising that the wrong product has been purchased and trying to
cross-sell the product they have already purchased.

Contractual Position

Rapp is a Data Processor for POL, and they have signed the new contract with Information
Security and DP House Position Clauses. There is therefore no ambiguity regarding the DP
relationship.

The contract was renewed in April 2013 and runs to April 2015, but with 6 months break clause
from May 2014.

Risk Assessment

For each of the incidents it was the POL opinion that the incident would not be required to be
reported to the ICO, in line with their guidance.

Despite none of these incidents requiring notification to the Information Commissioner, it would
look bad for POL if there was to be an incident that comes to the attention of the Information
Commissioner. The Information Security Committee has requested that an Exit Report be
presented at the 08/10/13 meeting.

Risk Mitigation

Rapp has implemented a new Management control, which is performed prior to any campaigns
being broadcast. In addition POL is creating a Brands Controls Framework, which will
document control gaps and recommend controls gap remediation.

Exit Strategy options
1. Continue with the current Rapp contract — not recommended

POL could continue to utilise the Rapp services until the end of the current contract (April
2016).

This is viewed as having too high a risk from an Information Security, Data Protection and
Marketing perspective.

2. Utilise the Customer Management Programme as an exit - recommended

The Customer Management Plan to further develop POL’s Customer Management capabilities
was endorsed by the ExCo on 20th August but not yet authorised by the POL Investment
Committee (POLIC).

A key element of the Customer Management Plan is the decommissioning of the Brands
database once it has been replaced by Single Customer View (SCV) on the Common Digital
Platform (CDP).

The CDP will be available for development from February 2014. All the Data Centre (DC) Tower
Services will as part of IT&C Transformation be available from June 2014 to September 2014.

It will therefore be possible to implement SCV by October 2014, with a 6-month parallel running
with the Brands database.

3. Interim solution prior to Customer Management Programme — not recommended

It will not be possible to develop an interim solution significantly faster than the SCV solution,
because of the complexity of the customer data needing to be loaded.

4. Terminate the Rapp Contract now — not recommended

To terminate the Rapp Contract with immediate effect will cost (Legal to confirm cost — not
available as at 12/11/2013) in penalties.

It will also make it impossible for POL to conduct direct marketing and provide the Call Centre
background information.

Next Steps
1. Business and Information Security Committee sign-off for the Exit Plan
2. Completion of the Brands Controls Framework
3. Implementation of SCV.

4. Decommissioning of Brands and the permanent removal of all data.

Ole Christensen 11/09/13

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Internal Audit - Activity Update

1. Purpose

The purpose of this paper is to:

1.1 Update the Committee on the outcome of the POL IA audit activity since the
previous

1.2 Outline the planned, requested and proposed audit and advisory work for
Q3/Q4

1.3 The committee is requested to note and provide directions as necessary.

Outcome of recent audits

2.1 Branch Audit. - Outcomes. Challenges presented in the audit review are input
to the wider considerations of future training and branch review arising from
the Second Sight work

2.2 As reported at the ARC in September, internal audit work on the efficiency
and effectiveness of the function itself was completed in August 2013 with a
primary recommendation to management that the future direction needed to
be confirmed (see appendix 1). This report was followed up with a separate
paper prepared for the October Executive Committee so that an agreed
position would be reported to the November ARC.

2.3 However it proved essential for the business to consider its options in light of
the recommendations arising from Second Sight and the options for the
currently combined FSA audit/training. The paper on options for branch audit
is thus an input to the Executive Committee to consider the implications of
these. The reason being that a broader set of issues need to be considered
of which the future of branch auditing would be a part.

2.4 At the time of writing, POL IA is in discussion with Executive Committee
members.

• A copy of the original audit summary is in the appendix but ARC members
are advised that this report was focused purely on the operation of the
function.

• A separate draft paper is under review. Whilst the initial audit report
outlined several structural options which are included in the Executive
Committee paper, this includes a recommendation for the building and
implementation of a higher skilled and broader focused Retail Audit
capability. This would require a full capability assessment, transitional
costs and training which would probably require a 12-24 month
implementation period.

2.4 Summary of other recent audit activity and outcomes since last Audit Committee.

Business Area reviewed: Software Licensing Management

The committee is directed to the Executive Report Summary in the Appendix.

This is a significant risk which management is now engaged on including the issues
arising from the privatisation of Royal Mail and under which the licences originally
operated and were managed.

This is part of the Separation programme and needs to reflect the transition of IT
services to the System Integrator (ATOS) and Towers model.

Overall there were 11 agreed actions of which 7 were rated as red and 4 as amber. The
major actions agreed are shown here.

Assurance: Low

Outcomes: As a result of the audit, the business, under the direction of the CIO will:

• Define its own software licensing policy and include clear roles and responsibilities
for POL and the Service Integrator and Service Desk (SSID) - recently awarded to Atos.

• Assign the ownership and governance of Software licensing immediately to POL’s
Support Service function.

• Ensure that Atos will apply the key operational requirements for managing software
licenses once Atos is fully on board.

• Ensure that POL Procurement will remind the business that all software licences must
be procured via the Procurement teams and not directly by the functioning department.

