POL00362236 - POL Terms of Reference for Audit, Risk and Compliance Committee

Evidence on official site

POL00362236

POL00362236

Post Office Limited
(“the Company”)

Terms of Reference of the Audit, Risk and Compliance Committee

The Audit, Risk and Compliance Committee (the “Committee”) is a Committee of
the Post Office Limited Board (“the Board”) from which it derives its authority
and to which it reports after each meeting. Its authority is always subject to the
powers and duties of the Board, as set out in the Articles of Association.

A.

1.

PURPOSE

The purpose of the Committee is to assist the Board of Directors in fulfilling
its fiduciary responsibilities by:

i. Contributing an independent view on the accounting, financial
control and financial reporting practices of the Group’;

ii. Taking all reasonable steps to ensure accurate and informative
corporate financial reporting and disclosures which meet
appropriate accounting and corporate governance standards; and

iii. Providing oversight of the Group’s risk management systems,
operational controls and key systems, including monitoring
exposures to the Group Risk Appetite.

DUTIES AND RESPONSIBILITIES

Financial Reporting
The Committee shall:

Monitor the integrity of the financial statements of the Company, including
its annual report and half yearly reports and any other formal statements
relating to its financial performance, and review and report to the board on
significant financial reporting issues and judgements which those
statements contain having regard to matters communicated to it by the
auditor.

Review and approve for recommendation to the Board the Annual
Report and Accounts, including but not limited to:

i. Reports of the External Auditor;

ii. any proposed changes in presentation of the financial statements or
accompanying notes which the auditors may recommend; and

iii. the Management letter.

Review and approve for recommendation to the Board the half year
financial report or trading statement for publication.

ce Lim
d Payzone Bil

Post Office Management Ser

PUBLIC 1
POL00362236

POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

5.

10.

11.

Review and report to the Board on significant financial reporting issues,
including, but not limited to:

i. the consistency of, and any changes to, significant accounting policies
both on a year on year basis and across the Company/Group;

ii.the methods used to account for significant or unusual transactions
where different approaches are possible;

iii. whether the Company has followed appropriate accounting standards
and made appropriate estimates and judgements, taking into account
the views of the External Auditor;

iv. the clarity and completeness of disclosure in the Company’s financial
reports and the context in which statements are made;

v.all material information presented with the financial statements, such
as the business review and the corporate governance statements
relating to the audit and to risk management; and

vi. an overview of the extent to which the Annual Report and Accounts
are fair balanced and provide the information necessary to the
Shareholder? to assess the Company’s performance, business model
and strategy.

Report to the Board where the Committee is not satisfied with any aspects
of the proposed financial reporting by the Company;

Approve the Group Treasury and banking policies, including methods of
mitigating against foreign currency exposure and any use of financial
derivatives.

Approve for recommendation to the Shareholder any changes to the
accounting reference date, practice or policy by any Group Company, if
different from those previously adopted by the Group, unless required by
law or generally accepted accounting principles.

Approve any changes to accounting policies required by law or generally
accepted accounting policies.

Internal Controls and Risk Management Systems
The Committee shall:

Along with the external and internal auditors, monitor the adequacy and
effectiveness of the Company’s internal financial controls and other internal
control and risk management systems.

Review recommendations for the improvement of the Company’s internal
controls, processes and systems.

> The Department for Business, Energy and Industrial Strategy

PUBLIC 2
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

12. Review and approve the statements to be included in the Annual Report
concerning internal controls and risk management.

13. Review the overall risk management framework and strategy in place for
the Group including its risk appetites and tolerance.

14. Review the Company's overall risk position and periodically invite
management to outline risk management strategy and status within their
specific business units.

15. Review management's assessment of the degree of risk the Company
prudently incurs in achieving a reasonable balance between the cost of
managing risk and control systems and the benefits derived.

16. Review areas of specific risk as highlighted by management, including
enterprise and business risk.*

17. Monitor the Risk and Compliance Committee activities and receive
summary reports as appropriate.

18. Review legal, regulatory and any other matters that may have a material
impact on the financial statements, related Group compliance policies, and
programmes and reports prepared to manage and monitor Group
compliance policies.

19. Review whether any remuneration policy adopted by either the Company
or its subsidiaries, or the implementation of any such policy is consistent
with the risk appetite particularly in relation to conduct risk.

20. Monitor the impact of any new legislative, regulatory, market or other
developments which could materially or adversely affect the Group.

21. Receive reports on specific breaches and incidents and review
management plans for resolution. The Committee will also review
management plans for root cause analysis resulting from breaches and
issues.

22. Approve the overall levels of insurance for the Group, including directors’
and officers’ liability insurance and any arrangements for indemnity of
directors.

Compliance, Whistleblowing and Fraud
The Committee shall:

employees,

PUBLIC 3
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

23. Review with the internal auditors and the external auditors the results of
any review of the compliance with the Company’s codes of ethical conduct
and similar policies including whistleblowing?>.

