POL00084650
POL00084650
IN CONFIDENCE
Post Office Ltd
Network Field Team Policy/Process
Title Audit Process Manual
Subject Chapter 1 of Audit Process Manual — Audit Plan &
Scheduling
Version Control 8.0
Shaun Turner
Sue Richardson
Purpose Outline responsibilities for planning and scheduling,
including the process followed by the Network Support
Team Leader for scheduling audit activity
Audience Network Field Team
Next Review date I January 2011
Stakeholders
Stakeholders Name I Responsibility
Adrian Wales Network Field Support Manager: Delivery of audit targets
Network Coordination Advisor: Branch Performance
Profile
Network Field Support Project Mgr: Reporting
Responsibilities in change
Role Job Title(s) Date
Author Alan Stuart 20/01/2010
Audit Coordination Advisor
Assurance Network Field Support Manager
Authorised Network Field Support Project Manager
Communication Field Support Change Advisor
Version control
Version Reason for issue Section Date
No. No.
Version 1.0 I Original version 03-03-02
Version 2.0 I Updated version following annual review April 2003
Version 2.1 I Changes from feedback from Lead Team Feb 2004
Version 2.2 I Changes from feedback from Lead Team Feb 2004
Version 2.3 I Amendments to reflect changes in roles April 2004
Version 2.4 I Sections 2.1, 2.2 and 2.3 amended to May 2004
reflect current instructions. Section 2.6
amended, following input from audit
managers. Reference to declaration of
interests made in Section 2.5
Version 2.5 I Section 2.4 updated to reflect new risk July 2004
models ALARM and CARM
Version 3.0 I Annual review, including reflection of new Jan 2005
analytical process
Version 3.1 I Amendments made following comments at Jan 2005
Chapter 01. Audit Plan & Scheduling v 8.0.doc -1-
POL00084650
POL00084650
IN CONFIDENCE
WTLL Leadership meeting on 18 January
2005.
Version 3.2 I Updated to reflect new roles and job titles Mar 2005
Version 4.0 I Annual Review Mar 2006
Version 5.0 I Annual Review Aug 2007
Version 5.1 I Amended to reflect changes in ownership Feb 2008
of audit planning from 2008/9 Audit Plan
onwards, the move to centralised
scheduling (from Jan 2008) and the
outcome of the new Transfer Process pilot.
Version 5.2 I Section 4.3 added at the request of Alvin Feb 2008
West (NCAM)
Version 6.0 I Updated Section 4.2 only April 2008
Version 6.1 I Font changed to ChevinLight 14 Sept 2008
Version 7.0 I Annual Review All July 2009
Version 8.0 I Annual Rrview All Jan 2010
1 Respon jes of Network Field Support Manager 3
2 Responsibilities of Network Coordination 3
Performance
3 Responsibilities of Network Support Team Leader 4
4 Auditors Responsibilities 7
Chapter 01. Audit Plan & Scheduling v 8.0.doc -2-
POL00084650
POL00084650
IN CONFIDENCE
SECTION 1 — RESPONSIBILITIES OF NETWORK FIELD SUPPORT MANAGER
1.1 Prepare the Annual Audit Plan in conjunction with, and approval of, the General
Manager Network, designed to meet current risks, deliver stakeholder
requirements, based on resource capacity, and present to the Risk & Compliance
Committee for endorsement. Document to be ready for deployment before the
beginning of the financial year.
1.2 Review delivery of the plan on a periodic basis with the Network Support Team
Leader; ensure flexibility in changing plans during the year.
1.3 Ensure that pure random selection methods are used to identify those branches
that need to be audited on a random sample basis.
SECTION 2 — RESPONSIBILITIES OF NETWORK COORDINATION PERFORMANCE
2.1. Manage production of the Financial Branch Performance Profile, being a ranked
list of all branches in the network (together with relevant planning information), in
respect of identified financial and compliance/conformance risks.
2.2 The Financial Branch Performance Profile measures branch performance by
scoring them against the following areas
Declared vs Predicted ONCH figures
Declared vs Generated ONCH figures
Cash Rises at Branch Trading period end
Annual cash tracker
Foreign Overnight Cash Holdings
Calls from P & BA to request branch clear cheques on hand figures
Other Postage Holdings
Known current branch debt
Camelot Scratchcard holdings
oo eeco ace oo
2.3. Each branch is scored against the each of those areas on a range of 0 to 10,
where a higher score represents poorer performance/higher risk. The branch is
then given an aggregated score across all the measures and this then gives the
branch an overall score and ranking.