• Define a governance and management process to gain on-going day to day assurance over
software licensing.

• Deploy that process over the SSID

Key Risks impacted: Operational, and Regulatory risks.

IT & Change Level risks impacted (Based on current risk map — Sept 2013) - Not
specifically identified.

Executive Level Risks impacted: (based on current risk map) Non compliance with
regulatory or contractual obligations.
Business Area reviewed: Local Area Network — Access and Identity Management

The committee is directed to the Executive Report Summary in the Appendix.

As security on POLSAP and Horizon was heavily examined both internally and externally in
2012/13, the POL IA Audit plan focused on how access to the local area network (laptops,
desktops etc.) was managed and controlled.

Overall 21 specific actions were agreed. Of these 13 were rated as red and 9 as amber.

Assurance: Low to Medium

Outcomes:

• The Information Security Assurance Group will work with HR to better define the access
rights based on roles and job needs for access via the LAN

• A process will be installed to ensure access rights will be reviewed when employees
change function/role.

• A periodical review of users LAN access rights will be put in place.

• Leavers access will be disabled on a timely basis and a process to confirm recent
leavers and check access will be implemented.

• The governance of the IAM process will be defined as part of the Future Operating
model, defining clear roles and responsibilities for POL, SISD and towers (e.g. EUC).

Key Risks impacted: Information Security Risks (Confidentiality, Integrity, Availability)

Business Area reviewed: Finance Road Map — new system (CFS)

Internal Audit maintains an on-going audit presence in this programme. This includes
examination of processes, key documents and controls, programme governance, risk
management and attendance at selected key meetings.

As appropriate IA issues a “highlight” report to the Programme Board.

The latest was issued in late September 2013 and covered IA work on risk management,
Programme governance and Financial elements.

Outcomes: Risk Management Improvements. Under the management of the Programme manager
and oversight by the Programme Board, the programme will:

Risk Management:

• Re-establish the monthly process to update the top level risk map, showing any
movements or new risks for the FRP Board to consider.

• A weekly process will be established to discuss top level and project level risks and
the associated risk and action table with the rest of the team. This should incorporate
updated risks from Project Server

• A risk and action table should be maintained

• All risk issues discussed or raised at FRP board meetings will be documented and the
risk map and action table updated accordingly.

Governance

• The Design Authority Terms of Reference will be reviewed to reflect any changes in
remit and membership. Changes should be approved by the Programme Board.

• DA meeting efficiency of meetings will be improved including ensuring meeting minutes
are complete and accurate.

• The Programme Board Terms of reference will be reviewed to confirm scope and approval
authorities and quorate.

Finance

• Programme finances, specifically run/burn rates will be reviewed on a regular basis
and reported to the Programme Board.

• Savings and reallocation of spend will be discussed with POL Finance teams in
accordance with POL Finance procedures.

Key Risks impacted: An on going Assurance level was not provided in this highlight memo.

The key risks related to:

Programme risks not being effectively communicated and discussed at the FRP Board level
leading to false levels of assurance.

Decision making across the programme.

Clarity of financial spend.
3. Other Programmes and Project Assurance work

3.1 As the resource assigned to include Programme Assurance work as part of
their remit has been conducting the Treasury Audit as part of the agreed audit
plan, planned preparation for review of another of the transformation board
programmes has yet to take place.

3.2 As recently communicated separately to the ARC members, the current IT
audit plan will be amended to allow the IT audit manager to devote significant
audit time in the rest of the 2013/14 programme to providing independent
assurance over the transition to the SSID (ATOS). This transfer should be
complete according to management plans by April 2014 and is a high risk
area. The ARC members have supported this change.

• IT audits in POLSAP and HR SAP security have been dropped from the
current year’s programme along with the review of Information Security
Governance. The proposed review of IT Change Management will be
reassessed in January 2014.

3.3 Experience since the establishment of POL IA has proven that it is not resourced to
review each programme within the overall Transformation Programme as well
as conduct assurance work in other higher risk non-programme/project parts
of the business. POL IA has so far (since mid June 2013):

• Reviewed the effectiveness of the SPMO as reported in September as this
is an entity level control over the programme of change.

• Established project assurance over the FRP programme and is reporting
on an on going basis as this was the first of the targeted three
programmes to review in 2013.

• Identified the IT transition work as a high risk priority and has commenced
planning as highlighted above.

3.4 In light of further discussions with the ARC chair in early November 2013
POL IA will:

• Consider how some assurance over the CTP and NTP programmes can
be obtained. This will require the Audit Manager who focuses on Supply
Chain and Network to postpone planned reviews of the business
continuity programme and review of the branch profile model (run by the
Security department) into next year’s plan. This work would be done
jointly with the Audit Manager for Programmes and Projects.

• Given the ARC priorities about risk management across the business, a
proposed review is an overall assessment of the risk processes and
management at Transformation Board/SPMO and within transformation
projects. This will enable IA to obtain a view on a specific theme without
the need to get closely involved in a fuller programme assurance review.

