POLARC13 (6")
13/36 - 13/45
POL00198199
Strictly Confidential
POST OFFICE LIMITED
(Company no. 2154540)
(the Company)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held on
Tuesday 19 November 2013 by conference call

Present:
Alasdair Marnoch    Chairman of Committee
Neil McCausland     Senior Independent Director
Tim Franklin        Non-Executive Director

In attendance:
Paula Vennells      CEO
Chris Day           CFO
Chris Aujard        General Counsel (GC)
Alwen Lyons         Company Secretary
Sarah Hall          Head of Financial Control and Compliance
David Mason         Head of Risk Governance
Malcolm Zack        Head of Internal Audit
Lesley Sewell       Chief Information Officer (Minute 13/40 only)
Jeremy Midkiff      Senior Manager, Ernst & Young (Minute 13/42 only)

POLARC 13/36 INTRODUCTION
A quorum being present, the Chairman of the Committee opened the
meeting and welcomed all those present.

POLARC 13/37 MINUTES OF THE LAST MEETINGS AND MATTERS ARISING
(a) The Committee approved the minutes of the meetings held on 12
September 2013 for signature by the Chairman of the Committee.

(b) The Committee noted the actions list dated 12 November 2013.

POLARC 13/38 RISK MANAGEMENT — TOP COMPANY RISKS
(a) The Committee had received an ExCo report on key risks from David
Mason, Head of Risk Governance, in the papers for the meeting. The
CFO explained that further work had been undertaken since publishing
the papers and asked that this be the focus of the Committee’s
discussions.

(b) The Committee discussed the top six risks as identified by the Business:
• Allegations relating to the integrity of the Horizon system;
• Failure to deliver top line growth in line with strategic plans;
• Operating Model fails to deliver requisite cost savings;
• Inadequate people capability or capacity to deliver
transformational change and the strategic plan;
• Non-delivery of Network Transformation Programme; and
• Strike action within Supply Chain that could damage ability to
distribute cash to network (Industrial Relations/the CWU)

(c) In addition to the above risks, the Business identified three further risks
which would be monitored:
• the risk of regulatory action or reputational damage from FS mis-selling;
• the risk of not maintaining the security and integrity of Post Office
data; and
• the risk of unsuccessful delivery and operation following IT
transformation

(d) The CEO explained that the Business had owners for all the risks and
was reviewing the actions and assurance processes which were in place
to reduce the risks. The Business would also be reviewing the top risks at
the ExCo on a quarterly basis.

(e) The Committee thanked the CEO, noted that a lot of progress had been
made on risk identification and review and applauded the proposed
approach. It was agreed that the Chairman of the Committee would
update the Board at the next meeting. The detail of the risks presented
was captured in an update for the Board which is shown as an addendum
to these minutes and would be discussed at the next Board meeting.
ACTION: Alasdair Marnoch

(f) The Chairman asked that the Business go back 18 months and review
the 6 top risks and the 3 further risks to see how many would have been
identified at that stage.
ACTION: Dave Mason

(g) The Committee:
• Noted and supported the developing approach to risk
management in the Company.

POLARC 13/39 CORPORATE AND NETWORK AUDIT
(a) The Committee received a paper from Malcolm Zack, Head of Internal
Audit, outlining the principles of internal auditing and options for the
future.

(b) The CFO explained that the Business had recognised the need for
additional resource in the Internal Audit (IA) function but also the need to
commission a short piece of external work to look at IT risk and audit.
The Committee supported that approach as the IT transformation was
complex and an external audit would give the Business assurance.

(c) The Committee asked Chris Aujard, General Counsel, to undertake a risk
review of FS compliance, with input from Tim Franklin, to ensure the
Business is responding to changes in regulations and the Mortgage
Market Review. It was requested that a paper be brought to the next
ARC highlighting the Business’ compliance scorecard and the work
carried out to date.
ACTION: Chris Aujard

(d) The Committee asked that the Director of Financial Services also be
invited to the next ARC for this discussion.
ACTION: Nick Kennett

(e) The Committee agreed that the Risk Management and IA teams should
be focussed on the top 6 risks and 3 further risks and that enough
resource should be provided to fulfil this requirement. The CFO
explained that the structure for internal network audit would also be
reviewed but that this would be done at a later date and did not stop the
Business moving on strengthening the corporate IA function.

