POL00238126
POL00238126
Royal Mail Holdings plc
Control themes and observations
for the year ended 27 March 2011
POL00238126
POL00238126
POL00238126
POL00238126
“0 31] ERNST & YOUNG cp nas
Private and confidential
Mike Prince 15 November 2011
Royal Mail Holdings Plc
100 Victoria Embankment
London
EC4Y 0HQ
Dear Mike,
Control themes and observations arising from the 2010-11 audit
We have completed our procedures in relation to the audit of Royal Mail Holdings
plc and substantially completed the audit of its subsidiary undertakings for the year
ended 27 March 2011.
The key control themes and observations from our audit were discussed in the May
2011 Audit Results Report and are detailed in each section of this report. We have
also noted a number of more routine observations in the report, which have been
agreed with management.
Our review of the Group’s systems of internal control is carried out to help us
express an opinion on the accounts of the Group as a whole. This work is not
primarily directed towards the discovery of weaknesses, the detection of fraud or
other irregularities (other than those which would influence us in forming that
opinion) and should not, therefore, be relied upon to show that no other
weaknesses exist or areas require attention. Accordingly, the comments in this
letter refer only to those matters that have come to our attention during the course
of our normal audit work and do not attempt to indicate all possible improvements
that a special review might develop. We would be happy to discuss any of the
points contained within this letter in more detail with you.
We would like to take this opportunity to thank you, your colleagues and staff for
their courtesy and assistance extended to us during the course of our audit.
Yours sincerely
POL00238126
POL00238126
Alison Duncan
Partner, on behalf of Ernst & Young LLP
Enc
The UK firm Ernst & Young LLP is a limited liability
partnership registered in England and Wales with
registered number 0C300001 and is a member firm of
Emst & Young Global Limited. A list of members’
names is available for inspection at 1 More London
Place, London SE1 2AF, the firm's principal place of
business and registered office.
POL00238126
POL00238126
Contents
Overview..
UKLPI...
Post Office Limited...
GLS......
POL00238126
POL00238126
CONTROL THEMES AND OBSERVATIONS.
Overview
Our review of the Group's system of internal control is carried out to assist us in
expressing an opinion on the accounts of the Group as a whole. This work focuses on the key
processes that impact the financial statements, namely:
>» Payroll
» Revenue
> IT
We selected key controls within these processes and performed testing to address the material
financial statement risks in specific areas. We also revisited the recommendations that we
made in 2010 and reviewed the status of management's agreed actions.
The key control themes and observations from our audit were discussed in the May 2011 Audit
and Risk Committee and are detailed in each of the sections of this report. We have also noted
a number of more routine observations in the report, which we have discussed with
management and agreed actions.
We have split our report into the key areas where we perform our work, namely:
>» UKLPI
>» Post Office Limited
>» GLS
POL00238126
POL00238126
UKLPI
Control observations
Financial statement close process
There have been changes to the Group’s finance team as part of the business
restructuring, a number occurring only a few months prior to the year end. The most significant
change has been the merger of the previous Letters and Group teams. Despite the reduction in
headcount and the uncertainty, we have not identified any significant impact on the control
environment or noticed an impact on the quality and timeliness of the information provided to
us as part of our audit either at the P11 hard close or the P12 year end.
This was achieved through re-engineering of roles and responsibilities within a very
experienced team, a detailed handover from the ‘Letters team’ in P10, together with bringing
forward as much work as possible to P11. This is evidenced by the number of accounting
matters that were agreed prior to the year end.
Payroll process
Consistent with prior years, we were unable to rely on the IT general controls for the
legacy Infinium payroll system due to developers having access to move programme changes
into production, with no facility to log and review. Therefore, we have extended our sample
testing in relation to application controls, have tested the source data for IT dependent manual
controls and have recast any reports obtained from Infinium that we use as part of our audit.
We have tested manual and management level controls over the key elements of the
payroll process, including joiner, leaver and payroll processing.
We noted that following the departure of a member of the leavers’ team, a check of
payments back to redundancy agreement for 100% of employees being made redundant was
unintentionally discontinued. This was mitigated by higher level review controls during that
period and management promptly reinstated the control following our finding.