• As part of the planning for 2014/15 IA will review and document an overall
assurance map of the Transformation Programme for future discussion
with the ARC members and management. An assurance map shows
where all types of assurance come from of which Internal Audit is one
source, albeit the most independent one.

Current Activity and Q4 planning

The following audit and advisory work is underway.

• Treasury Review

The governance, risk management, processes and controls employed by
the recently established POL treasury function following the separation
from Royal Mail. Review of the process, controls, decision making and
authorisation for managing the amount of cash to be held in the branch
network vs. balances in cash centres or with the Bank of England.
(Optimisation of interest earnings vs. sufficient stock in the network risk)

• Swindon Stores - Swindon is a core operational site supporting the valued and non valued
stock distribution across Post Office. It was last reviewed in 2010. Some
parts significantly automated, others manual. Key risks include security,
financial loss, continuity to branches and general operations.

Items planned for Q4 per original 2013/14 plan

• Benefits Realisation - A review of the overall approach for transformation,
and application of guidance issued to selected individual projects, and the
measurement methods being used. The risk is that projects and
programmes don’t apply sufficient data/metrics before and during the
programme to enable the project to be properly assessed during and post
implementation.

• Re-Assessment of Programme Assurance coverage.

• Assessment of the 2nd line defence function — Supply Chain Compliance
team. This team reports to the Supply Chain Director as part of Network
and Sales Directorate. It is mainly focused on compliance to ISO
standards for external assessment and accreditation.

o Examination of the depot/cash centre auditing processes.
Assessment of scope, coverage and auditing techniques.
Assessment of the degree of assurance that the board can obtain
from current approaches.

Items now under review for either consideration in final quarter or
postponement to 2014/15 from original plan.

• Business Continuity Readiness Assessment. Assessment of the actual
plans in place across key operational and business sites in POL.

o Whilst a project is underway to establish a full Business Continuity
Management, process and policy, documents and plan exist in
various locations. The audit will determine the company's
readiness and ability to react quickly after notification of a major
incident. Review of current in progress BCM policy and procedures
and future plans. Link to management of company reputation.
Includes IT Disaster Recovery/Incident management.

• Social Media — management of reputational and security risk. Social
media presents opportunity for Post Office. The immediacy of social
networks and tools and instant communication increases the risk of
reputational damage either maliciously or unintentionally. Review of
company policy over usage by communications staff and general staff and
its application. - Assessment of the residual risk facing the organisation.

• IT Change Management — as indicated above and the IT Security testing.

• Information Security Governance. (POL IA have on going involvement
with the revised team and committees)

5. 2014/15 Internal Audit plan

5.1. Commencing in November and running through to January, the IA team will
be building the 2014/15 internal audit plan for approval at the February 2014
ARC. The plan will follow normal processes and will include use of the
emerging risk management framework, current control frameworks allied to it,
discussions with senior management, items identified by POL IA itself and
items raised by ARC members.

6. Summary of above
• Complete Treasury and Swindon audits.
• Commence IT Transition to Atos programme assurance
• Re-assess programme assurance activity for remainder of year
• Commence proposed overall risk assessment review of Transformation
programmes
• Commence audits of Benefits Realisation, Supply Chain Compliance team
• Continue with project assurance work on the FRP programme (now in Build
phase).
• Replan remaining items
• Commence and complete the planning for 2014/15 for ARC approval in
February 2014.

7. Actions
7.1 The Committee is requested to:
• Note the outcomes of the recent audits and reviews.
• Support the revised priority activity for the remainder of the year and direct as
necessary

Malcolm Zack
Head of Internal Audit
19th November 2013
NETWORK AUDITING-APPROACH, METHODS AND ASSURANCE

Audit Highlights and Opinion

Overall Assurance: Low

The Audit and Risk Committee (ARC), requested a review of
the branch auditing approach within the context of how Post
Office is audited overall.

Crown, retail multiple and agency branches are subject
to various types of audit visits conducted by the Network
Support team. They conduct audit and training activity at
a cost of approximately £6M per year with a team of
220

Audit activity is restricted to the checking of cash and
stock and the validation of procedural compliance
questions.

There is a lack of independent assurance over Branch
Operations

Results and management information are insufficient to
give senior management a view of control

Follow up mechanisms that ensure the control
environment is maintained / improved do not formally
exist.

Executive Responsible
Distribution (date)

Prepared By

Opinion

Based upon the audit work undertaken a low level of
assurance is given over Network Auditing.

Kevin Gilliland

Garry Hooton

Reviewed By

1) Approximately 30% of the estate is
covered each year

2) The financial audit
programme is well established and
structured

3) Network Auditing provides a
development route for experienced
counter staff and managers

4) Large pool of experienced staff

Top Priority Agreed Actions
1) To discuss and agree a way
forward for network auditing, such
that it can provide meaningful
assurance to the business and the
board.


No assurance over Branch Operations,
other than cash and certain valued stock

Poor management information, only
statistics of visit numbers get reported

Resource is utilised for both audit and
training.

