POL00086831 - POST OFFICE LTD EXECUTIVE COMMITTEE: Internal Audit Options


POST OFFICE LTD EXECUTIVE COMMITTEE
Internal Audit - Future options

1. Purpose

The purpose of the paper which is attached is to:

1.1 Outline the auditing principles POL is adopting since its full transition from
Royal Mail Internal Audit & Risk in the summer.

1.2 Outline the findings and issues arising from the detailed review of auditing
work undertaken by the Field Support Advisors within Network Operations.

1.3 Propose options for the future shape of IA in POL based on the recent
review of network auditing and current three lines of defence model.

1.4 The committee is requested to discuss and agree a position to recommend
to the ARC which has requested the review.

2. Summary

2.1 To be effective, the Post Office Internal Audit capability needs to maintain
independence, apply professional standards and ways of working, focus on
assurance and the management of risk and control, and these attributes
should be applied and operate across the organisation.

2.2 The business has determined it will apply the Three Lines of Defence model.

2.3 The Branch Auditing function in its current approach, capability, scope and
reporting does not represent value for money for Post Office. There is
significant opportunity to reshape to support the Post Office’s future retail
focused aspirations.

2.4 The review of the Branch Auditing function within the combined FSA audit
and training role, highlighted a number of options in the original report, of
these it is recommended that the Executive consider:

* Split audit and training functionality. Enable the dedicated training capability
to focus on improving support and day to day liaison with branches
especially agents.

* Move audit capability to third line, reduce size of branch team, but
professionalise using higher grade staff. (Similar to levels in the supply chain
compliance team) so that capability is strengthened to improve overall value for
investment.

* Broaden the branch audit and assurance scope, change the reporting to
provide meaningful information to help the branch manage risk and control
to build performance. Build ability to support central IA team if necessary.

* The proposal estimates that a revised approach using 50-55 headcount
Retail Audit team costing £2.6m could cover at least 4000 sites per annum.
The current combined 220 FSA (including training) team covers 4500 sites a
year at a combined £6m-£7m.

Executive Committee — October 2013 Internal Audit Options Malcolm Zack Page 1

1. Purpose and principles of Internal Audit

The Principles of Internal Auditing within Post Office are embedded within the Internal Audit
Charter that was approved by the ARC in November 2012 and discussed with the
Executive Committee in July 2013 after the completion of the transition from the Royal Mail
IA service.

In essence the principles are

1. Post Office Internal Audit (POL IA) will apply the Global Institute of Internal Auditor's
definition of internal audit.

* “Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the

* POLIA will apply international professional reporting standards and techniques.

2. POLIA will therefore direct its activity towards three on-going overarching goals:-

* To provide the Board with independent and objective assurance over Post Office
organisation’s controls.

* Provide assurance that the Post Office processes for identifying, assessing and
managing risks are effectively deployed.

* To help management improve their decision making processes, controls and
operations through risk and control advice and support.

3. POLIA will maintain a functional reporting line to the chair of the Audit Committee to
maintain its independence.

4. POLIA will have operational scope across all business activities and functions and have
unrestricted access to personnel, records, property including contractors and external
audit insofar as it applies to authorised audit and review activity. It may attend business
meetings and committees to build and maintain business knowledge and
understanding.

5. POLIA will be sufficiently and appropriately staffed and skilled to carry out its duties in
terms of

* professional competency,
* business knowledge and awareness,
* technical proficiency

and will consider and seek specialised services from either within or outside the
organisation where it does not have the capacity or level of knowledge to undertake
audit or review work.

6. The business has determined that it will apply the Three lines of Defence model to risk
management and auditing. The IA function will sit in the 3rd line.


2. The Three lines of defence model.

2.1 The business has determined that it will apply the three lines of defence model.
This is illustrated below. Management and staff are responsible for designing,
implementing and improving controls and processes that manage risks in their
respective areas. The second line focuses on key risks and compliance
management and may include auditing type activity. However this activity is
not independent of management and in some cases may be managed by the
same senior management responsible for running the operations.

2.2 The third line provides independent assurance across 1st and 2nd lines but
reports to and is ultimately managed by the organisation’s audit committee.