(f) The Committee noted the plan outlined in the Committee paper.

POLARC 13/40 IT AUDIT FINDINGS — SOFTWARE LICENSING AND IDENTITY ACCESS MANAGEMENT
(a) The Committee welcomed Lesley Sewell, Chief Information Officer, to the
meeting.

(b) The Committee received a paper from Malcolm Zack summarising the
most recent internal audit reports on Identity and Access Management
and Software Licensing.

(c) The Chairman thanked the Head of Internal Audit for the frank reports
which clearly identified the areas of concern. The Committee asked that
future reports included deadlines for all actions identified.
ACTION: Malcolm Zack

(d) Lesley Sewell explained that both audits were important as a baseline for
the Business as it separated from Royal Mail Group suppliers and would
enable her to ensure the new suppliers fulfilled the audit
recommendations as they took over the service.

(e) The Committee noted the outcomes of the reports.

(f) Lesley Sewell left the meeting.

POLARC 13/41 PROJECT SPARROW AND PROSECUTING AUTHORITY
(a) Chris Aujard, General Counsel, updated the Committee on the approach
to prosecutions brought by the Post Office. He sought the Committee’s
views on potential changes to the prosecutions policy and further work
proposed prior to a formal recommendation on a new prosecutions policy.

(b) The Committee discussed the alternative approaches to prosecution but
were concerned that if any changes were agreed the timing might
influence the mediation process by raising questions on previous
prosecutions.

(c) Chris Aujard explained that one of the issues was the perception that
subpostmasters had of the Post Office bringing prosecutions for false
accounting rather than theft, which had a lower standard of proof. The
Committee asked whether the business would still be able to recover
these debts through the Civil Courts. Chris Aujard explained that this
would still be open to the Business but it may be slower and not as
reliable. He explained that the Business was working to put in controls to
support subpostmasters and stop any debts escalating. The Committee
supported this but was nervous about changing the approach to
prosecutions as in their view this acted as a deterrent.

(d) The CEO thanked the Committee for the helpful challenge. She stressed
that the Business was not saying that it would never bring prosecutions,
but that it would be more circumspect in the cases it chose to take. She
agreed that the current approach was a deterrent but explained that there
were other deterrents such as suspension or termination of contract.

(e) It was suggested that the decision on the Company's prosecuting policy
should be taken to the January Board.
ACTION: Chris Aujard

(f) The CEO updated the Committee on Project Sparrow. She explained that
the lesson learned review was complete and the report would be
available in the next couple of weeks. The CEO drew the Committee’s
attention to two risks to the delivery of the Project.

(g) The first risk highlighted was that the Business had envisaged that the
final number of cases would have been under 100, but as the scheme
neared the deadline for application the number of applications was
nearer 150, with nearly 50 being received in the last couple of days
before applications closed. As a result, the timetable will have to be
extended as each case will need individual investigation and Second
Sight will need to be with us for longer. There will also be a resource cost
to the Business which the CFO is aware of.

The second risk that had arisen concerned the compensation that
subpostmasters believed they were entitled to. It had become clear from
the applications for mediation that there was an expectation gap which
the Business needed to mitigate where possible.

(h) The Committee emphasised the need to reach conclusion as quickly as
possible and to constrain the costs. It was noted that the Board would
receive an update at the November Board meeting.

POLARC 13/42 INTERIM REPORT REVIEW AND ERNST & YOUNG HALF YEAR REVIEW FINDINGS
(a) The Committee welcomed Jeremy Midkiff (JM), Senior Manager, Ernst &
Young to the meeting.

(b) Chris Day, CFO, invited the Committee to review the Company’s Interim
Report and Condensed Financial Statements for the 2013-14 half year.