Activity is constrained by the 35 hour
working week (capacity is reduced
because this includes travel time)

Company are usually owed hours from
the hours pool - inefficient use of
resources

Currently not a professional audit
service

Value for money is not achieved through
the current activity

Audit reports are not effectively
, to highlight common

Chris Day, Susan Crichton, Roger Gale, Drew McBride

Malcolm Zack

Local Area Network - Identity and Access management

Audit Highlights and Opinion

Identity and access management (IAM) is a cross-function
process to manage who has access to what
information over time. The audit focused on the IAM
process on the Local Area Network (LAN) (including
access to POL network, SharePoint, File Share). The
review was part of the 2013/14 audit plan agreed with
the ARC.

SAP and Horizon systems were out of scope.

POL currently applies the RMG IAM process which
for the local area network is managed by CSC.

The review was focused on the IAM process steps
performed by POL and took place between August
and September. The purpose of the audit was to
identify current process gaps, eventual access risks
and mitigation actions to be taken into consideration in
the ‘to be’ IAM process after the separation.

Limitations: POL IA does not have full audit rights to
CSC since formal separation so technical LAN
security tests were limited. The review focused on
forward looking issues as IT transfers to the SSID and
tower model.


Executive Responsible

Distribution (October 31st 2013)

Prepared By:

Opinion

Based upon the audit work undertaken a low to
medium level of assurance is given over the IAM
process for the local area network. This is based on
the lack of process definition and end to end overview
of process steps within POL. Furthermore the
business has no overview of users’ access rights to
the local area network (shared drives, applications,
SharePoint, etc.) and potential segregation of duties
conflicts.

Lesley Sewell

Elena-Raluca Nistor

Identity is managed based on unique
user IDs.

LAN accounts are locked (for 30min)
after a defined number of
unsuccessful logon attempts (e.g.
10).

An authorisation process is in place
for creating new accounts and
granting them access rights.

An IT process governance exercise is
on-going (under the IT
Transformation umbrella) to identify
the ‘to be’ IT process and IAM
ownership, roles and responsibilities
are considered to be assigned.

IAM tools, including a provisioning
system, which would allow a full
overview of all accounts access rights
and their management are not in
place.

Unauthorised access attempts to LAN
are not reported to POL Information
Security team.

Examples noted of LAN accounts’
passwords being shared which is
contrary to company policy

Overall Assurance: Low

1) There is no overview of all local area
network accounts access rights.

2) Access rights are granted on a ‘mirroring
with a similar account role’ base instead
of a fit for job principle.

3) Movers’ access rights are not reviewed
and updated to remain fit for job.

4) Leavers accounts are not systematically
disabled in time and there is no control.

5) No review of accounts access rights is in
place.

Top Priority Agreed Actions

1) Role based access rights (on LAN) will
be defined jointly by ISAG and HR.

2) Access rights will be reviewed when
employees change function/role.

3) A periodical review of users LAN access
rights will be put in place.

4) Leavers access will be disabled on a
more timely basis and a process to
confirm recent leavers and check access
will be implemented.

5) The governance of the IAM process will
be defined as part of the Future Operating
model, defining clear roles and
responsibilities for POL, SISD and towers
(e.g. EUC).

Reviewed By :

Julie George, Dave Hulbert, Fay Healey, Joe Conner. cfi: Chris Day, Paula Vennells

Malcolm Zack Status: Final ver 1.0


Risk and Control Dashboard

Overall risk

Risk that the confidentiality, availability and
integrity of data and information is compromised.

As at: 30/09/2013

Process governance

Risk that the IAM process and related policies are not fit for
purpose and they do not cover information risks.

Key Controls

• IAM policies have been defined, and they contain clear IAM
controls which are fit for purpose, ensuring the process
goal is achieved.

• Policies are reviewed periodically (at least once per year)

• IAM roles and responsibilities to cover the end to end
process have been clearly defined and communicated to
parts involved in the process.

• Process monitoring controls are in place, to ensure
process efficiency.

• Tools are in place to ensure IAM is managed in an efficient
way.

Segregation of duties

Risk of misuse of information and data due to conflicting access
rights

Key Controls

• Conflicting access rights have been identified and there is
a process in place to ensure a user will not be grat

• Process in place to ensure users are not granted
conflicting access rights

• Process in place to search for and remove conflicting
access rights

User management

Risk that the business is unable to identify who did
what and when with the information accessed.

Key Controls

• Unique user IDs are given to all users

• All defined accounts are known and stored in a
central repository

• Passwords must be in place (and complexity criteria
should be activated)

• Passwords or any other authentication credentials
must be kept secret (not written down, disclosed or
shared)

Authorisation management

Risk that systems and data are accessed without
appropriate authorization.

Key Controls

• Access logs are activated and they are periodically
reviewed or alerts are set in case unauthorized
access attempts are done.

• Critical activities of privileged account are identified,
logged and monitored.

• Accounts are locked after a number of unsuccessful
logon attempts.

Risk that the business is unable to identify and stop
unauthorized access attempts.

Key Controls

• All requests for new and changes for accounts
access rights are approved.

• Access rights are granted based on a job need
base concept

• Access rights which have not been used for an
extensive period of time, 60-90 days, are
reviewed and disabled

• Access rights of users moving roles are reviewed
and updated to remain fit for job.

