POL00088750
POL00088750
POST OFFICE INTERNAL
Title Knowledge Centre - Audits
Subject Chapter 09 - Retention of Audit Papers
Version Control 5.14
Purpose Outline process for filing and retaining audit
papers
Audience Network Operations Field Team
Next Review Date June 2020
Stakeholders
Stakeholders Name I Responsibility
Tim Perkins Head of Loss Prevention
Alison Clark Branch Analysis and Control Manager
Rachelle Shimwell Loss Prevention Casework Support Team Leader
Jackie Lawrence Senior Data Protection Manager
Responsibilities in change
Role Job Title(s) Date
Author Simon Talbot - Area Audit Manager 13/01/2020
Assurance Tahira Akbar - Audit Advisor 13/01/2020
Authorised Alison Clark - Branch Analysis and 13/01/2020
Control Manager
Communication Rachelle Shimwell - Loss Prevention 13/01/2020
Casework Support Team Leader
Version control
Version Reason for issue Date of Go-
No. Live
Version 1.0 I Complete Audit Process Chapter Review - October 2011
PROJECT
Version 2.0 I Annual Review - Sections 5 & 6 - Salford October 2013
(Manchester) replaced with Bark Street, Bolton
Version 2.1 I Section 2.3 - Lotus Notes replaced by October 2013
SharePoint
Section 4 - BAU added in front of Regional
Network Managers
Version 3 Annual Review - All references to P32 changed I January 2015
to FAT, No other changes.
Version 3.1 I Section 2.3 - Change from 5 days to 3 days to I July 2015
add FAT & CAT tools to Sharepoint
Version 4.0 I Annual Review - Section 4 - Change of Nov 2015
responsibility from regional Managers to Area
Managers
Chapter9 - Retention of Papers - V5.1 January 2020
POST OFFICE INTERNAL
POL00088750
POL00088750
Version 5.0
Annual Review - Section 4 - Updated to take
account of business reorganisation.
Section’s 5 & 6 removed as no longer
applicable. Print the CAT email added as CAT
Papers aren’t mandatory. Section 3 & 4
combined. Reference to the central archive
removed as it doesn’t exist.
Sept 2018
Version 5.1
Increased 5 year retention to 7 years and 12
month QAR retention to 7 years. Changed
reference to Network Server to Sharepoint.
Update role names.
Jan 2020
Index
Introduction
3
1 Standards For The Retention Of Audit Papers 3
2 Lead Auditor Responsibilities 5
3 Area Audit Managers Responsibilities 5
Chapter9 - Retention of Papers - V5.1 January 2020
POL00088750
POL00088750
POST OFFICE INTERNAL
INTRODUCTION
It is the duty of the Security Manager to contact the Lead Auditor
within 60 days of the audit if they require the original paperwork
from an audit.
It is imperative that the Lead Auditor completes and forwards the
Event Capture Form within 48 hours to the recipients as detailed on
the Audit Reporting Tool (ART) including the Security Team as this
gives them the initial starting point of the need for an investigation
that may lead to a court case and successful prosecution.
If you have not been contacted within 60 days of the audit you must
shred all paperwork relating to that audit.
After 60 days the only records from the audit available will be those
held electronically on SharePoint, or those previously requested by
the Security Manager
The ART electronic Microsoft Excel form, when completed, holds most of the
information that needs to be retained following an audit. They are stored on a
SharePoint and this has therefore considerably reduced the amount of
manual paperwork.
Original paperwork supporting an audit will from time to time be required for
a variety of purposes (e.g. presentation at court during legal proceedings),
and for this reason a policy of retaining such paperwork has been introduced.
This policy covers the retention of manual documentation arising from audit
activity; stating periods of retention, detailing storage arrangements,
retrieval instructions, and destruction.
All audit papers are to be retained by the lead auditor and held for a period of
60 days. This allows for any immediate post-audit queries to be raised and
answered without delay.
SECTION 1- STANDARDS FOR THE RETENTION OF AUDIT PAPERS
1.1. All ART’s (electronic Microsoft Excel forms) to be retained on SharePoint
for at least seven financial years following the year in which the audit was
undertaken. Electronic files to be deleted from laptops once confirmed on
network server.
1.2 All manual supporting documentation (detailed at 1.4) to be securely
retained by the lead auditor for a period of 60 days from the date of audit.
1.3. After 60 days, all manual supporting documentation will be shredded. If
you are unsure whether to shred documents you can discuss your
concerns with Security Team or your Area Audit Manager. It is the
Security Manager's duty to request audit papers within 60 days.
Chapter9 - Retention of Papers - V5.1 January 2020 3
POL00088750
POL00088750
POST OFFICE INTERNAL
Events requiring investigation may include:
Suspension of Postmaster / Operator / Agent
Misuse of funds
Unexpected discrepancy greater than £1000
Admission of, or suspicion of, false accounting or theft
Irregular personal cheque on hand
Credit sales
Instances where unfamiliar circumstances are encountered. In these
cases a decision to destroy or retain should be made following
discussion with the Security Team.
1.4. The supporting documentation retained should contain the following
items:
¢ Security Request Summary Sheet if papers are requested (Knowledge
Centre - Audits - Chapter 02 Working Papers);
e Cash, currency and stock sheets where used;
¢ Compliance Audit Test (CAT) report (Print the email confirmation);
e Any reports generated from Horizon required by the audit process or
relating to the audit irregularity
e Any hand written notes, papers or associated evidence relating to an audit
that revealed an irregularity.
1.5 The documentation included in any Quality Assurance Review (QAR) must
be retained by the Area Audit Manager completing the QAR for a period of
7 years following the completion of the QAR. This will ensure evidence is
retained for possible use when completing the Personal Development
Review (PDR) or if QAR results are subsequently questioned. It also
allows documentation to be retained for external audit purposes, if
required.
Chapter9 - Retention of Papers - V5.1 January 2020 4
POL00088750
POL00088750
POST OFFICE INTERNAL
SECTION 2 - LEAD AUDITOR RESPONSIBILITIES
21
2.2
2.3
2.4
2.5
2.6
Ensure that all manual documentation is necessary and not excessive.
Ensure that standards outlined in Section 1 are adhered to.
Ensure the ART and CAT Tools are submitted, within 3 days for storage on
Sharepoint, and deleted from laptop once transfer is confirmed.
Retain audit papers locally for a period of 60 days from the date of the
audit.
Notify the Security Team of any irregularities during audit. This will ensure
that the Security Team can request relevant papers within 60 days.
Forward audit papers by Royal Mail Special Delivery to the POL Security
Team as requested and complete Security request summary sheet as
appropriate.
After 60 days from the date of the audit, all audit papers not required by
Security Team must be shredded by the lead Auditor.
SECTION 3 - AREA AUDIT MANAGERRESPONSBILITIES
3.1
3.2
3.3
3.4
3.5
3.6
If an AreaAudit Manager is designated as the lead Auditor, their
responsibility is as described above.
Monitor the supporting documentation retained using the QAR and 1-2-1
processes, and ensure QAR’s are performed within 60 days of the date of
the audit.
Audit papers on which a QAR has been performed are to be retained by
the Area Audit Manager completing QAR for a period 7 years and then
shredded.
Ensure that direct reports are aware of the standards and their
responsibilities, and that they are properly equipped (i.e. either be
provided with, or have access to a shredder).
Monitor the supporting documentation retained using the Quality
Assurance Review (QAR) and 1-2-1 processes and ensure QAR’s are
performed within 60 days of the date of the audit.
Ensure that expired documentation is destroyed using a shredder.
Chapter9 - Retention of Papers - V5.1 January 2020 5