All the other controls that we have sought to rely on for audit purposes were deemed to
be operating effectively. Key management controls include the weekly and monthly 40X
Reports whereby payroll amounts exceeding set thresholds in each payroll environment are
investigated and resolved prior to the payroll run.
POL00238126
POL00238126
Revenue process
Our work on the ‘order to cash’ revenue process focused on the most significant
income streams. As in prior years, we performed controls testing over the Bulk Mail and
Counter Stamps income streams. The controls we sought to rely on were tested as
operating effectively.
A feature of the dockets and self billing OBA system is that a number of manual
adjustments are required to correct errors, issue credit notes, or in some cases to record
revenue for new products that cannot otherwise be recorded. One of the key controls
tested is the review by the finance team of J-Dockets and support, prior to entries being
uploaded into the system. This includes a hierarchy of approval limits and a review of the
adjustments being proposed. We found this control to operate effectively but that it relied
on operators’ knowledge of other peoples’ roles and titles in the organisation. For example,
there is no formal updated authorisation list for refunds or other adjustments. In addition,
we have reviewed J-Dockets with a value greater than £250,000 and noted no issues.
We have also reviewed the ‘order to cash’ revenue process for Wholesale and
controls were deemed to operate effectively. J-Dockets were appropriately reviewed by
finance prior to being uploaded into the system.
IT
We test the IT general controls around the revenue systems and the SAP-ESFS
general ledger in the Letters business. Where it is more efficient to do so, we place
reliance on a SAS 70 report from CSC.
In prior years, we identified the fact that a large number of users were granted the
powerful SAP_ALL super user access and there was little formal review of their activities.
The number of users with permanent SAP_ALL access has decreased to six. The controls
around granting temporary SAP_ALL access are not sufficiently documented. We have
performed alternative procedures to ensure that no entries were posted by super users to
revenue and that no employee or supplier account had been set up. No issues were
identified following these additional alternative procedures.
Taxation
We have continued to see improvement in the tax control environment in the year. The
improvements are reflected in regular meetings with HMRC and in the continued resolution
of prior year items, and this is supported by feedback provided by HMRC in their recent risk
review.
We have also had ongoing discussions with Royal Mail in respect of the Senior Accounting
Officer certification obligation which for Royal Mail is due by September 2011.
Management's progress on SAO certification is in line with what we see at UK plc as well
as other organisations of similar size and complexity. Management is in the process of
updating the documentation based on improvement suggestions from EY, and we will
review again prior to submission in September.
VAT
Following the legal challenge from TNT and the ruling from the European Court of Justice,
Royal Mail was required to charge VAT on non-USO products from 31 January 2011. This
was a complex project identifying which products would be subject to VAT, changing all
impacted IT systems, updating the accounting and providing training to staff.
POL00238126
POL00238126
Our procedures included a high level review of both the VAT classification and
interpretation of the legislation and our review of IT system changes focused on OBA.
These were performed prior to the ‘go live’ date in order to be able to feedback on a timely
basis any observations, and subsequently followed up post implementation.
Whilst our IT and VAT specialists suggested some minor improvement points around best
practice, we were impressed by the governance of the project, ongoing collaboration with
the HMRC, contingency planning and the delivery of the project to its timetable and budget.
Our audit procedures at the year end did not identify any issues in relation to this new
compliance obligation.
Status on 2009-10 management letter points
In the prior year we noted that a key payroll control in identifying any ghost
employees, the human asset check, had been discontinued due to the significant level of
change as a result of the Transformation. This control has been reinstated towards the end
of the year.
We also highlighted the changes in VAT legislation as a significant risk. As noted
above, this has been adequately managed and addressed in the current year.
Matters for the forthcoming year
Restructuring
The finance restructuring started in 2010 is on track for completion in 2011-12 and
some finance functions are yet to close down or be merged. These periods of change are
always subject to risks of control breakdown. In the case of the Peterborough office, for
example, the cash collection and processing team is currently in the process of moving to
Bolton, with most of the employees being made redundant. We understand that
management has identified dedicated resources to manage the transitions, with an interim
move to Chesterfield being considered. We will continue to work closely with management
to ensure that key controls are focused upon throughout this period.