The diagram also shows the approximate split of second and third line head
count. (Includes some vacancies)

2.3 The 3 lines is a recommended model supported by the IIA and in the UK by the
Institute of Directors. However it is not a mandatory, legally required model or
structure. It is more prevalent in Financial Services organisations but it is quite
common to find Audit and Risk combined into one function in other sectors such
as retail. This may be for operational, cultural and financial reasons. Some
compliance activities may be absorbed or remain separate. Such blurring of the
three lines presents some independence issues and potential conflicts of
interest so safeguards are usually implemented.

[Diagram: Three lines of defence model]

Governing Body/Audit Committee
Senior Management/Risk & Compliance Ctte

1st Line of Defence: Management Controls; Internal Control Measures
2nd Line of Defence: Security - 60; Risk & Compliance - 10; Health & Safety - 11; FSAs - 220+; Supply Chain Compliance - 8; FS - Risk Management; Information Security - 17
3rd Line of Defence: Internal Audit - HIA + 3

NB the Information security team is currently 12 with vacancies. Some of their activity can
be considered 1st line. Some companies consider Financial control to be second line
functions but clearly some of their activity would be considered 1st line.


3. Examination of Branch Auditing in Post Office.

3.1 A review of the approach to branch auditing was requested by the ARC and
took place over the summer. Twenty seven branches were included in the
review. The report was cleared within Network Services including discussions
with Kevin Gilliland and also with Chris Day given some of the financial
opportunities that may arise from potential changes.

3.2 The review considered the areas and key risks below.

Areas:

* , content of audits
* Audit programmes, tools and techniques
* Outcomes of audits and levels of assurance obtained
* Audit strategy, planning, costings and team structure.
* Management Information use and relevance
* Adequacy and balance of coverage
* Use of resource, scheduling activity

Key risks:

* Branch audit activity may not be sufficiently focussed on all key branch risks
* Coverage may not be sufficient or appropriately balanced.
* Results and management information may not be sufficient to give senior
management a view of control
* Assurance levels may not be clear
* Follow up mechanisms may not ensure the control environment is maintained /
improved

3.3 The current structure comprises 220 Field Support Advisors (FSAs),
including 18 team leaders grouped into teams around the country. In addition
there is a management structure of 5 supported by 15
scheduling/administration staff. This costs approximately £7m in total
although it is recognised that the team has been expanded to take account
of the Network Transformation Programme. The structure reports to
middle/senior management within Network Operations.

* The Field Support Advisors (auditors) also do training sessions as part of
their workload, although this is separate from the branch audits. Our
internal audit did not include an assessment of the training activity other
than an understanding of the mix and training commitments undertaken.

* The branch audit capability was, until a few years ago, part of Finance. It
was moved to Network Operations and combined with the incumbent
training team.

3.4 The one page executive summary from the audit report is in the appendix to this
paper. The full report is available upon request. The findings and issues
identified have been agreed with network management. The challenge to the
Executive Committee and ultimately to the ARC is to determine the most
appropriate way forward given:

a) The results of the review
b) The current cost challenges in the business
c) The shape of auditing in POL.

3.5 Key Findings and Issues

The report concluded that in our opinion, the current remit does not meet the
forward assurance and risk management needs of the business outlined in
section 3.2.

In summary:

* No assurance is gained over anything other than cash and some stocks at
considerable cost to the business. The rest of the branch operation is not
covered. This is a missed opportunity.

* Compliance testing undertaken by the FSAs and observed was mainly question
based by interview. This should be done instead by proper examination and
testing of supporting evidence. There is probably an inaccurate level of
assurance over regulatory compliance in branches.

Coverage and use of resources

* Staff hours are used inefficiently. Analysis indicates that, of the total man
days available in a typical year, 25% to 30% is actually on audits. Up to 40%
appears to be on non direct time (although this does include leave).

* There is little formal opportunity for discussion and feedback or the raising
of issues and concerns whilst auditors are on premises. It may well occur given
the large number of audits conducted, but not in a systematic and coordinated
way that can provide a channel of information upwards into the centre.

Management information, trends, systemic issues, overall view of risk and control in network

* Management Information is limited in its application and really only details
number of audits completed. Trends, systemic issues and levels of risk and
control are not reported or assessed as a matter of course.

