POL00088634
Knowledge Centre - Audits
Chapter 09 - Retention of Audit Papers
5.0
Outline process for filing and retaining audit papers
Network Operations Field Team
September 2019
Stakeholders
National Training & Audit Manager - Lesley McNally | Retention and Archiving Reports
Security Team | Review of process
Responsibilities in Change
Author | Tim Gordon-Pounder, Training & Audit Advisor | 27/09/2018
Assurance | Keith Scott, Training & Audit Advisor | 28/09/2018
Authorised | Lesley McNally, National Training & Audit Manager
Communication | Tim Gordon-Pounder, Training & Audit Advisor
Version control
Version No. | Reason for issue | Date of Go-Live
Version 1.0 | Complete Audit Process Chapter Review - PROJECT | October 2011
Version 2.0 | Annual Review - Sections 5 & 6 - Salford (Manchester) replaced with Bark Street, Bolton | October 2013
Version 2.1 | Section 2.3 - Lotus Notes replaced by SharePoint. Section 4 - BAU added in front of Regional Network Managers | October 2013
Version 3 | Annual Review - All references to P32 changed to FAT, No other changes. | January 2015
Version 3.1 | Section 2.3 - Change from 5 days to 3 days to add FAT & CAT tools to SharePoint | July 2015
Version 4.0 | Annual Review - Section 4 - Change of responsibility from regional Managers to Area Managers | Nov 2015
Version 5.0 | Annual Review - Section 4 - Updated to take account of business reorganisation. Sections 5 & 6 removed as no longer applicable. Print the CAT email added as CAT papers aren't mandatory. Section 3 & 4 combined. Reference to the central archive removed as it doesn't exist. | Sept 2018
Retention of Papers V5.0 Sept. 2018
Index
Introduction
Standards For The Retention Of Audit Papers
Lead Auditor Responsibilities
Training & Audit Managers Responsibilities
Admin Support Responsibilities
INTRODUCTION
It is the duty of the Security Manager to contact the Lead Auditor
within 60 days of the audit if they require the original paperwork
from an audit.
It is imperative that the Lead Auditor completes and forwards the
Event Capture Form within 48 hours to the recipients as detailed on
the Audit Reporting Tool (ART) including the Security Team as this
gives them the initial starting point of the need for an investigation
that may lead to a court case and successful prosecution.
If you have not been contacted within 60 days of the audit you must
shred all paperwork relating to that audit.
After 60 days the only records from the audit available will be those
held electronically on SharePoint, or those previously requested by
the Security Manager.
The ART electronic Microsoft Excel form, when completed, holds most of the
information that needs to be retained following an audit. They are stored on a
network server and this has therefore considerably reduced the amount of
manual paperwork.
Original paperwork supporting an audit will from time to time be required for
a variety of purposes (e.g. presentation at court during legal proceedings),
and for this reason a policy of retaining such paperwork has been introduced.
This policy covers the retention of manual documentation arising from audit
activity; stating periods of retention, detailing storage arrangements,
retrieval instructions, and destruction.
All audit papers are to be retained by the lead auditor and held for a period of
60 days. This allows for any immediate post-audit queries to be raised and
answered without delay.
SECTION 1 - STANDARDS FOR THE RETENTION OF AUDIT PAPERS
1.1. All ARTs (electronic Microsoft Excel forms) to be retained on a network
server for at least five financial years following the year in which the audit
was undertaken. Electronic files to be deleted from laptops once confirmed
on network server.
1.2. All manual supporting documentation (detailed at 1.4) to be securely
retained by the lead auditor for a period of 60 days from the date of audit.
1.3. After 60 days, all manual supporting documentation will be shredded. If
you are unsure whether to shred documents you can discuss your
concerns with Security Team or your Training and Audit Manager (TAM).
It is the Security Manager's duty to request audit papers within 60 days.
Events requiring investigation may include:
• Suspension of Postmaster / Operator / Agent
• Misuse of funds
• Unexpected discrepancy greater than £1000
• Admission of, or suspicion of, false accounting or theft
• Irregular personal cheque on hand
• Credit sales
• Instances where unfamiliar circumstances are encountered. In these cases a decision to destroy or retain should be made following discussion with the Security Team.
1.4 The supporting documentation retained should contain the following:
• Security Request Summary Sheet if papers are requested (Knowledge Centre - Audits - Chapter 02 Working Papers);
• Cash, currency and stock sheets where used;
• Compliance Audit Test (CAT) report (Print the email confirmation);
• Any reports generated from Horizon required by the audit process or relating to the audit irregularity;
• Any hand written notes, papers or associated evidence relating to an audit that revealed an irregularity.
1.5 The documentation included in any Quality Assurance Review (QAR) must
be retained by the Training and Audit Manager (TAM) completing the QAR
for a period of 12 months following the completion of the QAR. This will
ensure evidence is retained for possible use when completing the Personal
Development Review (PDR) or if QAR results are subsequently questioned.
It also allows documentation to be retained for external audit purposes, if
required.
SECTION 2 - LEAD FIELD TEAM MEMBER RESPONSIBILITIES
2.1 Ensure that all manual documentation is necessary and not excessive.
2.2 Ensure that standards outlined in Section 1 are adhered to.
2.3 Ensure the ART and CAT Tools are submitted, within 3 days for storage on a network server, and deleted from laptop once storage on network server is confirmed.
2.4 Retain audit papers locally for a period of 60 days from the date of the audit.
2.5 Notify the Security Team of any irregularities during audit. This will ensure that the Security Team can request relevant papers within 60 days.
2.6 Forward audit papers by Royal Mail Special Delivery to the POL Security Team as requested and complete Security request summary sheet as appropriate.
After 60 days from the date of the audit, all audit papers not required by Security Team must be shredded by Lead Auditor.
SECTION 3 - Training & Audit Manager (TAM) RESPONSIBILITIES
3.1 If a Training & Audit Manager (TAM) is designated as the lead Field Team Member, their responsibility is as described above.
3.2 Monitor the supporting documentation retained using the QAR and 1-2-1 processes, and ensure QARs are performed within 60 days of the date of the audit.
3.3 Audit papers on which a QAR has been performed are to be retained by Training & Audit Manager (TAM) completing QAR for a period of 12 months and then shredded.
3.4 Ensure that direct reports are aware of the standards and their responsibilities, and that they are properly equipped (i.e. either be provided with, or have access to a shredder).
3.5 Monitor the supporting documentation retained using the Quality Assurance Review (QAR) and 1-2-1 processes and ensure QARs are performed within 60 days of the date of the audit.
3.6 Ensure that expired documentation is destroyed using a shredder.