IT
The new HR PSP payroll system has gone live at the end of May 2011 covering
some of the employees of the Group. The system will be rolled out in phases, with the final
phase being completed at the end next year. Management is required to replace the
current system and has created new functionalities to create a more robust system that will,
amongst other things, provide more detailed management information on the cost drivers in
the business. Any new system carries a significant level of risk and this is deemed to be a
business critical system. Other than the technical considerations, we believe it is important
POL00238126
POL00238126
that there is sufficient buy-in from the users of the system as the system places greater
responsibilities on front line staff than the existing system.
We have started working with management in order to give our views on the control
environment. We have agreed to test key controls over the coming months and intend to
use our SAP Explorer technology to assist with maximising the efficiency and configuration
of the SAP-HR system.
POL00238126
POL00238126
Post Office Limited
IT Control observations
Summary
During 2010-11, Post Office Limited (‘POL’) made significant changes to its key financial
systems environment. In September 2010 it completed the progressive replacement of
Horizon with Horizon Next Generation (HNGX) across the branch estate, which had
commenced in December 2009. In addition, the POLFS and SAP-ADS systems were
consolidated into a single SAP system (POL-SAP) in August 2010.
HNGx is the main system used to process transactions from the counters/branches. It
summarises transactions and uploads to POL-SAP, the primary back office system which
underpins the production of the financial statements. _In view of the volume of
transactions flowing through the systems and the geographical spread of the branch
network, they are critical to the ongoing operation of the business and financial reporting
processes and hence our delivery of an efficient audit. In extremis, were we unable to
place reliance on these systems it is arguable whether it would be possible to undertake
the scale of substantive work necessary for us to form an opinion at all.
Our audit identified significant control weaknesses, which in our view reflects a need for
improvement by the outsource provider Fujitsu but also a change in approach on the part of
POL. Despite the outsourced IT environment, POL is responsible for the governance, risk
and control framework over its business critical systems, and should have visibility and
assurance over their design and operating effectiveness.
Management is acting on our recommendations and are remediating the existing IT controls
framework to ensure that our findings and observations are taken into account as POL
commences new contract negotiations with Fujitsu. We are satisfied that the recently
joined POL IT Director has the right knowledge, attitude and experience to address these
weaknesses and to ensure that POL takes ownership for the IT control environment and
demands the appropriate service from Fujitsu.
Set out below are our observations and point of view on the audit process, controls findings
and the contract with Fujitsu.
Audit process
As in prior years, there was no SAS 70 independent audit report over the Fujitsu control
environment. Consequently, it was agreed that Ernst & Young would undertake the
necessary audit procedures to gain assurance over the IT general controls of logical access
and programme change of POL-SAP and HNGX.
Ernst & Young had a new team this year, which unavoidably entailed a steep learning
curve, but also highlighted that we had previously relied on knowledge within our team
rather than the availability of documentation within Fujitsu. Despite the great support of
POL’s new IT Director, Lesley Sewell, and her team, which included securing from Fujitsu
an audit liaison contact and the sponsorship of the Fujitsu account leader, the combination
of: the degree of change in the IT environment; the change of EY team; and Fujitsu’s
approach in delivering audit requirements to POL and EY, resulted in an unduly lengthy,
unpredictable and inefficient audit. Whilst we have found the audit process with Fujitsu
challenging in prior years, we understand that the reason for additional problems in the
current year is due to Fujitsu’s delivery model for POL moving to a shared service model in
conjunction with the rollout of HNGX. As a result, there is no one Fujitsu or POL person
POL00238126
POL00238126
]
9
a
LIMITED
3
]
a
c
a
who has full knowledge of POL’s end-to end processes or access to documentation and
other evidence to support the operation of key controls which resulted in certain information
we would consider routine not being available (such as listings of leavers) or requiring
significant time to produce. This makes it very time-consuming for either POL or EY to gain
assurance that adequate controls are in place and are operating as expected.