* Post Offices are closed during the first stage of the audit while the cash is
counted which usually kicks off at opening time. This can cause inconvenience
to customers. Counters may open up quickly within an hour but records show that
longer periods of up to 2 hours or more can be required. Our review of this
approach suggests that this can be altered to not require branch closure
although this may mean counting at different times of the day.

* It should be noted that formal and informal feedback from branch management
(through a branch survey during the audit) is that the current approach is
sometimes seen as disruptive to opening hours, recognised as a necessity but
one that does not help them improve control, process and manage their branches
better.

* Given that most audits are completed before midday and comprise several staff
in some cases, this would appear to be an opportunity missed to pick up issues
on the ground.

* Audit reporting process is inefficient, delayed and excludes key stakeholders.
Reports can be sent to the Area Manager up to 5 weeks after the audit and
follow up investigation/revisits needs improvement.

* In our opinion the resource is ineffectively used and better management
of time could probably reduce the number of personnel needed. It is
particularly hampered by the 35 hour week arrangements which start the
moment an FSA leaves their home and travels to a site. Some FSAs
owe hours to the business. Most audits appear to use 3-5 auditors
working from 8:30 to around 11am and most then return home other than
the lead auditor.

* Staff standards (quality of audit work / turn out) vary considerably across
the country.

The key risks outlined in 3.2 are not well managed.

3.6 The teams do however focus on the remit they have been given, i.e. to
count cash and some high value stock and to ask some compliance based
questions (albeit with little documentary or evidential activity). Or, to conduct
more detailed tests if financial results are not satisfactory.

It is recognised that the branch audit team may be requested by security or
the Finance Service Centre to conduct “special” audits in light of information
that suggests losses, or irregularities. At times these may lead to justified
agency suspensions although in other cases the amounts involved may be
less than the costs of audit and investigation.

If the business wishes to retain this as the primary remit within Network
Operations, then our recommendations would be chiefly around re-designing
the MI and report contents, and addressing the operational inefficiency of the
personnel set up.

The team however could be significantly reduced in size to just cover
requests from security and the Finance Service Centre. This is currently
about 50 requests per month. Some capability would be needed for branch
transfers, openings and closures. This would therefore be a more reactive
team but would have to be willing to travel around the country because the
security/FSC requests could arise anywhere.

3.7 Potential Choices

Whilst the business may choose to retain and modify this approach, in our
opinion, this option misses an opportunity and provides low value for the
business. In essence, whilst several options were suggested in our detailed
report, the choice is between:

* Keeping a loss detection/stock counting based role with some
improvement in reporting/visibility whilst also maintaining a training
obligation, staffed by relatively junior personnel who are generally
experienced ex counter staff but not professionally qualified internal
auditors.

* Creating a modern, higher skilled, but smaller Retail Audit team
capable of assessing a branch as a whole (Crown, Multiple and
agency) providing local, area and senior management with on-going
assessment and intelligence over the risks/controls in the branch
network. Enabling the remaining headcount to be channelled into a
stronger dedicated branch and head office training function.

3.8 Given the position of the branch network as the largest retail network in the
UK and the aspirations of the business, a strong, business risk oriented
assessment and improvement capability reporting independently of
management is considered important to the future governance of Post Office
Limited.

It should also be able to work collaboratively in the longer term with other
branch based audit bodies such as Bank of Ireland or even with the retail
audit teams of multiples where these exist such as WHSmith, Coop, Tescos
and Asda.

* If the business preferred an option along these lines it could choose to
split the current FSA team into auditors and trainers, allowing the
latter to be more dedicated in training and education needs for
branch and agency staff. Then, either keep the separated audit team
within Network Operations (as second line defence) or transfer the
function to a 3rd line of defence under Internal Audit.

* Wherever the function is positioned, the business must recognise
that such a change would be transformational and would require
reassessment of the skills and capabilities required, redesign of the
audit scope, methods and reporting and a structural change.

* The scale of this option is not to be underestimated. This may well
mean that for some personnel such a move would be attractive and
developmental, but for others not attractive or appropriate.