24. Review at least annually the adequacy and security of the Company’s
arrangements for its employees and contractors to raise concerns, in
confidence, about possible wrongdoing in financial reporting, regulatory
breaches or other matters. The Committee shall determine that these
arrangements allow proportionate and independent investigation of such
matters and appropriate follow up action

25. Review the Group’s procedures for detecting fraud and the systems and
controls for prevention of bribery and any non-compliance.

26. Review any summary of frauds, thefts and other irregularities of any size.

27. Review the regular reports from the Money Laundering Officer and monitor
he adequacy and effectiveness of the Group’s anti-money laundering
systems and controls.

28. Review regular reports from the Director of Compliance and monitor
adequacy and effectiveness of the Group’s compliance function.

29. Review late statutory filings and the circumstances around such lateness.

Internal Audit
The Committee shall:

30. Approve the appointment or termination of appointment of the Head of
Internal Audit.

31. Approve the Internal Audit Charter every two years®.

32. Review and approve the annual Internal Audit Plans, including any
changes to these plans, to ensure they are aligned to the key risks of the
business and review reports on work carried out. The review should
include methods employed by the internal auditors to assess risk and to
prioritise the various audit proposals identified in the annual plan.

33. Ensure internal audit has unrestricted scope, the necessary resources and
access to information to fulfil its mandate.

ng the company’s supply chain and pr

be to grant Internal Audit unfettered

dards.

PUBLIC 4
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

34.

35.

36.

37.

38.

39.

40.

41.

42.

Ensure the Internal Auditor’ has direct access to the Board Chair and to
the Committee Chair, and is accountable to the Committee.

Monitor and review annually the effectiveness of the internal audit
function in the context of the Group's overall risk management system
and the work of compliance, finance and the external auditor and as part
of this assessment:

i. Meet with the Head of Internal Audit without the presence of
management

ii. Review the annual internal audit plan work and results
iii. Determine whether it is satisfied that the quality, experience and
expertise of internal audit is appropriate for the business
iv. Review actions taken by management to implement the
recommendations of internal audit and to support the effective
working of the function.

Ensure the independence of the internal auditor including an annual
review of any non-audit services provided by internal audit.

Determine whether an independent, third party review of processes is
appropriate.

External Audit
The Committee shall:

Approve for recommendation to the Board the appointment,
reappointment or removal of the independent external auditors, the
proposed fees (in consultation with management) and the acceptance of
the scope and general extent of the engagement.

Review and approve the selection procedure for the appointment of the
audit firm in accordance with applicable regulatory requirements, ensuring
that all tendering firms have access to all necessary information and
individuals during the tendering process.

If an Auditor resigns, review the issues leading to this and determine
whether any action is required.

Review and approve the agreed annual external audit plans and
approach to risk assessment and the scope and plan of their audits.

Review the findings of the audit with the external auditor. This shall
include discussing any major issues which arose during the audit including
(but not limited to) key accounting and audit judgement and the levels of
error identified.

the Internal Au

provider

or include the Head of Internal Audit (or their representative) and tl

PUBLIC 5
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

43. Review any representation letter(s) requested by the External Auditor
before they are signed by management.

44. Review the management letter and management's response to the
auditor’s findings and recommendations.

45. Monitor and review annually the independence of the external auditors
including level of fees paid, an annual review of any non-audit services
provided by the external auditors and auditor’s processes for maintaining
independence.

46. Approve the Group’s policy on non-audit services by the auditor.

47. Meet regularly with the external auditor (including once at the planning
stage before the audit and once after the audit at the reporting stage)
and, at least once a year, meet the external auditor without management
being present, to discuss the auditor’s remit and any issues arising from
the audit.

48. Review annually the qualifications, expertise and resources of the
external auditor and the effectiveness of the audit process, which shall
include a report from the external auditor on their own internal quality
procedures, an assessment of the quality of the audit, handling of key
judgement by the auditor and the auditor’s response to questions from
the Committee.

49. Ensure co-ordination of the external audit with the activities of the
internal audit function.

Cc. REPORTING RESPONSIBILITIES

50. The Chair shall report formally to the Board on its proceedings after each
meeting on all matters within its duties and responsibilities and shall also
formally report to the Board on how it has discharged its responsibilities.
This report shall include:

i. the significant issues that it considered in relation to the financial
statements (required under paragraph 5) and how these were
addressed;

ii. its assessment of the effectiveness of the external audit process
(required under paragraph 48), the approach taken to the
appointment or reappointment of the external auditor, length of
tenure of audit firm, when a tender was last conducted and advance
notice of any retendering plans; and

iii.any other issues on which the board has requested the Committee’s

opinion.