2.4 The Financial Branch Performance Profile (FBPP) will be produced by the
Network Performance Data Analyst.
2.5 Provide a measure of data assurance on the FBPP before issuing it.
2.6 Issue the latest Financial Branch Performance Profile on a monthly cycle. A new
FBPP should be provided to the Network Support Team Leader every period,
during the third week after period end.
Chapter 01. Audit Plan & Scheduling v 8.0.doc -3-
POL00084650
POL00084650
IN CONFIDENCE
2.7 Ensure that the indicators used in the Branch Performance Profile are periodically
reviewed, to ensure that key risks are covered, and that new data streams are
considered. This will be done (at least) quarterly and changes will be
communicated to all recipients
2.8 Provide details of suitable branches to the Network Support Team Leader to deal
with specific themes or to test the value of new risk indicators
SECTION 3 —- NETWORK SUPPORT ADMIN TEAM LEADER RESPONSIBILITIES
3.1. Calendarise the annual audit plan into quarter and period targets, paying
particular attention to those periods containing five weeks as opposed to four,
ensuring an even spread of weekly activity.
3.2 Prepare weekly audit schedules, designed to meet the period target in order to
achieve the annual audit plan, identifying sufficient resource from the field team.
Using the Financial Branch Performance Profile as the basis for the weekly plan,
those branches displaying higher risk scores should be given priority over
branches with lower risk scores. Weekly plans should be released with sufficient
time to enable proper planning to take place.
The priority order for audit activity is given below:
e Transfers/Closures (type 10/12)
Robberies/Burglaries (type 20/21)
Special requests (type 200)
Cash Centre audits (type 1)
Risk driven audits from the FBPP (type 100)
Follow up activity (type 475)
Random audits (type 150)
Compliance only audits (type 400)
3.3 If insufficient resource is available from the field team or any other circumstance
arises that endangers achievement of the audit plan, and there is little scope for
catching up at a later date, the matter should be discussed with the Network Field
Support Manager and the Network Field Support Project Manager.
3.4 Manage the ‘Audit Requests’ e-mail box, ensuring all requests for special audits
are dealt with within 48 hours. A record of all requests should be maintained. Each
request should be considered on its validity, and if necessary, challenged. Some
requests may be more appropriate for training or other intervention than an audit.
In general the following guidelines may be used to aid decision making:
1. Is the branch already high scoring in the latest Financial Branch
Performance Profile? If yes, this could indicate a need to prioritise the
activity.
2. Is the request based upon information already included in the Branch
Performance Profile? If it does, but the branch is low scoring, it would
indicate that there are riskier branches that have greater priority.
Chapter 01. Audit Plan & Scheduling v 8.0.doc -4-
POL00084650
POL00084650
IN CONFIDENCE
3. Does the request provide clear evidence of fraud or other
misappropriation of funds?
4. Is the request based on support for the subpostmaster or even at their
request? If so, this is perhaps more of a training issue than an audit role.
3.5 Schedule robbery and burglary audits as required, on the day of the incident,
where possible. In the first instance, Field Advisors who have no other activity on
the NFS schedule should be used as resource for these incidents, as in most
cases this will provide a speedier response. Alternatively an audit may need to be
curtailed in order to attend. If an incident is reported in the afternoon,
consideration should be given to arranging attendance for the following day.
3.6 Branches that have been audited and have returned a compliance rating of red or
amber form the basis of type 475 follow up activity. Branches rated as red should
have a follow up visit planned within three months of the original audit. Branches
rated as amber should be planned within six months. Compliance audits
conducted by certain business partners (subject to agreement) and rated as red
may also have 475 activity scheduled.
3.7 Random audits are a specially selected subset of branches which are chosen at
the outset of the financial year and should be planned for audit over the course of
the year. The branches are selected by the Risk & Assurance Team using pure
random selection and are used to provide a baseline measure of risk in the
network (which also helps to test the effectiveness of the Financial Branch
Performance Profile at identifying risk).