• Leavers accounts and access rights are disabled
and deleted within a defined period of time.

• Accounts and their access rights are periodically
reviewed by the line manager and/or the
system/data owners.

Controls or processes not in place

Controls or processes not fully in place to address risk

Controls in place and operating effectively

Not yet assessed
Software Licensing Management
Audit Highlights and Opinion

Overall Assurance: LOW

• Software Licensing Management (SLM) is a
structured and systematic approach to managing the
full lifecycle (from purchase to disposal) of software
licences in an on-going, proactive basis.

• As part of RMG, POL has been following a RMG SLM
process run by CSC and currently POL is going
through a transition phase to separate from RMG.

• The audit purpose was to assess POL’s SLM current
risks and to identify the actions to be taken to ensure
POL will be in the position to manage software
licences in an effective way after the separation. The
review was agreed with the ARC as part of the
2013/14 internal audit plan. The SLM risk was
highlighted by the CIO during the audit annual
planning.

• The review occurred between August and
September 2013, and included input from the
Separation programme Manager and the
Procurement team.

• Limitations: The audit focused on forward looking
process and governance issues. POL IA does not
have audit rights over CSC, therefore it could not
independently verify the current completeness and
accuracy of the licence estate.

Opinion

• Based upon the audit work undertaken a low
assurance is given over the current software
management (SLM) process. This conclusion is
mainly based on the lack of overview POL has on the
owned and used software licenses and due to the
current missing SLM process. Management is aware
of the licence issues and risks within the current
changing context for IT.

The Separation programme will provide POL
with an overview of all software licences in use
and needed.

Actions are ongoing, within the Separation
programme, to identify the right type of licenses
required for POL, which gives an opportunity to
align license types to business needs.

1) There is currently no overview
of all licences and licence types
POL has and uses. POL is
currently at a higher level of risk
from sanction should an
external software audit take
place.

2) Licences can currently be
purchased by different parts of
the business. There is currently
no overall control by the
Procurement team on the
software purchase and change
process.

1) The SLM process is not yet
defined.

2) POL software licensing
assurance and governance
process is therefore also not
yet defined.

3) Currently there is insufficient
expertise in house to define the
best fit for purpose and cost
effective licenses holistically for
the company needs.

Top Priority Agreed Actions

Short term actions

1) A software licensing policy will be defined by
POL, and will include clear roles and
responsibilities for POL and SISD.

2) Software licensing governance and assurance
ownership is assigned to POL Support and
Service

3) POL will include the agreed recommendations in
the requirements for the SISD SLM process.
The SISD will define the SLM process.

4) POL Procurement will remind the business that
software licences must be procured via the
Procurement teams.

Medium — Long term actions:

1) A software licensing assurance and governance
process will be defined by POL.

2) POL will deploy the assurance process over the
SSID SLM process.

Executive Responsible: Lesley Sewell

Distribution (date): Dave Hulbert, Brian Deveny. cfi: Chris Day, Paula Vennells, Roger Middleton

Status: FINAL Ver 2.0 CONFIDENTIAL

Prepared By: Elena-Raluca Nistor

Reviewed By: Malcolm Zack


As at 25 September 2013

Risk and Control Dashboard

Risk that software is not appropriately obtained or
managed resulting in possible financial or legal sanction

Key Sub Risks to Manage

Process governance
Risk of inadequate software licensing management and non-compliance
with licence agreements.

Key Controls

• Software licensing management (SLM) is identified as corporate
process (cross business and IT) and a clear approach to managing
software licences is in place (approving, reviewing, monitoring,
updating, etc.), ensuring that the process from procurement until
monitoring is managed at all levels.

• The process is documented and related procedures/guidelines have
been defined, approved and they have been communicated to
relevant users involved in the process.

• Other process responsibilities have been identified and assigned:
e.g. resources within the organisation to control and monitoring
software licences in each directorate or centrally

• Software licensing compliance (with contractual agreements)
process has been defined and is performed periodically

Process governance - risk management
Risk that the business might be disrupted or will have increased
penalties' costs due to inadequate licences.

Key Controls

• Risk of non compliance with copyright and licences contractual
agreements have been identified and they are part of an
overall corporate risk register.

• Criteria to measure the efficiency of the SLM process have
been identified.

• Mitigating controls for SLM risks have been identified.
Additional monitoring/assurance controls are in place to
ensure the mitigating controls are operating effectively

• The SLM process is periodically evaluated to ensure it is fit for
purpose (covers the identified risks).

Process design and deployment
Risk that the business procures software licences
that are not fit for purpose or cost effective

Key Controls

• An asset register (e.g. systems and applications
requiring) is in place, containing an overview of all
assets and their licences and it is periodically
updated.

• A review of all existing licences is periodically
performed.

• The procurement of licences is managed with a
central oversight to ensure it is cost-effective and
fit for purpose.

• A process owner has been identified and his/her
roles and activities clearly defined and understood.