4. Options considered and risks

1. Keep FSA team together - no major change

Benefits
* Current staff population remains in place
* Assurance maintained over cash
* Specialist knowledge pool maintained

Risks/Issues
* Branch audit activity not be sufficiently focussed on all key branch risks
* Coverage not be sufficient or appropriately balanced.
* Results and management information not be sufficient to give senior management
a view of control
* Assurance levels not clear
* Follow up mechanisms do not ensure the control environment is maintained /
improved
* Cost opportunities not realised
* No efficiency achieved - low value for money invested and time employed

2. Continue as current but split Audit and Training into separate functions within Network
Services

Benefits
* Current staff have a choice of specialism subject to senior management
requirements regarding split
* Specialist knowledge maintained
* Minimal disruption to process and personnel

Risks and Issues
* Risks - as above
* Only have some assurance over cash/valued stock.

3. Continue as current but attempt to “professionalise” team — remain within Network

Benefits
* Current staff population remains in place (if they can be professionally
trained and skills upgraded/broadened)
* Limited assurance maintained over cash
* Greater flexibility if “management” hours are worked and travel time is
rationalised
* Development of people
* Partially address risks in 3.2

Risks and Issues
* No significant change - no meaningful assurance gained
* Additional training cost
* Low efficiency achieved
* Limited “audit coverage” maintained
* Disruption during HR processes
* Risk that it is unlikely to be achieved
* No cost saving opportunity

4. Split audit and training and move audit to POLIA and transform to Retail Audit Capability

Benefits
* Transforms the function to professional Retail Audit
* Development stream for business. (Staff could transfer into other areas or
into senior Central Audit roles)
* Assurance over all areas of branch operation
* Creates opportunity for remaining FSA Staff to be regrouped into a dedicated
training function not distracted by audit responsibilities - more direct
support / focus for branches
* Managers and Management gain risk and control assessments of the network
* More effective testing of compliance (eg anti money laundering)
* Higher graded, experienced staff - lower numbers required
* Address risks in section 3.2

Risks and Issues
* Initial cost in training
* Staff disruption
* Need to assess current staff capabilities
* Not a quick fix, will need careful planning and transition.
* Potential redundancy costs
* Disruption during transformation
5. Outsource/Co Source the Network audit function - 5a) Outsource (with outsourcer running the
activity) or 5b) Co-source (POLIA running the activity with a mix of in house and external resource)

Benefits
* Flexible resource
* Reduction in POL headcount
* No 35 hour week constraint
* Opportunity to gain assurance over more of the operation
* Professional exception reporting, timely provision of MI
* Use of external expertise to help develop the function (especially if
co-source approach taken)
* Could cap costs
* Address risks in section 3.2

Risks and Issues
* Cost (usually charged at a day rate plus out of pocket)
* Unqualified/inexperienced staff used
* Less specialist knowledge - provider will need to build up POL knowledge
(higher risk if complete outsource used - less if co-source used)
* POL still needs to define model and take responsibility
* Costs may creep if provider needs more time to understand and develop. (less
so if co-source used)
* Provider may not be able to provide sufficient geographic coverage

5. Recommendations

* Split audit and training functionality. Enable the dedicated training capability
to focus on improving support and day to day liaison with branches
especially agents.

* Move audit capability to third line, reduce size of branch team, but
professionalise using higher grade staff. (Similar to levels in the supply chain
compliance team) so that capability is strengthened to improve overall value for
investment.

* Broaden the branch audit and assurance scope, change the reporting to
provide meaningful information to help the branch manage risk and control
to build performance. Build ability to support central IA team if necessary.

Other areas of the three lines.

Some organisations (usually non financial services) have chosen to combine
elements of 2/3 lines for either practical or cost reasons. E.g. combination of
Audit and Risk, or combining compliance and audit teams. These options
have not been examined within this paper because the stated objective for
auditing and governance in POL has been to apply the 3 lines and to review
the current FSA capability.


6. What would a retail based approach consider?

* Appendix 1 details the potential coverage of a more retail based approach
but this would be developed with the business stakeholders through a
piloting process.

* Appendix 2 illustrates a potential top page audit report layout.

* Appendix 3 shows a current FSA audit top page layout.

