NETWORK AUDITING-APPROACH, METHODS AND ASSURANCE
Audit Highlights and Opinion
POL00086765
POL00086765
&
Overall Assurance: -
Low
e Based upon the audit work undertaken a low level of
assurance is given over Network Auditing.
Executive Responsible Kevin Gillitand
Distribution (date)
The Audit and Risk Committee (ARC), requested a review of I 1) Approximately 30% of the estate is
the branch auditing approach within the context of how Post covered each year
Office is audited overall. . 2) The audit financial audit
¢ Crown, retail multiple and agency branches are subject programme is well established and
to various types of audit visits conducted by the Network structured
Support team. They conduct audit and training activity at
a cost of approximately £6M per year with a team of I 3) Network Auditing provides a
220. development route for experienced
. . . . counter staff and managers
e Audit activity is restricted to the checking of cash and
stock and the validation of procedural compliance I 4) Large pool of experienced staff
questions.
e There is a lack of independent assurance over Branch Top Priority Agreed Actions
Operations
e Results and management information are insufficient to
give senior management a view of control 1) To discuss and agree a way
. forward for network auditing, such
e Follow up mechanisms that ensure the control that it can provide meaningful
environment is maintained / improved do not formally assurance to the business and the
exist. board
Opinion
4)
5)
6)
7)
No assurance over Branch Operations,
other than cash and certain valued stock
Poor management information, only
statistics of visit numbers get reported
Resource is utilised for both audit and
training
Activity is constrained by the 35 hour
working week (capacity is reduced
because this includes travel time)
Company are usually owed hours from
the hours pool - inefficient use of
resources
Currently not a professional audit
service
Value for money is not achieved through
the current activity
Audit reports are not effectively
summarised, to highlight common
issues nor share best practice
Chris Day, Susan Crighton, Roger Gale, Drew McBride
Prepared By
Garry Hooton Reviewed By
Malcolm Zack
POL00086765
POL00086765
DETAILED FINDINGS SECTION
Area Reviewed
Key Finding, Results and Issues
1. Overall Remit, content
of audit.
Key Risks Impacted:
Branch audit activity may not
be sufficiently focused on all
key branch risks
Current audit methods employed only provide limited assurance over cash and some valued stock. They do not
consider the wider risk and control aspects of a branch.
Depending upon the size of the branch, a team of between 2 and 5 auditors arrive prior to opening and once
identified and given access they commence counting the cash on hand.
The branch remains closed until the lead auditor gives the go ahead to open having counted and balanced the
cash and significant valued stocks.
Any cash / stock differences are reported but are not resolved whilst the auditors are on site. There is no
overall view of how the branch as a whole is performing.
Additionally, as part of the audit, compliance questions are asked of the branch staff. The purpose of these is
to gain an understanding of compliance to regulatory, contractual and statutory obligations upon POL.
Responses to the various questions are recorded as a yes/no (pass/fail) and are not subject to any physical
evidential requirements.
Depending upon the size of the branch being audited and how busy it is on the day, the compliance questions
may not all be covered.
Once the main issues have been discussed with the Branch Manager the auditors leave site.
To achieve an overall opinion on any given branch, areas to be covered in the audit could include; Financial Control,
physical security, customer experience, branch tidiness, cleanliness, layout and H&S
2. Audit Programmes, tools
and techniques.
Key Risks Impacted
Coverage, Results,
management information
Assurance levels may not be
clear
Follow up mechanisms
Programmes are well structured to aid consistency, are updated as required, have some automation but papers are
long, reports are difficult to read and field work is still paper based.
The audit programme is based upon a reconciliation of cash and certain valued stocks and a suite of
compliance questions and has been in this format for at least the last 6 years
There are several approaches to the cash counting process as part of the audit.
© Some FSA’s count sufficient stocks to get the counter running and then allow the branch to open and
commence trading with minimal delay, others wait until all cash has been reconciled before allowing
the branch to open. Some require all of the compliance questions to be completed prior to opening,
others allow the branch to open and then ask their questions between customers. In a small branch
with limited staff (sometimes single manned) the compliance questions may not be completed at all if
the branch is busy.
The audit is conducted using manually completed printed sheets which are then entered into an Excel
spreadsheet on a laptop and uploaded to the centre using a Sharepoint site
DETAILED FINDINGS SECTION
POL00086765
POL00086765
Area Reviewed
Key Finding, Results and Issues
The sheets are then input into an Excel file by the lead auditor and uploaded via a Sharepoint site. Whilst this
allows a consistent upward reporting approach, the papers are long and do not easily summarise the results
There is potential to make this more efficient with the use of tablet type devices and summary reporting
methods across a wider area of branch activities.