Key

Controls not in place

Controls not fully covering the risks, improvements required

Controls in place sufficiently address risk

Not yet assessed


Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Internal Audit — Status of Agreed Actions

1. Purpose

The purpose of this paper is to:

1.1 Update the committee on the status of agreed actions arising from formal audit
and advisory activity

1.2 The committee is requested to note and provide directions as necessary.

2. Changes to process

2.1 As outlined in the September 12th ARC papers, the actions arising from IA activity
are tracked and reported. The report highlights period movements since the last
ARC, analyses overdues and highlights any high risk items for attention.

2.2 The original agreed target dates are retained in the log even though it may be
agreed to re-set a target date. It is important for the business to remain aware
that risks identified from audit work have yet to be addressed if an action date is
changed.

2.3 As at October 31st 2013

32 actions were brought forward from September 2nd 2013, of which at that time
11 were overdue from original target dates. Most of these were reported as
longer standing and known information security items which were re-targeted for
1st December 2013 and are therefore not yet due.

Through the period September and October 2013:

43 actions were added through a mix of audit and advisory work that took place
in that period.

12 actions were implemented by management. This is the same rate as over the
previously reported 2 month period, bringing the total to 24 since the transition in
June 2013.

Of the 63 items carried forward, 43 are not yet due, a large portion being from
the recently completed audits or not due from earlier. 20 are overdue from
original target dates but all are in progress. One of these, the review and
verification of bonus rules, was completed and approved by the Remuneration
Committee on November 6th. This action will be reflected in the next set of
statistics and was rated an amber.

The 6 items rated as red risks in the overdue section are:

• Embedding the information security governance into the supplier
requirements for the remaining three towers. As contractual negotiations
are still ongoing this is expected to run into 2014.

• Completing the embedding of Information Security requirements into the
product and service projects being developed around the business. This
is underway and aiming for completion by the end of the year.

• The single action arising from the review of branch auditing which is on-going
and subject to a wider examination in the context of Second Sight
and cost challenges by the Executive Committee.

• Three red rated actions arising around the risk management processes
for the Finance Road Map programme which at the time of writing were
underway but yet to be fully demonstrated. These have since been partly
addressed and will be assessed by Internal Audit at the next FRP
Programme Board.

2.4 The actions implemented in the period include key actions arising from the recent
SPMO audit, especially around the risk management processes:

• Risk heat map now reinstated at Transformation Board (and also
reporting to the Risk and Compliance Committee).

• SPMO reiterating the need to bring risk documentation to meetings to
ensure risk discussions are focussed and ensuring stronger KPI
challenge, review and consistent scoring.

• Actions raised within the FRP programme in July around engagement of
senior finance management, and risk management have been
implemented.

3. ARC members action

• The committee is requested to note the status and to provide direction as
necessary

Malcolm Zack
19th November 2013

Appendix: Table and graphs.

Appendix

Overall Summary as at 30th October 2013

                                             Total   Red          Amber        Green
Total actions bfwd as at 2 September 2013       32     3             19           10
Implemented by Mgt - to 31st Oct              (12)                  (6)          (6)
Actions added (audits and advisory)             43    24             16            3
Carried Forward as at November 1st              63    27             29            7

Analysis of Carried forward
Overdue - Work in progress                      20     6    [illegible]            5
Not yet due                                     43  [illegible] [illegible]  [illegible]
Total                                           63    27    [illegible]  [illegible]

[Chart: Audit Actions - Overdues - Trending by month (Aug-13, Sep-13, Oct-13)]

[Chart: Implementations since July 2013, by month implemented (July 2013 to Oct 2013)]

[Chart legend: Red, Amber, Green, Trend (moving average)]
Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
ARC — Self Assessment

1. Purpose

The purpose of this paper is to:

1.1 Summarise the results of the committee's first self assessment.

1.2 The committee is requested to note and determine the next steps with the
Board and Executive committee as appropriate.

2. Background

2.1 The terms of reference require the audit committee to conduct a self
assessment of its activities and performance annually.

2.2 There is no prescribed method of achieving this. Most organisations will
utilise either an in-house designed questionnaire or use the services of an
external independent source such as interviews with an external audit partner.

2.3 These options were discussed and it was agreed to use a simple
questionnaire approach based on an excel template. Twelve questions were
agreed and using a drop down menu members assessed the questions using
a score of 1-5. Each score had a qualifying comment and a free form box to
add any additional views. A copy of the template is in the appendix.

3. Results

3.1 Table 1 in the appendix summarises the results with comments where these
were made. The template assigned green to scores 4 or 5, amber to 3 and
red to scores of 1 or 2. The graph below illustrates the overall average for the
areas assessed. Table 2 in the appendix details the responses to three
further free form questions which were not scored.

[Chart: overall average score, on a scale of 0.0 to 5.0, for each area assessed: Overall View of Risks, View of Specific Risks, External Audit Approach, External Audit Reports, Communication, Internal Audit approach, Internal Audit Quality, Management Actions, Terms of Reference, Report to the Board, Meetings, Papers]

3.3 Risk Management

• There is some difference of opinion across the ARC members. Two raised
serious challenges to the current view of business risks and there is a desire
for more detail in specific business areas especially in Financial Services and
IT.