Controls observations
As noted above, our audit identified significant IT control weaknesses; however we
ultimately obtained mitigating audit evidence to rely on the IT control environment. Details
of our controls observations are included in the next section. In summary, however, our
audit identified:
POL-SAP
» Accounts with access to both develop and deploy changes to the live environment
» Access to deploy changes for inappropriate individuals/leavers
» Lack of periodic review of and monitoring of changes deployed into production
» No evidence that program changes are approved, tested and authorised
» Lack of involvement of Post Office staff in testing most fixes and maintenance changes
» Multiple generic accounts with highly powerful privileges
» Users with permanent access to SAP_ALL not being monitored
» Lack of periodic review of appropriateness of user access
» Lack of user administration procedures for Cash Centre users
HNGX
» Developers with access to migrate changes to live environment
» Leavers with access to promote changes to live environment not being removed
» Lack of periodic review and monitoring of changes deployed into production
>» No evidence of Post Office approving specific HNGX releases following the pilot
» Evidence of POL testing on changes not being retained consistently
» Lack of periodic review of appropriateness of user access
» Leavers’ access not being revoked in a timely manner
» Access requests being granted without evidence of approval from line managers
» Passwords for privileged generic accounts being shared by multiple users
Since the completion of our IT audit, we have discussed in detail the control observations
and our expectations in addressing these with Fujitsu and POL. We have also held a de-
brief session with Fujitsu and POL regarding the difficulties we faced during the audit. We
have worked with Lesley Sewell in engaging with the Fujitsu account leader to highlight
POL’s desire to implement a required controls framework and explore options for the
conduct of the audit in future. From these discussions we understand that Fujitsu has
accepted that control improvements are required and has initiated a project to address the
security issues; in addition, high-level action plans have been agreed by Fujitsu, POL and
ourselves to improve the audit process for next year.
POL00238126
POL00238126
Recommendations — contract with Fujitsu
In our opinion, POL currently relies on Fujitsu to act in its best interests, and will need to be
more demanding in this contract relationship going forward. We have the following
recommendations which should be addressed urgently:
» Fujitsu to undertake formally to address the control issues noted during the audit,
whether relating to the POL account or to its shared service provision, and to accept a
requirement to address issues arising in the future within a specified period
» POL to take ownership of the effectiveness of the control environment with Fujitsu and
require Fujitsu to implement a control framework devised by POL (including standards
and requirements) and to provide assurance (independent or otherwise) over its
continued effective operation
» Metrics/service level agreements to be agreed for the timely provision of information in
response to requests from Post Office itself or its auditors
» Whilst Fujitsu has indicated that the provision of an ISAE 3402 (formerly SAS70) would
be excessively costly and the preference within POL at present is to focus on improving
the existing audit process going forward, we recommend that POL keeps the ISAE 3402
option under consideration over time, as there are indications that Fujitsu will adopt an
increasingly global approach to service provision, further complicating the process of
gaining audit evidence
Whilst we do recognise that the current outsourcing model has been pursued to
successfully deliver very significant commercial benefits to POL, there is a need to
implement additional governance measures to reflect the shared service nature of Fujitsu’s
provision.
Other Control observations
Financial statement close process
The improvements made to the POL financial reporting and financial statement
close process last year have continued. There was appropriate rigor over the P11 hard
close with all reconciliations performed in a timely manner and supported by appropriate
documentation.
Payroll process
The POL payroll process is independent of the process and systems that support
the rest of RMG. It covers approximately 20,000 employees and agents, which primarily
include front line workers and agents working at Post Offices around the country. The
system supporting this process is a SAP-HR module.
We have had to take a fully substantive audit approach to POL payroll in recent years due
to a number of control deficiencies over the review of joiners and leavers and a lack of
documentation of a number of review controls. Following efforts in the prior year to improve
the POL financial statement close process, the payroll process has received a high level of
management focus and attention. The recommendations that we made last year have now
been addressed. Although a number of small improvement points were identified (e.g. full
human asset check, additional review of change request), we believe the controls have
operated effectively during the year, and we relied on these controls for our audit.
POST OFFICE LIMITED
OTHER CONTROL OBSERVATIONS
Observation
Human Asset Check
An employee asset check was completed for the first 6 months
with a response rate of 75%. The remaining 25% was not
completed given the upcoming organisational restructure.
However, as all employees are expected to be put onto new
online organisational chart before March 2011, Management
believes this will allow for a more robust human asset check in
the future.