PUBLIC 6
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

51. Advise the Board on any area it deems appropriate within its remit where
action or improvement is needed.

52. Report on its activities in the Group’s annual report. The report should
describe the work of the Committee, including®:

i. the significant issues that the Committee considered in relation to
the financial statements and how these issues were addressed;

ii. an explanation of how the Committee has assessed the
independence and effectiveness of the external audit process and
the approach taken to the appointment or reappointment of the
external auditor, information on the length of tenure of the
current audit firm, when a tender was last conducted and
advance notice of any retendering plans; and

iii. an explanation of how auditor independence and objectivity are
safeguarded if the external auditor provides non-audit services,
having regard to matters communicated to it by the auditor.

53. The Company’s Subsidiary Companies shall provide reports to the
Committee on a regular basis and as requested by the Committee.°

D. AUTHORITY
The Committee is authorised to:

54. Seek any information it requires from any employee of the Company in
order to perform its duties.

55. Obtain, at the company’s expense, independent legal, accounting or
other professional advice on any matter if it believes it necessary to do
so.

56. Call any employee to be questioned at a meeting of the Committee as
and when required.

57. Have the right to publish in the company’s annual report, details of any
issues that cannot be resolved between the committee and the board. If
the board has not accepted the committee’s recommendation on the
External Auditor appointment, reappointment or removal, the annual
report should include a statement explaining the Committee’s
recommendation and the reasons why the board has taken a different
position

PUBLIC 7
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

58. Conduct or authorise investigations into any Group matters within the
Committee’s cope of responsibilities.

59. In the absence of express authority from the Board, the Committee will
not, without the concurrence of both management or discharge of the
independent auditors, have either the responsibility or authority for the
altering of the financial statements or the accounting procedures of the
Group.

E. COMPOSITION AND GOVERNANCE
Membership

60. The Chair and members of the Committee will be appointed by the
Board, acting on the recommendation of the Nominations Committee.

61. The Committee shall consist of at least two independent non-executive
directors and only independent non-executive directors shall be eligible
to be members of the Committee. The Chair shall not be a member of
the Committee.

62. The Committee Chair shall be appointed by the Board. In the absence of
the Committee Chair and/or an appointed deputy at a Committee
meeting, the remaining members present shall elect one of themselves
to chair the meeting.

63. The Chair of the Company and Executive Directors may be invited to
attend any meeting, or any part of any meeting, by the Committee
Chair.

64. The Group Chief Financial Officer, the Group General Counsel, the Head
of Risk, the Director of Compliance and the Head of Internal Audit (or
those holding positions with responsibility for such roles, howsoever
named) will be permanent invitees.

65. The External Auditors may attend all or part of any Committee meeting
at the invitation of the Chair. As a minimum the External Auditors will
attend to present their external audit plan for approval and to present
their reports.

Quorum

66. Quorum shall be two members, of whom one will have recent and
relevant financial experience.

Committee Secretary

PUBLIC 8
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

67. The Company Secretary, or his or her nominee, shall act as Secretary to
the Committee and shall attend all meetings to keep minutes and record
actions.

Frequency

68. The Committee shall meet as often as required but at least three times
per year.

Governance

69. Meetings may be held in person or by telephone or other electronic
means, so long as all participants can contribute to the meeting
simultaneously.

70. Notice of each meeting shall be given to all those entitled to participate
at least three working days before the meeting. Meetings shall be
planned in accordance with key reporting and financial planning dates.

71. Meetings for the Committee will be convened by the Secretary, at the
request of Chair or any of the members and the External Auditor or Head
of Internal Audit, if they consider it necessary. The Secretary will be
responsible for setting the venue date and time of meetings in
consultation with the Chair. All papers supporting the meeting will be
issued in good time, one week in advance of the meeting date.

72. The Chair will report regularly to the Board. Minutes of each Committee
meeting will be circulated to all members of the Committee and, once
agreed, to all members of the Board.

73. The Company will provide current and new Committee members with any
training, briefings or induction required. The Group Company Secretary
(or his/her nominee), the Group Chief Financial Officer, the Group
General Counsel, the Head of Risk, the Director of Compliance, the Head
of Internal Audit (or those holding positions with responsibility for such
roles, howsoever named) and the External Audit Partner will keep
members informed of relevant published guidance as necessary.

F. ANNUAL REVIEW AND APPROVAL

74. The Committee will undertake an annual review of its performance and
the Terms of Reference. The outcome of these review will be
recommended to the Board for approval (notwithstanding amendments
approved by the Committee whenever so required).

{Approved by: I Date: Version: [Effective from:

PUBLIC 9
POL00362236
POL00362236

Post Office Limited
Terms of Reference of the Audit, Risk and Compliance Committee

Post Office Limited Board) 23 January 2013
Post Office Limited Board) 26 March 2014
Post Office Limited BoardI 22 September 2015
Post Office Limited Board] 8 April 2020

23 January 2013
26 March 2014

22 September 2015
09 April 2020

tea teates
Couey eaten

PUBLIC 10