• It is accepted by the comments made that the work is heading in the right
direction, but there was a consistent message in requiring the owners of the
risks to be visible to the committee and to discuss these more directly.

3.4 Internal Audit

• Whilst there was agreement on overall approach and processes in place,
there was disagreement among the ARC members on the resource levels
employed in the corporate team given the risks faced by the business.

3.5 Meetings and general ARC processes

• Views differed on the effectiveness and content. Meetings need to move the
bar upwards to focusing on the risks and how these are managed rather than
reporting on progress and process.

3.6 External Audit

• There was generally satisfaction with the external audit approach but some
challenge over how the audit committee, internal audit and external audit
liaised as a group.

3.7 Other

• Other areas were assessed as either good or very good by the ARC
members.

o In addition to the twelve questions, ARC members were asked three
free form questions. See appendix for detail but the trend for 2014 is
for improved focus on risk and greater visibility of management's
assessment and actions.

4. Conclusions

4.1 The committee appears generally satisfied with overall governance,
processes and procedures. As this has been the first year of its existence,
effort has understandably focused on the operation of the committee.

4.2 The committee requires management to step up the visibility, content and
discussion of the risk agenda. This requires the Executive to complete its
current assessment with the assistance of the Head of Risk and to commence
discussing the risks in detail including Directorate presentations at ARCs in
2014.

4.3 The committee recognises the challenges facing the small internal audit team
in providing independent assurance over the management of key risks in the
business. There remains challenge to the business but the committee is not
fully united on this.

5. Actions

5.1 The committee is requested to consider the outcomes of the self assessment
and discuss the next steps with the Board and Executive committee as
appropriate.

5.2 Should the committee decide to invite executive management to present their
risk assessments the committee is requested to consider the following running
order based on assumed ARC dates.

o February 2014 — Financial Services
o March 2014 — IT
o May 2014 — Network and Supply Chain
o September 2014 — Commercial
o November 2014 — Finance, Legal and HR

Malcolm Zack


Questions assessed | ARC1 | ARC2 | ARC3 | Comments made by respondents

Risk Management

1. The Committee has a good overall view of risks in the
business, is confident that management is actioning plans
and that the framework is balanced, practical and easy to
understand.

Comments made by respondents:
• Risk management process still being refined by the Exec team so WIP
but heading in the right direction.
• Lots of good effort to put process in place which was necessary. Not
enough time spent yet agreeing the risks, or how to manage them

2. The committee has a sufficient view of specific risk areas
such as Information Technology, Legal, Fraud detection,
operational and financial risk. The committee has oversight
on management processes and controls to manage these
areas

Comments made by respondents:
• Follows on from number 1.
• Overall I agree, but I think we need a more granular appreciation of
the specific risks we face in IT as we move into the transformation
programme. Also need more oversight of matters relating to delivery
of the Financial Services Strategy and the risks there, given the
importance of this pillar to delivery of the overall plan.

External Audit

3. The committee has a good understanding of the external
audit approach, risk assessment, its scope and audit
approach.

4. The committee is able to understand the financial
reports from external audit, comment upon disclosures,
accounting policies or adjustments

5. There is an effective communication and liaison process
between the committee, external audit and management

Internal Audit

6. The committee has a good understanding of the internal
audit scope, approach, its risk based focus and methods
employed by the IA team

Comments made by respondents:
• New Head of Audit in place and putting in place good
processes/procedures

7. The IA team is appropriately resourced, able to respond
to requests from the committee and the business and is
sufficiently independent and led.

Comments made by respondents:
• However we will need to continue to review as the PO changes shape
including the role of the Field Audit teams.
• I am still unsure that there is adequate and appropriate resource.
Not sure how it could be really if I feel as I do about answer number
1

Actions by Management

8. The committee is confident that actions agreed with
external and internal auditors are implemented in a timely
fashion with regard to risks, costs and benefits.

Governance

9. The ARC terms of reference are clear, can be met
annually and are properly reviewed with the Board

10. Reporting to the Board by the Audit Committee is
sufficient, highlighting key risks and control issues to
provide the Board with the level of assurance required.

Meetings

11. Meetings are well structured, allow sufficient time for
all items, and reach appropriate conclusions and actions.

Comments made by respondents:
• Maybe too much emphasis on discussing process, with not enough
on risks/actions

12. Papers are available in good time, well presented and
clear in their purpose and intent.


Free form questions

What are the top two items you wish the committee to change or improve in 2014?
Agree risks between the Board, ExCo and ARC and then start managing them better.
More visibility of risks in IT and Financial Services.

Further development on Risk Management. Further develop the role of the ARC as the PO changes

What should it stop doing or what should it do more of?
Less process to be discussed at the ARC. Needs to take less time and spend more on content.

See more of the Executive Members with specific risk accountability to talk about their risks and the mitigating actions. This would create more direct line of
sight between the AC and the risk owners and create a greater sense of accountability.

How does this committee compare with others you have worked on in the past or currently. What are its relative strengths and relative weaknesses.

This is young and evolving, so not really a valid comparison. The journey we are on is necessary, we probably just need to go a bit faster. That may happen
naturally now that we have our first year under our belts.