The agent asset check continues not to be in place. The design
of an asset check for agents is still under discussion and the HR
department have put forward a suggested process to senior
management and are awaiting approval.
As this control is not yet fully operational, there is a continued
risk of either ‘ghost’ employees or agents, or that employees or
agents who have left the business incorrectly remain on the
payroll.
Recommendation
We recommend that HR reviews the results
of the trial run of the employee asset check
and ensure that 100% coverage is achieved.
In addition, we await to see senior
management's decision regarding
implementation of the proposed agent's
asset check but recommend that the
proposed control is introduced at the earliest
opportunity to migrate the inherent risks.
POL00238126
POL00238126
Management comment
Agreed
a) Employees — the final verification of our structure
will in effect deliver the second 6 month review as per
the agreed control.
b) Agents — Currently we are performing a check of
offices paid on HRSAP against office transacting
basics products e.g. 1% class stamps (via Credence).
We intend to continue with this check and await a
decision on whether we require anything further to
deliver an acceptable asset check.
OFFICE LIMITED
POL00238126
POL00238126
Review of Employee Change Request
We noted a marked improvement in the maintenance and
transparency of the employee changes log spreadsheet, however
one month sampled identified that the 10% check had not been
carried out in full, with only 8% of changes (contractual and non-
contractual) being subject to review.
It was also noted that the log was not amended in cases where
the information would suggest a contractual change but once
processed this was not the case, however it is recorded by sign
off if the change lead to a contractual change.
This control is important in ensuring that all changes are being
reviewed and input onto SAP correctly. It was noted that this was
done in the other months selected for testing apart from the
exception noted above.
Variance Report for Agents
It was noted when testing the agents pay variance reports for
April, August & September that there were a small number of
exceptions per the generated exception reports that had not been
brought forward and noted on the summary front sheet - which is
in turn reviewed by the Service Team Leader (STL). There
appear to be no guidelines in place which dictate which variances
and follow ups require management review although those
exceptions identified within the report had been investigated in
We recommend that the change from a
“contractual” change request to a “non-
contractual” change request be clearly
documented on the spreadsheet in order to
ensure transparency over what contractual
changes have been made. In addition, we
Agreed — Now in place
a) Additional column has now been included on our
spreadsheet to highlight where there is a change in
status from the source document i.e. sent as
contractual and processed as non-contractual or vice
versa. This is already noted on the source document
however this addition adds visibility.
recommend that the level of secondary check b) 10% check as detailed in our Control Manual will be
each month (e.g. 10% of the full population) is delivered. On the one month where only 8% was
adhered too in all cases.
We recommend that there are clear process
guidelines for the level of management
checks to indicate which variances should be
raised for management review, in order to
ensure no significant variances and follow up
documented this has now been re-visited
retrospectively and the team leader has checked a
further sample to meet the agreed requirements.
Agreed — Fully implemented for P12 processing.
The check is 100% on the variances that are produced
with those requiring action documented on a front
facing sheet. Narrative detailing the guidelines to
actions are omitted. All items within the report Perform the check will accompany the front facing
meeting this threshold should then be included sheet. The sheet will also be updated to include a
on the front sheet ready for management
review.
the initial review but not included on the front sheet ready for STL .
review.
A lack of clear guidelines dictating which variances should be
raised for management review leaves the potential for oversight
of significant variances generated by the SAP report which are
not included in the STL review
‘balance’ of all variances identified that period which
will form part of the team leader sign off.
POL00238126
POL00238126
GLS
Control observations
Financial statement close process
In order to meet the Group reporting requirements at year end, GLS entities report
eleven months of actual results together with one month of forecast results. GLS have a
number of years of experience in this methodology and in 2010-11 there was minimal
difference between the P12 forecast and P12 actual EBITA. This accurate forecasting
allows GLS to meet the Group’s fast timetable for consolidating results with a true-up
performed once the actual results are finalised, and allows us to complete our audit
procedures in line with the Group reporting deadlines.
The GLS business operates across a number of decentralised locations with
reliance on a core management team that has a significant level of knowledge and
experience. The control environment is complemented by the GLS ARC and the reviews
performed by the GLS Internal Audit function.