3. Outcomes of audits and
levels of assurance
obtained.
Key Risks Impacted
Results, Assurance levels may
not be clear, Follow up
mechanisms
Current audit reporting is delayed and ineffectively used. Focus is on compliance and manager’s bonus is impacted
if the score is below 80%. There is no overall view of assurance over the management of risk/controls across the
portfolio of branches.
The current reporting process is for the lead FSA to discuss the findings with the branch manager or their
representative, obtain a signature and then leave site taking all audit paperwork with them .
No contact is made with the Area manager at this time.
This is a prime example of where, with a simple communication, key stakeholder engagement could be
fundamentally improved.
Once back home or at a separate office location the report is typed up and submitted via Sharepoint. The
formal report is issued to management sometime (up to 5 weeks) later.
Feedback obtained via branch managers and Crown Area Managers is that often the physical report bears
little resemblance to the discussion held at the time of the audit.
o Acommon comment is that the manager is told that everything was working well at the end of the
audit and then when the report arrives it tells a different story.
©. This is frustrating for a Crown branch manager as a score of 80% or less directly impacts their bonus
potential and with no follow up process there is no ability, or incentive, to correct the issues with any
urgency.
o Anadditional effect is that, because Crown branches are only audited once every two years, the
manager knows he/she has at least a clear year before the next audit.
© Due to the lack of involvement at the time of the audit and the time taken to formally issue the
report the Area manager is not actively engaged in the process and consequently is not properly
motivated towards addressing issues raised.
°
4. Audit Strategy, planning,
costings and team
structure
Key Risks Impacted
The Auditing effort in Network is primarily focussed around checking cash and testing counter staff compliance
with statutory and contractual requirements.
The Network Support Team is made up of approximately 220 FTE that are utilised to conduct a mix of audit work and
training. The majority of staff are drawn from Post office Counters, although some have been sub postmasters. All
DETAILED FINDINGS SECTION
POL00086765
POL00086765
Area Reviewed
Key Finding, Results and Issues
Branch audit activity may not
be sufficiently focused on all
key branch risks, Coverage
may not be sufficient or
appropriately balanced
new staff receive detailed induction training, however, based on our review, none of the staff have any formal audit
qualifications, nor do they have any professional audit training or experience prior to their appointment. Their work is
allocated to them by the scheduling team.
Crown branches are audited every two years as a standard
Other Branches are selected for visit using a variety of tools and criteria drawn from several different
departments and sources. These being; Security, Branch Support, FSC (Chesterfield) and a cash based risk
model.
«¢ The Network team are responsible for both auditing and training, the effort is split equally between the two.
Total cost is approximately £6M per annum.
5.Management
information — use and
relevance.
Key Risks Impacted
Results and management
Information may not be
sufficient to give senior
management a view of
control
MI reporting is not effective and is primarily focused on reporting activity.
Although a large amount of data is captured and stored, there is little useful information produced.
e Reporting is limited to a detailed spread sheet showing the number of audits of each type that have been
conducted in the period.
e There does not appear to have been any requirement for more detailed reporting. Significant benefit could
be gained from highlighting key issues, trends and risks and the promotion of best practice (there are
approximately 300 reports issued per month.)
e Ml reporting is not summarised effectively.. It is not targeted at senior management and is based on a
detailed spreadsheet showing all activity over a given period of time.
e There is focus on activity, number of suspensions by area.
¢ No detailed issue or trend information is produced to better inform management of possible systemic issues,
strengths of weaknesses of control or management of risk across the business or within areas/regions.
¢ Network Audit work is primarily focussed on finding and reporting cash losses but the MI concentrates on
task completed vs forecast. It is important to note that whilst there is considerable focus on cash and cash
losses, reporting of cash losses at a MI level is not an area of focus. When Internal Audit requested a
summary of losses for the year to March 2013, the administration team commented that they did not do this
as a matter of course. As a result a specific report was created for our purposes.
¢ Considerable effort was required by Internal Audit during this audit to obtain the information necessary to
understand the situation with regard to staffing, allocation of work and costs of operating the function. The
appendix shows a summary of the costs but these are still based on a number of assumptions and analyses
made during the audit.
POL00086765
POL00086765
DETAILED FINDINGS SECTION
Area Reviewed
Key Finding, Results and Issues
Network Audit work is primarily focussed on finding and reporting cash losses but the MI concentrates on
task completed vs forecast.
6. Use of resource and
scheduling activity.