Stronger than most. Good representation of people with financial background. Only suggestion for improvement is in relation to more interaction between
committee and risk owners. I have seen this work very effectively elsewhere.

Strengths - good understanding of the business and strong links with the Exec team and Board. Weaknesses - further work required to tie down Risk
Management with the Exec team

NAME
INSTRUCTIONS: Answer each of the 12 questions using the drop down box.

If possible please add a comment to your score to aid the assessment process using the
box to the right of the drop down.

The final 3 questions are general and require free form answers.

Please complete and return to malcolm.zack@postofice.co.uk by October 25th 2013.

Level of effectiveness ‘COMMENT

Risk Management

The Commitee hes a good overall vew of sks in the business, 1s conflent that 5c nsce, bares mo [Risk management process stl beng retned
‘managementis actionng plans and thatthe flamework is belanced, practical and easy to . ly the Exec team so WIP but heading in the
understeng. nt direction

‘The committee has a suffclnt view of specific risk areas such as Information Technology. [5 cwaiy aye. in vated) 4

Eee Fn Saginaw eee ok The corbin ws Geng ns 1 omar ev™ nen rere og

‘management processes and conto to menage these areas.

Extornal Aut

The conmitee has a good understanding of the exteme! aust appeREh. WSK [> say apes coodvaiy dace. [v8
‘assessment, ts Scooe and audit anoreach, .
The conmites is able o understand the franc reports fom extemal aust, conment I, uy ages Paces deccaring ated] 5
upon dlsclosures, accounting poicies or adustments 4
‘Theres on efectie communication and tason process between the commites extemal (ecco Sw)
‘uit and management ftom

Internal Audit

[illegible]

The team is appropriately resourced, able to respond to requests from the committee and the business and is sufficiently independent and led.
Level of effectiveness: 4. Agree for the most part
Comment: [illegible] need to continue to [illegible] as the PO changes shape including the role of the [illegible] Audit teams

The committee has a good understanding of internal audit scope, approach, risk [illegible]
Level of effectiveness / comment: [illegible]

Actions by Management

The committee is content that actions agreed with external and internal auditors are implemented in a timely fashion with regard to risks, costs and benefits.
Level of effectiveness / comment: [illegible]

Governance

The ARC terms of reference are clear, can be met annually and are properly reviewed with the Board.
Level of effectiveness: 5. Strongly Agree
Comment: [illegible]

Reporting to the Board by the Audit Committee is sufficient, highlighting key risks and control issues to provide the Board with the level of assurance required.
Level of effectiveness / comment: [illegible]

Meetings

Meetings are well structured, allow sufficient time for all items, and reach appropriate conclusions and actions.
Level of effectiveness / comment: [illegible]

Papers are available in good time, well presented and clear in the purpose and intent.
Level of effectiveness / comment: [illegible]


POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Annual Review of Terms of Reference and Internal Audit Charter

1. Purpose

The purpose of this paper is to:

1.1 Review and approve the committee’s annual review of its governance
documents

1.2 Request approval of any changes and highlight these to the Board where
necessary

2. Annual Requirement

2.1 Sections 2.2 and 2.4 of the ARC Terms of Reference require the committee to
review and re-approve the Internal Audit Charter and its own Terms of
Reference annually.

2.2 The documents were circulated to ARC members and to senior attendees in
October 2013 for review and to highlight any amendments.

3. Results

3.1 All respondees were satisfied with both documents. The only proposed
amendment was to the Internal Audit Charter on the role of the IA function,
which currently states in section 3:

• “The role of Internal Audit is to understand the key risks of the
organisation and to examine and evaluate the adequacy and effectiveness
of the frameworks of risk management and internal control as operated by
the organisation.”

3.2 The comment was to go beyond understanding of the key risks and verify
that the organisation's key risks have been properly identified, and ensure that
adequate controls and processes are in place to mitigate the risks.

3.3 The verification was considered implicit in “examine” and “evaluate” but it is
accepted that verification should be added for clarity. The controls may be
verified as operating and adequate, but they may not be as efficient or
effective as they could be, so an evaluation is necessary.

4. Proposed rewording

4.1 “The role of Internal Audit is to understand the organisation's key risks, verify
the identification of those risks, examine and evaluate the adequacy, efficiency
and effectiveness of the controls, frameworks and processes used to manage
risk.”

Annual Governance Review Malcolm Zack November 14th 2013


5. Recommendations

5.1 The committee is requested to:
Reapprove its Terms of Reference.

Reapprove the Internal Audit Charter with the proposed amendments or as
discussed in the meeting.

Malcolm Zack
Head of Internal Audit
November 2013

entary Documents

Location:

By teleconference and Room 501, 148 Old Street, London, England, EC1V 9HQ, United Kingdom

ARC Meeting
19 November 2013

ATTENDANCE LIST

ATTENDEES

SIGNATURE

Alasdair, Marnoch

Neil, McCausland

Tim, Franklin

Also in attendance

Alwen, Lyons

Alice, Perkins

Aujard, Chris

Chris, Day

Paula, Vennells