The EY audit team attended the year end ARC meeting on 13 May and provided:
> Anupdate on audit status
>» Asummary of the year end audit results
» Updates on significant litigation matters
EY performs audits at all of the significant GLS locations and an assessment is made, and
agreed with GLS management, at the start of each year over the areas that will be covered
by the external audit.
Overall, the only issues of Group audit importance noted in any of the GLS audits is the
GLS LTIP item, the potential tax exposure in GLS Italy and the overprovision for damaged
mail covered elsewhere in this report.
Status on 2010-11 management letter points
A controls-based audit approach is taken at the significant GLS locations.
Management is conscious of the recommendations that we raise and appropriate attention
has been given to the points that we have made in previous years, including amendments
to the IT control environment and intercompany confirmation process.
GLs
GLS Germany
Internal control/process issues
Observation
Recommendation
Management Response
SAP_ALL Users (PR1)
The profile SAP_ALL represents the status of a
superuser and therefore provides unlimited
access to the SAP R/3 systems. During our
audit we observed that there is one external
consultant in the SAP HR-System (PR1) with
permanent SAP_ALL rights.
Permanent “SAP_ALL*“ rights should be limited
to emergency users.
The use of the emergency user should be
documented as well the temporary assignment
of the SAP_ALL rights.
The SAP_ALL right for the external consultant
(in fact it was an employee of the external
consultant) has been cancelled.
Several tools in place to support the
Change Management process
During our audit we observed that several
independent tools are used to organise and
document changes to IT systems within the
change management processes. Each
department used their own tool to manage the
changes. No tool exists that covers the entire
change management processes from the
request to the deployment. Furthermore, no.
linkage to the incident and problem
management exists.
The use of multiple tools is likely to create a
management and documentation overhead.
Furthermore, the likelihood of failures is
increased. Due to the multiple tools it is difficult
to track used times and to identify bottlenecks.
To increase efficiency, a single tool should be
used to support the change management
process. This will also ensure the traceability of
a change, the complete process beginning with
the request / defect (helpdesk call) and ending
at the final deployment of the change.
The tools are based on our workflows for
requests (LN teamroom), defects (testdirector)
and support calls (LN helpdesk).
The tool for tracking defects (test director) will
be at the end of its life in August 2011.
Therefore we are evaluating a workflow tool that
should cover all requirements in order to
support the change management process as
recommended. The first step will be then to
replace the tool for the defect handling.
POL00238126
POL00238126
GLS Denmark A/S
Internal control/process issues
Observation
Recommendation
Management Response
IT - General controls - User rights —
Segregation of duties
A lack of segregation of duties was noted in
relation to IT user rights.
As such, there is an increased risk that
unintentional or intentional errors in master
data remain undetected. Specifically
employees, who are in charge of creditor
payments should not be allowed to change
vendor master data or have super-user rights
in Cap Nordic.
During our walkthrough of approvals of costs
we found several employees that had limits for
approval above the normal level (not head of
department employees approving more than
DKK 10,000).
To ensure that the correct approval procedures
are in place we recommend a_ periodical
overview of the encoded authorizations to
approve invoices in the Cap Nordic System -
including which accounts the authorisation
regards and a maximum amount, if any.
Anew workflow system will be implemented as
of 1 of June 2011, which, amongst other things,
ensures a visible hierarchy structure for
approval of invoices. This hierarchy will be build
according to the implemented GLS Group
Limits of Authority.
IT - General controls - Change
Management
Since October 2010, testing of the changes to
the system have been confirmed by phone and
not in recorded in written documentation, e.g.
in an email. There is therefore no record that
can be inspected to confirm that changes have
been appropriately tested.
We recommend that the previous practice of
maintaining written records is reinstated.
Monthly log showing all changes performed in
the system will be reviewed and signed off by
the Finance Director.
POL00238126
POL00238126
GLs
Observation
Recommendation
Management Response
Payment of wages and salaries
Wages and salaries are handled by a small
team of individuals. Lack of segregation of
duties weakens the internal controls and
increases the potential risk of errors and fraud.
According to the system "Personaleportalen”,
users with super-user rights can change master
data. A change is performed by one person
and another approves the change. The IT-
system does not require that 2 different
individuals perform this - in our test of control
of changes of master data we found a small
number of examples where there was no
documentation for changes in employee's bank
account number.
