Post Office Audit, Risk and Compliance Agenda
POL00240662
Date: 17th March 2016
Start Time: 14.00hrs    Finish Time: 16.30hrs
Room 1.19 Wakefield
Attendees: Carla Stent (Chair), Richard Callard, Tim Franklin, Ken McCall, Paula Vennells, Al Cameron, Jane MacLeod, Alwen Lyons, Nick Kennett, Mike Morley-Fletcher, Garry Hooton, Peter McIver, EY (Item 8.3), Mounia Mukina, EY (Item 8.3), Aon pensions advisor (Item 9)
Apologies: None
1. Welcome and Conflicts of Interest. (Chairman, 14.00 - 14.02)
2. Report from POMS ARC (Verbal update). For noting. To receive a verbal report from the meeting of the POMS Audit, Risk and Compliance Committee held on 15 March 2016. (Amanda Bowe, 14.02 - 14.10)
3. Minutes of the meetings held on 22 January 2016, Matters Arising and Action List. For approval. To approve the minutes of the meeting held on 22 January 2016, note the Matters Arising and update on the Actions. (Chairman, 14.10 - 14.20)
4. Risk & Controls Update: 4.1 Progress Report; 4.2 Risk Profile; 4.3 Internal Controls. For discussion. To update the Committee on progress with key components of the PO Risk Framework Plan, including:
   • Updates to Top Risks (including details of Key Further Actions) and learnings from Risk Incidents (including explanation of prioritisation and SLAs for monitoring IT incidents).
   • Details of General Control Framework GE owners/SMEs and timetable for ARC receiving assurance. Plus updates on Policy Framework and Business Continuity projects.
   (Mike Morley-Fletcher, 14.20 - 14.40)
5. Internal Audit Quarterly Report and Follow up Audit Actions. For discussion. To update the Committee on the PO Internal Audit activity and key outcomes. (Garry Hooton, 14.40 - 15.00)
6. Internal Audit Plan 2016/17. For approval. Approval of the 2016/17 Audit plan. (Garry Hooton, 15.00 - 15.10)
POL-BSFF-0078725
7. AML CTF Framework. For discussion. To brief the ARC on the findings of the report. (Jane MacLeod, 15.10 - 15.25)
8. Finance: 8.1 Lesson learnt on Postmaster Compensation provision; 8.2 Update on Financial Reporting and controls; 8.3 EY External Audit update (Peter McIver, EY); 8.4 Report & Accounts (CFO). For discussion. To provide the ARC with an update on the Financial Controls and Reporting progress. (CFO, 15.25 - 15.50)
9. Pensions Investment Report. For discussion. To provide an update on the Pensions Investment report. (Natasha Watson / External advisors, 15.50 - 16.15)
10. Review of the ARC Terms of Reference and Internal Audit Charter. For discussion. To review the ARC Terms of Reference and Internal Audit Charter. (Jane MacLeod, 16.15 - 16.25)
11. Items for noting: 11.1 Horizon Spotting. For noting. Horizon spot any legal, regulatory or other external risks. (Jane MacLeod, 16.25 - 16.30)
CLOSE 16.30
POL-BSFF-0078725_0001
Strictly Confidential
POL ARC 16/01 — 16/09
POST OFFICE LIMITED
(Company no. 2154540)
(the ‘Company’)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE COMMITTEE
held at 9.30am on 22 January 2016
at 20 Finsbury Street, London EC2Y 9AQ
Present:
Carla Stent, Chairman (Chair)
Tim Franklin, Non-Executive Director (TF)
Ken McCall, Non-Executive Director (KM)
Richard Callard, Non-Executive Director (RC)
In Attendance:
Paula Vennells, Chief Executive (CEO)
Alisdair Cameron, Chief Financial Officer (CFO)
Garry Hooton, Audit Manager (GH)
Alwen Lyons, Company Secretary (AL)
Jane MacLeod, General Counsel (GC)
Mike Morley-Fletcher, Head of Risk and Assurance, Corporate Services (MMF)
Angus Grant, Ernst & Young (AG)
Mounia Mukina, Ernst & Young (MM)
Amanda Bowe, Post Office Management Services Limited Non-Executive Director & Chair of ARC (AB) (Minute 16/07 only by phone)
POLARC 16/01 INTRODUCTION
(a) A quorum being present, the Chairman opened the meeting.
(b) Each Director confirmed that they had no conflict of interest in
relation to the business to be considered at the meeting.
POLARC 16/02 MINUTES OF THE MEETING HELD ON 10 NOVEMBER 2015,
STATUS REPORT AND MATTERS ARISING
(a) The minutes of the meeting held on 10 November 2015 were
approved as presented and the attendant Committee member was
authorised to sign them as a true record.
(b) The Committee noted the action list dated 1st December 2015.
(c) The CFO explained that Audit fee for 2015/16 had yet to be
finalised as the focus had been on completion of the
subpostmasters’ compensation issue.
ACTION: CFO Report back on the finalisation of the Audit fees.
(d) The Committee asked how the Executive were dealing with the
issue of inappropriate expenses claims. The GC explained that the
issue, relating to confusion over LIW/Homebase categorisation,
was being addressed by the introduction of an annual
reconciliation. The ARC asked for an update on the implementation
of the recommendations from the Financial Crime audit at the
March meeting.
ACTION: GC Report back on the implementation of the recommendations
from the Financial Crime audit at the March ARC.
POL ARC, 22nd January 2016 1 DRAFT v1
POL-BSFF-0078725_0002
(e) The Committee noted that at the last meeting the CEO had
requested a review to give assurance regarding the security of
customer data (minute POLARC 15/44 (e)). The GC was asked to
circulate the outcome of the review to the Committee.
ACTION: GC Circulate the report on security of customer data to the ARC.
ACTION: GC The Chair asked the GC to review the Internal Audit timetable
to include cyber risks.
POLARC 16/03 RISK UPDATE
(a) MMF introduced the Risk Update and updated the Committee with
the progress made to date on the Risk Management Project Plan.
(b) MMF explained the new Group Risk Profile which identified and
evaluated the (GE) Group Executive's proposed top risks for the
Business. The Committee discussed the Risk Profile and
challenged whether Industrial Relations was the highest risk. They
asked the Business to consider whether:
• failure to achieve cost reduction targets;
• failure to renegotiate an effective MDA with RMG; and
• cyber security attacks which disrupt systems, for example
those affecting payments to POCA customers;
should be identified as higher risks.
ACTION: MMF Reconsider the Top Risks and whether they should include
failure to achieve cost reduction targets; failure to renegotiate
an effective MDA with RMG; and cyber security attacks which
disrupt systems, for example attacks which affect payments
to POCA customers.
(c) The Chair asked that the Risk Profile be amended to clearly show
GE accountability for managing each risk. KM suggested that the
sign off by the GE owner should be included in any year end
attestation process.
ACTION: MMF Ensure the Risk Profile shows clearly which GE member is
accountable for managing each risk. Include GE signoff, for
the individual risks for which they are accountable, as part of
the new yearend attestation process for year ending March
2017.
(d) MMF explained that general controls had been identified and
collected into a “Framework”, so that the GE could ensure that the
POL-BSFF-0078725_0003
controls in place were at the right standard, and have the right
effect enabling them to be evidenced for yearend attestation (year
ending March 2017). The Committee asked if the Group Executive
would have personal objectives aligned to the Framework. The
CEO assured the Committee that personal objectives for GE
members would be aligned to the General Control Framework.
ACTION: CEO The CEO agreed to ensure that all areas in the General Control
Framework were assigned to Group Executive members as
part of their personal objectives.
(e) The Committee discussed the ‘Tone from the Top’ and agreed it
needed more clarity as the project progressed. It was agreed that
this would be the key messages, behaviours and communication
that the CEO and GE demonstrated at all times. These needed to
be aligned and to exemplify the values of the Post Office.
(f) The CFO explained the alignment with the Financial Controls
project which was building systems to enable attestation that
financial controls were working. He noted that this was work in
progress.
(g) The Committee discussed the frequency of attestation and
reporting and AG explained that in the Financial Services industry
quarterly reporting would be expected. The CFO proposed the
introduction of six monthly reporting to align with the external
reporting calendar. The Chair noted that it took time to embed
attestations and recommended that the Executive have “dry runs”
prior to the year end attestation (year end March 2017).
ACTION: GC/CFO The CFO/GC to ensure that the areas in the General Controls
Framework are understood and that the Group Executive
recognised their accountabilities to attest to the controls
being in place in time to support the Directors’ statement in
the 2016/17 Report & Accounts.
(h) The Committee asked for an update on the Control Framework at
the next ARC with more details of controls, GE owners and subject
matter experts, plus a timetable for when the ARC will receive
assurance.
ACTION: MMF Produce a statement including more details of controls, GE
owners and subject matter experts, plus a timetable for when
the ARC will receive assurance.
(i) MMF updated the Committee on the progress in the Policy
Framework project, explaining that the ‘strawman’ included in the
paper was likely to change, and that the approach was being tested
using the policies owned by the GC. The Committee asked for
dates and timelines for establishing the succinct set of Key Policies,
setting out what can be expected over the next quarters.
ACTION: MMF Include dates and timelines in the Policy Framework
document, with detail as to what the amalgamated policies
include.
POL-BSFF-0078725_0004
(j) The CFO highlighted the challenge in articulating a pricing policy
across the wide range of products sold by the Business. The
complexity was acknowledged and it was accepted that the policy,
if required, may need to be restricted to a set of principles.
(k) The Committee asked Ernst & Young (EY) to provide a list of the
key policies which they would expect to see in a market median
company, to act as a benchmark.
(l) MMF introduced the Business Continuity project and explained the
aim of the Business to benchmark against the measurable
ISO 22301 business continuity standard.
(m) The Committee were perturbed by the findings to date. The CEO
was disappointed by the language in the report and challenged the
extent to which the ‘business continuity & crisis management is
deficient, unpractised and not embedded within the organisation’s
culture’. The CEO gave examples of the recent flood crisis where
offices had been given support and reopened because people were
very aware of how to manage the network in a crisis. The CEO
believed that, since separation from RMG, more could have been
done to document and test the procedures in place.
(n) The Committee asked the GE sponsor of the paper to update the
ARC on the progress being made. Including a list of top suppliers
and whether they have contingencies in place; specifically before
the next meeting.
ACTION: GC Continue to update the ARC on the progress being made to
improve Business Continuity. Including a list of top suppliers
and whether they have Business Continuity contingency
plans in place before the next meeting.
(o) MMF gave a progress update on Incident Reporting processes.
The Committee asked for an explanation as to what constitutes a
P1, P2 or P3 incident, how they are monitored and the SLA in
place to report and deal with them. The Committee also asked how
the Executive remediate the root cause of problems and challenge
suppliers to change processes.
ACTION: MMF At the next update, provide a report to define P1, P2 or P3
incidents and the SLA in place to report and deal with them.
Include how the Executive remediate the root cause of
problems and challenge suppliers to change processes.
(p) The Committee discussed the statement made in the Annual
Report & Accounts that the Business complied with the ‘spirit’ of the
UK Corporate Governance Code (Code) and the implications of
changes in the Code. AG recognised that the Business was not
legally caught by the Code and that significant work would need to
be done to continue to state a compliance with the ‘spirit’ of the
code. The key areas where the Business does not comply with the
Code are those concerned with reporting and risk management
maturity, particularly providing evidence of the review of the internal
POL-BSFF-0078725_0005
controls.
(q) The Committee agreed that the Executive should focus on
improving risk management before any public benchmarking
statement. The Committee asked the Executive to work with the
external auditors to set out what a three year roadmap to
benchmark against the Code would look like.
ACTION: GC The Executive to work with the external auditors to set out
what a three year roadmap to benchmark against the UK
Corporate Governance Code would look like.
(r) The GC supported the decision to withdraw from making a
statement in the Report & Accounts but recognised the importance
of benchmarking against the best practice of the Code albeit
designed for public companies.
(s) The Committee agreed that the Business should pull back from a
reference to the Code in the Report & Accounts but agreed that a
statement was necessary to explain the Business was still
maintaining high standards.
ACTION: GC/CFO The Executive would discuss how it would reference the
Corporate Governance Code in the Report & Accounts, and
revert to the Committee by email before discussing with the
Board Chairman.
(t) After providing feedback on its elements, the Committee noted the
Risk Update.
POLARC 16/04 INTERNAL AUDIT UPDATE
(a) GH introduced the Internal Audit Update focussing on the following
key points:
Contract Management. Significant progress has been made with
50% of actions now complete and the other 50% on track for
completion by the end of March. A further report would be provided
at the March ARC.
Property and Health & Safety compliance. Good progress with a
new Head of Property Compliance now in place and although there
are still actions to complete GH believed the controls were
improving.
Open Actions. A detailed revised report would be provided for the
March ARC. The Committee recognised the number of internal
audits and reports due in the last quarter and asked for assurance
that the internal audit team had enough resource to complete the
work. GH gave assurance that the plan would be delivered. The
Chair asked for reports to include feedback on closure of high rated
actions.
ACTION: GH Include post audit assurance in the ARC report in relation to
audit actions rated as high.
POL-BSFF-0078725_0006
(b) GH circulated a paper detailing the Internal Audit Planning Process
and the Draft Audit plan proposed for 2016/17. The Committee
were asked to feedback any comments to GH who would collate
and share with the Chair in February before returning to the
Committee with a final proposal.
ACTION: Committee members To feedback to GH on the audit plan
proposal.
(c) Committee members agreed that all audit reports with a red report
rating would be circulated in full the Committee as soon as the
report was available. Audit reports with an amber or green report
rating would be summarised and reported at the subsequent ARC
meeting.
ACTION: GH GH to ensure that all reports with a red rating are circulated to
the Committee and to the Chair of the POL Board.
(d) Having taken all the discussion points into consideration, the
Committee noted the outcomes of the recent audits and reviews
and further noted the current and upcoming work.
POLARC 16/05 FINANCIAL CONTROLS PROGRESS REPORT
(a) The CFO introduced the Financial Controls Progress Report and
recognised the importance of the work to give the Executive and
the Board the confidence to sign the 2015/16 Accounts. He
explained that the project had started by testing its methodology by
checking the fixed assets, as this was a relatively easy task. The
next reconciliation would be the income numbers, as this was the
most complex area and material to the accounts. The CFO
explained the interfaces between the systems involved which
complicated the reporting process. He did not believe that
systematic errors existed as these would lead to complaints from
customers and clients, but could not yet prove this was the case.
(b) The Chair asked the CFO to focus on ensuring the systems were
secure and providing the correct information, with a plan to
automate as soon as possible.
(c) The Chair asked for progress reports at every ARC and for
Financial Reporting to be flagged in the risk reports.
ACTION: CFO Provide Financial Reporting progress reports at every ARC
and include in the risk reports.
(d) Having taken all the discussion points into consideration, the
Committee noted the Financial Controls Progress Report.
POLARC 16/06 POSTMASTER COMPENSATION ISSUE / SIGNING OF INTERIM
ACCOUNTS
Postmaster compensation
(a) The CFO introduced the Provisions for Compensation paper and
explained the background to the understatement of the provision.
POL-BSFF-0078725_0007
The error had arisen because agreements with subpostmasters
had not been captured accurately, and the provisions based on this
information had been wrongly calculated. After significant work the
provisions had been increased by £67m in September 2014 and
£87m in March 2015. Adjustments to both accounts were
supported by EY.
(b) The CFO stressed that there were no implications for payments to
subpostmasters or adjustments to the EBITDAS in the reports.
(c) The Post Office Interim Reports and Accounts for September 2015
and the Post Office Holdings Company Report & Accounts could
now be signed and published.
(d) The Chair asked why the mistake had not been discovered sooner
by the Business or EY, and if both the CFO and AG were now
absolutely sure of the accuracy.
(e) The CFO stressed that the compensation provision would always
by its nature be an estimate as individual branch details change,
but that he was now comfortable that the provision was prudent
and would cover the right level of compensation. AG agreed and
emphasised that the provision was an estimate as individual
contracts changed during the process. The Chair pointed out that
the recording and aggregating of information had been completed
incorrectly and asked for assurance from AG that the provision was
now accurate. AG explained that the auditors had checked the last
nine months of actual payments and that a lot of work had been
done to check the manual processes with a branch by branch
analysis, and that they were now comfortable with the provision as
restated.
(f) The Committee asked why EY had not identified the problem
during the original External Audit. AG explained that they had done
limited testing and with hindsight should have focussed more on
the manual processes. This was being addressed in this year’s
external audit plan.
(g) The Committee asked what other provisions were made in the
Balance sheet and how they were tested.
ACTION: CFO The CFO was asked to provide the next meeting with an
analysis and assurance of the provisions on the balance
sheet.
ACTION: CFO/AG The CFO to agree with EY the audit approach for each
financial statement area.
(h) Having taken all the discussion points into consideration, the
Committee noted the progress and the next steps.
Interim Report
(i) The Interim Report for the six months ended 27 September 2015,
had been circulated to the Committee.
POL-BSFF-0078725_0008
(j) The Committee challenged whether the provision was a true ‘timing
error’ as reported in the narrative to the interim report. The CEO
promised to check the narrative before the accounts were signed
on Monday 25th January.
ACTION: CEO The CEO promised to provide a briefing pack including the
interim report; the press statement; and Qs & As to the Board
before publication of the interim accounts.
(k) The Committee asked for clarification about a second restatement
in the accounts concerning cash and debtors. The CFO explained
that this was a technical classification which EY had requested at
the end of 2014/15, and was not a new issue. The Committee
asked for this issue to be included in the Qs & As circulated as it
would be easy to conflate the two issues.
(l) Richard Callard explained that the mistake had knocked the
Minister's confidence in the Business and its reporting.
(m) Having taken all the discussion points into consideration, the
Committee noted the Interim Report.
POLARC 16/07 REPORT FROM POMS ARC
(a) The Chair welcomed Amanda Bowe, Post Office Management
Services Limited Non-Executive Director and Chair of ARC, to the
meeting by conference call.
(b) AB introduced the Report from Post Office Management Services
ARC and explained that work was underway to establish a risk
framework and risk appetite for POMS.
(c) AB highlighted two key risks:
• the role of Post Office as the Appointed Representative of
POMS, and
• POMS oversight of branch compliance.
(d) AB stressed the importance and risks to both Post Office and
POMS of poor branch compliance and its mitigation through 1st and
2nd line oversight arrangements.
(e) AB acknowledged that POMS was at an evolutionary stage in its
development and had resource and capacity risk especially in its
Risk and Compliance function.
(f) AB explained that she was meeting the External Auditors in
February and currently waiting to agree the POMS audit plan.
ACTION: GH It was agreed that the POL and POMS audit plans should be
aligned.
(g) The Committee thanked AB for the POMS ARC report, which
contained the right level of detail from the wholly owned subsidiary.
POL-BSFF-0078725_0009
(h) The Committee noted the report.
(i) AB left the meeting.
POLARC 16/08 ANY OTHER BUSINESS
(a) There being no further business the meeting was closed.
POLARC 16/09 DATE OF THE NEXT MEETING
(a) It was noted that the next meeting of the Committee would be 17th
March 2016.
POL-BSFF-0078725_0010
Post Office Limited ARC Committee
Status Report as at: 11/03/2016
REFERENCE | ACTION | Action Owner (GE Member) | Due Date | STATUS | Open/Closed
21 September 2015, 15/30 (f) | Strategic risk/Risk update - To look separately at the management of the ATOS contract. | CFO | May ARC | We paused this in the light of the more urgent issues across the IT partner estate including Project Trinity. We now plan to revert in May. | Open
21 September 2015, 15/30 (e) | Strategic risk/Risk update - To present a report at the next ARC on contract management for both procurement and in-life contracts. | General Counsel | March ARC | For noting at the March ARC meeting. | Closed
22 January 2016, POLARC 16/02 (c) | Minutes of the Meeting held on 10 November 2015 - To report back on the finalisation of the Audit Fees. | CFO | March ARC | To be covered in the meeting | Closed
22 January 2016, POLARC 16/02 (d) | Minutes of the Meeting held on 10 November 2015 - To report back on the implementation of the recommendations from the Financial Crime Audit at the March ARC. | General Counsel | March ARC | Update contained in the IA papers for the March ARC | Closed
22 January 2016, POLARC 16/02 (e) | Minutes of the Meeting held on 10 November 2015 - To circulate the report on security of customer data to the ARC. | General Counsel | March ARC | Paper to be submitted for noting to the March ARC | Closed
22 January 2016, POLARC 16/03 (b) | Risk Update - To reconsider the Top Risks and whether they should include failure to achieve cost reduction targets; failure to renegotiate an effective MDA with RMG; and cyber security attacks - for example, attacks which affected payments to POCA customers. | Mike Morley-Fletcher | March ARC | Group Risk Profile - included in agenda item 4 for March ARC | Closed
22 January 2016, POLARC 16/03 (c) | Risk Update - To ensure the Risk Profile shows clearly which GE member is accountable for managing each risk. Include GE signoff, for the individual risks for which they are accountable, as part of the new year end attestation process for year ending March 2017. | Mike Morley-Fletcher | March ARC | Group Risk Profile: i) Included in Group Risk Profile. ii) GE accountability for individual risks will be included as part of the new year end attestation process for year ending March 2017 | Closed
POL-BSFF-0078725_0011
22 January 2016, POLARC 16/03 (d) | Risk Update - To ensure that all areas in the General Control Framework were assigned to Group Executive members as part of their personal objectives. | CEO | March ARC | This is currently in progress and will be completed as part of 2016/2017 objective setting. | Closed
22 January 2016, POLARC 16/03 (g) | Risk Update - To ensure that the areas in the General Controls Framework are understood and that the Group Executive recognised their accountabilities to attest to the controls being in place in time to support the Directors' statement in the 2016/2017 Report & Accounts. | General Counsel / CFO | September | General Control Framework - Covered and to be carried forward in the controls update | Closed
22 January 2016, POLARC 16/03 (h) | Risk Update - To produce a statement including more details of controls, GE owners and subject matter experts, plus a timetable for when the ARC will receive assurance. | Mike Morley-Fletcher | March ARC | General Control Framework - included in agenda item 4 for March ARC | Closed
22 January 2016, POLARC 16/03 (i) | Risk Update - To include dates and timelines in the Policy Framework document, with detail as to what the amalgamated policies include. | Mike Morley-Fletcher | March ARC | General Control Framework - Included in agenda item 4 for March ARC | Closed
22 January 2016, POLARC 16/03 (n) | Risk Update - To continue to update the ARC on the progress being made to improve Business Continuity. Including a list of top suppliers and whether they have Business Continuity contingency plans in place before the next meeting. | General Counsel | March ARC | Business Continuity - Included in agenda item 4 for March ARC - top suppliers identified and BC plans requested | Closed
22 January 2016, POLARC 16/03 (o) | Risk Update - To provide, at the next update, a report to define P1, P2 or P3 incidents and the SLA in place to report and deal with them. Include how the Executive remediate the root cause of problems and challenge suppliers to change processes. | Mike Morley-Fletcher | March ARC | Incident Reporting - Details of P1, P2, P3 and reporting SLA included in agenda item 4 for March ARC | Closed
22 January 2016, POLARC 16/03 (q) | Risk Update - For the Executive to work with the external auditors to set out what a three year roadmap to benchmark against the UK Corporate Governance Code would look like. | General Counsel | May ARC | Corporate Governance Capability - EY are assisting us in developing a plan for updating the May ARC | Open
POL-BSFF-0078725_0012
22 January 2016, POLARC 16/03 (s) | Risk Update - The Executive would discuss how it would reference the Corporate Governance Code in the Report & Accounts, and revert to the Committee by email before discussing with the Board Chairman. | General Counsel / CFO | Late April | Corporate Governance Disclosure - Draft wording agreed by RCC and to be discussed by the ARC at the March meeting | Closed
22 January 2016, POLARC 16/04 (a) | Internal Audit Update - To include post audit assurance in the ARC report in relation to audit actions rated as high. | Garry Hooton | March ARC | Update to be provided at the March ARC | Closed
22 January 2016, POLARC 16/04 (b) | Internal Audit Update - Committee members to feedback to GH on the audit plan proposal. | AL | end Feb | Audit plan to be considered by ARC at March meeting | Closed
22 January 2016, POLARC 16/04 (c) | Internal Audit Update - To ensure that all reports with a red rating are circulated to the Committee and to the Chair of the POL Board. | Garry Hooton | ongoing | | Closed
22 January 2016, POLARC 16/05 (c) | Financial Controls Progress Report - To provide Financial Reporting progress reports at every ARC and include in the risk reports. | CFO | March ARC | | Closed
22 January 2016, POLARC 16/06 (g) | Financial Controls Progress Report - To provide the next meeting with an analysis and assurance of the provisions on the balance sheet. | CFO | March ARC | | Closed
22 January 2016, POLARC 16/06 (g) | Financial Controls Progress Report - To agree with EY the audit approach for each financial statement area. | CFO/Angus Grant | March ARC | Included in EY paper | Closed
22 January 2016, POLARC 16/07 (f) | Report from POMS ARC - To align the POL and POMS audit plans. | Garry Hooton | end March | The ARC will be updated on the audit plans at the March meeting | Closed
POL-BSFF-0078725_0013
POST OFFICE BOARD
AUDIT RISK & COMPLIANCE COMMITTEE GOVERNANCE UPDATE
Contract Management Report
Author: Jane MacLeod Meeting Date: 17 March 2016
Executive Summary
Context
During 2015 the contract management processes at Post Office were reviewed by
Internal Audit. Significant deficiencies were identified in Post Office’s processes and
actions were allocated to address these. The majority of these actions related to the
procurement process and actions to address these were allocated to the procurement
team.
In addition, it was recognised that the in life management of contracts across Post Office
required improvement and various steps were initiated to address these deficiencies.
Questions this paper addresses
• What were the risks and deficiencies identified as requiring improvement?
• What steps were identified to address these?
• What progress has been made in addressing these issues?
Conclusion
1. Details of all material contracts have been collated across each function and it is
now possible to assess the ‘top’ contracts (being those with a value/cost >£5
million).
2. Contract managers have confirmed that they hold signed copies of all material
contracts and we are currently scoping plans to load copies of all contracts onto
an existing contracts database which will aid compliance. Among other
functionality, the database allows automatic reminders to be sent to relevant
managers of upcoming renewal and termination dates.
3. Contract management training has been scoped and sourced and is due to be
rolled out to a pilot group shortly.
4. Cultural changes will be required to embed contract management as a recognised
skill and fundamental responsibility; this will take time however the successful
implementation should result in more effective management of Post Office’s
obligations.
Strictly Confidential Board Intelligence Hub template
POL-BSFF-0078725_0014
Input Sought
The Committee is asked to note the status of these developments and that further work
will be required across each function commencing in Q1 2016/17.
The Report
Key actions arising from the Audit
5. The results of the Audit on Contract Management within Post Office were
presented to the POL ARC in September 2015. The following issues were
highlighted:
Issue: Supplier contract portfolio is not fully known.
Response: Each function has been required to identify the material contracts for
which they are responsible and confirm that they have copies of the signed
contracts and all amendments. The IA team now holds a consolidated list of
‘material contracts’ being those having a value/cost >£5 million. We have
recommended that electronic copies of all contracts entered into by POL and
POMS should be stored centrally in a database.
Issue: The contract management framework (‘CMF’) developed in 2012 remains in
draft and requires further development, implementation and finalisation.
Response: Largely actions for procurement, progress against which are reported
separately in the Internal Audit report.
Issue: Staff have the ability to define their own roles and responsibilities in relation
to management of contracts.
Response: In relation to each ‘material’ contract, each function was required to
identify
• the GE member accountable for each such contract, and
• the SLT member responsible for managing each contract (or where there are
multiple executives responsible for different aspects of a contract, those SLT
members and the part of the contract for which they are responsible).
Strictly Confidential
Board Intelligence Hub template
POL-BSFF-0078725_0015
POL00240662
POL00240662
POST OFFICE PAGE 3 OF 4
Issue Response
Management are unable to ‘Bravo’ is a contracts database which has
effectively foresee and manage been identified as suitable for use as a
expiration of contracts central repository for all contracts. The
field structure is being reviewed to
ensure that it meets PO’s objectives; in
particular, Bravo can record notice and
termination dates and issue alerts to
named managers based on upcoming
notice/expiry periods.
There is little analysis and/I Further analysis will be undertaken to
management of risks to drive I ensure that all obligations (whether to be
contract management performed by Post Office or the
contracting party) contained in each
Material Contract and the timing of these
obligations have been identified. Further,
the relevant contract manager will be
required to advise what MI is produced to
monitor performance (both quantitative
and qualitative as relevant) of all
obligations whether to be performed by
PO or the other party/ies.
This work will commence in Q1 2016/17.
What additional steps were identified?
6. We have sourced additional e-training from the International Association of
Commercial and Contract Management which will shortly be provided to a pilot
group. Dependent on the response to this training, further cohorts have been
identified for training.
7. During 2016/17 the following additional controls will be developed:
• Role profiles/job descriptions to be reviewed and amended as necessary to
ensure that responsibility for management of specific Material Contracts is
recorded.
• Objectives to be set for relevant managers relating to contract management
and defining how performance will be measured.
• Each responsible executive will be required to sign an attestation annually in
relation to each Material Contract confirming (among other steps) that:
  o the responsible executive has read and understood the main provisions
    in the most up-to-date version of the contract(s);
  o the contract(s) are concurrent with the requirements;
  o the contract(s) have not been extended and/or amended except in
    accordance with Post Office's delegated authority and signing
    processes;
  o performance is being reported accurately in accordance with the
    contract(s);
  o the main/material provisions of the contract(s) have not been
    breached; and
  o payments have only been made to reflect actual performance and the
    provisions of the contract(s) in accordance with approved processes.
8. We are looking at resourcing options to start the loading of contracts and
completion of the linked contract summaries into the contract database.
9. Good contract management is cultural and it will therefore take time to embed
best practice across the organisation. The work currently being progressed in
relation to accountabilities will assist the contract management initiatives.
POST OFFICE BOARD
AUDIT RISK AND COMPLIANCE COMMITTEE
Cyber Security and Information Assurance Update
Author: Julie George Sponsor: Jane Macleod Meeting date: 21 March 2016
Executive Summary
Context
Cyber security and the protection of customer data has been a high profile issue for
many corporates in the last 12-18 months following a series of highly public data
breaches caused by ‘cyber attacks’.
To that end the ARC asked for a review to give assurance regarding the security of
customer data.
Questions this paper addresses
• Do we have a Cyber Security and Information Assurance Management System
and Framework in place that meets best practice standards to protect Post Office
business and customer data? Has this been externally validated?
• Are these requirements reflected in suppliers' contracts, and what measures and
controls are in place to ensure these are adhered to?
• Have there been any significant (>20 customer data records) instances of
unauthorised access to Post Office data in the last year? Do we report to the
Information Commissioner if customer data is compromised?
• How do we ensure we plan for potential threats, and what else do we need to
consider?
Conclusion
1. In the last 3 years Post Office has implemented a Cyber Security and Information
Assurance Management System and Framework that is based on internationally
acknowledged industry best practice and which enables Post Office to
demonstrate compliance with all current information security regulations. This has
been externally certified and accredited annually for the Payment Card Industry Data
Security Standard (PCI DSS) and Information Security Management (ISO
27001); additionally this framework has been regularly audited by Post Office's
external partners.
2. Post Office has developed a ‘House Position’ that is reflected in Procurements and
all new and renegotiated contracts. Suppliers are risk assessed based on the level
of Post Office data they access, process and store and a structured assurance
process is undertaken on a regular basis.
3. There have been no significant instances of unauthorised access to Post Office
data in the last year. Any instances of personal data breaches are risk assessed
Strictly Confidential RCC 2 March 2016
by the Information Security and Assurance Group (ISAG) and the Information
Commissioner is contacted dependent on the outcome of the assessment.
4. A quarterly Cyber Threat Assessment review is undertaken by external specialist
experts to determine if there is any Post Office data available on the Dark Web.
Cyber Threat intelligence is also collected from UK Government, Post Office
specialist suppliers and Cyber/Information Security professional organisations.
This is shared with our risk and IT colleagues, as well as our major suppliers.
5. In terms of what else needs to be done, more scenario planning and workshops
need to be undertaken to ensure Post Office is able to address any major issue
from initial reporting through to external communications, clients, partners and the
media. This is essential to effectively address any major cyber security
incident or breach; it also forms part of our contractual obligations to deliver
Government Services, and should be a sub-set of the Business Protection Team's
work, which will also establish clear accountabilities and responsibilities.
Input Sought
6. The ARC is asked to note this paper.
The Report
Cyber Security and Information Assurance
Following a major breach in 2012, and a subsequent external review by Deloitte of the information
security capability within Post Office, the Information Security and Assurance Group (ISAG) was formed
and suitably skilled resources were recruited externally.
The Management System and Framework
7. Taking into consideration the recommendations within the Deloitte review of early
2013, a new best practice management system and framework was introduced
to protect the business. This was designed to demonstrate compliance with legal,
regulatory and contractual requirements.
Post Office is a transforming and complex business, therefore the management
system and framework introduced had to be flexible enough to cope with any
current or proposed cyber and information security regulation across a variety of
industries. Key points to note since the introduction of the management system
and framework:
• Annual external audits have been successful, as have ad-hoc audits by
clients.
• The Threat Library is regularly updated to reflect current and potential
issues.
• Risks and controls are regularly reviewed, assessed and updated as part of
an ongoing industry standard Group-wide Information Security Management
System.
• The risk model used is an industry standard model in line with the Post Office
Enterprise Risk methodology.
Contracts and Supplier Assurance
9. Procurement exercises and new contracts include the Post Office's 'Cyber
Security, Information Assurance and Data Protection House Position', and
renewed contracts are reviewed and updated to ensure its inclusion. This ensures
that suppliers, partners and joint ventures are protecting Post Office data to an
agreed best practice standard, in line with our information security management
system and framework.
10. Assurance activities are undertaken as a BAU process to ensure compliance with
the Post Office 'House Position'. The amount of assurance activity undertaken on
suppliers, partners and joint ventures is based on the criticality of systems,
services and data, and on the assessed level of risk. This activity
provides the 'Top Twenty' Supplier List:
• Regular meetings are held with the Top 20 suppliers to ensure risks are
assessed and mitigated with appropriate controls, and that any incidents
are appropriately reported and managed;
• Regular assessments and due diligence exercises are carried out via Cyber
Security questionnaires (questionnaires are available for information, if
required). Dependent on the risk assessment of the information provided,
on-site verification activities are undertaken to validate results;
• Business, Privacy and Payment Card Impacts are assessed; this ensures not
only that Post Office information can be identified when accessed, processed
or stored by individual suppliers etc., but also that the overarching impact on
the business is understood. This activity is essential to ensure that the overall
cyber security and information estate across Post Office is understood and
protected and that any impacts to contractual, legal and regulatory
requirements are managed and planned for;
• Technical security architecture is reviewed, advised upon and penetration
tested by specialist external independent third parties. This confirms that
appropriate protection against threats, such as Distributed Denial of Service
(DDoS), is in place (further detail on this element is described in the
appendices); and
• Cryptographic controls are advised upon and implemented based on the
level of risk associated with the information. The Post Office Encryption Standard
ensures appropriate use and management of cryptographic controls (e.g.
preserving the integrity of sensitive information and confirming the identity of
the originator of transactions or communications).
Breaches and Incidents
11. Over the last year there have not been any significant instances of unauthorised
access to Post Office data, and over the last 4 years there have been only a few
incidents that could be described, or were reported, as ‘Major’:
• One such incident occurred in late 2012 (termed at the time Project
Rainbow), whereby encrypted Post Office Card Account data was
mismanaged by our direct supplier Hewlett Packard's supply chain (J P
Morgan, who then sub-contracted services to Marshall Resources). Further
detail is provided in the appendices.
• A second similar incident occurred in the autumn of 2013, where Post Office
were advised that an encrypted back-up disk thought to contain Post Office
Card Account (POCA) data held by J P Morgan on behalf of Hewlett Packard
had gone missing. Following a Post Office investigation led by the newly
formed Information Security and Assurance Group, the disk was found and
processes at Hewlett Packard and J P Morgan updated to prevent this type
of incident recurring.
• On 28 February 2014, allegedly twenty-nine Customer Referral Forms, along
with a 2011 desk diary containing Bureau de Change orders, were recovered
from a skip outside the recently decommissioned Southport Crown
Branch. The documents contained customers' personal information, along
with a limited amount of investment information for eleven individuals. The
incident was not 'self-reported' to the ICO at the time of the incident as the
information was deemed to be below the threshold for notification. Later in
the year, and following a complaint, the ICO investigated the case and
determined that regulatory action against Post Office would not be
appropriate.
12. The suspected DDoS attack on the Post Office website reported in August 2015 was
reviewed by specialist investigators commissioned by Post Office. The
investigators concluded that it was unlikely to have been a DDoS attack:
• There was no factual evidence available to suggest that it was a DDoS
attack.
• There wasn't the usual residual activity they would normally see relating to
this type of attack, and they could find no evidence of data extraction or
loss.
• This conclusion was further underpinned by another commissioned report
from specialists that confirmed that there was no Post Office data found on
the Dark Web or anywhere else on the web.
Potential threats and what else do we need to consider?
13. To ensure Post Office remain vigilant and proactive around keeping customer and
colleagues’ information safe, the Dark Web will be searched regularly by our
commissioned specialists to ensure that we remain informed of any information
leaks.
14. Recent high profile incidents have shown that not only is Cyber Security and
Information Assurance important and newsworthy, what is also essential is the
ability to effectively manage incidents including well-defined accountabilities and
responsibilities. Alongside this is the necessity for our CEO/GE and Board to have
adequate and appropriate messages to give to the media.
15. A Data Protection audit is underway by PwC and the scope extends to areas of
Cyber Security. The timing of this audit is fortuitous since it will assist Post Office
in preparing for the forthcoming Data Protection Regulations; it will also provide
a holistic view across our suppliers and will validate the location of Post Office
data.
16. Scenario planning and workshops need to be undertaken to ensure Post Office
are able to address any major issue from initial reporting to external
communications, clients, partners and media. Aside from being an essential
business practice this is part of our contractual obligations to be certified to ISO
27001 (Information Security Management System) for Government Services.
Planning is underway to address this requirement, involving all relevant business
areas (which will incorporate the Business Protection Team).
AUDIT AND RISK COMMITTEE
4) Risk & Control Report
Author: Mike Morley-Fletcher Meeting date: 17 March 2016
Executive Summary
Context
This paper updates the ARC on progress against the project plan for developing POL’s
Risk Framework, in particular how we have been developing POL’s Group Risk Profile,
Internal Control Environment, Assurance mechanisms and Corporate Governance
capability.
Questions
1. Is implementation of the Risk Framework on target?
2. How has the Group Risk Profile changed since last time the ARC saw it, are the
Key Further Actions reasonable and what are we learning from our Risk Incident
Reporting process?
3. How have we developed the Internal Control Environment?
4. How have we developed our Assurance mechanisms?
5. How have we developed our Corporate Governance capability and how will we
disclose this in the Annual Report & Accounts?
Conclusion
1. The plan is on schedule (see Appendix 1) despite some resource shortages. In
addition, due to the needs of the Financial Controls Framework project, we have
been able to bring forward introducing a Self-Assurance Regime to provide more
comprehensive assurance to Management and ultimately the Board for inclusion
in the 2016/ 17 year end Annual Assessment. We will pilot this at the half year
2016/ 17. In consequence, we have pushed back the creation of a business-
wide Assurance Map to Q1 & 2 2016/ 17. A summary of Work Done since
January ARC and Next Steps is included in Appendix 2.
2. Management’s evaluation of top risks has not changed, except for risk 12,
Pensions Risk (risen from 3-3 to 4-3, amber to red risk rating) and inclusion of
Health & Safety (risk 25, an amber risk). Key Further Actions have been
identified and will be monitored. Risk and Action information will be included in
the Business and Strategy planning process for 2016/ 17. Work with business
areas (other than IT, which has a formalised process) is continuing to develop
the maturity of our Risk Incident Reporting process.
3. Internal Audit have progressed framing several key components of our Internal
Control Environment and ensuring that these are being documented and gap
analysed, so that Management can make appropriate remediations. These
include the General Control Framework, review of key policies and business
Strictly Confidential ARC 17 March 2016
continuity procedures. These actions should enable Management to take credit
for these controls in dealing with their risks, ensure the controls are efficient
and practical, and self-assure themselves that these controls are working as
designed. They can then provide assurance to the ARC/ Board - see 4 below.
4. Internal Audit has developed two forms of self-assurance for Management that
are flexible and scalable, leveraging off our desire for improved assurance for
financial reporting purposes. These consist of a high level Executives’
Declaration and a Control Self-Assessment by local control operators. Both have
support from RCC and will be tested and rolled out in 2016/ 17 to provide
additional assurance as part of the Board’s Annual Assessment.
5. Following RCC and ARC direction, compliance with the UK Corporate Governance
Code is not felt appropriate at present. In consequence, the following draft for
inclusion in our 2015/ 16 Annual Report & Accounts has been developed by RCC
for ARC approval, “PO maintains standards of corporate governance appropriate
for our ownership structure, our commitment to our social purpose and our
strategy for commercial sustainability”.
Input Sought
The Committee is asked to review the attached papers and provide feedback,
support and approval as appropriate.
Risk Framework: Project Plan
Version: 10 March 2016
[Gantt chart; only the labels survive extraction. Timeline columns: Q3 (31 Dec 2015), Q4 (31 Mar 2016), Q1 (30 Jun 2016), Q2 (30 Sep 2016), Q3 (31 Dec 2016), Q4 (31 Mar 2017). Four components:]
a) Develop Group Risk Profile & Key Further Actions.
b) Enhance Internal Controls Environment (coordinate with Financial Control Framework project): design General Controls Framework, conduct gap analysis, implement quick wins, remediate Control Framework gaps, include in ED & CSA (see c below); design Policy Framework; for Corporate Services, conduct gap analysis and remediate policy gaps; for non-Corporate Services, conduct gap analysis and remediate policy gaps as required.
c) Develop Assurance Mechanisms to support the Board's Annual Assessment (effectiveness of Risk Management and Internal Control systems): develop Self-Assurance mechanisms (Executives' Declaration + Control Self-Assessment), dry run, year-end self-assurance; design Assurance Map, then revise Assurance Map; develop, then implement, the Year End Board Annual Assessment and sign off process.
d) Develop Corporate Governance Capability (and disclosures for Annual Report & Accounts): ARC updates; research & agree Corporate Governance positioning & wording; draft ARA Statement (Principal Risks and mitigations, GCF and Assurance).
Appendix 2 - Risk and Control Framework: Summary of Work Done and Next Steps
We have completed all key and time-critical components against the four main components of the plan (see Appendix B for
a copy of the updated plan). The main achievements to date, and the next steps, are:
a) Risk Profile and Actions (see paper 4a)
Work Done:
• Group Risk Profile: changes suggested by ARC and GE Risk Owners since last
reporting have been made. Risk Owners have identified Current Controls and Key
Further Actions (KFA) for each of the 25 Top Risks; Red Risk KFA are provided to
ARC for information.
• Incident Reporting: Risk Champions have reported further incidents (mainly IT)
and these, with past incidents, have been mapped against the Top Risks. As these
build up we expect this will enable us to challenge our GRP, both the focus of the
risks and their evaluation.
Next Steps:
• Risk Owners will monitor and report the completion of KFAs on a quarterly basis.
• Information on the Top Risks and KFA will be included in the Business and
Strategy planning process for 2016/17.
• The Central Risk team will work with Risk Champions in other business units
(i.e. besides IT) to clarify what "significant" incidents are, so that we can
encourage fuller reporting and challenge our risks (April).

b) Internal Controls Environment (see paper 4b)
bi) General Controls Framework (GCF)
Work Done:
• Subject Matter Experts (SME) engaged for each of the components of the
framework.
• Supporting tools and templates have been created and piloted with Finance as
part of the Financial Controls Framework (FCF) review.
Next Steps:
• Work with CEO and HR to ensure General Controls are reflected in GE role
descriptions and/or objectives (April).
• Review state of existing controls (Q1 2016) in order to populate the
self-assessment templates for dry run at half year 2016/17 and full roll out at
year end.

bii) Policy Framework (key policies)
Work Done:
• Completed self-assessment of Corporate Services policies. Remediations in
progress: those for Partner Banking Agreement project (end of March), others
(end of April).
• Key Policy Framework for non-Corporate Services reviewed and refreshed with
business stakeholders.
Next Steps:
• Complete remediation of all Corporate Services policies (April).
• Use EY's benchmarking to confirm the list of non-Corporate Services key
policies and complete a current state assessment to steer which further policies
need remediating (April).

biii) Business Continuity
Work Done:
• Revised BC and CM policies are continuing to be used to ensure our disciplines
are in line with best practice guidelines.
• Crisis Management process construct revised with a high-level view of
assignable roles & responsibilities and an explanation of escalation routes.
Next Steps:
• Complete phase 1: delivery of revised, improved and tested Crisis Management
processes (April); delivery of Business Continuity activities (May).
• Commence phase 2: BC Programme Management Structure.

c) Assurance Mechanisms (& assessment of effectiveness of Risk Management and Internal Control systems) (see paper 4c)
Work Done:
• Two forms of self-assurance have been developed for Management that are
flexible and scalable: a high level Executives' Declaration and a Control
Self-Assessment by local control operators. Both have been approved by RCC.
Next Steps:
• Dry run of both forms at half year 2016/17.
• Full roll out of both forms at year end 2016/17 to support the Board's Annual
Assessment.

d) Corporate Governance Capability (& disclosure in the Annual Report & Accounts)
Work Done:
• Following RCC and ARC suggestion, compliance with the UK Corporate Governance
Code is not sought at present. In consequence, the following draft has been
developed by RCC for ARC approval: "PO maintains standards of corporate
governance appropriate for our ownership structure, our commitment to our social
purpose and our strategy for commercial sustainability".
Next Steps:
• Ernst & Young have recently provided a review of our compliance gaps, which
the Central Risk team will analyse to develop, for the May RCC (and ARC), a route
map to compliance (over the next 2 or 3 years). This will enable RCC and ARC to
determine if this is appropriate for our needs and practical.
4a) Group Risk Profile and Key Further Actions
Author: Mike Morley-Fletcher, Head of Risk and Assurance Date: 17 March 2016
Executive Summary
Context
The purpose of this paper is to provide an update on the progress made by the Group
Executive in completing the profile of our Top Risks (“Group Risk Profile”). This
involved identification of Key Further Actions (“KFA”) to manage the Top Risks
previously identified in December. Completion is designed to provide assurance to
the ARC that the GE, via the RCC, is actively challenging and monitoring the Top
Risks, ensuring that they are within our expected Risk Appetite and that appropriate
Key Further Actions are being taken.
This will also provide input to the Business and Strategy planning processes for
2016/ 17 and our risk governance disclosures in the Annual Report & Accounts,
including disclosure of our “Principal Risks”.
Questions
1. Are the Key Further Actions identified appropriate and sufficient to manage the
Top Red Risks, over the next 12 months, to their target evaluations?
2. What do risk incidents reported tell us about our Top Risks, their evaluations and
the success over time of our Key Further Actions?
3. What are the next steps?
Conclusions
1. Key Further Actions for our most significant risks, the 14 Red Risks, are hereby
presented to the March ARC for approval. KFAs for Amber risks have also been
identified and are being monitored in case their profile changes, but are not
reported to ARC. The RCC believes that the Risk Owners' Risk Mitigation Plans, and the KFA
highlighted, are those most appropriate at this moment to manage the Red Risks.
As Risk Owners progress their actions, they will review the sufficiency of these
actions and, where necessary, identify any further actions.
2. The majority of risk incidents reported are against IT Availability, due to IT’s
established formal reporting process, reinforcing the significance of this risk.
Reporting processes in other areas are less established and the Central Risk team
has a project plan with Risk Champions to develop this.
3. As next steps, risks and KFAs will be included as input to the Business and
Strategy planning processes for 2016/ 17 and disclosed in the Annual Report &
Accounts as our “Principal Risks”. Going forward, Risk Owners, assisted by Risk
Champions, will monitor completion of actions on a quarterly basis and the risks
will be reviewed bi-annually by the RCC/ ARC (next due September 2016).
Input Sought
The Committee is requested to review this report and provide any input or
suggestions it has on the Key Further Actions.
Work Done
1. Changes to the GRP
GE risk owners, with assistance from their Risk Champions and the Central Risk
Team, reviewed their risk registers to confirm their Current Controls and their
Key Further Actions. They considered whether they were accurate, appropriate
and sufficient. As a result, the following changes were identified and included:
• Risk 7) Transformation Complexity, in consideration of project Trinity, has
been renamed "Transformation IT Delivery". The evaluation is currently the
same.
• Risk 12) Pension Cost risk evaluation has risen from a 3 - 3 (impact/
likelihood) to a 4 - 3, an amber to a red risk rating.
• Risk 20) PO Brand has been retitled as "Corporate Reputation" to ensure it
is clear that it includes all elements of our brand, not just the commercial
aspects. Risk ownership was moved to Neil Hayward and Mark Davies.
• Risk 25) Health & Safety was added as an amber risk to reflect the
importance of the wellbeing of our colleagues and customers.
In addition, the January ARC suggested changes which have been enacted as
follows: adding “Cost Reduction” (risk 26, under risk ownership of Al Cameron, a
risk mitigation plan was developed), making cyber risk more explicit in the
detailed descriptions of risk 11) IT Availability and 19) Information Security
Breach, and separating out risk 9) the RMG relationship from 2) Market
Developments/ Competition (non-FS).
There are now 26 Top Risks: 14 Red and 12 Amber. RCC reviewed these
risks and actions and approved them on 2nd March for presentation to the ARC.
2. Learnings from Incident Reporting
Significant incidents reported to the Central Risk team are being mapped to the
Group Risk Profile (see Appendix 4 for incidents since August 2015) to help us
challenge the Top Risks, their focus and evaluations. This could also show us if
Key Further Actions are being successful and, if incidents reported do not map to
the existing profile, may suggest new risks we should be tracking.
• The number of incidents which map to IT Availability (risk 11) is high in
comparison to the other risks; this is mainly due to the existence of an
established reporting process for IT incidents (see 3. below) which does not
yet exist for other types of incidents.
• Overall the number of risk incidents reported from other parts of the
business continues to be low. The Central Risk team has developed a
project plan with Risk Champions to encourage reporting of significant
incidents from more parts of the business.
3. IT’s Incident reporting process
IT incidents are subject to an agreed process which is managed by ATOS. All IT
incidents are rated according to defined criteria based on the impact that the
incident will have on services, which include Post Office users, customers and
clients. IT incidents are rated P1 to P3 as follows:
P1
Meaning: Any failure that results in the total loss of the service or an essential
back end IT component. The incident has an immediate and/or potentially prolonged
adverse impact on one, some or all of the following: Post Office customers,
branches, clients, employees or POL brand and reputation.
Communication following incident logging: within 15 mins to PO stakeholders and
user community.
Incident updates: every 30 mins.
Resolution target: 4 elapsed hours.

P2
Meaning: Any failure that results in a partial loss of the service, or a back end
IT component.
Communication following incident logging: within 20 mins to PO stakeholders and
user community concerned.
Incident updates: every 60 mins.
Resolution target: 8 elapsed hours.

P3
Meaning: Any failure that has the potential to become service, customer, or
internal IT user affecting but can also be controlled and mitigated through
effective management, e.g. manual workarounds are in place.
Communication following incident logging: within 2 hours to the user community
concerned, if applicable.
Incident updates: no target applicable; updates agreed between Service Desk and
user.
Resolution target: 3 working days.
• A number of SLAs have been agreed with our suppliers and these vary across systems and services. All SLAs are monitored and reported on by ATOS through monthly reports, highlighting any SLAs that have been breached.
• ATOS are also responsible for monitoring and ensuring that a root cause analysis is carried out and reported for all P1 incidents. The root cause analysis reports are submitted to the IT Service Delivery Director, who manages the relationship with the IT suppliers, and contain the specific actions taken or planned to remediate the issue and ensure that it does not recur. Any exceptions outside the SLAs, including overall service availability times, are monitored and taken up with the suppliers, and service improvement plans are developed, agreed and monitored.
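The priority table above sets three different kinds of target: minutes to the first communication, an update cadence, and a resolution target that is measured in elapsed (clock) hours for P1 and P2 but in working days for P3. The script below is an added example, not part of the ARC paper or of the Atos process, and checks a handful of constructed incident records against those targets so that a breach of any of the three is surfaced the way a monthly SLA report would surface it. The record format, the sample incidents, the measurement of update cadence from the first communication (or from logging, if none was made) through to resolution, and the treatment of working days as Monday to Friday with bank holidays ignored are all assumptions of the example.

```python
"""Check incident records against the P1-P3 targets in the priority table.

Added example: the record format and the incidents are constructed for
illustration and are not taken from the Atos process or the ARC paper.
"""
from datetime import datetime, timedelta

# Targets transcribed from the priority table. P1/P2 resolution targets are
# elapsed (clock) hours; P3 is 3 working days. P3 updates have no target.
TARGETS = {
    "P1": {"comms_minutes": 15, "update_minutes": 30, "resolve_hours": 4},
    "P2": {"comms_minutes": 20, "update_minutes": 60, "resolve_hours": 8},
    "P3": {"comms_minutes": 120, "update_minutes": None, "resolve_working_days": 3},
}


def parse(ts):
    """Timestamps in the constructed records are 'YYYY-MM-DD HH:MM' local time."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def add_working_days(start, days):
    """Advance `start` by `days` working days (Mon-Fri), keeping the time of day.
    Assumption: bank holidays are not modelled; a real checker would consult
    a holiday calendar."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def resolution_deadline(priority, logged):
    """Deadline by which an incident logged at `logged` must be resolved."""
    target = TARGETS[priority]
    if "resolve_hours" in target:
        return logged + timedelta(hours=target["resolve_hours"])
    return add_working_days(logged, target["resolve_working_days"])


def check_incident(inc, now):
    """Return a list of breach descriptions for one record (empty = compliant).
    `now` is the time of the check and bounds incidents that are still open."""
    target = TARGETS[inc["priority"]]
    logged = parse(inc["logged"])
    first = parse(inc["first_comms"]) if inc.get("first_comms") else None
    updates = [parse(u) for u in inc.get("updates", [])]
    resolved = parse(inc["resolved"]) if inc.get("resolved") else None
    end = resolved or now
    breaches = []

    # 1. Initial communication following incident logging.
    comms_deadline = logged + timedelta(minutes=target["comms_minutes"])
    if first is None:
        if end > comms_deadline:
            breaches.append(f"no initial communication within {target['comms_minutes']} min of logging")
    elif first > comms_deadline:
        late = int((first - comms_deadline).total_seconds() // 60)
        breaches.append(f"initial communication {late} min late")

    # 2. Update cadence: every gap between successive communications, from the
    #    first communication (or logging) until resolution or the check time.
    if target["update_minutes"] is not None:
        limit = timedelta(minutes=target["update_minutes"])
        points = [first or logged] + updates + [end]
        for earlier, later in zip(points, points[1:]):
            gap = later - earlier
            if gap > limit:
                breaches.append(f"update gap of {int(gap.total_seconds() // 60)} min "
                                f"exceeds {target['update_minutes']} min target")

    # 3. Resolution target (elapsed hours for P1/P2, working days for P3).
    deadline = resolution_deadline(inc["priority"], logged)
    if resolved is None:
        if now > deadline:
            breaches.append(f"still open past resolution target ({deadline:%Y-%m-%d %H:%M})")
    elif resolved > deadline:
        breaches.append(f"resolved after target ({deadline:%Y-%m-%d %H:%M})")
    return breaches


def check_incidents(incidents, now):
    """Map incident id -> list of breaches for a batch of records."""
    return {inc["id"]: check_incident(inc, now) for inc in incidents}


# Constructed sample records (not real incidents). 2016-03-04 is a Friday, so
# INC003's 3 working days run to Wednesday 2016-03-09, not Monday 2016-03-07.
SAMPLE_INCIDENTS = [
    {"id": "INC001", "priority": "P1", "logged": "2016-03-04 09:00",
     "first_comms": "2016-03-04 09:10",
     "updates": ["2016-03-04 09:40", "2016-03-04 10:10", "2016-03-04 10:55",
                 "2016-03-04 11:25", "2016-03-04 11:55", "2016-03-04 12:25"],
     "resolved": "2016-03-04 12:30"},
    {"id": "INC002", "priority": "P2", "logged": "2016-03-04 16:00",
     "first_comms": "2016-03-04 16:25",
     "updates": [f"2016-03-04 {h:02d}:00" for h in range(17, 24)] + ["2016-03-05 00:00"],
     "resolved": "2016-03-05 00:30"},
    {"id": "INC003", "priority": "P3", "logged": "2016-03-04 15:00",
     "first_comms": "2016-03-04 16:30", "resolved": "2016-03-09 14:00"},
    {"id": "INC004", "priority": "P1", "logged": "2016-03-10 08:00"},
]
NOW = parse("2016-03-10 13:00")

if __name__ == "__main__":
    for inc_id, breaches in check_incidents(SAMPLE_INCIDENTS, NOW).items():
        print(inc_id, "OK" if not breaches else "; ".join(breaches))
```

Run as a script it reports INC001 with one late update (a 45-minute gap against the 30-minute P1 cadence), INC002 with a late first communication and a resolution 30 minutes past the 8 elapsed hours, INC003 as compliant because its deadline counts working days across the weekend, and INC004 as breaching all three targets while still open. The working-day rule is the part worth getting right in any real monitor: applying calendar days to P3 would have flagged INC003 as a breach it did not commit.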
Support materials
Details of risks (titles, descriptions and GE owners), their evaluations (net and target) and Key Further Actions are included in the attached documents; details of Current Controls are not presented here, but are included in local risk registers:
• Appendix 1a: Group Risk Profile - a summary of our Top Risks with their net evaluation displayed on a Heat Map. Use to consider the significance of the risks, particularly which are Red (need actioning to bring the net evaluation to the target) and which Amber (monitor, to alert if turning Red).
• Appendix 1b: Risk Descriptions. Use to consider whether each risk is accurately focused on the right event, causes and outcomes.
• Appendix 2: Summary of Key Further Actions for Red Risks - descriptions of each risk, plus the most significant further actions risk owners are planning to take over the next 12 months to manage the risks to their target evaluations, sorted by risk owner. Use to consider whether appropriate and sufficient actions have been identified.
• Appendix 3: Harm Table. Use to explain the evaluation criteria.
• Appendix 4: Significant incidents reported since August 2015, mapped to the Top Risks in the Group Risk Profile. Use to challenge the focus and evaluation of our risks, whether Key Further Actions are succeeding, and whether new risks should be considered.
Appendix 1a
GROUP RISK PROFILE - Mar 2016 (see overleaf, Appendix 1b, for the full list of risk descriptions)
Version: 10th March 2016

[Heat map: each Key Risk's net evaluation and target plotted by Impact (financial, from <1% to >20% of target) against Likelihood (<10%, 10-25%, 25-50%, 50-80%, >80%), shown alongside illustrative 3 Year Plan Objectives and Targets.]

KEY RISKS (number, risk, GE owner)
1 Industrial Relations (Transformation) - Neil Hayward
2 Market Developments/ Competition (non-FS) - Martin George
3 Transformation Benefit Realisation - David Hussey
4 Third Party Relationship Management - Jane MacLeod
5 Network Proposition - Kevin Gilliland
6 People Capability - Neil Hayward
7 Transformation IT Delivery - David Hussey
8 Customer Experience - Martin George
9 Royal Mail Alignment - Martin George
10 Market Developments/ Competition (FS) - Nick Kennett
11 IT Availability - Al Cameron
12 Pension Cost
13 FS Regulatory Supervision - Nick Kennett
14 Financial Reporting and Controls - Al Cameron
15 Government Funding - Al Cameron
17 Investment Decisions - Al Cameron
Government Alignment - Martin George

Note: Objectives and Targets are from the Business Plan 15/16 - 17/18 and are used as an illustrative example; they will be updated for the next Business Plan.
A risk's net evaluation is after consideration of the effect of current controls; its target evaluation is the estimate of where the risk will be in 12 months after the effect of planned Key Further Actions (see overleaf for details of Key Further Actions).
For ARC/ governance purposes, Red risks are for actioning and have Key Further Actions designed to bring the net evaluation to the target; Amber risks are for monitoring, to alert if the risk is turning Red. Risk owners may well have Key Further Actions for Amber risks, but they are not reported to the ARC.
Further detail of current controls and further actions is held by risk owners in their business area Risk Registers.
Appendix 1b
RISK DESCRIPTIONS - Mar 2016
Version: 10th March 2016

[Table: risk number, GE owner, risk title, description, and net and target evaluation scores. The numbers, owners and titles are:]
1 Neil Hayward - Industrial Relations (Transformation)
2 Martin George - Market Developments/ Competition (non-FS)
3 David Hussey - Transformation Benefit Realisation
4 Jane MacLeod - Third Party Relationship Management
5 Kevin Gilliland - Network Proposition
6 Neil Hayward - People Capability
7 David Hussey - Transformation Delivery - Integrated Service Model
8 Martin George - Customer Experience
9 Martin George - Royal Mail Alignment
10 Nick Kennett - Market Developments/ Competition (FS)
11 Al Cameron - IT Availability
13 Nick Kennett - FS Regulatory Supervision
14 Al Cameron - Financial Reporting and Controls
15 Al Cameron - Government Funding
16 David Hussey - Transformation Resources
17 Al Cameron - Investment Decisions
18 Nick Kennett - FS Sales Capability
19 Jane MacLeod - Information Security Breach
20 Jane MacLeod - Regulatory Compliance Breach
Martin George - Government Alignment
23 Martin George - Digital Competency
24 Neil Hayward - NFSP Alignment
25 Neil Hayward - Health & Safety Breach
26 Al Cameron - Cost Reductions
Appendix 2
SUMMARY OF KEY FURTHER ACTIONS (RED RISKS ONLY) - Mar 2016
Version: 10th March 2016

[Table: for each Red risk the GE owner, risk title, description, net and target evaluation, Key Further Actions, action owner and completion date. The legible content is:]
• 1 Industrial Relations (Transformation) - Neil Hayward.
• 6 People Capability - Neil Hayward: there is no clear prioritisation of the capabilities required. Action: redefine organisation design and structure (Jonathan Cormack, Mar-16).
• 12 Pension Cost: actions concerning the Defined Benefit scheme.
• 2 Market Developments/ Competition (non-FS) - Martin George: the strategic business model is challenged by competitors with new products; actions to define target propositions and a growth strategy.
• 8 Customer Experience - Martin George: develop a Customer Strategy; develop a Digital Strategy.
• 9 Royal Mail Alignment - Martin George: alignment of objectives; MDA management.
• 5 Network Proposition - Kevin Gilliland: design new models and technical solutions for the branch proposition.
• 10 Market Developments/ Competition (FS) - Nick Kennett: define strategy and customer growth strategy; longer-term negotiations under way.
• 13 FS Regulatory Supervision - Nick Kennett: complete actions to meet the new regulatory requirements (Nick Kennett, Kevin Gilliland).
• 3 Transformation Benefit Realisation - David Hussey: review and implement a revised Benefit Tracking framework/ governance; conduct Cost & Benefit Tracking reviews on a reported basis (ongoing).
• 7 Transformation IT Delivery - Integrated Service Model - David Hussey: the appointment of Fujitsu for the branch Point of Service (PoS) solution affects the planned Service Model. Actions: work with Fujitsu, other supply chain members and Atos to define the Service Model and ensure it is clearly considered; improve supplier relations through aligned governance and engagement of business stakeholders.
• 11 IT Availability: business continuity and disaster recovery (resilience and recovery) actions for the network and new services.
• 14 Financial Reporting and Controls - Al Cameron: inadequate financial controls to ensure compliance with accounting and governance requirements. Actions: control framework mapping; implement an annual process of Executive delegation and control self-assessment (Mike Morley-Fletcher, Mar-17).
• 4 Third Party Relationship Management - Jane MacLeod: improve management of supplier contracts and obtain attestation of compliance with policy.
Appendix 3
HARM TABLE - MEASUREMENT CRITERIA
Version: 18th Feb 2016, post RCC & ARC

Impact on*
Score | Label | Financial** (EBITDAS) | Operational Continuity (Operations, IT, Colleagues, Third Party, Regulator) | Reputational
5 | Critical | >20% of financial target, or significant impact on all objectives | National service disruption/ withdrawal of significant location/s or business function/s for >3 days | Withdrawal of stakeholder/ customer/ colleague/ 3rd party support, or extensive national media coverage, or formal regulatory intervention
4 | Significant | >10-20% of financial target, or significant impact on objectives | National service disruption/ withdrawal of significant location/s or business function/s for <3 days | Significant challenge from stakeholders/ customers/ colleagues/ 3rd parties, or some national media coverage, or formal regulatory investigation
3 | Major | >5-10% of financial target, or significant impact on objectives | Regional service disruption/ withdrawal of major location/s or major business function/s for <3 days | Major questioning from stakeholders/ customers/ colleagues/ 3rd parties, or extensive local media coverage, or informal regulatory enquiry
2 | Moderate | >1-5% of financial target, or significant impact on objectives | Local service disruption at several locations or business functions for >3 days | Moderate concern from stakeholders/ customers/ colleagues/ 3rd parties, or some local media coverage, or informal regulatory conversations
1 | Minor | 0-1% of financial target, or significant impact on objectives | Local service disruption at several locations or business functions for <3 days | Negligible interest from stakeholders/ customers/ colleagues/ 3rd parties, or no media coverage, or no regulatory interest

Likelihood of*
Score | Label | Probability
5 | Very Likely | >80%
4 | Likely | 50-80%
3 | Possible | 25-50%
2 | Unlikely | 10-25%
1 | Remote | 0-10%

Note: * any one year over the Business Plan time horizon.
** generally use the financial measure first, then enhance if an additional operational or reputational impact applies too.

Our risk evaluation can be on the basis of:
GROSS risk - the risk evaluation before taking into account the effectiveness of controls currently in place; sometimes referred to as "inherent" risk.
NET risk - the risk evaluation after taking into account the effectiveness of controls currently in place; sometimes referred to as "residual" risk.
TARGET risk - the risk evaluation if further actions were taken to manage the risk to an acceptable level, ultimately to meet the desired risk appetite.
Appendix 4. Significant incidents reported since August 2015 against Top Red Risks

Rating based on harm table: qualitative 'opinion'. Quantitative data: incidents reported.

[Table: the 14 'Red' Top Risks against the reporting months 08/15, 09/15, 10/15, 01/16 and 03/16, with the count of incidents mapped to each risk. The risks listed are:]
1 Industrial Relations (Transformation)
2 Market Developments/ Competition (non-FS)
3 Transformation Benefit Realisation
4 Third Party Relationship Management
5 Network Proposition
6 People Capability
7 Transformation Complexity
8 Customer Experience
9 Royal Mail Alignment
10 Market Developments/ Competition (FS)
11 IT Availability
12 Pension Cost
13 FS Regulatory Supervision
14 Financial Reporting and Controls
AUDIT AND RISK COMMITTEE
4bi) General Control Framework update
Author: Deana Herley Sponsor: Mike Morley-Fletcher Meeting date: 17 March 2016
Executive Summary
Context
To get the best from our general controls we are seeking to understand which ones are
key, how they inter-relate to each other, and how we can combine them in a “General
Controls Framework" (“GCF”) to provide the foundations for more effective control. We are
supporting the business to check these controls exist, that they are focused correctly and
operating as we would want. Having piloted our approach within Finance, developing tools
and templates, we have received support from General Executive (GE) Control Owners to
implement more widely.
Questions this paper addresses
1. What progress have we made?
2. What are the next steps?
3. How do we ensure general controls are represented in accountabilities?
Conclusion
1. To date we have identified prospective GE Control Owners and SMEs* (see Appendix 1)
and developed a roll out plan (see Appendix 2), plus supporting tools including a Test
Plan and Reporting Template, a Self-Assessment Template, guidance to support
completers and consistent Assessment criteria. We have tested our approach with
Finance in preparation for a Current State Assessment across the organisation (April to
June), followed by a dry run at the half year (July to September) and full
roll out at the year-end (January to March 2017), for inclusion in the Board's Annual
Assessment and to support our 2016/17 year-end reporting.
* 5 GE Control Owners (Paula, Neil, Al, Jane and David) and 12 SMEs.
2. We will be working collaboratively with SMEs to perform initially a current state
assessment to map the environment to our GCF. The Self-Assessment Template will be
populated with the findings from this work. This will be the prime mechanism by which
GE Control Owners with their teams assess the effectiveness of the control environment
going forward, devising action plans to address any weaknesses or gaps identified and
ultimately signing off their self-assessment. The project timeline is to complete in time
to provide support for the Board’s year-end Annual Assessment of Internal Controls.
3. We have explored with the CEO and HR how best to ensure that General Controls are
represented in GE accountabilities, either through role descriptions or objectives, or a
combination of both, depending whether they are current or new responsibilities.
Input Sought
The Committee is asked to review the information provided and feedback on the proposed
approach and timings.
Appendix 1 - General Control Framework - Details of GE Owners and proposed SMEs
GCF Component | Owner (GE) | SME Deliverer (SLT)
1) Strategy, objectives and targets | Paula Vennells | Martin Edwards, Strategy Director
2) Code of Business Standards and Tone from the Top | Neil Hayward | Colin Stretch, Head of Employee Relations
3) Social Purpose | Paula Vennells | Mark Davies, Communications & Corporate Affairs Director
4) 3 Year and Annual Plans | Alisdair Cameron | Martin Edwards, Strategy Director
5) Risk assessments | Jane MacLeod | Mike Morley-Fletcher, Head of Risk and Assurance
6) Performance monitoring | Alisdair Cameron | Dave Carter, Financial Controller
C) ORGANISATIONAL DESIGN & DELEGATION
7) Organisational Structure, Accountabilities and Segregation of Duties | Neil Hayward and David Hussey | Tom Moran, Head of ER and Engagement, and Alison Japp, TOM
8) Delegation of Authority, including Capital Investment limits | Jane MacLeod | Alwen Lyons, Company Secretary, and Dave Carter, Financial Controller
9) Staff calibre, experience and qualifications, including personal development and appraisal | Neil Hayward | Sarah Malone, Head of Learning, Resourcing
10) Senior Management remuneration | Neil Hayward | Natasha Wilson, Director of Reward and Pensions
11) Operational, financial and regulatory policies (and control activities) framework | Members of GE | Various SLTs, see Policy Framework project
12) IT policies (and control activities) framework | Alisdair Cameron | Chris Broe, CIO
D) GOVERNANCE & FEEDBACK
13) Board and Audit Committee | Jane MacLeod | Alwen Lyons, Company Secretary
14) Assurance capability | Jane MacLeod | Mike Morley-Fletcher, Head of Risk and Assurance
15) Whistleblowing and Complaints | Jane MacLeod | Mike Morley-Fletcher, Head of Risk and Assurance, and TBC for complaints
16) External Reporting | Alisdair Cameron | Alwen Lyons, Company Secretary, and Dave Carter, Financial Controller
Appendix 2 - Project Plan - Overview
Set out below is an overview of our approach and timings to prepare the business for
attestation of GCF effectiveness reporting at year-end 2016/ 17, including key activities
and reporting milestones.
Month | Activity | Update to ARC
January | Design GCF (complete) | ARC
February | Scope testing and developing tools (complete) |
March | Current State Assessment preparation (complete) | ARC
April to June | Current State Assessment of GCF components |
September | |
November | |
December | |
ARC COMMITTEE
4bii) Policy Framework Project update
Author: Mark Rodgers   Sponsor: Mike Morley-Fletcher   Meeting date: 17 March 2016
Executive Summary
Context
The purpose of the Policy Framework Project ("PFP") is to ensure that we know what our key policies are, that they are up to date and implemented, and that we can demonstrate this to the Board. An additional benefit arises when we need to share policies with third parties, as we currently do for the Partnership Banking Agreement ("PBA"), which requires us to provide evidence of 5 key policies.
The Project is prioritised into two sequential, but independent, phases: the first for
Corporate Services policies; the second for policies owned by other areas of the business.
Our external auditors, Ernst & Young, have offered to provide benchmarking on the type of
policies that should be considered in phase 2.
This paper provides an update on the progress of the Policy Framework Project.
Questions?
1. Are we on target with the plan, especially in respect of Corporate Services and in
supporting the Partnership Banking Agreement project?
2. What are the next steps?
Conclusion
1. We have a clear plan for a phased approach using the Key Policies Framework and
tools for policy assessment, review and drafting. We are currently on schedule to
complete the review and remediation of Corporate Services policies in time to meet
the end-March 2016 deadline for the PBA project. Remediation of 16 out of the 18
CS policies is underway and resources for the other 2 have been identified (see
Appendix 1). The review of Non-Corporate Services policies will commence in April
2016.
2. We will seek RCC confirmation of the desired list of Non-Corporate Services policies
(see Appendix 2) using benchmarking provided by Ernst & Young as guidance. Then,
using lessons learned to date, we will complete the current state assessment of key
Non-Corporate Services policies and project manage any resultant remediations with
policy owners.
Input Sought
The Committee is requested to review this report and provide any input or suggestions it
has on the project’s goals, direction and progress.
Appendix 1: Corporate Services - progress to date
Policies required under the Partner Banking Agreement are shown in bold.
Ref | Policy | Owner | Existing policy | Review/ remediation status | Target date
Corporate Governance, including:
PO1/01 | Board Constitution | Alwen Lyons | No existing policy | No (see Note 1) | (see Note 1)
PO1/02 | Conflicts of Interest | Alwen Lyons | Yes | In progress | April 2016
PO1/03 | Enterprise Risk | Mike Morley-Fletcher | Yes | In progress | April 2016
PO1/04 | Internal Audit Charter | Garry Hooton | N/A (see Note 2) | N/A (see Note 2) | N/A (see Note 2)
PO1/05 | Whistleblowing | Nisha Marwaha | Yes | Yes | April 2016
PO1/06 | Investigations | Nisha Marwaha | No existing policy | Yes | April 2016
Security:
PO1/07 | Physical Security | John Scott | In progress | In progress | April 2016
Information Security, including:
PO1/08 | Cyber and Information Security Policy | Julie George | Yes | Not required, approved during 2015 | Not required, approved during 2015
PO1/09 | IS - Acceptable Use | Julie George | Yes | (see Note 3) | (see Note 3)
PO1/10 | Business Information Systems Policy | Julie George | Yes | (see Note 3) | (see Note 3)
Data Protection:
PO1/11 | Information Assurance Policy (incl. Data Protection) | Julie George | Yes | In progress; amendments required | April 2016
Financial Crime, including:
PO1/12 | Fraud Risk Management | John Scott | Yes | Yes | End March 2016
PO1/13 | Anti-Bribery and Corruption (incl. Gifts Policy) | Ben Foat | Yes | In progress | End March 2016
PO1/14 | Anti-Money Laundering (incl. Counter Terrorism & Sanctions) | John Scott | Yes | In progress | End March 2016
Forensics:
PO1/15 | Cyber Fraud (part of 08 above) | Julie George | Yes | In progress; amendments required | April 2016
PO1/16 | Prosecution Policy (England & Wales) | Rodric Williams | Yes | Completed Feb 16 (see Note 4) | Completed Feb 16 (see Note 4)
Business Continuity, including:
PO1/17 | Business Continuity (incl. Disaster Recovery) | Jonathan Waples | Yes | In progress | End March 2016
PO1/18 | Crisis Management | Jonathan Waples | No existing policy | In progress | April 2016
Notes
* Note 1. There is no overarching Board Constitution policy. Direction is provided by the existing Articles of Association,
Matters reserved for the Board, TORs, Delegation of Authority
* Note 2. The Internal Audit Charter is denoted N/A because it is already a compliant document with Internal Audit
International Professional Practice Framework Standards.
* Note 3. Information Security Policies 08, 09 & 10 have been reviewed and already meet policy standards. RCC
approved these policies during 2015. The next reviews will be as per the policy review cycle in each case.
* Note 4. The Group Prosecution Policy (England & Wales) was approved by the Board in February 2016.
Appendix 2: Key Policy Framework (non-CS policies)
The Key Policy Framework is a strawman of possible ‘Big P’ policies* - this is a latest
suggestion for Non-Corporate Services. These will be benchmarked, reviewed by RCC and
presented to ARC in May 2016.
Policies required under the Partner Banking Agreement are shown in bold.
PO2/01 Commercial, including: A. Brand Guidelines/ Tone of Voice; B. Customer (including Treatment) - Martin George
PO2/02 Social Purpose - Distribution Network Coverage (Entrustment Letter, Nov …) - Kevin Gilliland
PO2/03 Change Management (Delivering Change methodology)** - David Hussey
PO2/04 Finance, including: A. Accounting and Reporting; B. Treasury Risk Management; C. Capital Expenditure Approval (ToR)**; D. Procurement - Alisdair Cameron
PO2/05 Human Resources, including: A. Talent and Resourcing***; B. Reward and Recognition; C. Learning and Development; D. Performance, Attendance and Behaviour; E. Health & Safety; F. Code of Business Standards - Neil Hayward
Notes
* ‘Big P’ policies are those which are “materially” important because they provide directions and
instructive content, regarding the extent and style of what and how our Board expects the company and
our staff to behave. These policies meet the “key” needs of our stakeholders.
** Where there is no policy document, details of alternative documentation that provides the direction of a policy are given in italics. For instance we do not have a Board Constitution policy, but direction is provided by the Board-approved Articles of Association, Matters reserved for the Board, Terms of Reference and Delegation of Authority.
*** The HR Vetting policy is one of the policies within the Talent and Resourcing Policy that is required for the Partnership Banking Agreement.
PAPER FOR ARC GOVERNANCE UPDATE
4biii) Business Continuity & Crisis Management Project update
Author: Jonathan Waples   Sponsor: Jane MacLeod   Meeting date: 17 March 2016
Executive Summary
Context
Activities are under way to bring Business Continuity (BC) & Crisis Management (CM) disciplines in line with best practice guidelines, as defined by the Business Continuity Institute, and measured against ISO 22301:2012 Societal Security - Business Continuity Management Systems.
Questions this paper addresses
1. Is there a clear plan, with defined milestones, to deliver the best practice goals?
2. Does progress to date meet expectations re Crisis Management process
construct and Business Continuity capabilities for top suppliers?
3. Does progress to date match that expected from the plan, and what does this
suggest for the future?
Conclusion
1. A plan has been devised and shared with management and the sponsor; phase one
milestones will deliver revised, improved and tested Crisis Management processes
by the end of April 2016, and BC activities by the end of May; phase 2 is estimated
for completion by early August; and phase 3 by end of October 2016.
2. The January RCC request for a view on our Crisis Management process construct is
outlined in the body of this report, consisting of a high-level view of assignable roles
& responsibilities and an explanation of escalation routes.
In addition, the ARC requested a view on top suppliers and their Business Continuity
capabilities, and a reach-out to top suppliers has been initiated to request visibility
of BC planning & capability as well as testing regimens.
3. The plan is currently on-track, but contingency has now been exhausted by resource
involvement in significant BAU activity - there is no other central Business Continuity
resource. We are considering whether the plan requires rebase-lining to
accommodate future slippage, which will push out delivery times. Potential further
risks to project completion could come from other resource pinches or actual crises.
Input Sought
The Committee is requested to review this report and highlight any input or suggestions
it has on the project’s goals or progress.
The Report
1. Is there a clear plan, with defined milestones, to deliver the best practice goals?
A plan has been shared with management and the sponsor; phase 1 milestones are
scheduled to deliver revised, improved and tested CM processes by the end April 2016.
BC activities under phase 1 are scheduled through to the end of May. See Appendix 1,
for a high-level view of progress to date and future planned activity.
2. Does progress to date meet expectations voiced at the previous RCC?
Crisis Management Construct:
The Crisis Management construct should dovetail the incident management processes
for various business units, where they exist (ISAG, IT, Security etc.), and accommodate
distinct communication routes as well as defined escalation points and their triggers.
Appendix 2 demonstrates this escalation & comms management flow.
This flow differs only slightly from previous versions; however, it relies on a capability for escalation, communication and management that is not yet developed. Provisioning this capability would require deployment of a Crisis Management System, or development of an in-house alternative, potentially making use of the Grapevine system already in use at POL. A paper has been prepared for the Head of Security.
Top Suppliers’ Capability:
POL's standard contract schedule includes business continuity requirements, verified at time of procurement; however, on-going reviews have not been routinely recorded. A reach-out to top suppliers, identified from the list held by the Internal Audit Team, has therefore requested visibility of suppliers' current BC planning and capability as well as their testing regimens. Once available, the information will be compiled and shared, including a summary for RCC and ARC.
3. Does progress to date match that expected from the plan, and what does this
suggest for the future?
Project Activity vs BAU:
During the course of the Discovery Phase, significant resource time has been diverted from project activity by the pressures of significant business-as-usual demands, as the project SME is the only qualified resource available. To avoid this, we are considering whether BAU activities could be managed by another resource, for instance within the current Central Risk team, with escalation when required.
Potential for Rebase-lining
The plan has adapted to take on new priorities, and is still expected to achieve the initial
goals. The risk identified in response to question 3 however, whilst not impacting
delivery on project goals to date, has eroded contingency during this phase, and for
future activities, making delay to subsequent plan activities a significant risk. Plan
rebase-lining is being reviewed to accurately set expectations on final delivery.
Appendix 1: High Level Business Continuity Project Plan

[Timeline chart: Phase One (current state), Phase Two and Phase Three, with milestones End Phase One - late May 2016; End Phase Two - 2016 (early August, per the Conclusion above); End Phase Three - late October 2016.]
Appendix 2: Crisis Management Construct - Overview

[Escalation and communications flow, top to bottom:]
Governance
Critical Incident - Strategic (Silver Team); escalation via the Major Incident Escalation Group
Major Incident - Tactical (Bronze Team)
Incident Escalation & Control; Comms & Management (Red Team)
Lines of Service Incident Management (e.g. IT / Atos; ISAG; Security) - Incident (Blue Team)
AUDIT AND RISK COMMITTEE Internal Audit Update
Internal Audit Report
Author: Garry Hooton Meeting date: 17 March 16
Executive Summary
Context
The purpose of this paper is to update the Committee on the PO Internal Audit and
Business Transformation Assurance activity and key outcomes. This includes details of the
work completed since the last Audit and Risk Committee (ARC) in January; and the
progress against the 2015/16 Internal Audit Plan which is due to complete for the May
RCC/ARC, see Appendix 1.
Questions this paper addresses
1. What progress has been made since the January ARC?
2. Is the Internal Audit Plan on track?
3. Do we have the resources we need to deliver the plan and actions arising?
4. Have any significant issues arisen that the committee should be aware of?
Conclusion
1. During the period three audits, one Internal Audit (IA) and two Business
Transformation Assurance (BTA), see Appendix 2, have been completed, with actions
being agreed with management, but they have not yet been finalised with GE Sponsors.
This period is when the IA team focus on drafting the Internal Audit Plan for
2016/17 - see separate paper - and the team have continued to contribute in a
business assistance capacity to the Property Compliance Forum.
We have also reviewed and updated our approach to annual and individual review
reporting as part of our internal continuous improvement activity, see Appendix 3.
2. The IA plan is designed to run through to 31 March with the remainder of the audits
due for reporting at the May ARC. These audits are now either being cleared with
management or are well underway, except for Client Contract Management and
Workforce Planning. Whilst scoped, we have moved the fieldwork of CCM to April, given
the transition of reporting accountabilities from Management Services to product pillars
is not yet complete. This will allow time for changes to embed. The consequential freed
up resource has been invested in developing and piloting our proposed methodology
to check the effectiveness of the General Control Framework (GCF) and Control
Self-Assessment (CSA) - see separate paper. Workforce Planning cannot currently
be resourced (see item 3 below). We expect to complete all reviews for the May RCC/
ARC (see Appendix 1).
3. We continue to be impacted by the long term sickness of one of the team (since
November) which has affected the delivery of audits in Q4. We have another member
of the team due to go on maternity leave in mid-March.
4. There are no significant issues that we believe the committee should be made aware
of.
Input Sought
The Committee is asked to note and provide directions as necessary.
The Report
2015/16 Reviews in Progress
5. The following reviews are in progress:
• Data Protection
• SISD Delivery
• Common Digital Platform
• Social Media
• Assurance Framework
• Agent Remuneration
• FRES
• Treasury Operational Risk
Internal Audit
• Cross Towers Governance and PAA
• End to end Financial Management of Transformation
• Digital Programme Mobilisation
• Winning with Retailers
BTA
Updates on Completed Reviews
6. Actions arising from our Internal Audit activity are tracked and reported. A process is
being designed and implemented which will allow agreed audit actions to be tracked
and escalated to the GE sponsor monthly to reduce the number of overdue actions.
The details below highlight progress since the last meeting.
Contract Management
Since the last update in January, limited progress has been made on implementing
actions primarily due to the departure of the Procurement Director and the handing over
to an Interim Head of Procurement. However, work has been done on amending Bravo
to ensure that the right information is being collected around contracts. A detailed follow
up of Contract Management is within our proposed audit plan for 2016/17.
Financial Crime
A Fraud Policy is currently being drafted as a part of the Policy Framework Project which
will address 6 of the 10 overdue actions. Progress has been made with 10 further due
actions implemented. Additional actions relating to internal controls in prevention and
detection of Financial Crime require further action from the business (5 of 13 due actions
have been implemented).
Summary of Overdue Actions
[Chart: Overdue Audit Actions, bars grouped by number of days overdue (0-30, 31-60, 61-90, 91-120). Legible bar labels: 3 Contract Management; 3 Financial Crime; 4 Wave; 4 Contract Management; 3 FC Additional Controls; 6 Financial Crime; 1 Contract Management; 1 Wave; 3 FC Additional Controls; 2 FC Additional Controls; 1 Wave.]
Business Assistance
7. Internal Audit has continued to work with Legal to assist Property with the
implementation of adequate governance and controls to address regulatory compliance
requirements. We have also continued to attend the Property Compliance Forum to
monitor progress.
8. Further to the update from the Head of Property to the last RCC meeting, we note
below our view on the progress made and residual risks:
Progress with Statutory Compliance activities
• A formal plan is now in place to address all of the required statutory compliance
checks/risk assessments for the elements and sites. However, our Facility
Management providers have still not managed to achieve full compliance across the
PO property estate.
• We understand the electrical testing programme was only performed on a limited
part of the electrical circuits, as tests were performed during trading hours and the
electricity in the branches could not be closed down. The certificates obtained are
hence classified as not "satisfactory", and premises will need to be visited again to
test the remainder of the circuits and to carry out remedial work. The Head of
Property is taking up this issue with CBRE (Facility Management service providers).
• Health and Safety requirements for residential properties are not effectively
managed. The suppliers (CBRE and BNP Paribas) will provide a plan to achieve full
compliance for residential properties by the first week of March.
Property Compliance Governance
• An exercise to produce a Property Compliance Control Framework has commenced.
This is scheduled to be completed by the end of March 2016. The early findings
reveal the need for: strengthening the Facility Management Department to allow
more efficient monitoring of the suppliers' activities; clarifying the scope of
'Safety, Environment and Wellbeing' in relation to Property Compliance and Health
and Safety management; and updating and improving current policies and the handbook.
• The exercise aims at addressing all the gaps identified and designing a new
operating model covering all roles and responsibilities with regard to property
compliance.
Ongoing issues not yet fully addressed
• There is no formal mechanism to escalate the issues and risks identified to a higher
management level or committee. Responsible persons - duty holders and compliance
persons (who provide first line controls) - have not yet been trained to fulfil their duties.
Initial training is due by the end of February 2016.
• The responsibilities to be taken on by the new Property Compliance Manager going
forward have still not been finalised.
Business Transformation Assurance
9. During Q4 the BTA team have completed two reviews, with two more due to finalise
shortly. These reviews are generating recommendations for programmes going forward
and aim to create more effective and efficient processes within Transformation and
across Post Office as a whole.
10. The BTA plan has been impacted by the changes to the underlying Transformation Plan
and progress, namely the putting on hold of the Branch Technology Transformation
Programme (BTTP) which includes the Common Digital Platform (CDP) and Front Office
system replacements. This has resulted in a number of planned assurance reviews
being put on hold. If there are permanent changes to BTTP then a more comprehensive
re-planning of BTA activity will be required.
11. Overall six reviews for the upcoming quarter have been identified and approved at
Transformation Risk Assurance Group (TRAG); of which three reviews have been
scoped and fieldwork is in progress and three are still in the process of being scoped.
A full list is included within Appendix 2.
AUDIT AND RISK COMMITTEE 2016-2017 Audit Plan
Internal Audit Plan — proposal for 2016/17
Author: Garry Hooton Sponsors: Mike Morley-Fletcher Meeting date: 17 March 2016
Executive Summary
Context
During December 2015 to February 2016, we have developed a risk-based Internal
Audit Plan (the ‘Plan’) for 2016/17, based on our team’s research and input from ARC,
GE members and their teams. The Plan includes 12 prospective reviews (based on
current resource levels) and an additional separate ‘watch’ list of other reviews
identified for consideration now or during the year if risk profiles/ priorities change
(these are not resourced).
We now seek confirmation that individually and collectively these reviews represent an
appropriate Plan to support senior management in their activities and provide assurance
to the Audit & Risk Committee (ARC) over key risks to the Post Office. Additional
assurance is provided by the Business Transformation Assurance programme and
further assurance is planned through the introduction in 2016/17 of Control Self-
Assessment for Financial Reporting Controls - see separate paper.
Questions this paper addresses
1. Does our approach to planning focus the Plan on the right priorities to support the
Post Office objectives?
2. Does the Internal Audit Team have sufficient resources to deliver the plan?
3. What are the next steps?
Conclusion
1. We have followed a standard risk-based approach to draft the Internal Audit Plan
that is consistent with Internal Audit Standards. We researched a range of risk types
that most organisations face as well as reviewing those identified by management
in their risk registers and via discussion - a number of these are among
management's Top Risks in the Group Risk Profile and particular attention has been
given to those when prioritising selection. Also we sought assurance expectations
from our key stakeholders: the ARC Chair and members, GE members, Senior
Managers and other assurance providing functions. The Plan has been drafted taking
into account the following considerations:
a. Total audit universe.
b. Top identified risks and risk registers from business units.
c. Current control frameworks.
d. Assurance already received.
e. Feedback from senior management.
f. Findings and follow up from previous years.
g. Other items identified by Internal Audit and ARC members.
In addition to the Internal Audit Plan, assurance on the Business Transformation is
provided under the Business Transformation Assurance Programme. The BTA plan
for 2016/17 is being rebased and will be approved by the Transformation Risk
Assurance Group (TRAG) shortly, and subsequently reported to the ARC. The Head
of Internal Audit oversees the delivery of this activity, led by Deloitte. Internal
Audit also provide assistance to Post Office Managed Services (POMS) in the
planning, sourcing and delivery of Internal Audit activity, which is resourced from
POMS’s budget, and overseen by the POMS ARC.
2. The reviews proposed for 2016/17 will be delivered by a combination of our
Internal Audit staff and our co-source service providers (PwC) who facilitate
specialist skills when required - this approach is consistent with 2015/16. Current
permanent resources consist of 5 FTE (4 Internal Audit Managers and 1 Head of
Audit), supplemented by the PwC co-sourcing arrangement which is equivalent to
approximately 1½ FTE. As noted above, resourcing for POMS audits comes from
POMS's budget. This level of resource is considered sufficient to deliver the Plan as
currently constructed.
3. Further suggestions from ARC members will be considered for inclusion. We expect
to be able to circulate the approved plan to GE members at the end of March, to
enable local planning and preparation.
Input Sought
The Committee is requested to review the proposed Plan, identify and discuss any
items that are on the ‘watch’ list that could be swapped or suggest items not listed
for consideration.
Detail
Explanation of plan and proposed candidate list
4. The table below (see Appendix 1 for further detail) outlines the proposed audits to
take place in 2016/17, including timings sorted by Main Sponsor. The plan for the
year is indicative based on current known risks and priorities. However, internal and
external events may mean that priorities and risk profiles change, and management
may have additional requests during the year for advisory support or audit
assistance. In consequence, we may consider amending the plan as the year
progresses. We will seek ARC approval for all changes.
Ref | Proposed Review | Main Sponsors (associated GE members in brackets) | Period
1 | Identity and Access Management (Joiners, Movers, Leavers) | A. Cameron (N. Hayward) | Q1
2 | IT & Operations Governance and IT Risk Management | A. Cameron | Q1
3 | FS Training and Competence schemes - PO Network | N. Kennett (K. Gilliland) | Q1
4 | Branch Audit (revisit and update) | K. Gilliland | Q2
5 | IT Disaster Recovery and Resilience | A. Cameron (J. MacLeod) | Q2
6 | Financial Controls Framework Programme - Independent Testing | A. Cameron | Q2
7 | FS Sales Compliance | N. Kennett (K. Gilliland) | Q3
8 | Network Branch Service Centre - Handling of Agents Queries and Complaints | K. Gilliland (A. Cameron) | Q3
9A,B | Business Continuity and Crisis Management - PO | K. Gilliland (J. MacLeod) | Q3
10 | Procurement Process | A. Cameron | Q4
11 | IT Third Party Management | A. Cameron | Q4
12 | FS Sales Operations - 1st Line of Defence | N. Kennett | Q4
5. Although not included in our Plan, the additional areas in our watch list are for
consideration during the year should either our assurance needs for the areas
selected decrease or risk levels for items on our watch list increase - we will
monitor both dimensions throughout the year.
Watch List
A | Product Development | M. George
B | Digital Channels | M. George
C | Third Party Contact Centres Management | M. George
D | HR Policies and Processes | N. Hayward
E | POCA - Lesson Learned | M. George
F | Cyber Security | J. MacLeod
G | Business Planning and Investment | A. Cameron
H | Property Regulatory Compliance Assurance | K. Gilliland
6. In addition, we will conduct full follow up reviews on three audits performed in
2015/16:
Ref | Follow Up Review | Main Sponsors | Period
1 | Project Wave | M. George | Q1
2 | Financial Crime | J. MacLeod | Q1
3 | Contract Management | A. Cameron (J. MacLeod) | Q2
7. A breakdown by Business Area and Risk Universe Category is shown in the
diagrams below (see also Appendix 2):
[Pie chart, by area of the business. Legible segments: FS Compliance 25%; Network Operations 17%; Business Continuity 8%.]
[Pie chart, by Risk Universe Categories. Legible segments: Transformational Risks; Legal and Regulatory Risks; Financial Risks; Operational Risks 50%.]
Financial Risks: although we have selected only one review associated with the financial
risk category, the review of the Financial Controls Framework Programme (following
KPMG work on financial processes) will be performed on several processes covering a
number of financial risks.
8. The criteria used to determine the reviews for inclusion include:
• Link to Top Risks in Group Risk Profile.
• Link to Strategy and our key priorities (i.e. simpler to run, better for customers,
great place to work).
• Changes involving: people, systems, processes, suppliers, clients, etc.
• Regulatory environment.
• Known incidents or non-compliance issues.
• Level of controls provided by other assurance providers.
• Frequency of audit coverage.
• Status of audit actions.
• Financial materiality.
• Potential impact on reputation and customer experience.
• Value added by performing a review at a specific point in time.
• Resources.
Appendix 1 - Draft Internal Audit Plan by Sponsor (Detail)
Martin George
Watch List
Ref A | Product Development | Period: N/A
Rationale: Some of the products launched in the past have not delivered the expected returns, impacting PO profitability.
Objectives: Provide assurance over the design and effectiveness of the product development process.
Ref B | Digital Channels | Period: N/A
Rationale: PO business is becoming more digital, requiring effective management of digital risks. The lack of digital competency is one of the top risks in the Group Risk Profile.
Objectives: Assess how risk appetites have been set and controls designed around the digital channels.
Ref C | Third Party Contact Centres Management | Period: N/A
Rationale: A high volume of sales and customer interactions are made via a number of Contact Centres managed by third party service providers. This area has not been audited previously.
Objectives: Assess the effectiveness of the processes, controls and management information in place to monitor the third parties providing Contact Centres services for key PO products (including managed services such as Fujitsu for mobile products).
Ref E | POCA Lessons Learnt | Period: N/A
Rationale: The implementation of the new POCA agreement presents risks in delivery of service, and overall brand reputation.
Objectives: Review POCA lessons learned, following implementation of the new process.
Nick Kennett
Ref 3 | FS Training and Competence schemes - PO Network | Period: Q1
Rationale: Risks of non-compliant practices around the product distribution process and staff training are top of the POMS risk register. This area has not been previously audited.
Objectives: Assess the training provided to PO and Agency employees involved in the selling process. Review the process for assessing competence in selling FS and Insurance products.
Ref 7 | FS Sales Compliance | Period: Q4
Rationale: Increasing sales is a key success factor for the FS business. New processes are in place, such as roll out of the Customer Relationship Managers (CRMs) to boost sales within the Agency Network. Exposure to compliance risks.
Objectives: Assess compliance behaviours across all the sales channels: CRMs operations, agents and counter staff, FS and MS. Considering the results of the Video Mystery shoppers, product cancellation and rejection.
Ref 12 | FS Sales Operations - 1st Line of Defence | Period: Q3
Rationale: Risks around the role of the AR in monitoring sales operations are key in the risk Universe.
Objectives: Assess the effectiveness of the controls provided by the first line of defence around sales operations (including oversight of Insurance products).
Kevin Gilliland
Ref 4 | Branch Audit (revisit and update) | Period: Q2
Rationale: Recent changes in the 'Field Auditing Team' and 'Branch Standards Team' may impact effectiveness of the Second line of defence functions.
Objectives: Provide assurance over the effectiveness of the Second line of defence provided by the Branch field audit team.
Ref 8 | Network Branch Service Centre - Handling of Agents Queries and Complaints | Period: Q3
Rationale: Given the recent changes to the Agents contracts and the overall Network proposition, it is important to ensure that Agents receive adequate support from PO to develop an engaged and sustainable Network. This area has not been previously audited.
Objectives: Provide assurance over the effectiveness of the Network Branch Service Centres support in dealing with complaints and queries from agents.
Ref 9A | Crisis Management - Network | Period: Q3
Rationale: The risks around the availability of IT systems and the support from the NFSP are among the Top Risks within the Group Risk Profile which could impact operations of the Network.
Objectives: Review Crisis Management processes across the Network.
Watch List
Ref H | Property Regulatory Compliance Assurance | Period: N/A
Rationale: Property and Health and Safety teams are reviewing the Property Regulatory Compliance process and control framework to improve their effectiveness.
Objectives: Provide assurance on the effectiveness of the compliance processes and controls over PO property.
Neil Hayward
Watch List
Ref D | HR Policies and Processes | Period: N/A
Rationale: Previous audit highlighted areas for strengthening within HR policy and application of processes.
Objectives: Review of end to end HR processes, including: Payroll, Recruitment, Talent Management and Flexible Benefits.
Alisdair Cameron (Finance)
Ref 6 | Financial Controls Framework Programme - Independent Testing | Period: Q2
Rationale: KPMG have been engaged to map the key financial controls. The risk of financial misstatement is a Top Risk in the Group Risk Profile.
Objectives: For a number of selected finance controls, assess the effectiveness of the design and the implementation of KPMG recommendations, and perform sample tests to validate KPMG deliverables. The initial pilot will be conducted on the Postmaster Compensation Controls.
Ref 10 | Procurement Process | Period: Q4
Rationale: Recent changes in the procurement process and resourcing. Weaknesses in the contract management processes were identified by Internal Audit in 15/16.
Objectives: Provide assurance over the effectiveness of the procurement processes.
Watch List
Ref G | Business Planning and Investment | Period: N/A
Rationale: The risk of taking sub-optimal investment decisions is a top one. There are currently a high number of investment initiatives and changes across the business. Effective processes are required to support both sound investment planning and delivery.
Objectives: Assess the adequacy of monitoring controls surrounding Business Planning and Investment processes (focusing on: i. Non-Transformation investment and ii. "other business investments").
Alisdair Cameron (IT)
Ref 1 | Identity and Access Management (Joiners, Movers, Leavers) | Period: Q1
Rationale: Gaps in the identity and access management (IAM) processes have been identified by external and internal audit in recent years. A new IAM process will be deployed with the implementation of the EUC tower.
Objectives: Review the end to end identity and access management processes, including the joiners, movers and leavers process (employees and contractors) defined by the business.
Ref 2 | IT & Operations Governance and IT Risk Management | Period: Q1
Rationale: In supporting the PO strategy, IT adopted the SIAM (service integrator and management) model for its services, which requires a clear governance structure and effective risk management on the PO side to ensure desired objectives and benefits are achieved.
Objectives: Review the IT & Operations organisation structure and defined processes to ensure IT risks are managed and the Service Integrator and Management model is adequately governed.
Ref 5 | IT Disaster Recovery and Resilience | Period: Q2
Rationale: Continuity and availability of systems (infrastructure, applications) is critical to customer services.
Objectives: Review PO service (application and infrastructure) agreements and processes in place to ensure continuity and availability of service is guaranteed. Assess the links between DRP and BCP and crisis management processes.
Ref 11 | IT Third Party Management | Period: Q4
Rationale: The IT & Operations organisation set up a new Vendor Management team from 2016. This model requires clear definition of roles and responsibilities and clear assurance processes between PO, Atos and the other suppliers.
Objectives: Review the controls and processes defined by the IT & Operations Vendor Management team and more widely within the IT & Operations organisation to ensure the IT supply chain is effectively managed according to contracts.
Jane MacLeod
Ref 9B | Business Continuity - PO | Period: Q3
Rationale: Ensuring continuity of customer service is a critical aspect of the PO business. A new BC process was developed in 2015. Links to the IT Disaster Recovery review planned for 2016.
Objectives: Review design and effectiveness of the Business Continuity Processes across PO operations. Ensure PO has adequate DRP agreements with IT suppliers and that links to PO BCP and crisis management are considered within those agreements.
Watch List
Ref F | Cyber Security | Period: N/A
Rationale: PO business is becoming increasingly digital and the cyber threats are increasing.
Objectives: Review and assess the cyber risks and the controls designed and implemented to protect PO from cyber-attacks.
Appendix 2 - by Risk Universe Categories and Business Areas
[Diagram: proposed reviews plotted by Risk Universe Category (legible axis labels: External/Strategic risk, Financial risks, Regulatory risks) against Business Area, with timing of reviews indicated. Remaining labels are not legible in the scan.]
POST OFFICE BOARD
AUDIT RISK AND COMPLIANCE COMMITTEE
MEETING
AML and CTF Risk Update
Author: John Scott Sponsor: Jane MacLeod Meeting date: 17th March 2016
Executive Summary
Context
• During 2015 a review of Post Office's Anti Money Laundering (AML) and Counter
Terrorist Financing (CTF) Framework was commissioned from external
consultants (Promontory). This was completed in December 2015 and delivered
in February 2016. The report highlights a significant number of areas for
improvement. Coincidentally in February 2016 HMRC advised Post Office that it
would undertake an AML/CTF compliance audit.
• This paper updates the Committee on the scope of these two activities and the
work being undertaken to address issues.
Questions this paper addresses
1. What are the AML/CTF risks for Post Office?
2. What are the key recommendations of the Promontory report?
3. What is Post Office's response to the Promontory report and the HMRC audit?
Conclusion
AML/CTF Risks
1. Post Office is regulated by HMRC for (i) bureau de change (walk in on demand,
buy back and branch pre order), (ii) third party cheque encashment, and (iii) bill
payments. AML Regulations require a series of mandatory activities such as
Customer Due Diligence checks and completing and filing suspicious activity
reports, with risk based activities such as staff vetting, training, risk based
monitoring of activities, and controls built into the design of products.
2. The products and services which are assessed to carry the greatest risk are
bureau de change, cheque encashment, MoneyGram, personal & business
banking and services provided to third party money bureau services by Supply
Chain.
3. Additionally, there are a number of products and services (particularly with Bol,
Partner Banks, FRES and MoneyGram) where Post Office is not directly regulated,
but has an obligation to ensure that AML/CTF controls are in place.
4. A number of potential non-conformances in the Network were identified in the
last 12 months. Additionally we are aware that law enforcement services are
investigating a number of MSB clients for suspected AML/CTF breaches.
5. We have recently been advised by HMRC that they propose to conduct an
AML/CTF compliance audit on Post Office. This audit will be conducted over a 9
month period and will require the supply of significant amounts of documentation,
interviews with relevant staff as well as managing visits to over 150 branches
including Crowns, multiples, and agency branches.
6. Receiving less than 'satisfactory' audit findings may have potentially material
adverse impacts on relevant business activities, as well as creating issues with
stakeholders such as HMRC, Treasury, BIS and the FCA (as the regulator for both
POMS and Payment Systems); and will also be of concern for Post Office's
principals (Bank of Ireland and POMS), financial services clients including under
the Banking Services Framework, and also for the ultimate provider of the POCA
Banking Services.
What are the key recommendations of the Promontory Report
7. The Promontory report made 59 recommendations in a number of key areas
which are further described in this paper. These include governance oversight,
policies and procedures, resourcing and MI.
What is Post Office’s response to the Promontory Report and the HMRC
Audit?
8. Post Office accepts these recommendations and we are currently developing a
plan to assess and implement the recommendations. Details of the plan and
observations of issues arising under the compliance audit will be reported
regularly to the ARC.
9. Implementation of the recommendations will require resource, systems and data
and this work cannot be absorbed into the current Financial Crime team resource.
We are therefore establishing a project to manage the implementation of the
Promontory recommendations and respond to, and manage the requirements of
the HMRC Audit.
Input Sought
10. Re-affirm the Board’s Risk appetite in relation to AML/CTF (regulatory) risks as
averse.
The Report
What are the AML/CTF risks for Post Office?
11. Post Office is regulated by HMRC for Money Service Business (MSB) specifically
bureau de change, third party cheque encashment and bill payments. This
requires a series of mandatory activities such as Customer Due Diligence checks,
completing and filing suspicious activity reports, risk based activities such as staff
vetting, training, risk based monitoring of transactions and activities, and controls
built into the design of products.
12. Those products and services which carry the greatest risk are bureau de change,
cheque encashment, MoneyGram, personal & business banking and services
provided to third party MSBs by Supply Chain.
13. Post Office operates under Appointed Representative (AR) agreements with Bank
of Ireland and Post Office Management Services Limited (POMS) for several
regulated products and services, and has a number of partnerships and strategic
distribution alliances with suppliers including GVS Prepaid Limited and First Rate
Exchange Services Limited (FRES). These are directly supervised by a
combination of FCA, PRA and HMRC. Post Office’s AML/CTF responsibilities for
these products and services are limited but there is an obligation to ensure that
Post Office is not used as a conduit for money laundering or terrorist financing, a
requirement to report suspicious activities, provide appropriate AML/CTF training
for relevant individuals, and maintain adequate transaction records.
Background to the Promontory Report
14. The incoming MLRO conducted an internal review in the first half of 2015 which
identified, among other findings, weaknesses and deficiencies in the knowledge
and application of Post Office’s regulatory responsibilities, poor access to the data
and MI required to support AML/CTF monitoring requirements, and insufficient
liaison with key clients and suppliers. Contemporaneously we suspected high
levels of non-conformance across Post Office counters and became aware, in
conjunction with law enforcement agencies, of significant money laundering
activities by Supply Chain customers.
15. In addition, the requirements of the 4th Money Laundering Directive will be
introduced in the UK within the next 18 months and will require significant
changes for Post Office.
16. Accordingly, I commissioned Promontory to review Post Office’s framework and
controls as applied to anti-money laundering and counter-terrorist financing
activities. The final report was delivered in February 2016 and identified a
number of controls and activities that need to be introduced to ensure that our
regulatory obligations are met as well as ensuring that we would be best placed
to meet the requirements of the 4th Money Laundering Directive. A copy of the
Promontory report is available on request.
Strictly Confidential ARC 17 March 2016
POL-BSFF-0078725_0066
Promontory recommendations
17. Promontory’s review includes 59 recommendations and highlights a number of
key areas that require enhancement; in particular:
• Board, GE and R&CC accountability and oversight;
• Requirements for improvement in Post Office AML/CTF policy;
• Improved governance, MI and reporting;
• Enhanced risk assessment and awareness both across the Post Office and at
specific product and service level;
• Better recording of risk decisions;
• Improved policies and procedures across the business that impact AML/CTF
regulatory activities;
• Development of AML/CTF transaction and non-conformance monitoring at
customer and product level;
• Enhanced training, awareness and communication across the business;
• Improvements in the suspicious activity reporting (‘SARs’) processes;
• Other system improvements; and
• Supply Chain due diligence and monitoring.
18. Additionally, the Security team have identified that Politically Exposed Persons
and Sanctions screening had not previously been identified as a requirement for
Supply Chain Money Service Business clients (MSBs). The contracts currently in
place for MSB clients also need to be reviewed and updated, as they do not
include specific regulatory obligations.
HMRC Compliance Audit
19. In February 2016 we were advised by our regulator (HMRC) that they will be
undertaking regulatory supervision of Post Office during 2016. This audit will
include a review of all back office regulatory activity as well as visits to branches
to test compliance (number yet to be ascertained but potentially 100-200).
HMRC have advised that as one of the top 3 regulators within the UK, they expect
to be subject to forensic audit by FATF¹ as part of their UK audit in 2018. HMRC
advise that by most metrics (financial, branch, people, complexity), Post Office
is the largest and most key organisation that they supervise. HMRC therefore
expect that FATF will audit HMRC’s supervision of the Post Office. Accordingly
the current audit is part of HMRC’s own preparation for the FATF review.
20. As part of the review HMRC has already identified that our processes for ensuring
that new branches are pre-registered with HMRC prior to opening are flawed, and
we are therefore liable to correct the under-reporting and pay outstanding
registration fees.
¹ The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 to
set standards and promote effective implementation of legal, regulatory and operational
measures for combating money laundering, terrorist financing and other related threats to the
integrity of the international financial system.
What is Post Office’s response?
21. Post Office currently does not have the internal resources to address either the
Promontory findings or respond to the audit. Accordingly we are setting up a
project and will contract with the necessary specialist resource to be able to
address both requirements in parallel over the next 9 months (being the expected
duration of the HMRC audit). A steering committee has been established which I
chair and which includes not only representatives from relevant parts of the
business, but also external financial crime legal specialists. A project manager
has been appointed and protocols have been agreed to manage the interaction
with HMRC.
22. A comprehensive training, awareness and communication programme around
AML compliance is being implemented, including training of all Post Office
employees for the first time (not just customer facing).
23. We are currently procuring licences to Thomson Reuters Worldcheck to enable
PEPs and Sanctions screening to be undertaken.
24. We are also undertaking a review across the branch network to confirm the gaps
in registration so as to ensure that we can correctly register all branches as
quickly as possible and remediate the registration fee issue. There is also a
reasonable risk that we will be fined for historic non-compliance.
What are the possible outcomes?
25. Banking clients are under increased regulatory supervision in relation to
AML/CTF, and under the new Partner Banking Framework, there is more focus on
Post Office’s AML/CTF activities. Again, they will be concerned to ensure that Post
Office is compliant with its regulatory responsibilities.
26. Post Office understands that it is important that it appropriately implements the
Promontory recommendations and deftly handles the HMRC audit. Any other
outcome is likely to have potentially material adverse impacts on relevant
business activities, as well as creating issues with stakeholders such as HMRC,
Treasury, BIS and the FCA (as the regulator for both POMS and Payment
Systems).
27. Adverse findings would also be of significant concern to both principals (Bank of
Ireland and POMS), our partners under the Banking Services Framework, and
also for the ultimate provider of the POCA Banking Services.
28. In the extreme, this could lead to HMRC fines or HMRC revoking our Money
Service Business registration.
Lessons Learnt — Postmasters’ Compensation
Author: Sharon Bull Sponsor: Al Cameron Date: 17 March 2016
Executive Summary
Context
1. We identified that a provision for compensation for Sub-Postmasters (SPMs) was understated
in our accounts at September 2014 and March 2015. This was corrected in the interim
accounts as at September 2015. We agreed to provide a summary of the lessons learnt,
including changes to the relevant processes.
Questions this paper addresses
2. The purpose of this paper is to update the ARC on changes that have been implemented. The
specific questions covered in this paper are:
• What were the contributing factors and what changes have been made to the NTP
compensation provision process?
• What are the wider cultural learnings and considerations?
Conclusion
3. The NTP compensation process and controls are much stronger and work is ongoing to
improve them even further.
Input Sought
4. The ARC is asked to note the changes that have been implemented.
The Report
What were the contributing factors and what changes have been made?
5. The main learnings and the steps undertaken to improve the processes are set out below:
Issue: Multiple, unconnected databases were used to store data.
Change: A single database capturing all of the data for each branch has been built and will be
fully operational before year-end.

Issue: Data sources were not cross-checked.
Change: Cross-references have been designed, with each item of data having at least one
point of cross-reference.

Issue: The flow of information was incomplete.
Change: The information flow has been re-designed, with all information passed to both the
network and the finance teams.

Issue: Details of conditional resignations and values, the primary driver of provision, were not
stored in one place.
Change: All CRPs have been captured on a single spreadsheet, supported by monthly sample
testing. From February 2016, all new offer letters are held centrally including indicative
amounts.

Issue: The end-to-end process was not understood.
Change: The process has been documented and is currently under review by the KPMG
controls team.

Issue: Accountabilities for individual process steps and between the different teams were
unclear.
Change: Accountabilities have been agreed for each individual and team and will be included
within objectives for 2016-17.

Issue: Controls were not formally identified, owned or tested.
Change: Controls will be included within the self-assurance and internal audit testing plans for
2016-17.

Issue: The provision and its movements were not reconciled to the underlying activity set or
the forecast of the programme cost.
Change: A full listing has been developed showing the situation of each branch within the NT
journey. This is used to check movements and completeness. The provisions have been agreed
at high level to the overall business case for NT; a branch by branch business case is nearing
completion.

Issue: The external audit did not satisfactorily test the completeness of the provision.
Change: The external audit has been re-designed to ensure adequate testing (see separate
paper).
What are the wider cultural learnings and considerations?
6. Across Finance, we are pursuing an end-to-end programme to improve the control
environment. This is set out in a separate paper, updating the Committee on the progress
made. The intention is that we should have every control that we rely on clearly identified and
owned. Owners will be required to self-assure, at pre-determined intervals, that they have the
evidence the control is working, and this will be supported by Internal Audit testing.
7. For financial reporting, this process will be completed in 2016-17. Decisions can then be made
whether to extend this discipline into other areas of the business.
8. Bonus schemes include the right to claw-back awards in certain circumstances.
Financial Reporting and Controls
Author: Dave Carter Sponsor: Al Cameron Date: 17 March 2016
Executive Summary
Context
1. We agreed to provide an update to each ARC on the plans and progress to create sustainable
controls to support reliable financial reporting.
Questions addressed in this report
2. The questions covered in this paper are:
• What progress has been made?
• What are we doing to provide assurance that we can sign the 2015-16 financial statements?
• What are the longer term plans to create sustainable and reliable financial reporting?
Conclusions and recommendations
3. We have continued to progress the various workstreams as set out in the table in the
main report below.
4. No further issues have been identified, although there is focused activity to review
aspects of income on some government contracts: specific aspects, such as profit
shares, are managed on spreadsheets that have been owned outside of Finance.
5. Plans are in place to ensure we have appropriate support for the 2015-16 financial
statements. A management attestation process has been created and signed off by the
Group Executive. A revised audit plan has been agreed with EY. Both are covered in
separate agenda items at this ARC.
6. Longer term plans to develop a sustainable control environment in 2016-17 are on
track.
Input Sought
7. The ARC is asked to comment on the progress and plans.
The Report
Progress and Plan
8. Details of the progress and plans are set out below:

Workstream: Governance
Progress since January: The weekly control meetings are embedded operationally.
Plans to support the 2015-16 year-end: Continue.
Plans to support the 2016-17 year-end: Continue until BAU.

Workstream: Structure and Accountabilities
Progress since January: The core role changes have been agreed with individuals and are fully
operational. More junior role accountabilities have been agreed.
Plans to support the 2015-16 year-end: The role changes will be embedded as part of the
consultation process expected to start in early April.

Workstream: Systems
Progress since January: New BI architecture has been delivered, reducing complexity and the
need for manual intervention. Balance sheet reporting update completed, P&L underway.
Plans to support the 2015-16 year-end: New income, expenditure and spend reporting will be
reconciled at end March and will fully replace current reporting from end April.
Plans to support the 2016-17 year-end: Progressively replace income spreadsheets with
embedded system capability. Re-plan the core CFS architecture to enable product and channel
reporting from the systems.

Workstream: Controls
Progress since January: Phase 1 complete, subject to final review and sign off - gap analysis
over Fixed Assets, Project [illegible], Bill to Cash and Record to Report.
Plans to support the 2015-16 year-end: Phase 2 complete - gap analysis on payroll, treasury,
settlement, control environment completed. Phase 3 started - gap analysis on purchase to pay
and taxation.
Plans to support the 2016-17 year-end: Phase 3 complete. Remediation of control gaps.

Workstream: Income
Progress since January: The ability to reconcile income for each product from source systems
to the financial reporting has been demonstrated and the method proven.
Plans to support the 2015-16 year-end: Complete the reconciliation for Periods 1-10 YTD for
both volumes and values, extending the volume analysis to reconcile with client settlement and
comparing the terms to the contracts.
Plans to support the 2016-17 year-end: Consider the need to repeat.

Workstream: Postmasters’ Compensation
Progress since January: Further planned controls have been implemented.
Plans to support the 2015-16 year-end: Review and test.

Workstream: Balance Sheet
Progress since January: The financial reporting risk has been assessed for each balance sheet
account and actions agreed to mitigate it. Open purchase orders have been reviewed and
cleared.
Plans to support the 2015-16 year-end: Deliver the required actions, including substantial post
balance sheet event testing.

Workstream: Self-certification
Progress since January: Management attestation process has been agreed.
Plans to support the 2015-16 year-end: Management attestation process implemented.
Plans to support the 2016-17 year-end: Self-assurance software implemented. Self-assurance
required over every financial control at regular intervals.

Workstream: Assurance
Progress since January: External Audit re-plan agreed.
Plans to support the 2015-16 year-end: External audit undertaken.
Plans to support the 2016-17 year-end: Internal Audit testing of self-assurance.
Post Office Limited
Planning Audit Report to
the Audit and Risk
Committee
for the 52 weeks ending 27 March 2016
17 March 2016
EY
Building a better
working world
Confidential - all rights reserved
© EY 2013
Ernst & Young LLP
1 More London Place
London
SE1 2AF
Private and confidential
Audit and Risk Committee
Post Office Limited
20 Finsbury Street
London
EC2Y 9AQ
Dear Members of the Audit and Risk Committee
Audit Planning Report
17 March 2016
We are pleased to attach our updated audit planning report for the forthcoming meeting of the Audit Committee,
in which we outline our audit approach to consider all relevant emerging business and financial statement risks
which could materially affect the consolidated financial statements of Post Office Limited (‘POL’).
The purpose of this report is to provide the Audit and Risk Committee with a basis to review our proposed audit
approach and scope for the audit, in accordance with the requirements of the auditing standards and other
professional requirements, but also to ensure that our audit is aligned with the Audit and Risk Committee's service
expectations.
The audit is designed to express an opinion on the consolidated financial statements of POL for the 52 weeks
ending 27 March 2016. This report summarises our assessment of the key issues which drive the development of
an effective audit for POL.
This report is intended solely for the information and use of the Audit Committee, Board of Directors and
management, and is not intended to be and should not be used by anyone other than these specified parties.
We welcome the opportunity to discuss this report with you on 17 March 2016 as well as understand whether
there are other matters which you consider may influence our audit.
Yours faithfully
Peter Mclver
Engagement Partner
For and on behalf of Ernst & Young LLP
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with
registered number OC300001 and is a member firm of Ernst & Young Global Limited. A list of members’
names is available for inspection at 1 More London Place, London SE1 2AF, the firm’s principal place of
business and registered office.
The contents of this report are subject to the terms and conditions of our
appointment as set out in our engagement letter of 22/01/2016.
This report is made solely to the Audit Committee, Board of Directors and
management of Post Office Limited in accordance with our engagement letter. Our
work has been undertaken so that we might state to the Audit Committee, Board
of Directors and management of Post Office Limited those matters we are
required to state to them in this report and for no other purpose. To the fullest
extent permitted by law we do not accept or assume responsibility to anyone
other than the Audit and Risk Committee, Board of Directors and management of
Post Office Limited for this report or for the opinions we have formed. It should
not be provided to any third-party without our prior written consent.
Contents
Overview of the audit strategy
Risk based approach
Areas of audit emphasis
Controls based audit
Audit scope and execution
Service delivery
Appendices
A Nature of substantive audit procedures
B Audit fees
C Independence report
D Required communications with the Audit and Risk Committee
00 Overview of audit strategy
Overview of 2015/16 audit strategy
Audit risks
Our risk assessment is based on our understanding of your business risks and how they impact the consolidated
financial statements. For our 2015/16 audit the key risks, which are described further in Section 2 are as follows:
» Risk: Postmasters compensation provision is not complete because the underlying records of
agreements with postmasters, on which the provision is based, are incomplete.
Changes from prior year: Given the historical data integrity issues associated with the provisioning
process and the assumptions embedded in the calculations (success rates on finding replacement
postmasters, and conversion anniversary payment instances and amounts), we deem this an ongoing
area of audit focus. The risk is highlighted following last year’s restatement.

» Risk: Revenue recognition across a diverse range of revenue streams.
Changes from prior year: No change from prior year; still considered a significant risk in the current audit.

» Risk: Classification and completeness of exceptional items and utilisation of Government Grant.
Changes from prior year: In the prior year we had an associated risk of exceptional items primarily with
classification only. In the current year we have associated risk against completeness and existence to
broaden our area of focus.

» Risk: Risk of management override around estimates and judgements*. In particular we note that
Management makes critical estimates and judgements in the following areas:
+ Classification of exceptionals;
+ Revenue recognition;
+ Provisions;
+ Pension assumptions; and
+ The appropriateness of Management’s impairment policy as it becomes more likely that Post Office
will be cash generative without reliance on government grants.
Changes from prior year: No change from prior year; still considered a significant risk in the current audit.

» Risk: Pension valuation and accounting.
Changes from prior year: No change from prior year; still considered an inherent risk in the current audit.

» Risk: VAT accounting.
Changes from prior year: No change from prior year; still considered an inherent risk in the current year.

» Risk: Horizon Subpostmasters claim.
Changes from prior year: No change from prior year; still considered an inherent risk in the current year.

» Risk: IT and SAP CFS (Core Finance System).
Changes from prior year: No change from prior year; still considered an inherent risk in the current year.
Our audit focus changes from the migration of ESFS to CFS in the prior year to the overall IT control
environment and processing that impacts the financial statements.

*Fraud risk as defined by auditing standards and professional judgment
Our audit approach is designed to appropriately respond to the above risks. We will continue to focus on the key
areas where we believe there is higher inherent risk to the integrity of the financial statements due to the nature
and level of change and judgement involved. We will also consider changes in financial reporting standards and
regulations and their impact on the presentation and disclosures in the financial statements.
Overview of 2015/16 audit strategy (cont’d)
Materiality
For the purposes of determining whether the accounts are free from material error, we define materiality as the
magnitude of a misstatement that could reasonably be expected to influence the economic decisions of the users
of the financial statements. Materiality has been set at £10.8m, which represents 1% of the 2015/16 forecast
revenue. Based on our risk assessment and consideration of POL’s control environment, we have determined
that performance materiality should be set at 50% of our materiality for the group (in the prior year and
historically this has been set at 75%). Performance materiality is the application of materiality at an individual
account or balance level and is set to reduce to an appropriately low level the probability that the aggregate of
uncorrected and undetected misstatements exceeds materiality.
Our assessment requires professional judgement and takes into account qualitative as well as quantitative
considerations. We would be happy to discuss with you your expectations regarding our detection of
misstatements in the financial statements.
We will report all individual uncorrected audit differences over £542,000.
Audit scope
POL's consolidation is made up of three reporting units; the Post Office Limited parent entity (which contains the
majority of transactions), the POL joint venture First Rate Exchange Services (‘FRES’) and Post Office Management
Services Limited (“POMS”), a fully owned subsidiary of POL incorporated on 25 March 2013 which commenced
trading on 1 December 2014 and which we will cover in our audit for the first time as its initial audit.
Through on-site work we will cover 100% of the Group’s revenue, total assets and profit before tax, as a full
scope audit is expected for all components of the Group.
We have specifically considered the scope of our audit in response to the risks identified above, which has
determined the components in which we perform our work and the extent of our procedures in these areas.
Section 4 provides an overview of the nature of our planned involvement in the work to be performed by the
component auditors of significant reporting units.
01 Risk-based audit approach
Our understanding of which risks impact the financial statements and drive where we focus our audit effort
Risk based approach
The table below is a summary of POL'‘s risk universe obtained from POL's Risk and Assurance team:
POL’S RISK UNIVERSE
» Market dynamics
» Stakeholder Relations/Alignment
» Governance and Management
» Planning and Resource Allocation
» Strategic Investments
» Strategic Alignment
» Project Planning
» Resource
» Benefit Realisation
» Change Management (complexity and capability)
» Commercial
» Network and Sales
» Financial Services
» End Users
» Marketing
» Information
» Premises (Crown/HO)
» Procurement
» Fraud and Security
» Business Continuity
» Market
» Liquidity and Credit
» Unplanned Costs
» Financial Management
» Regulatory Compliance
» Legal
» Accounting and Reporting
» Taxation
We have considered the above risks in our identification of significant and other financial statement risks and have
identified the following areas where there is a higher risk of material misstatement:
RISK ASSESSMENT
Postmasters compensation provision is not complete due to the underlying records of agreements with
postmasters, on which the provision is based are incomplete*
Revenue recognition across diverse range of revenue streams*
Classification of exceptional items and utilisation of government grant*
Risk of management override around estimates and judgements*
Pension valuation and accounting
VAT Accounting
Horizon Subpostmasters claim
SAP CFS accounting system
Our audit approach to address these risks and other areas of audit emphasis is included in pages 10 to 16 of this
report.
*Significant risk as defined by auditing standards and professional judgment
Risk based approach (cont’d)
Once we have identified those risks that could impact POL's financial statements, we evaluate both the magnitude of
any potential misstatements and the probability of occurrence as demonstrated on the chart below.
Of the risks identified, we consider some of them to be significant to our audit and these require special audit
consideration. Auditing standards define significant risks as those with a high likelihood of occurrence and, if they
were to occur, could result in a material misstatement of the consolidated financial statements and are
demonstrated in the shaded area in the top right of the chart below.
Once identified, we are required by auditing standards to perform specific procedures over significant risks;
including the identification and assessment of controls that address the risk.
[Chart: likelihood of occurrence (horizontal axis, lower to higher) plotted against financial impact (vertical axis, lower to higher); significant risks sit in the shaded top-right area.]
02 Areas of audit emphasis
How we form an opinion on the Group’s consolidated financial statements
Areas of audit emphasis
Significant risks
Significant risks are risks with both a higher likelihood of occurrence and a higher magnitude of effect that
require special audit considerations. The risks we have identified as significant risks are detailed below, along
with how we propose to address those risks.
Postmasters compensation provision
The Postmasters compensation provision is a key area which carries a material level of reporting risk. There is
a risk that the postmasters compensation provision is not complete due to the underlying records of
agreements with postmasters, on which the provision is based, being incomplete.
Given the historical data integrity issues associated with the provisioning process, and the assumptions
embedded in the calculations (success rates on finding replacement postmasters, and conversion anniversary
payment instances and amounts), in the current year we deem this an area of significant audit focus.
Further, in preparing the financial statements for the current year, the comparative figures for the year ended
29 March 2015 will be restated as reported in the 27 September 2015 interim financial statements.
For the above reasons this is an area of audit emphasis, as it will be important to ensure that the provision has
been appropriately monitored and adjusted throughout the year so that at the year end it is complete and
accurate.
> We will perform an independent reconciliation of the total branches as well as an analysis of their data and
status at 27 March 2016. We will compare this to management’s results and use this to identify anomalies and
challenge the provision analysis provided by Management. To ensure that every branch in the Post Office
Network is classified correctly we will independently categorise each branch into their categories at 27 March
2016, based on their individual attributes, and we will challenge POL’s assessment by comparing results.
> Our sample based testing will include checking the attributes and classification of the branches in the
network. This will be done by checking signed contracts (where applicable) and ensuring that, where a
provision is applicable, it has been recognised in the correct period by obtaining the signed contracts and
checking the dates of the signed agreements. We will also ensure that branches selected for testing are not
duplicated in any other category. If our sample identifies unusual items or categories, these will be
communicated to POL and investigated and adjusted where necessary.
> To check the validity and accuracy of POL’s records we will undertake sample based testing on the
Conditional Resignation Pack (CRP) contracts and check dates for correct cut off and sign off. We will also
trace the contracted amounts of these CRPs per POL’s records to the payment listing and bank statements,
showing the amount being settled post year end.
> We will perform an unrecorded liabilities test by reviewing all cash payments made to postmasters in the
months subsequent to the year end (up until the date of signing the financial statements). We will
independently sample selected payments and vouch to actual bank statements, and also ensure that the
provision is accrued in the correct period.
> To further gain assurance on the completeness of the provision at the balance sheet date, we will perform a
reasonableness test on each category of the postmasters’ compensation elements by comparing costs
incurred to date against budgeted costs and estimated costs to complete for the various programmes. This
will involve understanding the number of open projects and how the estimated costs to complete are
computed, and corroborating this to tests performed on the branch reconciliation.
> We will discuss with management the progress they have made since interim in their plans for implementing
a formal policy of procedures and controls for the postmasters compensation process, assess the new
controls and check those implemented by management to address the risks around completeness of the
provision, and carry out additional testing where appropriate.
Areas of audit emphasis (cont’d)
Revenue recognition across diverse range of revenue streams
POL sells a wide variety of products/services across a number of distribution
channels, from providing ATM services through the Bank of Ireland
arrangements, to providing telephony broadband services under POL's
Homephone brand. These revenue streams will have their own specific rates,
commissions and calculations for allocating the amount of revenue owing to Post
Office, which are dependent on their underlying contracts.
Whilst we note that most of the revenue lines are not overly complex in their
revenue calculations, the main risk associated with the diverse range of revenue
streams is in the correct contractual terms being applied to the revenue lines and
inputs from third parties.
We also note that reward and incentive schemes are based on achieving profit
targets which may also place undue pressure on Management to achieve revenue
forecasts, which makes us identify revenue recognition as a fraud risk.
> We will perform detailed controls work on
revenue during the year, which will include
testing whether the revenue lines selected are
using the correct contractual rates and volumes
data in their calculations.
> We will perform detailed testing on revenue.
Our detailed tests will include checking that
revenue rates and commissions for each
revenue line are being appropriately applied in
accordance with the terms of the relevant
sales contracts. Where a revenue estimate is
made for a revenue line for a month prior to
actual sales volumes and billing reports being
available, we will check that an adjustment is
subsequently posted in order to adjust the
estimated revenue figure to reflect the actual
sales for all reporting periods.
> We will perform a detailed analytical review to
analyse and evaluate the movements in the key
revenue lines across the business using full
population of data extracted from the system.
> We will examine the fluctuations of revenue
against budget and prior year by corroborating
variances to the relevant evidence obtained
through our other testing procedures. In
addition, where appropriate , we will
corroborate management's explanations for
movernents using our knowledge of
developments in the industry and business.
» For significant new products or revenue
streams, we will review the accounting
treatment in line with the revenue recognition
accounting standard and relevant contractual
terms.
» To ensure that revenue has been included in
the correct period, in addition to the
procedures above, we will perform detailed
cut-off procedures over revenue postings
before and after period end, and check that
the amounts recognised as revenue are
appropriate, and that they have been
correctly recognised in trade debtors,
accrued revenue or deferred revenue in the
appropriate period.
> We will assess the risks around Management's
use of third party data and Management's
oversight of this data and carry out additional
testing where appropriate. Where manual
spreadsheets are used to compute revenue
we will test the integrity of the spreadsheets.
Areas of audit emphasis (cont'd)
Classification and completeness of exceptional items and utilisation of Government Grants
POL has been executing a Network Transformation across its network in order to modernise it as part of the overall strategy to make the Post Office competitive for the future. This one-off programme is expected to continue until FY2017-18. Management note that the costs of Network Transformation are exceptional in nature given that a branch modernisation programme of this scale has not been carried out before. As such, management believe this requires separate presentation on the face of the income statement to allow a better understanding of financial performance in the year.
In addition, the Department of Business, Innovation & Skills ('BIS') provides a government grant to POL to subsidise network transformation expenditure, agents compensation and related capital expenditure. POL offsets this government grant against the related expenses in the exceptionals section of their P&L, in line with IAS 20 Government Grants.
Network Transformation related costs make up the largest element of exceptional costs in the income statement.
Risks include:
> The agents compensation charge is not complete because the underlying records of agreements with postmasters, on which this charge is based, are incomplete;
> Costs are provided for before or after they have been committed and are recognised in the incorrect period; and
> Other costs not associated with the Network Transformation are inappropriately included within this category and reported outside trading profit.
> We will confirm receipt of the Government Grant and review any updates to the terms and conditions of the funding agreement.
> We will revisit the appropriateness of classifying such costs as exceptional, and make inquiries of management to understand how these costs are distinguished from normal operating costs, and the nature of the costs classified as exceptional costs.
> We will review management's monitoring process for being able to differentiate between Network Transformation costs and normal operating costs, and assess whether it captures the appropriate information and detail to track these costs.
> We will understand and document management's process for ensuring completeness of the exceptional items expensed in the year, including life to date reconciliations over the full branch portfolio for agent compensation and transformation provisions.
> To gain assurance on the completeness of the exceptional items we will perform a reasonability test on each category of exceptional items by comparing costs incurred to expected costs and against budgeted costs and estimated costs to complete the various programmes. This will involve understanding the number of open projects and how the estimated costs to complete are computed.
> We will review the detail of the costs provided and establish when the committed obligation arose to assess whether the cost has been recorded in the appropriate period.
> The costs included will be reviewed to understand whether they are directly linked to the Network Transformation, appropriately included within this category and reported outside trading profit, and meet the requirement under IAS 1 to be presented as exceptional costs in the financial statements. We will review and challenge whether the costs should be recognised within exceptional items or not.
Areas of audit emphasis (cont'd)
Risk of management override around estimates and judgements
We have identified management override around estimates and judgements as a significant risk and a fraud risk. In particular we note that Management makes critical estimates and judgements in the following areas:
> Classification of exceptionals;
> Revenue recognition;
> Provisions;
> Pension assumptions; and
> The appropriateness of Management's impairment policy as it becomes more likely that Post Office will be cash generative without reliance on government grants.
These areas involve a level of Management judgement, and thus give rise to the risk that some transactions may be inappropriately accounted for.
> We will focus our audit procedures on performing tests on the appropriateness of journal entries and other adjustments made in the areas identified, giving specific consideration to evaluating and corroborating the business rationale for significant unusual transactions around business estimates and judgements.
(i) We will develop a journal entry approach specific to management override over classification of exceptionals and revenue recognition; this will include:
> Testing material manual journals posted to revenue accounts which are not posted as part of the routine financial statement close process (FSCP), journals posted by personnel who do not normally post journal entries, and journal entries with descriptions which may indicate they were made on the instruction of senior finance team members;
> Testing transfer journals from business as usual cost centres into exceptional cost centres;
> Testing journals with reference to business as usual activities but included in exceptionals;
> Testing large journal postings around the year end that are outside of our expectations and/or out of the ordinary course of business;
> Testing material manual journals charged and released to the provision accounts (that are outside our expectations).
(ii) Our journal entry approach specific to management override over provisions will include:
> Testing material manual journals charged and released to the provision accounts (that are outside our expectations);
> Testing manual journals which are not posted as part of the routine financial statement close process; and
> Testing of journal entries with reference to wording that appears outside the ordinary course of business.
(iii) We will perform testing on the appropriateness of journal entries and other adjustments made in the preparation of the financial statements.
(iv) We will review accounting estimates used in provisions for evidence of management bias.
(v) For all significant new provisions and exceptionals we will review whether they have been appropriately identified and meet the requirements of IAS 37 and IAS 1 respectively.
(vi) In addition to the above we will focus on evaluating the business rationale for significant unusual transactions around estimates and judgements.
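The journal-entry screening criteria listed above can be expressed as explicit rules run over the full journal population, which is how such tests are usually automated. The block below is an added illustration, not EY's or POL's tooling: it assumes a simple journal record layout, treats users with fewer than three manual postings in the year as "personnel who do not normally post", uses constructed account and cost-centre codes, and uses the plan's £542,000 reporting threshold as the "material" screen.

```python
"""Rule-based screening of manual journals for management-override indicators.

Added example (not the audit plan's or EY's code). The field layout, account
and cost-centre codes, the instruction keywords and the numeric thresholds
other than the reporting threshold are assumptions for illustration.
"""
from collections import Counter
from datetime import date

# Constructed chart-of-accounts ranges (assumption, not POL's real codes).
REVENUE_ACCOUNTS = {"4000", "4010", "4020"}
PROVISION_ACCOUNTS = {"2900", "2910"}
BAU_COST_CENTRES = {"CC100", "CC110"}          # business-as-usual
EXCEPTIONAL_COST_CENTRES = {"CC900"}           # e.g. Network Transformation

MATERIAL_GBP = 542_000        # reporting threshold quoted in the plan, used as screen
YEAR_END = date(2016, 3, 27)  # period end stated in the plan
YEAR_END_WINDOW_DAYS = 14     # assumption: what counts as "around the year end"
LARGE_GBP = 2_000_000         # assumption: "large" posting for the year-end test
ROUTINE_POSTER_MIN = 3        # assumption: fewer manual postings => non-routine user
INSTRUCTION_WORDS = ("per cfo", "per fd", "as instructed", "management adjustment")


def routine_posters(journals):
    """Users who normally post manual journals (>= ROUTINE_POSTER_MIN in the year)."""
    counts = Counter(j["user"] for j in journals if j["manual"])
    return {user for user, n in counts.items() if n >= ROUTINE_POSTER_MIN}


def screen_journal(j, regulars):
    """Return the names of the rules a single journal trips (empty list = clean)."""
    flags = []
    amount = abs(j["amount"])
    near_year_end = abs((j["date"] - YEAR_END).days) <= YEAR_END_WINDOW_DAYS
    desc = j["description"].lower()
    # (i) material manual journals to revenue accounts outside the routine FSCP
    if j["manual"] and not j["fscp"] and j["account"] in REVENUE_ACCOUNTS and amount >= MATERIAL_GBP:
        flags.append("material manual revenue journal outside FSCP")
    # (i) journals posted by personnel who do not normally post journal entries
    if j["manual"] and j["user"] not in regulars:
        flags.append("posted by non-routine user")
    # (i) descriptions suggesting posting on instruction of senior finance staff
    if any(word in desc for word in INSTRUCTION_WORDS):
        flags.append("description suggests senior instruction")
    # (i) transfers from business-as-usual cost centres into exceptional cost centres
    if j.get("from_cc") in BAU_COST_CENTRES and j.get("to_cc") in EXCEPTIONAL_COST_CENTRES:
        flags.append("BAU to exceptional cost centre transfer")
    # (i) large postings around the year end (manual or automated)
    if near_year_end and amount >= LARGE_GBP:
        flags.append("large posting around year end")
    # (i)/(ii) material manual journals charged or released to provision accounts
    if j["manual"] and j["account"] in PROVISION_ACCOUNTS and amount >= MATERIAL_GBP:
        flags.append("material manual provision journal")
    return flags


def screen_population(journals):
    """Map journal id -> list of tripped rules for the whole population."""
    regulars = routine_posters(journals)
    return {j["id"]: screen_journal(j, regulars) for j in journals}


def flagged_ids(journals):
    """Sorted ids of journals that trip at least one rule."""
    return sorted(jid for jid, flags in screen_population(journals).items() if flags)


# Constructed sample population (not real POL data).
SAMPLE = [
    {"id": "J1", "manual": True, "fscp": True, "account": "4000", "amount": 300_000,
     "user": "alice", "date": date(2015, 11, 15), "description": "monthly commission accrual"},
    {"id": "J2", "manual": True, "fscp": True, "account": "4010", "amount": 120_000,
     "user": "alice", "date": date(2015, 12, 15), "description": "monthly commission accrual"},
    {"id": "J3", "manual": True, "fscp": True, "account": "4000", "amount": 150_000,
     "user": "alice", "date": date(2016, 1, 15), "description": "monthly commission accrual"},
    {"id": "J4", "manual": True, "fscp": False, "account": "4000", "amount": 950_000,
     "user": "bob", "date": date(2016, 3, 25), "description": "revenue true-up per CFO"},
    {"id": "J5", "manual": True, "fscp": False, "account": "5100", "amount": 80_000,
     "user": "alice", "date": date(2016, 2, 10), "description": "reclass branch modernisation costs",
     "from_cc": "CC100", "to_cc": "CC900"},
    {"id": "J6", "manual": False, "fscp": False, "account": "4020", "amount": 2_500_000,
     "user": "sys-billing", "date": date(2016, 3, 30), "description": "interface posting billing run"},
    {"id": "J7", "manual": True, "fscp": False, "account": "2900", "amount": 600_000,
     "user": "alice", "date": date(2016, 3, 27), "description": "release network transformation provision"},
]

if __name__ == "__main__":
    for jid, flags in screen_population(SAMPLE).items():
        print(jid, flags or "clean")
```

The rules only select items for follow-up; each flagged journal still needs the corroboration of business rationale that the plan describes.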
Areas of audit emphasis (cont'd)
Other areas of audit emphasis are set out below:
Pension valuation and accounting
Following the implementation of the Pension Solution and the accounting of the transfer of the RMPP, we no longer assess pensions valuation to be a significant risk. However, given that the pension related disclosures may continue to be politically sensitive due to the number of stakeholders involved, including the Government and the Communications Workers Union, we assess pensions as an inherent risk area during the current year audit.
There is risk around judgements made by Management to satisfy themselves that the assumptions used in calculating the pension obligation at the year end are reasonable and the appropriate disclosures are made in consultation with its actuaries.
> We will audit the accounting treatment in line with IAS 19(R) and IAS 1.
> We will review the significant assumptions used in the calculations. This includes meeting with the Company's actuaries and reviewing their key inputs and understanding the methodologies utilised to arrive at key assumptions, such as discount rates, inflation rates and expected rate of return on plan assets. We will involve our own actuarial specialists who are established members of our audit team.
> We will benchmark POL assumptions against peers. We will assess and provide insight into the relative position of the assumptions adopted.
> We will be involving our actuarial specialists to review the note disclosure and communicate best practice to the finance team.
> We will review any changes in terms of pension schemes and the related accounting treatment.
> We will obtain evidence and support for the valuation of pension assets.
Horizon Subpostmasters claim
The ongoing Horizon Subpostmaster claim continues to be an area of judgement in determining potential accounting treatment. To date, no legal claim has been made against POL in the civil courts, and no appeal has been made against any conviction in the criminal courts.
POL's legal position appears not to have changed since the prior year. Management has not been found legally liable to pay out any claims related to the claim to date. Given the media coverage, we will continue to monitor any developments in this matter in FY2015/16 and we assess this to be an inherent risk area during the current audit.
POL's Mediation Scheme aimed at resolving individual non-criminal complaints made by ex-Subpostmasters is ongoing and applications are still being progressed through the Scheme.
> We will challenge Management's conclusion that no provision or contingent liability disclosure is required, based on our enquiries with management and POL's legal counsel, corroborated by our review of information in the public domain and POL's response.
> We will review any updates on the legal advice from Linklaters to ensure that the financial impact of POL's position is correctly accounted for and disclosed in the financial statements.
> We will understand the timeline and the mediation process.
Areas of audit emphasis (cont'd)
VAT Accounting
The POL VAT recovery ("partial exemption") method is a key area which carries a material level of reporting risk.
A new partial exemption method of recovery was agreed with HMRC on 23 July 2014. The new method resulted in a residual VAT recovery percentage of approximately 60%. However, POL continued to apply a provisional recovery rate of 40% throughout FY13/14 and FY14/15 to calculate residual input VAT recovery. This resulted in material VAT recoveries in FY13/14 and FY14/15. During the year management increased the recovery rate applied in the system from 40% to 55%.
For this reason VAT accounting remains an area of audit emphasis, as it will be important to ensure that the assumed VAT recovery rate is appropriately monitored and adjusted throughout the year.
> We will check that the recovery rate applied in the system has been correctly updated by testing a sample of VAT codings in relation to the recovery rate.
> We will examine the VAT records, including the June 2015, September 2015, December 2015 and March 2016 VAT return calculations, submissions and backing documentation to check the calculations are accurate.
> We will review the operation of the VAT partial exemption calculation to check that it is consistent with the method agreed with HMRC. We will also check the annual adjustment based on the application of the VAT partial exemption residual VAT on the FY 15/16 VAT returns.
> We will enquire from the POL VAT team about any complex, unusual or significant transactions that have occurred during FY 15/16 which have a VAT impact, to understand the status of any significant VAT issues, and consider any VAT provisions which have been or should be made by POL. We will review the calculation of any provisions made to check whether they are robust, performing audit procedures wherever necessary.
> We will review any other special VAT agreements with HMRC, including any agreement in relation to alternative evidence for input tax recovery on standard rated supplies from Royal Mail, to check that they have been implemented correctly.
IT audit and SAP CFS (core finance system) post implementation
The following IT applications are in scope for our audit: HNGX, POLSAP, SAP HRP and SAP CFS.
One of the key considerations for the IT audit this year is the completion of POL's separation from RMG, which directly affects the audit approach for the SAP HRP system supporting the payroll for POL employees. The system was operated by RMG until February 2015.
Following the migration of the finance system SAP ESFS to SAP CFS, which went live on 1 September 2014, it will also be important to ensure management is able to fulfil its accounting and reporting obligations using the new system.
> We intend to continue to place reliance on the ISAE 3402 report for the Fujitsu managed systems HNGX and POLSAP.
> No ISAE 3402 report is available for the CGI managed system SAP CFS and we will therefore continue to perform independent testing of IT general controls (ITGCs).
> The 2015-16 audit approach for SAP HRP will be to perform independent testing in relation to both the ITGCs and the transition, including review of the controls over the new hardware platform. We envisage being able to continue to rely on CSC's ISAE 3402 subject to the report having appropriate coverage of the new POL owned SAP HRP environment.
> We will also understand the challenges that Management is facing post implementation of SAP CFS and understand how these have been addressed.
03 Controls based audit
[Figure: layers of control we rely on: entity level controls; risk management functions; business and IT controls]
Underpinning our entire approach is a controls-based audit. We will continue to adopt a controls-based approach, being the most efficient approach to a business with a high volume of low value transactions. In adopting an efficient controls based approach we consider the various layers of assurance and leverage where there is potential to do so. This informs our basis of working with management.
We will seek to place reliance on entity level controls and IT general controls.
> IT systems and applications: we will review the IT general controls built in to POL's core IT applications, together with IT application controls over your critical business processes.
> Entity level controls: we will maximise efficiency by seeking to rely on entity level controls and processes, such as POL's budgeting process.
> We aim to continue to place reliance on the ISAE 3402 report, which opines on the design and operating effectiveness of the controls of POL's third party IT provider Fujitsu.
We will test controls for POL's payroll, network cash, purchase to pay, cash settlement, revenue and fixed assets processes.
As noted in last year's planning report to you, we are aware that the POL finance systems and control environment will continue to change and work is being undertaken by consultants to enhance internal controls and systems. We will communicate to you any significant deficiencies in internal control that we identify and follow up last year's items. We will also provide you with a detailed letter at the end of the audit incorporating certain recommendations for process improvements noted by us in the performance of this year's audit.
Gaining assurance through the control environment
IT Control Planning - Background
IT underpins a significant proportion of POL's transactions. Our audit plan is designed around reliance on certain IT applications and the use of electronic audit evidence.
The following IT applications are in scope for our audit: HNGX, POLSAP, SAP HRP and SAP CFS.
As part of POL's separation from Royal Mail Group (RMG), the IT support arrangements for SAP HRP have transitioned from RMG to POL.
In addition, as a result of the ongoing IT transformation, IT services have started to transition over to the new third party providers and will continue to do so in the coming years.
2015-16 IT Audit Strategy - key considerations
Separation from RMG
> One of the key considerations for the IT audit this year is the completion of POL's separation from RMG, which directly affects the audit approach for the SAP HRP system supporting the payroll for POL employees.
> The system was operated by RMG until February 2015. At that point, POL transferred from an RMG supported environment to a POL owned and supported delivery model, under the 'Safe Haven'. SAP HRP continues to be supported by third party CSC through direct contractual agreements with POL.
> The previous audit approach adopted for this system was based on the audit efficiencies gained from assessing the controls managed by CSC, which are common across RMG's key financial systems. The 2015-16 audit approach will be to perform independent audit procedures in relation to both the ITGCs and the transition, including review of the controls over the new hardware platform. We envisage being able to continue to rely on CSC's ISAE 3402 subject to the report having appropriate coverage of the new POL owned SAP HRP environment.
HNGX and POLSAP
> Our understanding is that POL will again be commissioning an ISAE 3402 report from Fujitsu.
> We plan to continue to place reliance on the ISAE 3402 report to reduce our independent testing.
> The extent of our reliance will be dependent on the opinion expressed in the ISAE 3402 report. We may need to perform additional procedures if the report notes any significant exceptions.
> To support this approach we plan to follow the protocols agreed in prior years by the POL, Fujitsu, EY IT audit and EY ISAE 3402 teams to keep the parties updated with the progress of ISAE 3402 testing.
IT transformation
> POL continues to execute its IT transformation programme, and has already begun to implement the new IT service delivery model; we have been working with POL management to assess its impact on the audit.
> We understand that third party Atos will provide support for the incident management process across in-scope applications.
> Whilst there have been additional IT support service contracts awarded to new suppliers during 2015, the transition will not be fully completed until 2016, and therefore we do not anticipate these transitions to have a significant impact on the 2015-16 audit strategy. As further changes occur we will reassess the impact on our audit strategy.
We outline below an overview of our audit approach broken down by the key stages of the audit.
Processes and controls work
We identify key financial processes and key controls which provide the platform for POL's internal financial control environment. We walk through those key processes and controls end to end to assess whether they have been designed effectively. Where the design is effective and it is practical to do so we then test the implementation of relevant controls to assess whether our preliminary decision to take a controls reliance strategy is still appropriate. Similar to prior year, we will test controls for POL's payroll, network cash, purchase to pay, cash settlement, revenue and fixed assets processes.
IT system and controls testing
In order for us to place reliance on IT controls and reports generated by the key financial IT systems (HNGX, SAP HR, CFS and POLSAP) for our audit, we need to be able to rely on the IT general control environment throughout the whole year. This includes effective controls over access and the ability to make system changes. We plan to perform this testing and issue reliance using our IT specialist team for support.
Data analytics
We plan to use bespoke data analytics tools to form part of our substantive testing in the following financial statement audit areas across the CORE locations:
> General ledger: testing the whole population of data to analyse trends.
> Revenue analytics: testing of the entire population and to analyse trends.
> General journals: testing the entire population to identify potential instances of management override.
Substantive procedures
We design and perform substantive procedures so that the combination of our procedures (including tests of controls) provides sufficient appropriate audit evidence.
> Test of details: these provide direct audit evidence of transactions or balances and include recalculations and obtaining corroborating evidence and external confirmations. (Refer to Appendix A)
> Detailed analytical procedures: provide evidence when applied to large volumes of transactions that tend to be predictable over time.
Audit scope and execution
Our objective is to form an opinion on the group's consolidated financial statements under International Standards on Auditing (UK and Ireland).
POL's consolidation is expected to be made up of three reporting units: the Post Office Limited parent entity (which contains the majority of transactions), the POL joint venture First Rate Exchange Services ('FRES') and Post Office Management Services Limited ("POMS"), a fully owned subsidiary of POL incorporated on 25 March 2013 which commenced trading on 1 December 2014.
The vast majority of the audit work is carried out by the EY team from London, except for the POL joint venture First Rate Exchange Services ('FRES'), which is audited by PricewaterhouseCoopers. FRES is deemed to be a significant reporting unit based on size and will be subject to a full scope audit, covering all significant accounts and processes using materiality levels assigned by EY's POL group team for purposes of the consolidated audit. Procedures are full-scope in nature.
ISA 600 (UK and Ireland) requires that we provide you with an overview of the nature of our planned involvement in the work to be performed by the component auditors of significant reporting units. Our involvement can be summarised as follows:
> We will instruct PricewaterhouseCoopers to report the results of their full scope audit to us, in line with our reporting timetable;
> We will attend the planning event and closing meetings by conference call;
> We will review their work papers relating to the significant audit areas through a site visit from the Group audit team at year end;
> We will obtain a signed memorandum of audit work and conclusions formed; and
> We will receive a signed conclusion opinion.
We set our audit scope to ensure that we are able to perform sufficient work to be able to give an opinion on POL's consolidated financial statements as a whole. We determine the extent of audit work to be performed based on our assessment of the risks of material misstatement (set out in Section 1) and of the materiality of the Group's business operations in that component. We have based our scoping on the latest forecast data provided by management and will recalculate based on the final reported information.
Full scope
> Components deemed significant based on size or pervasive significant risk factors.
> Audit procedures will be performed for Group reporting purposes to the allocated proportion of group performance materiality covering all significant accounts and processes of that component to the group.
> Full scope components will be Post Office Limited (parent entity), First Rate Exchange Services ('FRES') and Post Office Management Services Limited ("POMS").
Statutory scope
> For components that are insignificant to the Group but that require local statutory audits, our teams will perform their audits outside the Group audit cycle and update us at the centre with any significant findings. We perform an annual assessment to review the results of statutory procedures performed and consider their impact on the group financial statements. Statutory scope components will be Post Office Management Services Limited ('POMS').
Materiality
For the purposes of determining whether the accounts are free from material error, we define materiality as the magnitude of an omission or misstatement that, individually or in the aggregate, in light of the surrounding circumstances, could reasonably be expected to influence the economic decisions of the users of the financial statements. Our evaluation of it requires professional judgement and necessarily takes into account qualitative as well as quantitative considerations implicit in the definition.
In determining the basis on which to assess materiality levels, we are required to consider what financial metrics the users of the financial statements focus on and the magnitude of a misstatement that we believe is important to them. We have determined that the most appropriate basis for materiality is revenue, as revenue is used prominently in the entity's communications to the users of the financial reports. This is the most stable indicator of performance based on our knowledge of the entity and is consistent with the prior year basis for materiality. Historically POL has been loss-making when network subsidy payments provided by the government are removed and POL is again forecasting to report a loss before tax for FY15-16, therefore profit is an unsuitable basis for determining materiality.
We have determined materiality to be £10.8m, which is approximately 1% of Revenue. Based on our risk assessment and consideration of POL's control environment, we have determined performance materiality to be set at 50% of our materiality for the group (in the prior year and historically this has been set at 75%). Performance materiality is the application of materiality at an individual account or balance level and is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality. The threshold for reporting corrected and uncorrected audit misstatements to you has been set at £542,000.
05 Service Delivery
Your POL audit team
The POL engagement team is led by Peter McIver, who will be ultimately responsible for all audit-related services provided to POL by EY for the full year audit. Peter has been a Senior Audit Partner in Perth, Australia for ten years and was recruited in 2006 from Deloitte where he was a partner for ten years. Peter will sign the consolidated and parent company Post Office Limited audit opinions and be responsible for oversight of all other statutory and related work.
Peter is supported by Elena Belyaeva as Senior Manager and Mounia Mukina as Manager. We have established our engagement team with the principle of providing the right blend of industry and technical experience to execute the audit and deliver on our commitments to you. We recognise how important continuity of key EY team members is to your organisation.
Specialists & Advisory Partners
As you are aware from prior years, our audit strategy relies significantly on testing IT systems and controls. Denise Fabb (Executive IT Director) will continue to oversee delivery of the IT element of the audit. Our Pension specialists, who have assisted us both at the prior year end and during the current half year, will continue to be headed by Christopher Brown (Pensions Partner). Claire Evans also continues to take responsibility for the audit of POL tax, supported by Susan Lever. Our audit team will also be supported by EY VAT specialists, headed by Audrey Fearing and supported by Stephen Henshaw.
[Figure: engagement team chart: Peter McIver (Group Engagement Partner); Claire Evans (Executive Director); Susan Lever (Senior Manager); Stephen Henshaw (Senior Manager); Elena Belyaeva (Audit Senior Manager); Mounia Mukina (Manager); Pensions Partner, VAT Partner and Information Systems IT Director]
2015-16 EY services
Financial reporting
> Express opinions on, and report to the Audit and Risk Committee the results of, our audits of:
> The consolidated financial statements of Post Office Limited (IFRS) and parent company financial statements (FRS101) for the period ending 27 March 2016.
> Express opinions on, and report to appropriate members of management and the Board of Directors on the results of, our audits of:
> The separate statutory financial statements for subsidiary company Post Office Management Services
> The separate statutory audit of the consolidated financial statements of Postal Services Holdings Company ('PSH') (IFRS) and parent company financial statements (FRS102) for the period ending 27 March 2016.
> The following procedures are required by UK company law:
> Opining on whether the information contained in the Directors' Report is consistent with the financial statements
> Auditing the disclosures that unquoted companies are required to make with respect to directors' remuneration
> Perform a review in accordance with ISRE 2410 "Review of Interim Financial Information Performed by the Independent Auditor of the Entity", on the consolidated half year financial statements of Post Office Limited, prepared in compliance with IAS 34 Interim Financial Reporting.
Internal control communications
> Express our views on control themes and observations, including recommendations for improvements in controls and procedures.
> We will issue a written communication at year end to management and the Audit and Risk Committee describing significant deficiencies and material weaknesses identified during our audit, if any.
> Following the year end audit board results report, we will separately issue a Controls Themes & Observations Report to management describing all deficiencies (not previously communicated to management in writing) in internal control over financial reporting identified during our audit that are of a lesser magnitude than significant deficiencies.
Regulatory audit and other assurance
> In addition to the statutory audit requirements, we are required, as auditors of POL, to perform certain related procedures on a number of reports required by postal regulation and related matters, including:
> Procedures in connection with the Post Office Limited credit facilities from BIS and DVLA motor vehicle license transactions.
> Procedures in connection with the Bank of England Note Circularisation Scheme, which includes an ISAE 3000 Report delivered to POL management and the Bank of England.
Service Delivery
Timetable of communication, insight and deliverables
We set out below a timetable showing the key stages of the audit and the deliverables we have agreed to
provide to you through the 2015-16 audit cycle.
We will provide formal reports to the Audit and Risk Committee at the planning stage and at year end for the
consolidated POL accounts. These reports will incorporate the outputs from our planning review and our year
end audit procedures respectively. From time to time matters may arise that require immediate
communication with the Audit and Risk Committee and we will discuss them with the Audit and Risk
Committee Chairman as appropriate.
Following the conclusion of our audit we will prepare a Control Themes and Observations report for Post
Office Limited, outlining our comments on areas where we believe the Company exposes itself to risk, where
control matters exist or where we believe improvements can be made. This will be circulated to senior
management and to the Audit and Risk Committee in 2016, following the end of the audit. We will also provide
you with real-time control themes and observations as identified throughout the year as appropriate, as well
as practical business insights, updates on corporate governance and regulatory matters through our reporting
to the Audit and Risk Committee.
Agree audit scope/planning
> Agree service commitments
> Develop audit strategy
> Agree audit fees
Interim reviews
> Half year
Process reviews
> Review of key processes
> Controls testing
Year end substantive testing
> Progressive substantive testing
> Year end procedures
> Results report to the audit committee
> Control themes and observations report
Deliverables:
> HY Results Review Report & 2015-16 audit planning
> 2015-16 Revised Audit Planning
> 2015-16 Year-end Results report
> 2015-16 Control Themes & Observations Report
Appendices
Nature of Substantive Audit procedures
Audit fees
Independence report
Required communications with the Audit and Risk Committee
Appendix A
Nature of our Substantive Testing
In this section we address at a high level the nature of the substantive tests which we will perform on significant financial statement line items.
We have designed our substantive procedures so that the combination of our procedures (including tests of
controls) provides sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and
enables us to draw reasonable conclusions on which to base our opinion.
The procedures below are listed in the order of the financial statements:
BALANCE SHEET
Intangible Assets and Property, Plant and Equipment
We will obtain a schedule of tangible and intangible assets, including capitalised leases, and related additions, disposals,
reclassifications and depreciation, depletion and/or amortisation and agree balances to the respective general ledger accounts.
For significant additions (including capitalised labour, borrowing costs and other acceptable costs) and disposals during the period, we
will examine invoices, capital expenditure authorizations, leases and other data that support these additions and disposals.
For all significant additions in the year we will examine and verify evidence to support the existence and ownership of property, plant
and equipment and/or intangible assets.
We will re-perform the depreciation, depletion and amortisation expense with reference to the entity's accounting policies and
applicable financial reporting framework
We will review and examine support for rentals under operating leases and for significant charges to repairs, maintenance and other expense accounts to determine if they should be capitalised or expensed.
We will use the information obtained during the audit to determine whether management has identified appropriate indicators of impairment and verify that appropriate adjustments are made in accordance with the entity's accounting policies and applicable financial reporting framework.
> We will discuss with management the impact on the financial statements and forecasting as it becomes more likely that Post Office will be cash generative without reliance on government grants.
Investment in joint venture
We will verify the existence and ownership of recorded investments through confirmation or, when appropriate, examination of evidence of ownership.
We will inspect financial statements of investees and other evidence of current value, cost or equity amount of investments and test that investments are classified, recorded and measured in accordance with the entity's accounting policies and applicable financial reporting framework.
We will recalculate all changes in the value of investments and verify that they are properly recorded in the income statement, balance sheet and other comprehensive income.
We will instruct PricewaterhouseCoopers to report the results of their full scope audit of First Rate Exchange Services Holding Limited to us, in line with our reporting timetable; in addition:
> We will attend the planning event and closing meetings by conference call;
> We will review their work papers relating to the significant audit areas through a site visit from the Group audit team at year end;
> We will obtain a signed memorandum of audit work and conclusions formed; and
> We will receive a signed conclusion opinion.
Retirement benefit surplus
We will examine the composition and computation of post-employment benefit obligations and other employee related non-current
provisions for reasonableness including all significant assumptions used in the calculations. This includes meeting with the Companies’
actuaries and reviewing their key inputs and understanding the methodologies utilised to arrive at key assumptions, such as discount
rates, inflation rates and expected rate of return on plan assets. We will involve our own actuarial specialists who are established members
of our audit team.
Retirement benefit surplus (continued)
We will benchmark POL assumptions against peers. We will assess and provide insight into the relative position of the assumptions adopted.
We will review any changes in terms of pension schemes and the related accounting treatment.
Trade and other receivables
We will obtain sufficient detail to enable us to ensure correct classification, presentation and disclosure of trade and other receivables by comparison to prior year, interim and our knowledge of changes in the business.
We will re-perform the client prepared reconciliations at year end and review for evidence of unusual non-standard journals and investigate as necessary.
We will evaluate the adequacy of the allowance for doubtful debts. This includes the following:
> Consideration of industry, economic and climate expectations.
> We will also discuss management credit control and bad debt policies and procedures and follow up as appropriate.
> We will inspect and verify the aged debt listing and confirm that old debts have been appropriately provided for.
> We will also test the receivables ageing by selecting a sample of invoices to ensure that the client's aged debt listing is consistent with the supporting documentation.
We will inquire about and review the list of credit balances included in trade and other receivables. Based on this we will investigate why major credit balances have arisen, consider the impact on year end receivables and ensure that the correct accounting treatment is applied.
We will understand the make-up of the client receivables balance at year end. We will obtain and re-perform all material reconciliations performed by Management to support the year end balance by vouching amounts and cut off information to third party supporting documentation (i.e. customer information). We will also check the settlement of the client receivable post year end to verify the existence of the client receivable at year end.
We will obtain a complete list of bank accounts (debit and credit balances) and obtain direct confirmations of bank balances for all accounts, and bank accounts closed during the period, to confirm the existence and valuation of cash including any contingencies, liens, pledges, restrictions on the entity's assets, guaranteed amounts, etc.
We will agree confirmed balances to Management prepared reconciliations and ensure correct classification, presentation and disclosure in the financial statements.
We will also check the appropriateness of the presentation of balances within the financial statements (e.g. overdrafts classified as current liabilities) and consider the impact of any set off agreements and banking covenants.
We will test the cut off of cash receipts and payments for transfers between different bank accounts at the balance sheet date. This will include checking the completeness of these receipts and payments transfers pre and post year end and ensuring that each receipt/payment is only recorded in one account on the ledger.
Trade and other payables (including client payables)
We will obtain sufficient detail to enable us to ensure correct classification, presentation and disclosure of trade and other payables by comparison to prior year, interim and our knowledge of changes in the business.
We will re-perform the client prepared control account reconciliations at year end and review for evidence of unusual non-standard journals and investigate as necessary by understanding how they have occurred and whether they have been treated correctly.
We will inquire about and review the list of debit balances included in trade and other payables. Based on this we will investigate why major debit balances have arisen, consider the impact on year end payables and ensure that the correct accounting treatment is applied.
We will perform a search for unrecorded liabilities at the year end date by inspecting post year end bank statements, selecting significant payments post the year end and identifying those payments relating to liabilities in existence at the balance sheet date, to ensure that the liability was accrued in the correct period.
We will also select invoices which have been posted but not yet paid after period end and obtain supporting documents to ensure that the liability was accrued in the correct period; and
Further, we will review purchase invoices received post year end and ensure that these liabilities have been accrued in the reporting period where applicable.
Trade and other payables (including client payables) (continued)
We will review summaries of activity for the month pre and post the year end balance sheet date (cut-off date). This will involve comparing the activity to that expected and with the same period in the prior year and budget. Where actual activity significantly differs from our expectation we will ascertain the reason for this change and corroborate this to our other testing procedures.
We will also inspect a sample of transactions from the activity listing before and after the cut-off date, and inspect supporting documentation to ensure that the transactions were recorded in the proper period; we will also compare the results of this cut off to cut off in related areas.
For deferred income, and to ensure that revenue has been included in the correct period, in addition to the procedures we will perform on revenue, we will perform detailed cut-off procedures over revenue postings before and after period end, and check that the amounts recognised as revenue are appropriate, and that they have been correctly recognised in trade debtors, accrued revenue or deferred revenue in the appropriate period.
Interest bearing loans and borrowings
We will obtain a summary of interest bearing loans and borrowings and interest from Management and agree balances to the general ledger. We will re-perform the calculations of interest expense and interest payable for reasonableness. We will also test compliance with the terms, maturities, restrictive covenants, or other provisions of the loan agreements in place.
For new agreements in the period under audit, we will inspect original or authenticated copies of interest bearing loans and borrowings agreements, or other related documents, to test the terms, restrictive covenants and other pertinent provisions of the loans and borrowings.
We will review confirmation replies (including those for assets and liabilities) for evidence of liens, security interests, derivatives and assets pledged as collateral for loans, cross-reference to the corresponding general ledger accounts and verify proper disclosures.
We will confirm directly with third parties all loans and borrowings to check amounts owed, terms, collateral, restrictions and the entity's compliance with the provisions of the agreements.
Provisions (postmasters' compensation)
We will perform an independent reconciliation of the total branches as well as an analysis of their data and status at 27 March 2016. We will compare this to management's results and use this to identify anomalies and challenge the provision analysis provided by Management.
To ensure that every branch in the Post Office Network is classified correctly we will independently categorise each branch into its category at 27 March 2016, based on its individual attributes, and we will challenge POL's assessment by comparing results.
Our sample based testing will include checking the attributes and classification of the branches in the network. This will be done by checking signed contracts (where applicable) and ensuring that where a provision is applicable, it has been recognised in the correct period, by obtaining the signed contracts and checking the dates of the signed agreements. We will also ensure that branches selected for testing are not duplicated in any other category. If our sample identifies unusual items or categories, these will be communicated to POL and investigated and adjusted where necessary.
To check the validity and accuracy of POL's records we will undertake sample based testing on the Conditional Resignation Pack (CRP) contracts and check dates for correct cut off and sign off. We will also trace the contracted amounts of these CRPs per POL's records to the payment listing and bank statements, showing the amount being settled post year end.
We will perform an unrecorded liabilities test by reviewing all cash payments made to postmasters in the months subsequent to the year end (up until the date of signing the financial statements). We will independently sample selected payments and vouch to actual bank statements and also ensure that the provision is accrued in the correct period.
To further gain assurance on the completeness of the provision at the balance sheet date, we will perform a reasonableness test on each category of the postmasters' compensation elements by comparing costs incurred to date against budgeted costs and estimated costs to complete for the various programmes. This will involve understanding the number of open projects and how the estimated costs to complete are computed, and corroborating this to tests performed on the branch reconciliation.
We will discuss with management the progress they have made since interim in their plans for implementing a formal policy of procedures and controls for the postmasters' compensation process, assess the new controls and check those implemented by management to address the risks around completeness of the provision, and we will carry out additional testing where appropriate.
Provisions (other)
We will review all other provisions for correctness and completeness, including whether the other liabilities are consistent with our understanding of the entity's business. We will test recorded amounts by performing recalculations of the provisions and vouching inputs to supporting documentation.
We will review accounting estimates used in provisions for evidence of management bias.
For all significant new provisions we will review whether they have been appropriately identified and meet the requirements of IAS 37 and IAS 1 respectively.
In addition to the above we will focus on evaluating the business rationale for significant unusual transactions around estimates and judgements.
Our journal entry approach specific to management override over provisions includes:
> Testing material manual journals charged and released to the provision accounts (that are outside our expectations);
> Testing manual journals which are not posted as part of the routine financial statement close process; and
> Testing of journal entries with reference to wording that appears outside the ordinary course of business.
We will also perform testing on the appropriateness of journal entries and other adjustments made in the preparation of the financial statements.
To further gain assurance on the completeness of the provision at the balance sheet date we will perform an unrecorded liabilities test by reviewing a sample of material cash payments in the months subsequent to the year end (up until the date of signing the financial statements). We will independently sample selected payments and vouch to actual bank statements and also ensure that the provision is accrued in the correct period.
To further gain assurance on the completeness of the provision at the balance sheet date, we will perform a reasonableness test on each category of the provisions by comparing costs incurred to date against budgeted costs and estimated costs to complete for the various programmes. This will involve understanding the number of open projects and how the estimated costs to complete are computed, and corroborating this to other tests performed.
We will obtain an equity reconciliation schedule, including shares and retained earnings, agree to general ledger accounts and test movements from prior period-end to current period-end to verify proper accounting for changes in equity (e.g. profit distributions, other equity reductions or increases) and determine completeness and compliance with laws and regulations, including taxation issues.
Further, we will reconcile opening balances with prior period workpapers and closing balances with the consolidation schedule, and agree significant movements to supporting documentation to determine that they are valid, accurate and complete.
If applicable, we will verify that all dividend payments are appropriately approved and declared, and that tax regulations have been followed.
We will review board of director, shareholder and committee meeting minutes as well as changes to the articles of incorporation for issues affecting the financial statements, including the notes. If applicable, we will confirm all significant transactions with the share registrar and agree any changes where applicable to the general ledger.
INCOME STATEMENT
Revenue
We will perform detailed controls work on revenue during the year, which will include testing whether the revenue lines selected are
using the correct contractual rates and volumes data in their calculations.
We will perform a detailed analytical review to analyse and evaluate the movements in the key revenue lines across the business using the full population of data extracted from the system.
We will examine the fluctuations of revenue against budget and prior year by corroborating variances to the relevant evidence obtained through our other testing procedures. In addition, where appropriate, we will corroborate management's explanations for movements using our knowledge of developments in the industry and business.
To ensure that revenue has been included in the correct period, in addition to the procedures above, we will perform detailed cut-off
procedures over revenue postings before and after period end, and check that the amounts recognised as revenue are appropriate, and
that they have been correctly recognised in trade debtors, accrued revenue or deferred revenue in the appropriate period.
We will assess the risks around Management's use of third party data and Management's oversight of this data and carry out additional
testing where appropriate. Where manual spreadsheets are used to compute revenue we will test the integrity of the spreadsheets.
People costs excluding restructuring costs
We will develop and document an expectation for changes in people costs (including pension cost). This involves comparing the average pay per employee to the prior period, including employee benefits, and performing a detailed analytical review to analyse and evaluate the movements on a monthly basis using the full population of data extracted from the system.
In addition, we will review the full population of data for anomalies, and review reconciling items between data and ledger.
We will also test the correctness of journal entries in connection with pensions and post retirement expenses, current payments and changes in pension reserves by reviewing movements in pensions accounts throughout the year and agreeing significant movements to supporting documentation (where applicable, the actuarial valuation report).
Other Operating costs
All significant transactions identified in the "contents of administrative and other operating expenses" we will agree to underlying documentation for reasonableness and business purpose.
In addition we will test a sample of transactions and vouch to underlying documentation for reasonableness and business purpose.
Exceptional items
We will confirm receipt of the government grant and review any updates to the terms and conditions of the funding agreement.
We will review management's monitoring process for being able to differentiate between Transformation costs (exceptional items) and normal operating costs, and assess whether it captures the appropriate information and detail to track these costs.
To gain assurance on the completeness of the exceptional items we will perform a reasonableness test on each category of exceptional items by comparing costs incurred to expected costs and against budgeted costs and estimated costs to complete the various programmes. This will involve understanding the number of open projects and how the estimated costs to complete are computed.
The costs included will be reviewed to understand whether they are directly linked to the Network Transformation, are appropriately included within this category and reported outside trading profit, and meet the requirement under IAS 1 to be presented as exceptional costs in the financial statements. We will review and challenge whether the costs should be recognised within exceptional items or not.
Taxation
Appendix B
Audit fees
As part of our reporting on our independence, we set out below a summary of fees for the year ending 27 March 2016.
- Post Office Limited core audit fee*                    346,000    391,000
- IAS 34 Half year review of consolidated accounts        40,000     40,000
- CFS implementation review (one off fee)                       -     70,000
- Note Circulation Scheme ISAE 3000 Report                78,000     78,000
- BIS Agreed Upon Procedures Report                       12,000     12,000
- DVLA Agreed Upon Procedures Report                      13,000     13,000
- Turnover Certificate                                     2,500      2,500
Total*                                                   491,500    606,500
* Excludes out of pocket expenses incurred
Please note the following regarding our fees:
> The audit fee has been reduced to reflect our investment in the relationship with POL.
> Our time incurred on the 31 March 2015 restatement and testing of the Postmasters compensation provision of £75,000 has been written off.
> A separate fee of £26,000 (2015 £26,000) will be charged for the audit of Postal Services Holdings Company Limited.
> A separate fee of £70,000 will be charged for the audit of Post Office Management Services.
Appendix C
Independence report
Introduction
In order to carry out our duties and responsibilities as auditor, EY are required to consider our independence
and objectivity within the context of the regulatory and professional framework in which we operate.
UK APB Ethical Standards, International Standard on Auditing (UK and Ireland) 260, Communication of audit
matters to those charged with governance, and Rule 3526 Communication with Audit Committees Concerning
Independence of the Public Company Accounting Oversight Board (PCAOB) require us to communicate on a
timely basis and at least annually on all significant facts and matters that bear upon our independence and
objectivity since our last letter. The Ethical Standards, as revised in December 2010, require that we
communicate formally both at the planning stage and at the conclusion of the audit, as well as during the
course of the audit if appropriate. The aim of these communications is to give you full and fair disclosure on
matters in which you have an interest.
Planning stage
> The principal threats, if any, to objectivity and independence identified by EY, including consideration of all relationships between you, your affiliates and directors and us;
> The safeguards adopted and the reasons why they are considered to be effective, including any Engagement Quality Review;
> The overall assessment of threats and safeguards;
> Information about the general policies and process within EY to maintain objectivity and independence.
Final stage
> A written disclosure of relationships (including the provision of non-audit services) that bear on our objectivity and independence, the threats to our independence that these create, any safeguards that we have put in place and why they address such threats, together with any other information necessary to enable our objectivity and independence to be assessed;
> Details of non-audit services provided and the fees charged in relation thereto;
> Written confirmation that we are independent;
> Details of any inconsistencies between APB Ethical Standards and your policy for the supply of non-audit services by EY and any apparent breach of that policy; and
> An opportunity to discuss auditor independence issues.
In addition, during the course of the audit, we are required to communicate with you whenever any significant
judgements are made about threats to objectivity and independence and the appropriateness of safeguards
put in place, for example, when accepting an engagement to provide non-audit services.
We also provide information on the amounts of any future services that have been contracted, and details of
any written proposal to provide non-audit services that has been submitted.
We will also make sure that the total amount of fees that EY and our network firms have charged to you for
the provision of services during the reporting period, analysed in appropriate categories, are disclosed.
Relationships, services and related safeguards
We are not aware of any relationships between EY and the Company that may reasonably be thought to bear
on our independence as of the date of this report. As part of our considerations for any non-audit
engagement, we review potential threats in respect of self-interest, self-review, acting as management and
advocacy. We establish appropriate safeguards, which we communicate to the Audit and Risk Committee in
respect of any potential threat.
Other required communications related to independence matters
The APB Ethical Standards require total fees you have paid us in the period ending 29 March 2015 to be
communicated to you. Details of all fees are provided to the Audit and Risk Committee as part of our year-end
results board report.
Listed on the following page are EY's key firm-wide policies and processes to maintain independence and objectivity which are required to be communicated to you by APB Ethical Standards.
Confirmations
We are not aware of any inconsistencies between the company’s policy for the supply of non-audit services
and APB Ethical Standards. We are not aware of any apparent breach of that policy.
Relating to our audit of the financial statements of Post Office Limited for the year ending 27 March 2016,
for the year to date we are independent with respect to the Company within the meaning of regulatory and
professional requirements, including the requirements of International Standard on Auditing (UK and Ireland)
260 Communication of audit matters to those charged with governance; UK APB Ethical Standards; the
independence and Rule 3520 of the PCAOB. We will provide a further update as part of our year end
reporting.
We consider that our independence in this context is a matter that should be reviewed by both you and
ourselves. It is therefore important that you consider the facts of which you are aware and come to a view. We
look forward to discussing these matters with you at our upcoming meeting later in November 2015.
This report is intended solely for the information and use of the Audit and Risk Committee of the Board of
Directors, management, and others within the Company and should not be used for any other purpose.
Firmwide policies
EY has policies and procedures that instil professional values as part of firm culture and ensure that the
highest standards of objectivity, independence and integrity are maintained. Listed below are some of the key
policies and processes in place within EY for maintaining objectivity and independence:
Financial interests: Our partners and client-facing (technical) staff are prohibited from investing in any audit client around the world. All partners and staff are required to confirm their compliance each year with the firm's independence policies. Monitoring of compliance in respect of all partners and professional managers takes place through a worldwide investment tracking system. New starters are required to confirm their compliance with the firm's independence policies on commencement of their employment.
Training: All partners and professional staff are required to undergo regular mandatory training on our Independence and Ethical policies and processes.
Partner rotation: The firm has detailed policies on the rotation of the audit partner and, in the case of listed clients, key audit partners, the independent partner and 'other partners and staff in senior positions'.
Consultation: The firm requires consultation outside the audit team on complex accounting, auditing and ethical matters. Major issues of principle arising on all audits are referred to a panel of independent experienced audit partners.
Independent partner reviews: Before listed company audit opinions are issued, an audit partner independent of the audit team reviews the nature of the relationship with the client, aspects of the accounts that are subject to significant estimates and judgements, and the adequacy of the presentation of information in the accounts.
Quality reviews: The firm operates a worldwide programme under the direction of senior partners that annually assesses the quality of our work. Over a three year period, a proportion of the work of all audit partners is reviewed. The results of the programme help us to evaluate the firm's quality controls and personnel performance and identify areas for improvement. As with other firms, EY's audit practice is subject to annual review by the Audit Inspection Unit (AIU) and the Quality Assurance Directorate (QAD) of the Institute of Chartered Accountants in England and Wales (ICAEW) for compliance with Audit Regulations. As part of its visits, the AIU/QAD evaluate the system of quality control operated by the firm for its audit practice.
Business relationships: EY has implemented a centralised process for the review and pre-approval, by our quality and risk management team, of all new business relationships. A submission must be made and approved for each new business relationship before committing the firm. In addition, all new business relationships must be notified to and approved by the lead audit or client service partner before committing the firm.
Ethics: Our Global Code of Conduct provides an ethical framework on which we base our decisions and our actions, as individuals and as members of our global organisation. EY has also established the EY/Ethics hotline, which allows any person, inside or outside of EY, to confidentially and anonymously report an activity that they believe may involve conduct that is unethical, illegal, in breach of professional standards, or otherwise inconsistent with EY's established policies and Code of Conduct.
Non-audit services: Our audit engagement partners must approve any non-audit services offered to their clients. This allows them to:
- Ensure the objectives of the proposed engagement are not inconsistent with the objectives of the audit of the financial statements;
- Identify and assess any related threats to our objectivity; and
- Assess the effectiveness of available safeguards to eliminate such threats or reduce them to an acceptable level.
Where no satisfactory safeguards exist we do not carry out the non-audit service.
Appendix D
Required communications with the Audit and Risk Committee
There are certain communications that we must provide to the Audit Committees of UK clients. We have
detailed these here together with a reference of where and when they were covered:
Communications required on all audits
- Overview of planned scope and timing of the audit: Discussed within this report.
- Other information in documents containing audited financial statements: We will review the other information included in annual financial statements and report to you in the Audit and Risk Committee report.
- Significant audit adjustments: This will be included, as necessary, within our 2015-16 year end audit report.
- Unrecorded misstatements considered by management to be immaterial: This will be included, as necessary, within our 2015-16 year end audit report.
- Expected modifications to the audit report: If applicable, this will be included, as necessary, within our 2015-16 year end audit report.
- Our judgements/views about qualitative aspects of the Company's accounting practices and financial reporting: This will be included within our year end 2015-16 Audit and Risk Committee report.
- Disagreements with management: This will be included, as necessary, within our 2015-16 year end audit report.
- Consultations with other accountants: This will be included, as necessary, within our 2015-16 year end audit report.
- Serious difficulties encountered in dealing with management when performing the audit: This will be included, as necessary, within our 2015-16 year end audit report.
- The adoption of, or a change in, an accounting policy: This will be included, as necessary, within our 2015-16 year end audit report.
Appendix D
Required communications with the Audit and Risk Committee (cont'd)
Communications required on all audits (cont'd)
- Methods of accounting for significant unusual transactions and for controversial or emerging areas: This will be included, as necessary, within our 2015-16 year end audit report.
- Events or conditions that cause us to conclude that there is substantial doubt about the entity's ability to continue as a going concern: This will be included, as necessary, within our 2015-16 year end audit report.
- Sensitive accounting estimates: This will be included, as necessary, within our 2015-16 year end audit report.
- Consideration of laws and regulations: This will be included, as necessary, within our 2015-16 year end audit report.
- Fraud and illegal acts involving senior management and fraud and illegal acts that cause a material misstatement of the financial statements: This will be included, as necessary, within our 2015-16 year end audit report.
- Significant matters arising during the audit in connection with the entity's related parties: This will be included, as necessary, within our 2015-16 year end audit report.
- Management's refusal for us to request external confirmations or our inability to obtain relevant and reliable audit evidence from other procedures: This will be included, as necessary, within our 2015-16 year end audit report.
- Representations that the auditor is requesting from management: We will provide the management letter of representation as part of our audit planning report and year end report.
- Significant deficiencies and material weaknesses in internal control over financial reporting: This will be included, as necessary, within our Controls, Themes and Observations Report which will be shared with you after the conclusion of our audit.
- Group audits: an overview of the type of work to be performed on the financial information of the components; an overview of the nature of the Group audit team's planned involvement in the work to be performed by the component auditors on the financial information of significant components; and instances where the Group audit team's evaluation of the work of a component auditor gave rise to a concern about the quality of that auditor's work: An overview of the planned approach for the audit is included within this report. We will report on any further items with our year end audit report.
- Any limitations on the Group audit (for example, where the Group engagement team's access to information may have been restricted), and fraud or suspected fraud involving Group management, component management, employees who have significant roles in Group-wide controls or others where the fraud resulted in a material misstatement of the Group financial statements: This will be included, as necessary, within our 2015-16 year end audit reports.
Appendix D
Required communications with the Audit and Risk Committee (cont'd)
- Audit and Risk Committee pre-approval of services, including specific pre-approval of internal control-related services and non-prohibited tax services: This will be included, as necessary, within our 2015-16 year end audit reports.
- Critical accounting policies and practices. ISA 260 (UK and Ireland) requires the auditor to communicate the auditor's views on the qualitative aspects of the Company's accounting practices and financial reporting: This will be included in our 2015-16 year end audit report.
- All material alternative accounting treatments discussed with management: This will be included in our 2015-16 year end audit report.
- Fees: Discussed within this report and within our 2015-16 year end audit report.
- Other material written communications with management: We will provide our 2015-16 year end audit report.
- Communication of independence matters: Included in planning audit report and this will also be included in our 2015-16 year end audit report.
- Other findings or issues regarding the oversight of the financial reporting process: This will be included, as necessary, within our 2015-16 year end audit report.
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction
and advisory services. The insights and quality
services we deliver help build trust and confidence
in the capital markets and in economies the world
over. We develop outstanding leaders who team to
deliver on our promises to all of our stakeholders.
In so doing, we play a critical role in building a better
working world for our people, for our clients and for
our communities.
EY refers to the global organization and may refer
to one or more of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited
by guarantee, does not provide services to clients.
For more information about our organization, please
visit ey.com.
Ernst & Young LLP
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London, SE1 2AF.
© 2013 Ernst & Young LLP. Published in the UK.
All Rights Reserved.
This publication has been printed on paper with a high recycled content.
Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.
ey.com/uk
Confidential - all rights reserved
© EY 2013
POST OFFICE - AUDIT RISK COMMITTEE
Production Approach for Report and Accounts 15/16
Author: Mike Granville Sponsor: Alisdair Cameron March 2016
Executive Summary
Context
1. Post Office is now commencing the process to enable the publication of the 2015/16
Annual Report and Accounts (ARA) during June/July 2016. This paper outlines the
development and production timeline for the document and the proposed approach to
format, tone and key messages.
Questions
2. The following questions are addressed in this paper:
- What are the key dates for production of the ARA?
- What is the proposed structure of the document?
- Who has responsibility for production?
- What tone, style and narrative approach should be adopted for the ARA?
- What will be the general stakeholder and communication approach on publication?
- What are the cost implications of the approach?
- What other approaches to the ARA have been considered?
- What are the next steps?
Conclusions
3. The ARA will be compiled by Communications, Company Secretariat and Finance, with
appropriate sectional sign off by Directors, in order to be presented for Board approval on
24 May. Publication will be scheduled for late June/early July.
4. The format of the document will retain the general structure that was successfully used in
2015 with some developments which take into account Ernst and Young (EY) feedback.
5. The development and production of the document will be undertaken in house (working
with EY) with costs absorbed within existing budgets. The significant cost savings achieved
in previous years will therefore be maintained.
6. The narrative approach will emphasise that significant progress is being made in a
challenging environment, but there remains much to do, necessitating the continued
imperative of transformation. The themes of 'better for customers, simpler to run, great
place to work' and the values 'care, challenge, commit' will be woven through the narrative.
7. Communication and stakeholder liaison at the point of publication will be determined
nearer the time to enable full account to be taken of environmental issues that will then
apply. Broadly the ARA will be presented as a positive ‘reference point’ in the continuing
journey of progress and company transformation.
Input Sought
8. ARC endorsement of the approach, process and timescales outlined in this paper to
produce the 2015/16 Annual Report and Accounts.
Strictly Confidential
The Report
Background
9. Post Office Ltd now has a clear track record in producing its own ARA as an
independent company separate from Royal Mail. The document stands as a
statutory accounting record and, although the document does not in itself have a
shareholder market impact, it is a key reference point for stakeholders and
interested parties to understand business confidence, progress and performance.
It is also a prompt for internal and external communication of key messages which
can be used positively in terms of promoting Post Office strategy. Conversely it
can carry a risk as being used as a focal point for marshalling stakeholder
opposition to our strategy.
10. The 2015/16 ARA will be published in late June/early July. It will show significant
year on year progress - particularly on EBITDAS and subsidy reduction - and it
will show this has been achieved via flat income and significant cost reduction. It
will be published at a time when a further series of cost reduction measures
(Crowns, Supply Chain, Pensions) will be live in the external environment; when
potential post 2018 strategy discussions with Government are underway; and
when Government may still be conducting its own consultation on future policy
options. Post Office will be driving forward with its ‘transformation at pace’
narrative and with its activity to embed the ‘better for customers, simpler to run,
great to work for’ themes and the ‘care, challenge, commit’ values. The ARA will
recognise the need for further cost reductions but also note the opportunities for
growth they will enable and reveal. In its comparisons with the prior year, the ARA
will make reference to the restatement of subpostmasters’ compensation provision
for 2014/15.
What are the key dates for production of the ARA?
11. Work on the ARA commences in March with agreement on the overall approach
via GE and the ARC. Narrative content and Finance work with the auditor takes
place over April, enabling clearances on the final document through the ARC and
Board to be achieved in May. Signing can then take place in early June with
publication taking place in late June/early July. The precise date for publication
will be determined nearer the time. In 2015 we published on 10 July.
12. A table of key dates is given at Appendix 1.
What is the proposed structure of the document?
13. The structure of the document for 2014/15 provides an efficient template which
minimises production costs, meets professional guidelines and provides a platform
for appropriate narrative. The content structure will therefore continue to be based
on four elements:
- Overview - high level pictorial representation of highlights together with the
Chairman's foreword and Chief Executive's Statement
- Strategic Report - background description of the nature of the Post Office's
business and its overall strategy followed by a narrative on performance and
progress built around business transformation, service to customers, our
people and our role as part of the community. Within this structure the
themes of 'simpler to run', 'better for customers' and 'great place to work'
will be emphasised. This is then underpinned by the CFO's Financial Review
and Business Risks
- Governance - information on Board members and Committees, corporate
governance approaches and Directors' Remuneration Report
- Financial Statements - detailed financial information, such as cash flows,
balance sheet and the auditors' report.
Who has responsibility for production?
14. The content in the above sections will be compiled by Communications, Company
Secretariat and Finance liaising with GE Directors. Responsibilities for preparing
the relevant sections are outlined at Appendix 2. The overall document - both 'Front
Half’ (Overview, Strategic Report and Governance) and ‘Back Half’ (Financial
Statements) - will be subject to overall ARC and Board sign off which will then
devolve authorities for final signature.
15. Production will be ‘in house’ via the communications team - an approach which
saved £60,000 in producing the 2015 document compared to previous years.
What tone, style and narrative approach should be adopted for the ARA?
16. The general approach of the document will reflect continued, confident progress in
an ambitious transformation being undertaken in the face of challenging markets.
It will be made clear that there is much still to do and a continued need for bold
and recognisably difficult decisions to create a sustainable future. The tone will be
one of determined and professional implementation of a challenging task and a
track record of delivery.
17. Within this framework, the business themes (better, simpler, great) and values
(care, challenge, commit) will recur. The positive narrative of delivering for
customers and communities will be presented as inseparable from the delivery of
commercial results - ‘two sides of the same coin’. The narrative and structure will
take account of feedback from EY on the 2014/15 ARA as outlined at Appendix 3.
What will be the general stakeholder and communication approach on publication?
18. A full stakeholder and communications plan covering external and internal
audiences will be established for publication. The precise detail and timings will be
determined later to take account of the environment at the time. The approach
will be one of transparency, demonstrable progress and ongoing challenge which
will illustrate the benefits of, and need for, continued transformation.
What are the cost implications of the approach?
19. As in 2015, preparation and production activity will be kept in-house. The small
costs incurred in production (e.g. limited hard copy printing) will be absorbed
within existing budgets.
What other approaches to the ARA have been considered?
20. Consideration has been given to a radical change in format. However, necessary
budgetary constraints and the experience of the 2015 format (which met statutory
and stakeholder expectations) suggest that continuing to adopt the current
approach is appropriate. We are not looking for the ARA to signal a significant
shift of strategic approach - we are aiming for it to be a record of progress and
validation of the continuing professional, determined transformation strategy.
21. Consideration has been given to more extensive outsourcing of the activity. This
would incur additional cost, and introduce risk to tight timescales (it will be
important that the ARA is published promptly). The 2015 experience indicates that
a strong product can be produced in house.
What are the next steps?
22. Following consideration by the GE, the ARC is now asked to endorse the overall
approach and timescales for the Annual Report and Accounts. Activity will then
progress in accordance with the timeline given at Appendix 1.
Appendix 1
High Level Timetable showing key dates
Date: Activity
10 March: GE Meeting to cover high level approach to ARA document and key messaging
17 March: ARC to cover high level approach to ARA document and key messaging (including Board photographs - individual shots)
10 March to 18 April: 'Front Half Content' liaison between Communications and GE members
8 April: Flash Results for Year End available from Finance
11 April to 6 May: Finance liaison with EY / Finance collation of 'Back Half Content'
8 April to 18 April: Communications collation of 'Front Half Content'
18 April: Collated 'Front Half Content' circulated to GE for comment
12 May: Full Report/Accounts draft and EY Report to ARC and Chairman
17 May: Full Report/Accounts draft sent to the Board with associated Communications Plan
19 May: ARC - review of full Report and Accounts
24 May: Board - approval and delegations to prepare for publication. (This date is subject to all necessary internal and external work required to satisfy requirements on all numbers)
June (date tbd): Signing of Report and Accounts
June / early July (tbd): Publication of Report and Accounts with associated PR / Stakeholder Plan
Appendix 2
Format / Structure / Responsibilities for content production within the 2015/16 Report and Accounts
Section of Report | Content collation (links to Directors as appropriate) | Section sign off
Overview
- Our Year in Numbers | Mike Granville / Paul Swanton | Mark Davies
- Chairman's foreword | Mike Granville / Mark Davies | Tim Parker
- Chief Executive's statement | Mike Granville / Mark Davies | Paula Vennells
Strategic Report
- The business and strategy of the Post Office | Mike Granville | Al Cameron
- Our transformation | Mike Granville | David Hussey / Al Cameron
- Our service to customers | Mike Granville | Martin George / Nick Kennett / Kevin Gilliland
- Our people | Mike Granville | Neil Hayward
- Part of the Community | Mike Granville | Mark Davies
- Financial Review | Briony Tristram / Dave Carter | Al Cameron
- Business Risk | Mike Morley-Fletcher | Jane MacLeod
Governance
- Overall Structure | Victoria Moss | Alwen Lyons
- Board of Directors | Victoria Moss | Alwen Lyons
- Corporate Governance | Victoria Moss | Alwen Lyons / Jane MacLeod
- Directors' report | Victoria Moss | Alwen Lyons
- Directors' remuneration report | Victoria Moss / Natasha Wilson | Ken McCall / Alwen Lyons
Financial Statements
- Statement of Directors' responsibilities | Briony Tristram / Dave Carter | Al Cameron
- Independent Auditor's Report | Briony Tristram / Dave Carter | Al Cameron
- Consolidated income statement | Briony Tristram / Dave Carter | Al Cameron
- Consolidated statement of comprehensive income | Briony Tristram / Dave Carter | Al Cameron
- Consolidated statement of cash flow | Briony Tristram / Dave Carter | Al Cameron
- Consolidated balance sheet | Briony Tristram / Dave Carter | Al Cameron
- Consolidated statement of changes in equity | Briony Tristram / Dave Carter | Al Cameron
- Notes to the financial statements | Briony Tristram / Dave Carter | Al Cameron
- Parent company financial statements | Briony Tristram / Dave Carter | Al Cameron
- Corporate Information | Briony Tristram / Dave Carter | Al Cameron
Overall full document sign off process to ensure narrative coherence | Communications, Finance and Company Secretariat will develop key points in each section and then develop narrative in liaison with responsible Directors. Sign off for narrative coherence at key stages. | Mark Davies / Al Cameron
Production and Publishing | Paul Swanton | Mark Davies
Appendix 3
Comments received from Ernst and Young on 14/15 Annual Report
and the approach to be taken for the 15/16 Report
Subject to ARC approval, we have agreed not to publish a statement about
compliance with the UK Corporate Governance Code. Our approach is to maintain
standards of corporate governance appropriate for our ownership structure, our
commitment to our social purpose and our strategy for commercial sustainability.
However, we will seek to follow EY’s advice, based on last year’s ARA, on the balance
and understandable nature of the report with the approach outlined below.
(Note - a paper entitled ‘Corporate Governance capability and ARA disclosure’ is being
taken at the ARC on 17 March).
Points made by EY are in italics followed by the approach that Post Office will
take for the 2015/16 document.
The following points relate to the document generally:
1. In the accounts ‘the strategy’ doesn’t jump out - it is important because there
should be clear links to the strategy and other parts of the report (e.g. KPI and
risk sections). Leading practice is to have a key with the strategy that runs
through the whole report.
The Business and Strategy of the Post Office will be made clear at the start of the
‘Strategic Report’ section. This will introduce the key strategic themes - Simpler
to Run, Better for Customers and Great Place to Work. These key themes will
then provide a key to subsequent sections in the report - ‘Our transformation’
(simpler to run), ‘Our service to customers’ (better for Customers) and ‘Our
people/part of the community’ (great place to work).
2. The business model is not described.
A high level description of the business model will be included in the ‘Business
and Strategy’ section.
3. The KPIs are listed at the front and then the financial ones are in the financial
review section. All the KPIs should be disclosed with some context and after the
strategy, and linked to it. Targets should be added and report on whether or not
the target was met.
KPIs will be collated in one place within the report and linked to the strategy
section above with a general overall indication given on our position against
targets. Processes have been established to cross check overall coherence of the
report.
4. The business and strategy review and financial review cover much of the same
ground - however, the business and strategy review section puts a much rosier
spin on it than the financial review (this could be interpreted as not being
balanced?). Potentially there could be a cut down of pages by removing the
repetition between these two sections and between the Chairman and CEO
introductions.
We will avoid repetition through having a differing focus for the Chairman and
CEO sections. The Chairman section will focus on the high level direction,
development and governance of the company; the CEO section will comment on
‘in year’ achievement and the ‘forward year’ drive for continued transformation
with the ambition, determination and confidence to face the challenges ahead.
The ‘Business and Strategy Review’ will be shortened to provide the primarily
narrative framework which is supported and underpinned by the numbers and
factual statements in the Financial Review.
5. Risk section is good - it could be improved by adding a description of each risk
e.g. emerging, increasing, decreasing. Some companies also add a map showing
the level of risk and likelihood of it occurring. This section should be improved for
FY15/16 - especially if the plan is to provide a viability statement.
The Risk section will be developed to show the trajectory of the risk - although
we won't provide a ‘heat map’ of level of risk/likelihood (the complexity of the
Post Office environment and operation across multiple markets would mean that
explanation of any such mapping would need to be substantial).
The following points refer to the Corporate Governance section;
6. We would suggest putting the part about Post Office not being listed etc. at the
front. It is Government owned so we all own it - as well as the public being
customers.
The overview of ownership and governance structure will start the Corporate
Governance part of the report.
7. Board bios etc. - it is best practice to describe the skills each member brings to
the board.
This point will be taken into account in the biographies provided.
8. Best practice is to have the Chair of each Board committee write the committee
overview. (It was done the previous year for the RemCo but not the other
committees - 2015 does not seem like the RemCo report is either).
We will liaise with the Committee Chairman to ensure they are comfortable that
their views are reflected in the reports from the Committees. The Directors’
remuneration report is a specific issue given the greater extent of data which will
need to be included.
9. All the board committee reports lack content and specific, relevant information.
The audit committee does not describe significant issues and how the AC
addressed them or how the effectiveness of the auditor was assessed.
As above the Board committee reports will be strengthened to include relevant
information and content.
10. Nomination committee section - Post Office could have described the process
they went through to appoint the new CFO and General Counsel. For 2015/16
this should include the new Chairman.
This content will be included in the Nomination Committee Section.
11. Fair, balanced and understandable is not mentioned in the audit committee
report and there is no mention of how this assessment was made.
The approach taken will be to produce the report as per the statement at the
start of this Appendix.
Investment Strategy Considerations
Author: Tim Giles and Ross Mitchell, Aon Hewitt Date: 8 March 2016
Introduction
The following paper summarises recent discussions with the Trustee of the Royal Mail
Pension Plan (‘RMPP') and Post Office Limited's (‘POL') advisors with regards to the
future strategy of the Scheme.
Appendix - Post Office Limited Q4 2015 Quarterly Report
The attached report details the Section's position as at 31 December 2015.
As a result of active members exiting the business highlighted through the 2015
valuation process, the resulting smaller number of active members has significantly
reduced the cost of future accrual in nominal terms (the cost as a percentage of salary
roll is still high, but the salary roll has diminished). While the 31 March 2015 valuation
has not been completed, the Trustee has reflected this change to the membership
data and applied it to the 31 March 2012 valuation basis.
The report highlights the following:
- On the Trustee's technical provisions basis the Section is expected to remain above the crossover point (1) until beyond 2022.
- When considering a more prudent measure of the Section's liabilities, the gilts ABO basis, the Trustee estimates that the Section will remain above the crossover point until c.2021.
Appendix - Buy-out estimate for the POL Fund of the Royal Mail
Pension Plan
The attached report details LCP's estimate of the cost of buying out the POL Section
with an insurance provider. The report highlights the following:
- Based on market conditions as at 22 February 2016, the estimated cost of buy-out, including accrual to 31 August 2016, was £375m, leaving a surplus of £40m.
- The LCP report also details the sensitivity of this position to enhancement in member benefits.
(1) Footnote, only partly legible in the source: This has been defined by the Trustee as the ... at which the ... percentile of expected outcomes from its stochastic model moves ...
Commentary
The following sections provide further details of Aon Hewitt's advice regarding the
ongoing strategy of the Scheme in addition to further considerations when
interpreting analysis detailed in the attached appendices.
Monitoring of crossover point
Despite the improvement in the Section's funding position, recent correspondence
with Trustee has focused on the following three scenarios for the Section's investment
strategy.
a) run the Section with a low risk investment strategy with continuing accrual.
b) as in a) but with no accrual after August 2016.
c) as in b) but with benefits being insured through buy-out.
Recent discussions to date have been on the use of a 'buy-out' basis when valuing the
Section's liabilities. This has in part been driven by recent discussions regarding the
Section's covenant.
While it is possible for the Trustee to make steps to implement a) and b) before the
ongoing consultation has concluded, it would be significantly more challenging for
progress to be made towards c).
As noted above, recent analysis has shown that under the Trustee's technical
provisions basis, it may be possible for the Section to remain open indefinitely. It was
however acknowledged by the Trustee that other factors, such as the Section's
covenant, make this measure less relevant and inappropriate. The ISC acknowledged
this and the communication issues which it may cause.
Following the receipt of advice from Aon Hewitt, POL has confirmed it was happy with
the proposals set out and encouraged the Trustee to make any steps to derisk the Plan
given prevailing market volatility. Given this market environment it was noted that
the Trustee's proposals seemed appropriate irrespective of the outcome of the
ongoing consultation.
POL-BSFF-0078725_0134
POST OFFICE PAGE 3 OF 3
Use of surplus
Discussions to date indicated that the Trustee would like for any surplus to be passed
to members. It should be noted that under Project Robin, it is not possible for the
transfer payment to be passed to POL. Given that any surplus accrued to date is a result of
these assets, we believe that it would be reasonable to assume this remains the case.
While no decision has been reached as to which members' benefit would be
supplemented with any surplus, we understand that this would likely be designed to
reflect the prospective loss of benefit.
Potential for buy out
As noted above, LCP's analysis indicated that the estimated buy-out surplus at 22
February 2016 was c. £40m. This implies that it is feasible for the Scheme to be
bought out should the Section be closed to future accrual in August 2016.
This is substantially different to the gilts ABO position identified by the Trustee as at
31 December 2015. There are good reasons for these differences:
a) The buy-out number from LCP will place a higher value on the liabilities as
insurers' basis is generally more prudent, pricing in a greater degree of
uncertainty.
b) LCP has included future benefits being accrued between January and August 2016.
c) Market conditions have moved since 31 December 2015.
We would highlight that the risks associated with the Section remaining open are
likely understated by the less-prudent nature of the Trustee's ABO basis.
The risk remains substantial that insurance pricing conditions and accrual of benefits
move against you to remove any buy-out surplus. While this does not directly impact
POL's response regarding the derisking of the Section's investment strategy, POL may
wish to discuss the risks connected with any crystallisation of the pension liabilities by
insurance in terms of the potential amount and timing of any potential payments from
POL.
POL-BSFF-0078725_0135
Quarterly Report
Post Office Limited
POL-BSFF-0078725_0136
1. Executive summary
DRAFT
Post Office Limited
2015 Q4
Strategic parameters
Return objective: Gilts + 1.5% p.a.
Objective for return-seeking: Cash + 3.1% p.a.
Target date: 31 Mar 18
Funding position
Asset value | £378.0m | £370.9m
Liability value | £241.9m | £244.6m
Surplus / (deficit) | £136.1m | £126.3m
Funding ratio | 156.3% | 151.6%
Current accrual cost (% of pay) | 46.6% | 44.9%
Projected crossover point | Late 2022 | -
On the technical provisions basis, the median projection is for the Section to remain in
surplus to at least the end of 2022. In order to project benefit accrual beyond that point
reliably, we would need more detailed liability data from the Scheme Actuary.
Investment performance
(figures as read from the scan; the column headings are not legible)
Last 3m | 0.4 | [illegible] | 0.2
Last 12m | 1.5 | 0.6 | 0.9
Plan YtD | -0.3 | 0.4 | -0.8
[unlabelled row] | 4.8 | 0.6 | 4.[?]
This quarter the return-seeking assets generated a positive return, but lagged their
objective. Gilt yields rose during the quarter, reducing the liability value, though the
benefit of this was mostly offset by the liability hedge, as one would expect.
At quarter end, the nominal liability hedge was overweight relative to its target. Within
return-seeking, investment grade credit was overweight due to the recent allocations to
CLOs and infrastructure debt, and developed equities underweight.
Backdated to 31 March 2015, the liability values have been approximately updated to
reflect the preliminary results of the 2015 valuation. That is, the 2012 valuation basis
applied to the 2015 member data. This improved the funding position by £39.4 million
on the technical provisions basis as at 31 March 2015.
Asset value incl. conts to TD | £436.2m | £422.9m
Liability value incl. accrual to TD | £399.1m | £383.3m
Surplus / (deficit) | £37.1m | £39.5m
Funding ratio | 109.3% | 110.3%
Current accrual cost (% of pay) | 55.4% | 53.3%
Projected crossover point¹ | Late 2020 | 2021
¹ Calculated on an accrued to date basis
² Will be available following completion of the actuarial valuation
Risk management (Gilts ABO basis)
Surplus VaR (12m, 5%) | £[?]8m/1.6% | £71m/1.7%
Crossover date at risk (5%) | c.24 mths | c.[?]5 mths
Prob. of ≥£40m deficit in 12m | 0.0% | 0.0%
Prob. of ≥£40m deficit at TD² | 0.0% | 0.0%
Liab. hedge (nominal) | 6.44 yrs | 6.36 yrs
Liab. hedge (real) | 5.82 yrs | 5.84 yrs
Collateral adequacy* | 253bps | 2[?]3bps
* Calculation allows for projected asset returns between quarter end and target date
* Collateral would run out if nominal yields move by this much, and real yields by half as much
Risk to the funding position was broadly unchanged on most metrics over the quarter.
Against the updated Gilts ABO liabilities, the hedge now represents nearly the full 6.0
years of accrual.
POL-BSFF-0078725_0137
2. Performance
2.1 Evolution of surplus - technical provisions basis
Backdated to 31 March 2015, the technical provisions proxy has been
updated using preliminary data from Towers Watson. This represents
a valuation of March 2015 member data, using the assumptions from
the 2012 valuation. CSDB revaluation for actives is assumed to be RPI.
The effect was to increase the surplus by £39.1 million at
31 March 2015.
Chart 2.1 shows the history of the funding position on the technical
provisions basis and the projection out to March 2018. As at the
quarter end, the median projection was that the Section would reach
March 2018 with a technical provisions surplus of around £90
million.
[Chart 2.1: Surplus/Deficit (£m), Mar 12 to Mar 18, showing the median projection based on current strategy and the 90% confidence interval; the chart itself is not reproduced in the scan.]
Note: Here and throughout the report, the central projection is the
median, and the funnel of doubt represents the 5th and 95th
percentiles.
2.2 Projected crossover dates
Technical provisions median | Late 2022 | *
Technical provisions 5th percentile | Late 2019 | July 2020
Gilts ABO median | Late 2020 | 2021
Gilts ABO 5th percentile | October 2018 | December 2018
POL-BSFF-0078725_0138
Disclaimer
Kempen Fiduciary Management is a trading name of the UK branch of
Kempen Capital Management N.V., which is registered in the United Kingdom
(BR017904) at 60 Cannon Street, London EC4N 6NP and which is a limited
liability company incorporated in the Netherlands, authorised by the Dutch
Authority for Financial Markets (AFM) and subject to limited regulation by the
UK Financial Conduct Authority (FCA). Details about the extent of our
regulation by the FCA are available from us on request.
This document is intended for professional clients only and should not be
relied upon by any other parties. No modifications or amendments to this
presentation may be made without the prior permission of Kempen Fiduciary Management,
and the document may not be forwarded to a third party without the prior permission
of Kempen Fiduciary Management. [Kempen Fiduciary Management has prepared this]
document using its best efforts on the basis of information from a variety of
data sources. No party shall have any right of action against Kempen Fiduciary
Management in relation to the accuracy or completeness of the information
contained in it, or any other written or oral information made available in
connection with it.
Any forecasts or opinions are Kempen Fiduciary Management's own at the
date on which this document was distributed and may change. They should not
be regarded as a guarantee of future performance. Past performance is not a
guide to future performance. While expected risk measures aim to provide an
indication of the range of potential future performance, all expected risk
measures are based on assumptions which may not be realised in the future.
Expected risk measures are therefore only a best effort indication of potential
future performance. The value of investments may go down as well as up,
particularly in the short term. The value of an investment may fluctuate and
cannot be guaranteed.
POL-BSFF-0078725_0139
Kempen Fiduciary Management
60 Cannon Street
London EC4N 6NP
United Kingdom
www.kempen.co.uk
POL-BSFF-0078725_0140
+ INSIGHT
CLARITY
ADVICE
The Post Office Limited
24 February 2016
Buy-out estimate for the POL Fund of the Royal Mail Pension Plan
Lane Clark & Peacock LLP: Trustee Consulting, Investment Consulting, Corporate Consulting,
Insurance Consulting, Business Analytics. www.lcp.uk.com
POL-BSFF-0078725_0141
Introduction
This presentation has been prepared by Lane Clark & Peacock LLP (“LCP”) for Post
Office Limited (“POL”) in respect of POL Fund of the Royal Mail Pension Plan (“RMPP”).
We are happy for POL to share this presentation with Chris Hogg for information only.
The purpose of the presentation is to set out our estimate of the current cost to the POL
Fund of securing benefits on a buy-out with an insurer. We also highlight the
uncertainties in our estimate, some of which are material, ahead of accurate pricing
being obtained from insurers.
We understand that POL does not plan to make any decisions based on this information
as further advice may be appropriate depending on the nature of the decision.
Clive Wellsteed FIA Charlie Finch FIA
POL-BSFF-0078725_0142
Estimated buy-out position
Headline results | 30 September 2015 | 22 February 2016 (incl accrual and contributions to 31 August 2016)
Asset value | £378m | £415m*
Gilts ABO valuation | £261m | n/a
Estimated buy-out cost¹ (leaving service benefits) | £315m | £375m
Estimated buy-out surplus | £63m* | £40m*
Estimated buy-out funding ratio | 120%* | 111%*
Source: Approximate estimates using LCP's insurer pricing model and information provided by POL. *These figures are estimated.
¹ The buy-out cost is the cost of securing the benefits for all members by the purchase of annuity policies from an insurance company.
POL-BSFF-0078725_0143
Sensitivity of buy-out position
Example benefit changes | 30 September 2015 | 22 February 2016 (incl accrual and contributions to 31 August 2016)
Estimated buy-out funding ratio (leaving service benefits) | 120% | 111%
Estimated buy-out funding ratio (RPI-linked benefits) | 110% | 102%
Estimated buy-out funding ratio (leaving service benefits but with an uplift of one year of extra service) | N/A | 98%

Example sensitivities (at 22 February 2016 with accrual and contributions to 31 August) | Central estimate at 22 February 2016 | Price 5% higher than central estimate | Insurers assume members live 1 year longer than central estimate
Estimated buy-out cost (leaving service benefits) | £375m | £395m | £385m
Estimated buy-out surplus | £40m | £20m | £30m
Estimated buy-out funding ratio (leaving service benefits) | 111% | 105% | 108%
Source: Approximate estimates using LCP's insurer pricing model and information provided by POL.
POL-BSFF-0078725_0144
Limitations in our estimates
• Commentary on the methodology and information used in producing our
estimates is set out in the appendix.
• New reserving rules ("Solvency II") for all insurers became effective in
January 2016. There is no transacted precedent since then on how insurers
will price a long duration block of mainly deferred pensioner liabilities and so
estimating buy-out pricing at the current time is more uncertain than normal.
• Accurate pricing will critically depend on third party insurer appetite, the yield
and duration of suitable assets available to insurers to hold in their annuity
portfolios, the availability of reinsurance to support the transaction pricing and
insurer/reinsurer views on the longevity of the POL Fund members.
• We have set out our central view of the best price insurers could achieve in our
estimate, but it would not be surprising to see variations in the best price (which could
be material) against our central view.
POL-BSFF-0078725_0145
Appendix
POL-BSFF-0078725_0146
Methodology
• The estimate of the buy-out cost is based upon the POL Fund's gilt-based ABO valuation as at
30 September 2015, approximately adjusted to reflect our expectation of the price an insurer will charge.
• The assumptions adopted are set out on slide 9.
• The actual buy-out cost could be higher or lower than our estimate, potentially materially so, and can only
be determined by seeking firm quotations from insurers and running a competitive selection process.
• There are a number of factors which will influence the ultimate buy-out position:
  - market conditions will be different from those applying at the valuation date and the assets held by
the POL Fund are only partially matched against insurance company pricing;
  - the asset opportunities available to insurers at the time — particularly for long-dated debt-like
instruments — as even a small change in the risk-adjusted investment yield can significantly impact
pricing;
  - availability of longevity reinsurance particularly for non-pensioners, which make up a significant
proportion of the liabilities;
  - insurance company pricing is particularly uncertain at the current time as insurers get to grips with the
capital reserving requirements under Solvency II, which came into force on 1 January 2016;
  - the insurers' assessment of the life expectancy of the membership and the proportion married; and
  - the level of insurer competition and other transactions which are competing for insurer capacity.
POL-BSFF-0078725_0147
Information used
• The estimate of the buy-out cost relies on the information provided. In particular we have relied on:
  - summary information provided in the 31 March 2015 funding update, the Q3 2015 quarterly report,
and the draft 2015 Q4 quarterly summary;
  - assets have been approximately projected forward from 31 December 2015 based on changes in
suitable asset indices and the breakdown of the assets set out in the Q3 2015 quarterly report (we
have assumed there have been no investment changes since 30 September 2015);
  - high-level allowance for benefit accrual and member and company contributions based on
information in the Q3 2015 quarterly report; and
  - the sensitivity information in the Willis Towers Watson report dated 16 November 2015 setting out
the POL preliminary results for the 31 March 2015 valuation and an estimate of the proportion of
leaving service benefits that are CPI-linked.
• We understand that the gilts ABO valuation is based on:
  - leaving service benefits which are linked to CPI revaluation in future;
  - all accrued benefits including any salary increases granted to date of calculation;
  - full gilt yield curves; and
  - no allowance for expenses.
• To the extent there are liabilities of the POL Fund that are not included in the Gilts ABO valuation, those
liabilities will not be included in our buy-out cost estimate either.
POL-BSFF-0078725_0148
Assumptions used
The following table summarises the assumptions adopted as at 22 February 2016 (two columns as on the
original slide; the column headings are not legible in the scan).
Discount rate | 2.30% | 2.15%
Inflation (RPI linked benefits) | 3.25% | 3.25%
Inflation (CPI linked benefits) | RPI price inflation less 1% pa | A deduction from RPI of 0.2% to 0.4% pa
Pension increases | Caps and floors applied using a fixed volatility model | Caps and floors applied using swap market rates
Pre-retirement mortality | Consistent with Statement of Funding Principles
Post-retirement mortality | Consistent with Statement of Funding Principles | Future improvements in line with the CMI 2014 core model with a 1.5% pa long term rate
Marital assumptions | Consistent with Statement of Funding Principles
Commutation | None
The financial assumptions are based on full yield curves and have been expressed as approximate single-
equivalent rates above.
POL-BSFF-0078725_0149
Scope
This document is a visual aid to complement an oral presentation and does not
constitute our written professional advice.
Written advice about any matters discussed should always be sought in order to
clarify the data relied upon, assumptions, conclusions and recommendations.
If you would like any assistance or further information, please contact the partner
who normally advises you.
This document should not be passed to any third party without our formal written
agreement as set out in the introduction (or by separate correspondence).
Our work in preparing this document is subject to and complies with the
Technical Actuarial Standard on reporting actuarial information (version 2), on
data (version 1) and on modelling (version 1), together with the Pensions
Technical Actuarial Standard (version 2) and the Transformations Technical
Actuarial Standard (version 1).
© Lane Clark & Peacock LLP 2016
[Footer, partially legible in the scan:] ...tered in England and Wales with registered number OC301436. LCP is a registered trademark in the UK (Regd. TM No ...) ... Lane Clark & Peacock LLP. A list of members' names is available for in... ... igmore Street ... V1U 1DQ, the firm's pr... of business and registered office. The firm is regulated by the Institute and Faculty of Actuaries in respect of a range of investment business activities. Locations in London, Winchester, Belgium, the Netherlands, Ireland and the UAE.
POL-BSFF-0078725_0150
POST OFFICE PAGE 1 OF 11
AUDIT AND RISK COMMITTEE DECISION PAPER
Review of ARC Terms of Reference
Author: Alwen Lyons — Sponsor: Alwen Lyons Meeting date: 17 March 2016
Executive Summary
Context
In line with best practice and as recommended by the UK Code of Corporate
Governance, a clear Terms of Reference ('TOR') for the Audit, Risk and Compliance
Committee ('ARC') should be in place and reviewed on an annual basis.
In September 2015 the ARC TOR was amended to incorporate areas of risk previously
covered by the Pensions and Financial Services Board Committees; this change was
approved by the Board on 22 September 2015 with effect from 1 October 2015.
See Appendix 1 for the current TOR.
Questions addressed in this report
1. Does the ARC have a clear and agreed TOR?
2. Has the Committee fulfilled the requirements of the TOR over the last year?
3. How will the Committee ensure it uses its time effectively in future and fulfils the
requirements set out in its TOR?
Conclusion
1. The requirements specified by the TOR are clear and approved by the Board.
2. The analysis carried out confirms that the ARC has fulfilled the requirements of its
TOR.
3. The draft ARC timetable set out in Appendix 2 is a proposed forward agenda for
ARC meetings which will ensure the ARC fulfils the requirements of its TOR in
2016/17.
Input Sought
The members of the ARC are asked to:
1. Confirm they believe they have fulfilled the requirements of the ARC TOR as
specified by the Board.
2. Feed back to the Company Secretary any comments on the proposed timetable
for future agendas.
POL-BSFF-0078725_0151
POST OFFICE PAGE 2 OF 10
The Report
1. The ARC is responsible for providing, among other responsibilities, oversight of
Post Office’s risk management systems, operational controls and key systems. It
was recognised in September 2015 that the ARC should have sole delegated
responsibility for oversight of risk across Post Office.
2. After the dissolution of the Pensions and Financial Services Board Committees the
ARC TOR was updated to incorporate risk across the Post Office. The current TOR
was agreed at the ARC meeting on 21 September 2015 and approved at the
Board on 22 September 2015.
3. The areas of the TOR (Appendix 1) have been assessed against the Committee
agendas, papers and decisions to ensure that the Committee has fulfilled its
requirements to the Board:
a) The ‘Purpose’ of the Committee is clear and agreed by the Board on 22
September 2015.
b) The ‘Composition and Terms of Office’ have been adhered to throughout the
year.
c) The ‘Meetings’ have convened in accordance with the TOR.
d) All ‘Other Governance Responsibilities’ have been discharged, including this
review of the TOR.
e) ‘Auditing Services’ are provided by Internal and External Auditors and both
the Head of Internal Audit and the External Auditors attend every ARC meeting.
Internal and External audit plans are agreed by the ARC.
f) The CFO attends the ARC and has time on the agenda to provide a regular
update on the ‘Accounting, Financial Control and Financial Reporting and
Disclosure’. The Interim and Annual Report and Accounts were reviewed by
the ARC.
The Annual statements and management’s explanatory notes were reviewed at
the May 2015 ARC in the presence of the External Audit partner. The External
Audit partner also provided confidential feedback on management to the ARC
members. A similar process was undertaken for the Interim Report at the
November 2015 ARC.
g) The ARC receives Risk and Internal Audit reports at every meeting. These
reports cover the 'Risk Management, Operational Controls and Policies'.
The Board agreed a Risk Appetite Statement on 28 January 2015 and this will
be reviewed during 2016/17. Management are putting in place a Risk
framework which is regularly reviewed at the Executive Risk & Compliance
Committee before discussion at the ARC. The work currently undertaken will
integrate back into the internal audit plan, which will be agreed by the ARC.
Areas of specific risk have been reported throughout the year and key further
actions agreed, for example cyber security in November, and incidents such as
the Subpostmaster Compensation Risk or the AML audit are reported when they
arise.
POL-BSFF-0078725_0152
POST OFFICE PAGE 3 OF 10
Reports have been received from Post Office Management Services Ltd ARC
(POMS ARC) at every meeting since the POMS ARC first met in September
2015.
4. The analysis shows that the ARC has fulfilled the requirements specified in the
TOR.
5. To enable the ARC to ensure it fulfils its TOR in 2016/17 a proposed ARC forward
agenda timetable is provided at Appendix 2, for feedback from ARC members.
POL-BSFF-0078725_0153
POST OFFICE PAGE 4 OF 10
APPENDIX 1
TERMS OF REFERENCE OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE
AS APPROVED BY THE BOARD ON 22 SEPTEMBER 2015
Purpose
1. The purpose of the Audit, Risk and Compliance Committee (“ARC” or the
“Committee”) is to assist the Board of Directors in fulfilling its fiduciary
responsibilities by:
(a) Contributing an independent view on the accounting, financial control and
financial reporting practices of the Company;
(b) Taking all reasonable steps to ensure accurate and informative corporate
financial reporting and disclosures which meet appropriate accounting and
corporate governance standards; and
(c) Providing oversight of the company’s risk management systems,
operational controls and key systems.
2. The responsibilities undertaken by the ARC under delegated authority from the
Board will be subject always to the powers and duties of the Board, as set out in
the Articles of Association.
Composition and Terms of Office
3. The Committee shall serve as a standing committee of the Board. Its Chairman
and members will be appointed by the Board. It shall consist of at least two
independent non-executive directors.
4. Only non-executive directors shall be eligible for membership of the Committee.
Members of the Committee will normally serve for a period of three years. Their
appointment may be renewed on an annual basis thereafter with the consent of
the Chairman of the Committee but no director shall serve for more than six years.
5. The quorum shall be two directors, of whom one will have recent and relevant
financial experience.
6. The Committee shall meet as often as required but at least three times per year.*
7. The Company Chairman and executive directors may be invited to attend any
meeting, or any part of any meeting, by the Committee Chairman.
8. The CFO, the General Counsel, the Head of Risk Governance and the Head of
Internal Audit (or those holding positions with responsibility for such roles,
howsoever named) and the Director, Financial Services will be permanent invitees.
9. The Company Secretary shall act as Secretary to the Committee and shall attend
all meetings to keep minutes and record actions.
POL-BSFF-0078725_0154
POST OFFICE PAGE 5 OF 10
10. The Committee Chairman will report regularly to the Board. Minutes of each
Committee meeting will be circulated to all members of the Committee and, once
agreed, to all members of the Board.
11. The External Auditors may attend all or part of any Committee meeting at the
invitation of the Committee Chairman. As a minimum the External Auditors will
attend to present their external audit plan for approval and to present their
reports.
12. The Company will provide current and new Committee members with any training,
briefings or induction required. The Company Secretary, Head of Internal Audit
and the External Audit Partner will keep members informed of relevant published
guidance as necessary.
Meetings
13. Any member of the committee or the Company Secretary may convene a meeting.
The External and Internal auditors may request a meeting with or without
management present.
14. Meetings may be held in person or by telephone or other electronic means, so long
as all participants can contribute to the meeting simultaneously.
15. Notice of each meeting shall be given to all those entitled to participate at least 2
working days before the meeting.
16. Meetings shall be planned in accordance with key reporting and financial planning
dates.
Other Governance Responsibilities
17. The Committee will:
(a) Review and update its terms of reference annually.
(b) Conduct an annual evaluation of the performance of its duties and
responsibilities and of its effectiveness, and discuss the results with the
Board of directors.
(c) Prepare an annual report on its activities for inclusion in the Annual Report
and shall review and approve on behalf of the Board statements to be
included in the Annual Report concerning financial controls, internal control
and risk management.
(d) In the absence of express authority from the Board, the Committee will
not, without the concurrence of both management and the auditors, have
either the responsibility or authority for altering the financial statements
or the accounting procedures of the Company.
Auditing Services
18. The Committee will:
(a) Review and recommend to the Board the nomination or discharge of the
independent external auditors, the proposed fees (in consultation with
management) and the acceptance of the scope and general extent of the
engagement.
POL-BSFF-0078725_0155
POST OFFICE PAGE 6 OF 10
(b) Formally review, challenge and approve the agreed annual external audit
plans and approach.
(c) Periodically review the scope, resourcing and capabilities of the Internal
Audit function.
(d) Review and re-approve the Internal Audit Charter on an annual basis.
(e) Approve each year in advance the Internal Audit plans and review both
resources and any proposed amendments that may occur through the
following year. The review should include methods employed by the
internal auditors to assess risk and to prioritise the various audit proposals
identified in the annual plan.
(f) Assume a primary role in the appointment, assessment and if necessary
the discharge of the Head of Internal Audit.
(g) Ensure the independence of the external and internal auditors including an
annual review of any non-audit services provided by either.
(h) Ensure free and effective communication between the Committee, external
auditors and internal auditors and hold separate sessions, or informal
meetings and contact as required. These meetings may discuss matters
that any of these groups believes should be discussed privately with or
without management.
(i) Ensure lines of communication are maintained with the Board.
Accounting, Financial Control and Financial Reporting and Disclosure
19. The Committee will:
(a) Review, discuss and consider with the external auditors their approach to
risk assessment and the scope and plan of their audits.
(b) Review the annual financial statements which are to be submitted to the
Board, including Management's explanatory notes. The review may
include:
• Reports from the external auditors as to the results of their examination
to date.
• Discussion of any problems regarding financial reporting which may
need to be reported in the annual report to the shareholders including
any disagreements that may have arisen between the auditors and
management in any area.
• Meeting(s) with the senior financial executives who shall outline any
problems as to financial policies, financial reporting or matters relating
to internal control and any matters in contention with or under
consideration by the external or internal auditors.
• The appropriateness of existing accounting principles being employed
and any change in accounting policies or practices which the corporate
auditors may refer to in their report to the shareholders, and the impact
on the Company's financial statements.
• Any proposed changes in the presentation of the financial statements
or accompanying notes which the auditors may recommend.
• Reviewing the annual report and accounts and advising the board on
whether, taken as a whole, it is fair, balanced and understandable and
provides the information necessary for the Company's shareholders to
assess the company's performance, business model and strategy.
POL-BSFF-0078725_0156
POST OFFICE PAGE 7 OF 10
• Other matters related to the conduct of the audit communicated to the
Committee under generally accepted accounting standards.
• The Management Letter.
(c) The Committee shall review with management any half yearly trading
statements or financial reports and the contents of any press release
concerning the Company’s financial performance or situation, before
release to the public or to shareholders.
Risk Management, Operational Controls and Policies
Risk Management Framework
20. The Committee will:
(a) Review the overall risk management framework in place for the Company
including its appetite for risk.
(b) Oversee the Risk and Compliance Committee activities and receive
summary reports as appropriate.
(c) Review the Company's overall risk position; regularly review the risk
register for the Post Office and its subsidiaries, and periodically invite
management to outline risk management strategy and status within their
specific business units.
(d) Review management’s assessment of the degree of risk the Company
prudently incurs in achieving a reasonable balance between the cost of
managing risk and control systems and the benefits derived.
(e) Consider and review areas of specific risk as highlighted by the Risk and
Compliance committee. This should include, but is not limited to, sufficient
coverage of strategic risk, financial risk, operational risk, technology risk
and cyber security, risk relating to the investment strategy and funding
requirements of existing and new pensions schemes established for the
benefit of previous, current and future employees, conduct risks relating
to the financial services businesses operated by both Post Office Limited
and its subsidiaries and joint ventures, reputation, legal and regulatory
risks, major change initiatives and people risks.
(f) Review legal, regulatory and any other matters that may have a material
impact on the financial statements, related Company compliance policies,
and programmes and reports prepared to manage and monitor Company
compliance policies.
(g) Consider whether any remuneration policy adopted by either Post Office or its subsidiaries, or the implementation of any such policy is consistent with Post Office risk appetite particularly in relation to conduct risk.
(h) Consider the impact of any new legislative, regulatory, market or other
developments which could materially or adversely affect Post Office and its
subsidiaries.
Controls and Policies
21. The Committee will consider and review with the external auditors and the internal
auditors:
(a) The adequacy of the Company’s internal controls.
(b) Recommendations for the improvement of the Company's internal controls, processes and systems.
(c) Significant findings (the “management letter” from external auditors) and recommendations together with management's responses.
(d) Any reportable restrictions experienced regarding scope or access to required information by either external or internal audit.
Fraud, Theft and Ethics
22. The Committee will:
(a) Review with management their fraud assessment, detection measures and
their investigation of illegal acts, as appropriate.
(b) Review any summary of frauds, thefts and other irregularities of any size.
(c) Review with the internal auditors and the external auditors the results of any review of the compliance with the Company’s codes of ethical conduct and similar policies including whistleblowing.
Risk Management - Other
23. The Committee shall specify from time to time the reports and management
information which it requires in order to discharge its responsibilities. The minutes
of the POMS ARC will be provided to the Committee for noting.
24. The Committee shall have the power to conduct or authorise investigations into
any company matters within the Committee’s scope of responsibilities. The
Committee shall be empowered to obtain independent legal advice, and engage
counsel, accountants, or others to assist it in the conduct of any investigation.
25. The Committee shall perform such other functions as may be assigned or
delegated to it by the Board, and may review other items of an internal control or
risk management nature which may from time to time be brought before the
Committee.
APPENDIX 2
ARC FORWARD PLANNER - proposed topics and allocation (assuming 5 meetings per year)
Columns: Items | Nov 2015 | Proposed: 1) Jan | 2) Mar | 3) May | 4) Sep | 5) Nov
[The tick marks allocating each item to meeting columns are not recoverable from the scan.]
1. Standing Agenda Items
2. Governance Items
• Review of ARC Terms of Reference and Internal Audit Charter
• External Auditor - review/ appointment/ re-appointment/ non-audit fees - recommendation to Board
• ARC effectiveness self-assessment (triennial by independent)
3. Financial Reporting and Disclosure
• Financial statements - interim review
• Financial statements - full year review and recommendations to the Board
• External Audit management letter
• Review and approve External Audit plan
4. Internal Audit and Risk Management and Control
• PO Risk Profile (including Horizon Scanning)
• Internal Audit - approval of the upcoming plan
• Key Policies Framework - progress
5. Compliance
• Regulation
  - Anti Bribery & Corruption
  - Anti Money Laundering
  - Competition Law
  - Data Protection
• Conduct/ People
  - Customers (e.g. Vulnerable, Conduct issues)
  - Ethics and Code of Conduct
• Fraud and Theft
(Two meeting columns are marked "Keep free" against the Compliance rows.)
CONT. proposed topics and allocation (assuming 5 meetings per year)
Columns: Items | Nov 2015 | Proposed: 1) Jan | 2) Mar | 3) May | 4) Sep | 5) Nov
6. Deep Dives
• FS Deep Dives on specific issues
• Pensions
• Health and Safety
• Incident Management, Disaster Recovery & Crisis Management
• Cyber / IT Security
(Two meeting columns are marked "Keep free" against the Deep Dives rows; the remaining tick marks are not recoverable from the scan.)
7. Other
• Insurance Renewals
Annual Self Assessment of the Internal Audit Charter by Garry Hooton 3/3/16
Charter Component Evidence
1. Goals of Internal Audit
Charter Component:
• To provide the Board with independent and objective assurance over Post Office organisations controls.
• Provide assurance that the Post Office processes for identifying, assessing and managing risks are effectively deployed.
• To help management improve their decision making processes, controls and operations through risk and control advice and support.
2. Independence
2.1 Reporting Line
Charter Component:
• The Head of Internal Audit will report to the Chairman of the Audit Committee who is a Non Executive Director of the Board, and on a day to day basis to the General Counsel. The Head of Internal Audit has access to the Board Chairman, Non Executive Directors and the CEO. The Internal Audit staff report to the Head of Internal Audit.
Evidence:
• The reporting lines as described are in place and working effectively.
3. Role and Scope
Charter Component:
The role of Internal Audit is to understand the key risks of the organisation and to examine and evaluate the adequacy and effectiveness of the frameworks of risk management and internal control as operated by the organisation. Internal Audit will therefore review, appraise, evidence and report on:
• The adequacy and effectiveness of the frameworks of:
  - Operational control across the organisation including outsourced services.
  - Financial control
  - Management control
• The integrity of processes and systems, including those under development, to ensure that controls offer adequate protection against error, fraud and loss.
• Company policies, standards and procedures including their use and appropriateness.
• National and International legislation where applicable are effectively recognised and acted upon.
• The operation of the organisation’s corporate governance and risk governance arrangements.
• Significant aspects of the organisation’s activity including major projects and change programmes and as directed by the Audit Committee.
Evidence:
• The role and scope is well understood and reinforced with regular meetings with management. Greater involvement at GE level has recently been formalised.
Confidential ver 1.1 Page 1 of 8
Fraud
Charter Component:
• Management remain responsible for establishing and maintaining systems for the prevention of fraud and theft.
• The internal audit department may be requested to assist in the investigation of significant suspected fraudulent activities and notify the Audit Committee of the results.
• Where regular audit work may reveal fraud risk or actual fraud and irregularities, this will be reported to management, the risk and audit committees.
Other key stakeholders
• The Internal Audit team will liaise with other providers of assurance including second line defence functions, external audit and Risk Governance Compliance.
4. Access and Authority
Charter Component:
• The Post Office Internal Audit team have unrestricted access to all functions, records, property and personnel at all management levels including the external auditors and contractors insofar as it applies to authorised audits, reviews and investigations.
• All members of the Internal Audit team will abide by company and professional standards with regards to confidentiality. Audit files and evidence will be appropriately secured.
• Where information is of particular sensitivity, management may request that access be restricted to the Head of Internal Audit only.
• If required access has not been forthcoming and following due process remains as such and this has a significant restriction on the effective completion of an audit, the limitation should be reported. Effort to resolve the situation should be undertaken and only after these steps should such limitations be reported to the Audit Committee.
Evidence:
• Liaison is in place with all of the relevant functions within Post Office and its key partners.
• No restrictions have been encountered.
• All team members are professionally qualified and abide by the relevant standards - all records are appropriately secured.
• Such instances would be noted for ARC.
• Escalation mechanisms are in place via General Counsel.
4.1 Reporting on activity
Charter Component:
• The findings on engagements shall be cleared upwards through line management and to the appropriate GE member. Reports will be summarised for the Audit Committee, who may request access to the full reports. Reports will also be provided to the CEO, CFO and Head of Risk Governance Compliance as appropriate.
• Formal reports will be classified as confidential. Access to final reports by individuals not directly associated with the audit, shall be approved by the Head of Internal Audit and the owning Executive Committee member.
Evidence:
• Report clearance process is through line management and relevant GE member, prior to RCC and ultimately the ARC.
5. Audit Plan
Charter Component:
• The Head of Internal Audit will submit a rolling risk based plan for approval by the Audit Committee, review progress with the audit committee quarterly and where necessary amend the plan to reflect changing risk priorities.
• The plan will project a maximum of 6-12 months into the future although some areas will require annual review.
• This plan will also be made available to the Board and the Executive Committee and be flexible to requests from the business that arise during the year.
• Audits will generally be planned alongside management and announced but at times visits, checks and investigations may be unannounced to the business area concerned. This includes all aspects of the group including head office functions.
• A follow up process will be implemented. The results of follow ups including the implementation rate of recommendations will be reported to the Audit Committee on a periodic basis.
Evidence:
• Annual plan to ARC each March meeting for approval with updates at each subsequent ARC, with requests for changes as necessary.
• Process in place, under regular review.
5.1 Management Requests
Charter Component:
Management may make requests for audits or reviews through the year.
• Requests will be evaluated in terms of risks and effort will be made to address these requests wherever possible.
• Other than short assignments, the Audit Committee should be informed of proposed changes to the plan especially where this will impact delivery or delay start of currently planned work.
• The Chair of the Audit committee and the Head of Internal Audit will discuss significant changes to the plan and agree steps with the business.
Evidence:
• All such requests are reviewed and referred as necessary.
6. Audit Committee Liaison
Charter Component:
• The Head of Internal Audit should meet with the Chairman of the Audit Committee outside of regular audit meetings, without the presence of management at least twice a year.
• The Head of Internal Audit may meet with any of the other members of the Audit Committee and with the external audit partner outside of Audit Committee meetings.
• All members of the committee may request a meeting with the Head of Internal Audit to discuss risk, control and audit matters.
• The Head of Internal Audit will ensure that all audit committee members are confident in fulfilling their responsibilities and provide support and guidance where requested.
Evidence:
• One meeting has already been held, further meetings will be planned.
7. Staffing and Resource
Charter Component:
• The Head of Audit shall ensure that the department is sufficiently resourced to carry out its duties in terms of professional competency, business knowledge and awareness and technical proficiency. Additional technical training needed to ensure an audit can be effectively conducted should be arranged.
• Specific audit tools to improve efficiency and effectiveness of audits (such as for extraction and analysis of large quantities of data) should be identified and obtained.
• In accordance with international standards, the department should not undertake audit work where it does not feel it is sufficiently skilled to do so. In which case, specialised services or staff from either within the organisation or external to it should be considered and sought.
Evidence:
• Audit plan is prepared with resource constraints in mind. Exceptional additional work requests would be met by suitably qualified Co-source colleagues (subject to authorised additional budget).
• Tools would be identified and sourced as necessary with the relevant business cases presented.
• We have an existing Co-source agreement with PwC which is used in such circumstances.
8. Advice and support
Charter Component:
• Internal Audit should not be required to:
  - Perform operational duties
  - Operate controls, other than those within the department
  - Approve accounting transactions outside of the department.
  - Implement controls that are the responsibility of management.
• It is within normal accepted practice and International Internal Auditing Standards for Internal Audit to be requested to assist in a facilitative or consulting nature. Where this falls within the general remit of advising on risk and control this will be considered part of the service offering, with regard to resources available and time required.
• Where it is agreed as appropriate for a member of the IA team to provide significant input to an activity or project that is beyond the normal remit which means they should be temporarily seconded to another department or team, then the following will take place:
  - The request will be approved jointly by the Head of Internal Audit and the Chairman of the Audit Committee.
  - The resource impact on the approved audit plan should be approved by the Audit Committee who will either approve the reduction in scope to the audit plan or request the Board to approve temporary resource to address the shortfall.
  - The work conducted by the seconded member will be the responsibility of the receiving manager, not the Head of Internal Audit. The work will not be defined as internal audit.
Evidence:
• The IA team are not involved in any such activities.
• We are currently assisting Legal/Property with ensuring Property Compliance is effective.
• Any such request would be referred to both GC and Chair of ARC.
9. Standards of Audit Practice
Charter Component:
• The Head of Internal Audit will implement recognised international internal auditing standards and techniques such as those developed by the Institute of Internal Auditors, COBIT and COSO as appropriate to the Post Office.
Evidence:
• International Auditing Standards as published by the Global Institute of Internal Auditors are followed.
Head of Internal Audit Dated: 3rd March 2016
Garry Hooton
POST OFFICE BOARD
AUDIT RISK & COMPLIANCE COMMITTEE GOVERNANCE UPDATE
‘Horizon Spotting’ Report
Author: Jane MacLeod Meeting 17 March 2016
Executive Summary
Context
As part of its remit, the Board Audit Risk & Compliance Committee should consider legal,
regulatory and other external developments on behalf of the Board in order to ensure
that impacts on Post Office (including its customers, staff, suppliers and stakeholders)
are understood and being appropriately managed. This report highlights current
developments of relevance to Post Office and the work that is being done to monitor
these.
Questions this paper addresses
1. What are the material legal, regulatory and other external risks the Post Office
executive and Board should currently be aware of?
2. What work is being undertaken to assess, monitor and mitigate these risks?
3. Who is accountable for this work and how will it be reported through Post Office
governance structures?
Conclusion
1. There are a number of material developments which either will or could impact Post
Office and details of these are set out in this summary.
2. In each case work is being undertaken to monitor and assess the risks arising from
these developments. The Corporate Services team is working with the different
stakeholders to progress this assessment.
3. Governance structures and reporting lines will be developed to ensure there is
appropriate representation from across Post Office in formulating responses to, and
mitigation plans for, these developments.
Input Sought
The ARC is asked to note these developments.
Strictly Confidential Board Intelligence Hub template
The Report
Money Laundering
1. The UK has, consistent with international developments, a comprehensive
regulatory framework to mitigate against the risk of money-laundering and
terrorist financing. Post Office is regulated by HMRC for a: bureau de change (walk
in on demand, buy back and branch pre order), b: third party cheque encashment
and c: bill payments. AML Regulations requires a series of mandatory activities
such as Customer Due Diligence checks and completing and filing suspicious
activity reports, with risk based activities such as staff vetting, training, risk based
monitoring of activities, and controls built into design of products.
2. Those products and services which carry the greatest risk are bureau de change,
cheque encashment, Moneygram, personal and business banking and services
provided to third party money bureau services by Supply Chain.
3. Post Office’s anti-money laundering (‘AML’) and counter-terrorist financing (‘CTF’)
frameworks are still at an immature stage and work in this area has been absorbed
by the pre-existing financial crime team, with no additional resource. Following
suspected breaches of the anti-money laundering framework in branches last year,
I commissioned a report from a regulatory specialist firm — Promontory, to assess
the state of Post Office’s framework (particularly in light of the 4th Money
Laundering Directive enacted during June 2015 and which must be implemented
by mid-2017) and identify those areas requiring improvement. That report has
now been received and contains recommendations covering policies, procedures,
MI, detection and monitoring tools and resourcing.
4. In addition, the new Partner Banking Framework has driven work to upgrade
certain policies - including that in relation to AML.
5. We have recently been advised by HMRC that they propose to conduct an AML/CTF
compliance audit on Post Office. This audit will be conducted over a 6-8 month
timeframe and will require the supply of significant amounts of documentation,
interviews with relevant staff as well as managing visits to over 150 branches
including Crowns, multiples, and agency branches. HMRC have flagged that their
review will include (but not be limited to) reviews of:
• relevant activities and supervisory responsibility;
• current operational structure in relation to relevant activities;
• POL Compliance team roles and high level overview of compliance monitoring activity;
• documentation covering AML Risk Assessment, policies and procedures, staff training and Sub post office on-boarding procedures;
• over counter transaction data (from Horizon System);
• monitoring activity; and
• bill payment, cheque encashment and MSB supply chain activity.
6. In order to manage this increased workload on top of the BAU activity for both
financial crime and AML, we have established a project which I am sponsoring, to
address both the compliance audit and the parallel work to respond to the
Promontory recommendations.
7. ‘Failing’ the compliance audit is likely to have potentially material adverse impacts
on relevant business activities, as well as creating issues with stakeholders such
as HMRC, Treasury, BIS and the FCA (as the regulator for both POMS and Payment
Systems); and will also potentially be de-stabilising for financial services clients
including under the Banking Services Framework and POCA.
8. I will provide regular reports to the ARC on the progress of this work, the findings
from it, and the implications for Post Office.
Brexit
9. The date for the EU Referendum has now been established as 23rd June. Although
the Post Office trades within the UK, the embedded nature of the EU within UK
economic, corporate and political life, and Post Office’s complex supplier, Client
and partner base, mean that the implications to Post Office of a potential exit vote
are substantial.
10. There are a number of direct risks (such as changes in employment, procurement
legislation etc) which would impact Post Office but which will play out over a
lengthy period (at least two years notice of leaving the EU plus a potential period
of more than five years for establishing replacement trade relations with the EU).
There are also a number of indirect risks (impact on sterling, politics, economic
growth, uncertainty, a further Scottish independence referendum) which may have
more immediate impact. For example, if there is a Brexit vote, the policy and
legislative implications may become all-consuming for Government's time and
energy from Summer 2016 - at the very time Post Office and Government are
seeking to determine the funding and policy arrangements that need to apply post
2018.
11. I will establish a steering group (reporting to the Group Executive - membership
to be agreed) to oversee and coordinate the work to identify the potential risk
areas and potential mitigation activities. In addition the corporate affairs and
communication approaches of the company during the referendum campaign are
being established (with due recognition of Post Office’s public ownership status
and any ‘quasi purdah’ arrangements that will be relevant to the referendum
campaign period). The Post Office will prepare a position of ‘informed readiness’
to be effectively placed to readily navigate the very complex and uncertain
environment in the case of potential Brexit.
General Data Protection Regulations (GDPR)
12. On 15th December 2015, the European Parliament and the Council of the European
Union reached an informal agreement on the GDPR. It is expected that the
European Parliament and the Council will formally adopt the GDPR early
in 2016. Although these new regulations will not come into effect for 2 years,
there will be significant changes required to Post Office’s operations to ensure we
are compliant as at the date of implementation.
13. The changes include:
• Wider definition of ‘personal data’;
• Stricter criteria for consent;
• More onerous information security standards and notification requirements for breach;
• More onerous governance and accountability requirements;
• Greater emphasis on only holding the minimum data necessary;
• Contracts - likely that new additional mandatory terms will be required.
• Right to be forgotten and data portability.
• Profiling - there will be impacts on the extent to which profiling is permitted. This will have a material impact on data analytic solutions.
• Fines & compensation:
  - Maximum fine for infringement will increase. Onerous notification requirements will be imposed where breaches have occurred; and
  - Greater powers for regulator.
14. Scoping the impact of these new rules on Post Office will be a major exercise. I
will shortly initiate a project to scope the impact of these regulations on Post Office
to understand the scope of the work that will be required. The results of that
scoping work will be reported to the Group Executive with the expectation that a
formal project will be established to facilitate implementation.
Networks and Information Security Directive
15. This Directive will come into effect during 2017 and aligns cyber security reporting
and standards across the EU. The Information Security team (reporting to me)
are leading work to ensure that our systems will facilitate compliance; this includes
working with the CIO function to ensure new technical controls are applied for the
reporting of risk control requirements. This directive will align with the GDPR.
Progress on implementation will be reported to the RCC.
Modern Slavery Act 2015
16. This legislation is now in force. The Act has introduced changes designed to
increase transparency in supply chains. Specifically, large businesses will be
required to disclose the steps they have taken to ensure their business and supply
chains are free from modern slavery (that is, slavery, servitude, forced and
compulsory labour and human trafficking). This will include making a statement
each year of the steps taken (if any) to ensure modern slavery is not taking place
in the organisations’ own business and its supply chains. Businesses with a year
-end of March 2016 will be required to publish a Statement covering that financial
year. The statement will need to be approved by the board and signed by a
director.
17. The HR and Legal teams are working together (under the leadership of the Group
People Director) to scope the implications for Post Office and prepare the
statement to be contained in the Post Office Annual Report.
Enterprise Bill
18. The Enterprise Bill which has now been tabled in parliament, includes proposals to
cap termination payments to certain public sector employees at £95,000. This will
impact Post Office and POMS. A number of government owned businesses have
sought to be exempted from the effect of these provisions on the basis that they
will voluntarily comply with the new rules. The components of pay that are
included within the cap are drafted widely and it is therefore believed by
commentators that this cap will catch a significant number of employees.
19. The impact on Post Office and POMS is being considered by HR and Legal and we
are monitoring the progress of the Bill, as well as exploring whether Post Office
and POMS could be exempted and if so on what terms. The key concern is that
these restrictions will make it more difficult for Post Office as a commercial
business to compete for the recruitment of staff from the private sector which is
obviously not subject to any such restriction.
Senior Managers’ Regime
20. The Senior Managers’ Regime came into effect on 7 March 2016 for major banks
and those insurance companies which are subject to Solvency II. The FCA has
flagged that it proposes to extend the regime to all financial service entities (which
would include POMS) by end 2018 although the scope and timing of this are as yet
unclear. Appointed Representatives will also become subject to the regime in this
timeframe. My team, together with representatives from Financial Services and
POMS are monitoring developments with a view to assessing the impact that the
extension of the regime will have on POMS as a regulated entity, and on Post Office
as an appointed representative of each of Bank of Ireland and POMS.
21. Regular updates will be provided to the ARC from time to time as we obtain greater
clarity on the requirements and implications.
Mails — International Data Capture
22. New EU regulations will come into effect in May 2016 requiring mail operators to
capture sender and receiver information for international parcels. Penalties for
non-compliance will be levied from December 2020. Aspects of the regulation are
not clear - including in particular whether this regulation applies directly to Post
Office, or whether the principal obligation applies to Royal Mail. Nevertheless, Post
Office will need to make systems changes to allow this data to be collected and
transmitted and RMG have raised a contractual change request to implement this
change. Post Office is unlikely to be able to meet the May implementation date.
Legal is supporting the mails team to understand the regulatory obligations,
determine whether the primary liability falls on Post Office or Royal Mail, and to
assess the risk of non-compliance. Updates on this will be provided to the
executive Risk & Compliance Committee once the position has been clarified.