Key Risks Impacted
Coverage may not be
sufficient or appropriately
balanced
Current working practices are inefficient for the business.
The current 35 hour week (which includes all travel time) is inefficient for the business and inequitable for the
employees.
Work is scheduled by the scheduling team (14 x FTE currently based in Salford) who allocate the work based
on a set of variables that include skill set, base location, hours position and recent work patterns.
Some FSA’s will have worked in excess of 35 hours and are owed time by the business (5205 hours at w/e
1/7/13), others will not have not worked the full 35 hours and owe the business time (3488 hours at w/e
1/7/13). FSA’s typically arrive on site by 08.30 and are usually finished by 11.30 at the latest, when all but the
audit lead finish for the day.
There is little or no formal follow up activity on the results of the audits, other than follow up from FSC at
Chesterfield on cash discrepancies.
FSA’s can be required to undertake either audit or training work.
An analysis of audit and training split was attempted and this is documented in Appendix 1. The analysis
suggests that only 25% of total FSA days available spent is on actual direct audit and audit related work
although there are no formal time records to verify this. The remainder is accrued to non direct work and a
further 25% to training.
(For breakdown of work undertaken please see Appendix 1) but is approximately 50:50.
FSA’s contracts describe Saturday (am) working this is very rarely undertaken.
POL00086765
POL00086765
APPENDIX
Appendix 1 — Structural Options
Option 1
Continue as current
Pros Cons
e Current staff population remains in place
¢ Limited assurance maintained over cash
e Specialist knowledge pool maintained
Nothing changes — no improvement in assurance gained
Not risk based
No efficiency achieved — low value for money invested and time
employed
Limited “audit coverage” maintained
Coverage questionable
Option 2
Continue as current but split Audit and Training into separate functions withi
in Network Support
Pros
Cons
e Current staff have a choice of specialism subject to senior
management requirements regarding split
© Specialist knowledge maintained
¢ Minimal disruption to process and personnel
No significant change — no improvement in assurance gained
Not risk based
No efficiency achieved — low value for money invested and time
employed
Limited “audit coverage” maintained
Coverage still questionable
Option 3
As option 2 but stream auditors to specialise in Crown, Retail Multiples or Agents
Pros
e Staff population remains in place
¢ Limited assurance maintained over cash
e Current Staff have a choice of specialism — giving potential for
greater coverage
e Flexibility of staff across streams once trained
e Specialist knowledge maintained
No significant chnage — no meaningful assurance gained
Impact of 35hr week on flexibility of teams
No overall efficiency achieved
Limited “audit coverage” maintained
APPENDIX
Option 4
Continue as current but professionalise team — remain within Network Services
POL00086765
POL00086765
Pros Cons
e Current staff population remains in place (if they can be ¢ No significant change — no meaningful assurance gained
professionally trained and skills upgraded/broadend) © Additional training cost
e Limited assurance maintained over cash ¢ No efficiency achieved
e Greater flexibility if “management” hours are worked and travel e Limited “audit coverage” maintained
time is rationalised e Disruption during HR processes
e¢ Development of people e — Risk that it is unlikely to be achieved
Option 5
Split audit and training and move audit to POLIA and transform to Retail Audit Capability
Pros
Cons
Transforms the function to professional Retail Audit
Development stream for business. (Staff could transfer into other
areas or into senior Central Audit roles)
Assurance over all areas of branch operation
Creates opportunity for remaining FSA staff to be regrouped into a
dedicated training function not distracted by audit responsibilities —
more direct support / focus for branches
Managers and Management gain risk and control assessments of the
network
More effective testing of compliance (eg anti money laundering)
Higher graded, experienced staff — lower numbers required
Initial cost in training
Staff disruption
Need to assess current staff capabilities
Not a quick fix, will need careful planning and transition.
Potential redundancy costs
Disruption during transformation
APPENDIX
Option 6
POL00086765
POL00086765
Split audit and training but move audit (compliance activity) to Security and keep current activity which is broadly loss detection based
Pros
Cons
Provides resource for immediate response to cash losses / issues /
potential theft
Limited assurance maintained over cash
Professional, timely reporting and MI.
Training capability remains in Network and able to focus more on
direct support.
Loss prevention / detection function only
No efficiency achieved unless Security can reshape.