We recommend that the IT system is set up to
secure that 2 different persons are always
involved. Otherwise we recommend that the
monthly approval is made by written
documentation as an email or signing the paper
profile. We furthermore recommend that for
changes in master data made by users with
super-user rights written documentation is
archived.
We have no possibility to change super-user
rights in “Personale-Portalen”, as it is not our
system. There are 3 super-users registered,
Lone Koch (Payroll), Steen Kristensen (Finance
Director) and Karsten Klitmaller (Regional
Manager). They can individually prepare and
approve changes in masterdata etc. Monthly
white-collar payments are approved by the
Finance Director and written documentation will
in future be obtained. Furthermore we have
implemented a procedure for documenting all
changes in master data in written.
Transfer Pricing documentation
We draw the attention to the Danish legislation
on transfer pricing, which requires that written
documentation must be prepared to document
that the intra-group transactions are made at
market prices. The documentation must also
include all material transactions between
Danish Group Companies, and e.g. GLS
Express’ transfer pricing documentation must
also include transactions with Der Kurier.
We have been informed that GLS Group has
prepared some documentation, e.g.
documentation of corporate centre charge.
However, we strongly recommend that GLS DK
at least prepares documentation of all identified
types of group internal transactions (with
amounts and specification of countries
involved) and a reference to the documentation
that is supporting the pricing of the transaction.
Transfer pricing documentation for transactions
between Danish Group companies and for
Corporate center charge as well as loan in
interest costs are updates and maintained in
GLS Denmark. Transfer pricing documentation
for international transactions (clearing) is
maintained in GLS Germany.
POL00238126
POL00238126
GLs
GLS France
Internal control/process issues
Observation
Recommendation
Management Response
Price sheets returned unsigned by the
customer
The price sheets provided with the customer
agreements that serve as the basis for invoicing
are not always returned duly signed by the
customer.
We put the stress on the following points:
- The sales representatives and sales
administration have set up improvement
to keep on quality on this issue
- Many agencies have set up follow-up of
customers to have prices listing validated
- Customers rarely contest the prices that
GLS France charges to them
Actions plans have been implemented over the
last 5 years; We recommended that the update
of contracts and amendments has to be made
in a more rigorous way.
Following action have been made by Sales
Admin department to ease up the controlling of
contracts updating by Sales Manager in region.
- Selligent menu to have the list of each
document not declared by sales service
as validated in Selligent
Moreover, to make the overview of contracts
updating process more reliable, it has been
decided to develop an IT program to enter data
validation on Selligent based on the scanning of
document. Each scan is available on a data
base. The setting up of this process in region is in
progress. A first statement will be made in June
2011.
At least, to check controlling operation managed
by region, Internal Audit team includes this
guideline in their audit organisation
Price modification under Selligent or during
the transfer between Alpha and Sellingent
During IT review we noticed that anyone in the
agencies can modify the prices in the customer's
data.
We recommend setting up an IT limitation so
that only a few dedicated people can modify the
client data in Selligent.
An analysis is planned. Solution will be proposed
via a request and submitted for development.
Observation
Recommendation
Management Response
POL00238126
POL00238126
GLs
Subcontractors contracts
During our audit, there were some cases for which
we could not match some rates, per point or per
round, applied in the invoices sent by
subcontractors, with the contract.
We had difficulties in obtaining the last price
amendments for some subcontractors
We recommend updating the invoicing follow-
up files set up in each agency. These files could
include the reference of the last codicils
corresponding to the updated price.
Furthermore, we recommend keeping the last
price amendments signed by the subcontractors
in the subcontractor files in the agencies.
Action is still in progress in stressing by more
internal audits of the subcontractor files :
* Quality team audit on these files on the field.
e Internal audit also systematically check and
best practices spread.
Subcontractor file
Some files selected during our audit did not
include all the updated legal documents (copy of
subcontractor insurances, copy of the driving
licenses of the drivers)
Action plans have been set up over the last
years. We recommend the agencies to be more
rigorous.
Preventive actions: training of local
correspondents and depot managers on the good
recordkeeping, regular information on legal news
and precise items.