5.1 In outline:

Take a risk based approach and cover the branch population as it currently sits as
follows:

Proposed pa
* All crowns visited at least once annually. (Follow ups for lower performing
branches) with full programme: 370
* All major multiples partner sites visited annually - WH Smith: 83
* Security/FSC requests (any type) - currently 50 per month: 600
* Multiples - Tesco: 71
* Multiples - ASDA: 22
* Multiples - McColls: 421
* Coop Group Ltd: 510
* Higher risk total: 2077
* Smaller agency branches (balance - including smaller 463 regional Coop): 1913
* Total per year: 4000

Current FSA approach pa
* Visit crowns once each over 2 years. (370): 185
* Annually part of agreement with WH Smith (83): 83
* Security/FSC requests: 600
* Non Crown/WHS. (General allocation, gap filling): 3632
* Total per year: 4500

* All large partner multiples visited at least once annually - with joint working
with partner audit teams investigated once established.

* All requests from Security and FSC addressed (50 per month)

* Remaining agencies fill remainder on a risk basis based on turnover, breadth
of services provided, branch profitability (when available).

o Use a menu based approach to the small agencies as the risks will
be lower. Audit visits may well require less than a day and some
auditors should be able to visit more than one small branch in a day.

* Branch numbers assumed at 4000 if 35 hour week limitations are still
applied. Number of audits may increase if the approach similar to that
employed by Supply Chain Compliance team is used. Normal 5 day week,
with flexibility for those who may have a high travel content for a particular
week.

* Higher coverage could be obtained in the longer term through the following
mix of alternatives

o Increase of staff towards 75 FTE model

o Modernisation of technology from laptop and print out/hardcopy
approach to tablet based/realtime reporting

o Self Assessment by some branches. (It is recognised that some
branches do this, but IA would review output and follow up where
necessary)

7. What are the cost and structure opportunities?

7.1 Current — combined role.

The current structure comprises 220 Field Support Advisors, (FSAs)
including 18 team leaders grouped into teams around the country.
The FSAs are PO graded staff and are generally ex-counter staff, not
qualified internal auditors.

Management structure of 5 supported by 15
scheduling/administration staff.

This costs approximately £7m in total although it is recognised that
the team has been expanded to take account of the Network
Transformation Programme.

7.2 Possible — Retail Audit separated from training and support.

Appendix 4 details the costing models based on a range of team
numbers from 75 to 50 with grades similar to the levels used in the
Supply Chain Compliance team but lower than in the head office risk
and compliance team and Internal Audit team.

What would be the minimum network audit team?

50 operational auditors, 3 operational audit managers, 1 - 2 admin staff.
Teams would be regionally based, North & Scotland, Midlands and South.

The current FSA time records suggest the equivalent of about 110
FSAs are used so the retail audit team would be smaller but with
higher capability to cover wider risks and audit programme and
enable support to the Corporate Audit team which is the HIA and
three band 4 managers.

This is estimated to be the minimum needed to provide a base level
of assurance to both the Board, the ARC and to management with
the following assumptions.

Audits would be typically one day by a single auditor rather than 3-5
for half a day.

Auditors work for the 5 normal working days and are not counting
hours from point of leaving home.

Requests from Security and the FSC are maintained at current levels.


Based on information from Network Finance the above team would require an
ongoing BAU cost of £2.6m at current rates.

This excludes:

Costs of transformation and transition. There will be a need to reassess the
skills needed, the capabilities available, training required and supporting
technology.

Once established there will be an ongoing CPD requirement and some
professional training/qualifications for junior staff who may join Post Office in
developmental roles. It is assumed these would be part of the annual
Learning and Development bidding process.

The Corporate team is currently three audit managers at band 4 — all professionally
qualified, experienced individuals. Budget (excluding Head of Internal Audit but
including co-source arrangements capped at £100k per annum) - £360k for
2013/14. This is separate from the figures analysed for the branch auditing
capability.

8. Overall Actions and Recommendations

The Executive Committee is requested to:

8.1 Reaffirm the internal auditing principles as consolidated with the Internal
Audit Charter.

8.2 Note the three lines of defence model and confirm its application or debate
otherwise.

8.3 Discuss the findings and recommendations arising from the branch audit
review

8.4 Make recommendations or propose options to the Audit, Risk and
Compliance committee for its October meeting.

Appendices

A1 - Potential areas of scope. (Would be developed with the business).

A2 - Potential Audit Results summary “Post Office Branch Health Check”

A3 - Example of current top page of FSA report

A4 - Cost proposals.