No assurance provided over the whole branch operation
Option 7
Outsource/Co Source the Network audit function —
7a)Outsource (with out sourcer running the activity) and
7b)Co-source (with POLIA running the activity with a mix of in house and external resource)
Pros
Cons
Flexible resource
Reduction in POL headcount
No 35 hour week constraint
Opportunity to gain assurance over more of the operation
Professional exception reporting, timely provision of MI
Use of external expertise to help develop the function (especially if
co-source approach taken)
Could cap costs
Cost (usually charged at a day rate plus out of pocket)
Unqualified/inexperienced staff used
Less specialist knowledge — provider will need to build up POL
knowledge ( higher risk if complete outsource used — less if co-
source used_
POL still needs to define model and take responsibility
Costs may creep if provider needs more time to understand and
develop. (less so if co-source used)
Provider may not be able to provide sufficient geographic coverage.
APPENDIX
APPENDIX 2
Branch Survey Results
A number of branches were visited during this review and others surveyed by a questionnaire agreed with management.
Conclusion
The survey responses showed that the majority of branch managers valued the Network audits as a barometer of the accuracy of their financial
performance. Most of them viewed this with an air of inevitability rather than seeing them as a proactive aid to the business.
The approach was viewed as professional (with regard to the behaviour and conduct of the staff) but inflexible and outdated with regard to issue
resolution.
Branch Survey Questions and consolidated responses
1. What is your experience of Network Audits in your branch(es) — please list positive and negative separately.
Positive
o. Professional approach towards branch staff
o. Ifaudit team is of sufficient size the audit can be completed quickly
Negative
© Can mean the cancellation of team activity / sales training as audits are generally targeted towards these times to ensure access for
auditors and management availability
o Audit team can outnumber staff, leading to a feeling of being overwhelmed
© Disrupts the whole day as it throws out break sequences
POL00086765
POL00086765
POL00086765
POL00086765
APPENDIX
© Discussion at the end of the audit did not reflect what eventually came through on the report
2. Do you have any comments on the FSA’s carrying out the audits?
o. Experienced and knowledgeable staff
© Willing to help with issues if they are asked
o. Their questioning disrupts service and distracts management and staff once branch is open
3. What do you think could be changed/added to improve the process?
o Use of technology to ease completion of the audit — specifically Horizon data, auditors require paper evidence of compliance training which
is all completed on the Horizon system, branch fails if paper certificate cannot be produced (even though training may well have been
completed)
o Ensure that the audits are planned for when the manager will be in (branches penalised if staff cannot find certain records on the day)
o Avoid auditing branches after busiest days of the year, to allow them to catch up
© Include sharing of best practice
4. What do you get out of the audit process?
o Anindication as to what is going wrong in the branch with regard to cash and stock
o. A feeling of comfort that things are working as they should be
oA feeling of frustration having told the Area manager that everything was as it should be after the audit and receiving a report 5 weeks later
detailing issues.
©. Improved knowledge around compliance and security
5. How useful (or not) is the audit report document?
© Time delay between audit and issue of report renders it largely irrelevant
POL00086765
POL00086765
APPENDIX
© Provides clarity of required corrective actions
o Often differs substantially (adversely) from verbal feedback at the end of the audit
©. Itis irrelevant if the clearance at the end of the audit is well conducted. Actions usually completed within a week and report comes out
some time after that
6. Do you consider that there are any risks to your business that are not covered by the current audit?
© This question was not answered by many managers indicating that risk awareness is not high on a branch managers list of priorities
© Would prefer all cash and stock to be counted and reconciled rather than just a selection
© Contractors that arrive unannounced expecting access to secure areas — happens frequently and should be addressed by auditors
7. What is your view on having to close the Branch until the cash has been counted?
©. This is a necessary part of having an audit and it doesn’t happen that often
This is an inevitable consequence of an unannounced audit regime
©. This has a negative impact on the customer experience
© Why not count the cash later in the day and balance at the end of the day instead of at the beginning
8. Please provide details of any other issues or views that you may have on the Network Audit process.
© Allowance for new managers in post — do not penalise them for not being able to find things in filing if new to branch
o Split the cash reconciliation and compliance questioning over two days (as per Bank of Ireland audits)
o With the move to monthly balancing the issue of accountability for losses should be more closely examined
POL00086765
POL00086765
APPENDIX
Branches Visited during this audit Branches Surveyed
Canterbury (WHS) Golders Green
West Wickham (Crown) Croydon
Maidstone (Crown) Stockwell
Sittingbourne(Crown) Wood Green
Chingford Mount (Agent) Stevenage
333 Lea Bridge Road (Agent) Milton Keynes (Crown Walk)
Petersfield (Crown) Peterborough
Guildford (Crown)
Rainworth (Agent-Conversion to Main)
Underwood (Agent — Transfer)
Stoke Park (McColls)
North Finchley (Crown)
Northolt (Crown)
Ashford (Crown)
Haywards Heath
Sittingbourne
Crawley
Solihull
Walsall
Longton (Stoke)
POL00086765
POL00086765
APPENDIX
APPENDIX 3
RESOURCES, ALLOCATION AND COSTS
Background
Determining the costs of the auditing capability was obtained with the assistance of Network Finance (Ron Greenwood) and the Network Scheduling team
(Lee Heil).