Corrective actions: annual checking of
subcontractors’ files sample by legal department
with request of corrective actions, deadlines and
checking of actions lead.
GLS Belgium and GLS Netherlands Holding BV
POL00238126
POL00238126
GLs
Internal control/process issues
Observation
Recommendation
Management Response
During our audit procedures performed on the
Claims process of both companies we noticed
that both companies use an entirely different
method for determining their monthly claims
provision.
The claims provision for GLS Belgium
Distribution, mainly for freight activities, is
calculated locally and is based on a formula
taking into account:
- Actual claim cost prior year
- Ratio containing the claim cost trend over
previous years
- Actual weight (in kg) of prior year shipments
- Actual number of shipments prior year
- Estimated number of shipments current
year
~ Risk factor
We noted that no annual update of the data
used in the formula is done.
First of all, we recommend GLS Belgium
Distribution updating the date used in the
formula each year in order to present a more up-
to-date view of the actual claim costs in prior
year.
Furthermore, we recommend both companies
to align the claims process in order to give a
more transparent view and to facilitate the
understanding of both provisions.
The claim departments of GBD and GBE have
been centralised in Anderlecht since June 2010.
Our first priority has been to cope with the extra
volume of claims, since the staff that was formerly
responsible for the GBE claims remained in
Vilvoorde. We are currently engaged in the
harmonisation of the claims procedures.
The next priority in the ongoing harmonisation
process, is the reporting format. This will include
the provision building process as well as the
provision reports. Obviously, GLS Belgium is
expected to conform to the German template, but
we will make sure the report is transparent and
matches the templates we have been using for
GBD in the past, so you can easily plug into the
data of both companies at the next audit.
The formula for the computation of the claim
provisions for GBD is normally updated every year.
However, since the FY2010 data were considered
unrepresentative due to the perturbations of the
protracted depot-splitting process, the computation
basis of the previous financial year was upheld for
one year. The financial year 2012 will be based on
a fresh computation based on the FY2011 data.
POL00238126
POL00238126
Observation
Recommendation
Management Response
GLs
As from 2010-11, both companies report one
consolidated MCP reporting package. Both
companies are consolidated using the full
consolidation method. The eliminations in the
consolidation process are entirely based on
intercompany codes which are automatically
assigned in SAP at the moment intercompany
invoices are encoded. SAP will eliminate these
intercompany codes in a separate
consolidation module. We noted that
provisions and COD amounts which are built
up between both companies at month end do
not receive this intercompany code and are
therefore not automatically eliminated in the
consolidation. Furthermore we noted that no
proper consolidation report is made on a
regular basis in order to facilitate the review of
the eliminations done on consolidation level.
We recommend both companies to use
intercompany codes in SAP for all
intercompany transactions encoded in order to
avoid missing intercompany eliminations in the
consolidation process.
Furthermore we recommend to make a
consolidation report on a monthly basis
containing:
- The separate trial balances of both
companies with local accounting numbers
- The separate eliminations done in both
companies on accounting number level
- One trial balance of both companies after
eliminations on local accounting numbers
- Mapping table between local accounting
numbers and MCP classifications
This, in order to facilitate the review of the
eliminations and to assure reconciliation with
the consolidated MCP reporting package.
With effect from April 2011 intercompany COD
balances will be eliminated in the GLS Belgium
MCP.
An improved consolidation / elimination audit trail,
as proposed by E&Y, will also be put in place.
On a monthly basis General Logistic Systems
Belgium extracts data from GEPARD and
reconciles this data with the data available in
SAP in order to assure the completeness
between the two systems. Differences which
come up during this reconciliation process are
investigated and solved. During our review of
this reconciliation process we noticed that
neither the reconciliation nor the explanation of
differences is documented or kept.
We recommend General Logistic Systems
Belgium to formalise the documentation of this
reconciliation process.
We will document the difference as of now.
POL00238126
POL00238126
POL00238126
POL00238126
Emst & Young LLP
Assurance I Tax I Transactions I Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 130,000 people are united by
our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider
communities achieve potential.
For more information, please visit www.ey.com/uk.
© Emst & Young LLP 2008. Published in the UK,
All Rights Reserved.