Appendix 1 — Proposed Proforma work programme. This is just a summary of potential areas for a review.

Preparation work before branch visit

- Cash situation / history
- Losses by cashier?
- ONCH performance
- Stock loss performance
- P&L (Performance to budget)
- Recent incidents
- Grapevine

On arrival

- Sign in and review visitors book procedures
- Condition of customer area
- POS up to date / Use of space
- Condition of back of house area
- State of counter positions / relevance of notices
- Ensure clocks are operational and correctly set
- Availability of stationery

Branch Operations

Horizon System

- User Log ons in the correct format
- All staff have own log ons
- All unused log ons explained / disabled / deleted as required
- All necessary training completed / logged / in currency
- If open counter - ensure cash limits are observed
- If open counter - ensure roller safe operation is used correctly

Forms

- Ensure all forms in use are the current versions
- Ensure stock replenishment process in use at the branch is sensible / reasonable
- Ensure all obsolete forms are removed and returned / destroyed

Stocks

- Review the allocation / use / reconciliation of stocks
- Review cash loss / action situation with manager
- Ensure security is maintained - keys available / secure - spares secured
- Review the replenishment process for counter stock

Security

Operation of Safes

- Ensure the operation of safes is in accordance with current procedures
- Ensure time locks used
- Review key controls - who holds and when / where are spare keys kept etc

Security

- Ensure key controls are observed correctly
- Review entry and exit procedures
- Review alarm controls
- Review frequency of code changes for both alarms and internal security door
access panels

Mails Segregation

- Ensure segregation process is physically set up with appropriate signage (to
encourage maximum compliance)
- Ensure checks are carried out by management / supervisor to provide maximum
compliance
- Ensure end of day routine is correctly followed and bags are ready when RM
operative arrives to collect

Cash/Value Stocks

- Obtain system balance and reconcile cash / value stocks as required
- Reconcile MVL’s
- Reconcile Philatelic / Collectors Coins as required
- Review last 3 REM’s in and out for completeness / accuracy
- Ensure all recalls / returns have been actioned
- Ensure Foreign Exchange “Bible” is available and is the most up to date version

Customer Services

Post and Go Machines

- Ensure Post and Go machines (where installed)
are serviceable and presentable

- Ensure reconciliation is in place and that cash is
added / removed as necessary

- Review procedure for emptying boxes during / at
the end of the day.

Drop and Go

- Review drop and go procedures as operated on the
counter

- Ensure counter staff are aware of offer and
promote it as necessary

In addition — the review would conduct regulatory compliance tests including the following areas.

Regulatory Training, Anti Money Laundering, Financial Services, Information Security (Including Data Protection), Royal Mail Services (Mails Integrity), Royal Mail Services (PiP and Mails Segregation), Telephony Products, Weights & Measures Act, Procedural Security, Government Services, Post Office Card Account

NB - These are all subject to a current review by Risk and Compliance

Appendix 2 - Example top proposed page of audit for branch and area manager.


Post Office Health Check Audit

| Branch | Manager | Area Mgr | Date | Auditor |
|---|---|---|---|---|
| Ashford | A. Man | B. Person | 05/05/2014 | R. Isky |

Overall Control Grade

| Areas Audited | Area Grade | 2014 main points | 2013 Audit | 2013 main points (October 2013) |
|---|---|---|---|---|
| 1 Cash/Value Stocks | [illegible] | | [illegible] | |
| 2 Security | 70% | | 60% | Back door locks broken |
| 3 Post & Go/Drop & Go | 18% | Reconciliation controls need to be in place. | 65% | |
| 4 Mails Segregation | 88% | | [illegible] | |
| 5 Front of Office/Customer Area | [illegible] | Ticketing machine not operating. Two clocks show wrong time. | [illegible] | Clocks need adjusting to show correct time |
| 6 Safe Management | [illegible] | Spare keys not secure, doors left open during audit visit | 68% | |
| 7 Branch Documentation/Forms | [illegible] | Old obsolete forms still in use | [illegible] | |
| 8 Health and Safety | 98% | | 900% | |
| 9 Counter Operations | [illegible] | | [illegible] | |
| 10 Regulatory Compliance | 56% | Missing documentation to support compliance | 166% | |