3.8 The following should be considered when scheduling:
Annual leave commitments
Current excess flexible hours
Declaration of interests, detailing any auditor’s conflict of interests with the
branches due to be audited
Balance of leading audits and assisting at audits
Sufficient administrative time to be allocated to ensure that all reports are
submitted within 5 working days of the audit and all P32s are sent to the P32 File
by no later than noon on the Monday after period in which the branch was
audited
e Where possible, lead auditors are not the same person who led the last audit of
the branch
« Attendance by a Team Leader to be focused on Crowns or high risk branches
likely to lead to a suspension (e.g. investigation audits or specially requested
audits)
e Audit plans from our business partners (e.g. Bank of Ireland) should also be
taken into consideration to ensure there is no clash of activity.
3.9 There is no precise formula for determining appropriate resource levels for audit
activity, and different types of activity may require fewer auditors than others.
There are also regional differences; for example Scottish law requires financial
irregularities to be witnessed by a second person, irrespective of the size of the
branch. As a general rule, the following attached spreadsheet gives approximate
recommended resource levels for risk based financial auditing (audit types 100,
Chapter 01. Audit Plan & Scheduling v 8.0.doc -5-
POL00084650
POL00084650
IN CONFIDENCE
150 and 200), for all currently open branches in the network (as at 24/06/09).
Resource levels stated are based around Bth’s, number of stock units and counter
positions. Several branches are at this present time unable to be accurately
assessed for resource and show #N/A. If selected for audit, these branches should
be resourced using other known factors.
f=
Resource. zip
For transfers, closures, robberies and burglaries, resource levels should follow the
above table, but branches requiring 3 or more auditors should have the resource
reduced to a maximum of 3. Compliance audits and follow up visits should only
ever be conducted by one auditor.
Various other factors may influence actual resource, so the table above should not
be considered definitive. Factors include:
e Cash holdings (i.e. amount of cash likely to be presented to the auditor to count
before the branch can open), or presence of an ATM
Additional cash holdings e.g. due to bank holiday funding etc.
Previous audit history indicates a well organised office
The ability to perform a second audit on the same day (if required)
Accommodation for auditors at the branch
Branch format e.g. combi-store
Possible late finish which may impact on following days activity
Any other known factors
3.10 Prepare period returns of actual audits undertaken for submission to the Network
Conformance Data Analyst and Network Field Support Project Manager. These
to show progress towards audit targets for both period end and cumulatively.
3.11. Weekly reports should be compiled on a Friday or Monday for submission to the
Network Field Support Manager. The report should contain details of actual
activity that took place in the week just ended together with cancellations (and
reason for cancellation) and a summary of planned activity for the following
week. Pivot tables need to be inserted showing the number of audits taking
place against audit type for both planned and actual activity. See attached
example:
P100104 v1 AB.xis
3.12 A simplified plan of activity for the week ahead should also be forwarded to the
Contracts Advisors
SECTION 4 — AUDITORS’ RESPONSIBILITIES
Chapter 01. Audit Plan & Scheduling v 8.0.doc -6-
44
42
43
44
eecee
POL00084650
POL00084650
IN CONFIDENCE
To perform the audit activity as designated by the Network Support Admin Team
Leader.
Designated lead auditors from the field team must ensure that their line manager
and Network Support Team Leader is aware of any circumstance that either
prevents or is likely to prevent an audit taking place, which may require it to be
rescheduled for a later time. Such communication must be made as soon as
practicable. Circumstances may include:
Sickness
Car breakdown
Weather
Travel disruption (strike action/accidents etc)
Consideration may be given to redirect a team to a nearby alternative branch, or
to perform other (intervention) activity so that costs already incurred are not
wasted.
Audits identifying shortages or other circumstances which involve the Contracts
Advisor, and result in a suspension must be notified to the Network Support
Team Leader so that the additional activity can be properly accredited.
Post Transfer Visits which occasion a full compliance audit may be conducted by
either a Field Advisor or a Team Leader. The scheduling of these falls to Outlet
Field Support Admin Team. Team Leaders should collate all PTV activity for
their team and forward to the Network Support Team Leader at the end of each
period.
Chapter 01. Audit Plan & Scheduling v 8.0.doc -7T-