(c) The Committee also received a report from Ernst & Young (EY) on the
Company's Half Year Results 2013 — 2014. JM welcomed discussion on
this report.

(d) JM explained the scope of EY’s review of the Company's interim financial
statements. He noted that this was the first time that the Company had
issued interim results under IAS 34 and therefore the scope of EY’s
review was in accordance with ISRE 2410 and designed to give negative
assurance over the interim financial information.

(e) JM indicated that the scope of the review and focus areas were similar in
nature to the full audit for the prior year ended 31 March 2013 with focus
areas being revenue recognition, counterparty credit risk, pensions,
classification of exceptional costs on the income statement and review of
corporation tax. Based on the review to date, no findings were
highlighted to the Committee except for the reclassification SAD
(summary audit difference) related to the presentation of business
transformation payments on the balance sheet similar to the prior year
end.

(f) JM noted that subsequent events procedures and management enquiries
will need to be updated to the expected date of sign-off and that a
management representation letter will be required for the interim results.

(g) Finally, whilst not specifically highlighted in the EY interim report, JM
drew attention to the exceptional credit of £30m in the interim financial
information as a result of utilising part of the current year non-network
subsidy grant to offset costs which were incurred in the previous financial
year. Whilst there was no issue with the accounting treatment adopted
by the Business, EY wanted to highlight that this was an area of focus
during the interim review as it seemed unusual to have a gain in the
current period financial statements for this specific matter.

(h) No other issues or findings were specifically highlighted to the Committee
for their consideration.

(i) Sarah Hall (SH) responded that the use of the 2012-13 additional grant
had been specified in a designation letter from BIS into amounts for
capital and agents’ compensation with the balance being available for
other spend. Although 2012-13 expenditure was below the total level of
the grant, the mix was different and about £30m was spent above the
grant level for expenditure that was transformational but neither capital
nor agents’ compensation. In setting the designation letter for the 2013-14
grant, this issue had been discussed with BIS and the 2013-14 letter
allocated a lower level to capital and agents’ compensation leaving a
greater balance for other transformational spend to cover the amounts in
the prior year that had not been covered by the 2012-13 grant as well as
expenditure in 2013-14. The Shareholder Executive team is aware of
this treatment and of the use of the grant to date.

(j) SH highlighted the key changes since the Board had reviewed the
Interim Report which had mainly arisen from the review by the
Shareholder Executive team. She also highlighted that there would be
further changes required should the funding announcement be made
before the Interim Report was finalised. It was agreed that these
changes would be reviewed by the Board Sub-Committee which would
be arranged for a date in the last week of November or the first week of
December.

(k) The Committee noted the Interim Report Review and thanked JM.

(l) JM left the meeting.

POLARC 13/43 FINANCIAL SERVICES UPDATE, INCLUDING BANK OF IRELAND (UK) PLC CAPITAL AND LIQUIDITY
ACTION: Nick Kennett
ACTION: CEO
(a) The Committee considered the report received from Nick Kennett,
Financial Services Director.

(b) The Committee asked for a note to update them on the effect of the Bank
of Ireland strategy on the savings portfolio and its position as value for
money for customers compared to the rest of the savings market.

(c) There was concern that the Current Account rollout was delayed and the
Committee asked for a fuller update at the Board.

(d) The Committee noted the update.

POLARC 13/44 PAPERS FOR NOTING
ACTION: CEO
ACTION: Chris Aujard
(a) The Committee noted the Information Security and Assurance Group
Specific Update on Brands Database. The CEO agreed to check again
that the right controls were in place for the Brands Database. The
Committee asked the Business to test whether information security for
international payments was covered by the FCA.

(b) The Committee asked that the Business check that the

(c) The Committee noted the Internal Audit activity update, status of agreed
actions.

(d) The Committee noted the report on the Committee’s first self-assessment.

(e) Finally, the Committee noted the report on the annual review of the
Committee’s terms of reference and the Internal Audit Charter and
agreed that:
• the terms of reference be ratified; and
• the Charter be approved with the changes detailed in the report.

POLARC 13/45 CLOSE
There being no further business, the meeting was declared closed.