This proved to be problematic .
e The FSAs have a dual role (they currently conduct both audit and training) — although they record their time in hours, they do not formally record
their activity conducted within those hours.
e So lA had to work backwards from the days allocated to audits by the scheduling team, make deductions for non frontline activity and assume that
the remainder was allocated to training activity.
e The analysis also had to assume that the average number of FSAs allocated to an audit was 3 per audit (this was validated by Lee Heil, Scheduling
team leader).
e The financial analysis initially attempted to work from costings by individual but this proved complex. The Field Support Advisor analysis has used
the overall area costs for 2012/2013 which totals £5.6m for the FSAs. This excludes the time for the senior management in the team and the
scheduling team which number 14 staff.
Data used was for the year to March 2013 and as a check the first quarter of 2013/2014, using BAU figures only and extrapolated.
Conclusions
Based upon the information provided to IA the split of effort between audit and training is broadly a 50/50 split but trending to 45:55.
This would indicate that for the full year 2012/13 the cost of auditing was £3.01M and based on the first quarter of 2013/14 the out turn could be
expected to be £3.36M
NOTE: All costs are for BAU cost centres only, there is approximately a further £1.4M that is NT related FSA activity
COSTING DETAIL
APPENDIX
Cost Centre Current Cost Centre Structure Year Quarter 1 2013/14
2012/2013 I 2013/2014 I Extrapolated
£M £M £M
2540347 South East 1.62 I 0.49 1.96
2540348 Midlands 1.52 I 0.43 1.72
2540360 Scotland 0.95 I 0.25 1.00
2540361 Northern Ireland 0.27 I 0.07 0.28
2540367 Wales 1.23 I 0.25 1.00
2541501 Audit/Training Projects and Standards 0.17 I 0.15 0.60
2541602 Head of national Field Support 0.26 I 0.04 0.16
Totals 6.02 I 1.68 6.72
POL00086765
POL00086765
TIME ANALYSIS (YEAR 2012/13)
APPENDIX
Detail Days Scheduled Totals I Percentage
(Days) Split
Audit Activity
Interventions 862
Agency Transfers/Closures 860
Agency Unplanned Closures 27
Robbery and Burglary Incidents 72
6-9 Month Post Transfer Audits 602
Cash and Stock Checks (All Branches) 8619
Random Cash and Stock Checking 102
Cash Centre CViT & Swindon 11
Total Audit Time 11155
Non Direct Time
Annual Leave 4882
Bank Holiday 1510
Sick Leave 683
Special Leave 118
Maternity Leave 37
Authorised Time back 1693
Regular Time back 1552
Blank Days* 6246
Short Term Loan 41
Network Conformance Team 1245
Total Non Direct 18007
Time
Calculation of Training days
Total FSA Days based on staff Nos 44735 100%
Less Audit Time 11155 25%
Less Non Direct Time 18007 40%
Balance (assumed training activity by FSA’s) 16532 35%
* Time not recorded as allocated to anything is analysed as Blank Days — this amounts to 14% of the total time available
POL00086765
POL00086765
TIME ANALYSIS (Quarter 1 2013/14) (check for consistency of numbers)
APPENDIX
Detail Days Scheduled Totals I Percentage Split
Audit Activity
Interventions 138
Agency Transfers/Closures 598
Agency Unplanned Closures 9
Robbery and Burglary Incidents 12
6-9 Month Post Transfer Audits 185
Cash and Stock Checks (All Branches) 3210
Random Cash and Stock Checking 27
Cash Centre CViT & Swindon 3
Total Audit Time 4182
Non Direct Time
Annual Leave 1286
Bank Holiday 671
Sick Leave 93
Special Leave 21
Maternity Leave 3
Authorised Time back 460
Regular Time back 942
Blank Days* 569 4%
Short Term Loan 1
Network Conformance Team 267
Total Non Direct 4313
Time
Calculation of Training days
Total FSA Days based on staff Nos 14560 100%
Less Audit Time Less Audit Time 4182 29%
Less Non Direct Time Less Non Direct Time 4313 30%
Balance (assumed training activity by FSA’s) 6065 41%
* Time not allocated to anything is analysed as Blank Days — this amounts to 4% of the total time available
POL00086765
POL00086765