Commentary

The branch continues to perform at a reasonable standard of control but needs attention in a number of areas including more focus on basic security procedures. The main area of concern was the decline in regulatory knowledge and supporting documentation to ensure compliance. Further details can be found on page 3 of

IN CONFIDENCE

ict From =

‘Branch Manager {Gndy Kennard adam France

West Wekham eld Aaisor icscsu
[cain Midcteton
[Regional Support Advisor
Frank Martin

Field Team Leader

Date: 16 April 2013
Audit of Post Office Branch West Wickham 009012

Section 1 - Introduction

An audit of the above branch, led by myself, was undertaken on 16 April 2013.

The purpose of this audit was to provide assurance that financial assets due to the Post Office® were to hand and confirm compliance with a range of business processes, procedures and regulatory requirements. On this occasion cash, cheques and currency were checked along with certain stock items for 5 out of 9 Stock Units. The Stock Units not checked were deemed to be Assured.

Section 2 provides a management summary which includes the result of the financial audit and the results of Compliance & Conformance audit.

Section 3 details a breakdown of the result of the financial audit.

Section 4. A compliance declaration, which should be completed, signed and returned in the addressed

Section 2 - Management Summary

The net financial audit revealed a shortage of £4.42 subject to a reconciliation of some figures (undertaken after the audit). A breakdown of this figure can be found in section 3.

Compliance tests carried out during the audit did not identify any control gaps. I would therefore like to

Actions that were detailed in the previous audit still require attention. These are highlighted in bold text in the appendices.

Section 3 - Result of the Financial Audit

The results for all the Stock Units which were subject to checks of cash, cheques and foreign currency are detailed in Table 1 and the total value of any discrepancies for the range of stock items checked in these Stock Units are shown in Table 2.

[Table 1: Stock Unit; reported on Horizon; currency found at audit; Shortage; Surplus. Figures illegible.]

[Table 2: Stock reported on Horizon; Stock found at audit; Shortage; Surplus. Figures illegible.]

Also during the audit the following discrepancies were noted:

[illegible] were by 0. The correct reporting procedures must be followed.

Lottery cheques were [illegible] compared to the Horizon expected figure. The correct reporting procedures must be followed.

POCA cards were 0 compared to the Horizon expected figure. Cards should be [illegible] to ensure the figure on hand and snapshot agree.

During the audit it was noted that you are holding more than four times your average week sales of [illegible]

Your current average monthly issue of POCA cards is 3

In addition to the above amounts the net discrepancy as per Office Snapshot also needs to be taken into consideration 0 and the transaction corrections not processed of 72

I would like to thank the Branch Manager and staff for their assistance [illegible].

APPENDIX 3 - Example of current report by FSAs.

Current report sent to branch and area managers — usually
in a zip file with 5 — 6 other documents. This example
summarises the financial results, highlighting a loss of
£4.42 but completely omits the fact that £1000 of missing
travellers cheques was noted in the audit. (Post Office IA
observed this review)

The report is hence focused on financial results only and is
not easy to read. No compliance work was undertaken.

APPENDIX 4
Costings Proposal - POL Network Audit

| Role | Job Grade | Base Cost | Incl On Cost | Bens Cost | Total | FTE | 75 (£(000)'s) | 70 (£(000)'s) | 65 (£(000)'s) | 60 (£(000)'s) | 50 (£(000)'s) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Regional Audit Manager | 3A | 45 | 57.15 | | 63.15 | 3 | 189 | 189 | 189 | 189 | 189 |
| Regional Auditors | 28 | 30 | 38.1 | 4.2 | 42.3 | 75-50 | 3173 | 2961 | 2750 | 2538 | 2115 |
| Audit Administrator | | 23.5 | 29.8 | N/A | 29.8 | 1 | 30 | 30 | 30 | 30 | 30 |
| Staff cost | | | | | | | 3392 | 3180 | 2969 | 2757 | 2334 |
| Plus T&S to be added (£5K per head) | | | | | | | 390 | 365 | 340 | 315 | 265 |
| Total cost | | | | | | | 3782 | 3545 | 3309 | 3072 | 2599 |
| £m | | | | | | | 3.78 | 3.55 | 3.31 | 3.07 | 2.60 |