ARC (08)15
01-12
POL00396009
Royal Mail - Strictly Confidential
ROYAL MAIL HOLDINGS plc
(Company no. 4074919)
AUDIT AND RISK COMMITTEE
Minutes of the meeting held at 148 Old Street on 6th March 2008
Members of the Committee Present:
Helen Weir - Non Executive Director, Chair of the Committee
Richard Handover - Non Executive Director
Margaret Prosser - Non Executive Director
In attendance:
Adam Crozier - Chief Executive
Ian Duncan - Group Finance Director
Jonathan Evans - Company Secretary
Doug Evans - General Counsel
Derek Foster - Internal Audit & Risk Management Director
Mike Moores - Financial Management & Control Director
Sarah Hall - Chief Accountant
Alison Duncan - Ernst & Young
Will Rainey - Ernst & Young
Anup Sodhi - Ernst & Young
Andrew Poole - Deputy Company Secretary
Robin Dargue - Group Chief Information Officer
Frank Schinella - Finance Director, Letters
Jane Morley - Director of Tax
ARC08/01
ARC08/02
(a)
ARC08/03
(a)
MINUTES
The minutes of the meeting of the 6th November 2007 were
considered and approved as an accurate record of the
meeting.
STATUS REPORT ARC(08)01
The Committee noted the status of actions from the previous
meetings. In particular:
ARC07/45(e): Derek Foster confirmed that the Internal
Auditor at GLS would have a dotted reporting line to the
Internal Audit and Risk Management Director at Group.
2007-08 YEAR END ARC(08)02-07
The Committee noted a paper presenting the draft format for
the 2007-08 Royal Mail Holdings plc Group Accounts for
review and comment as appropriate and setting out the
timetable. The proposed dates for the year end Report and
(b)
(c)
(d)
(e)
(f)
Accounts and Regulatory Accounts production were noted.
The proposed timetable would result in an announcement in
39 working days after the year end which was broadly in line
with 2004-05 and 2005-06 and as planned for 2006-07;
the Committee noted the draft format of the Royal Mail
Holdings plc Group Accounts for the year ended 30
March 2008 and approved the proposed year end
timetable for recommendation to the Board;
ColleagueShares: the Committee noted a paper setting out
the proposed accounting treatment for the Royal Mail
ColleagueShare scheme. The Committee agreed that:-
• the costs of ColleagueShares (share costs and
stakeholder dividend) charged to the income
statement should be treated as an exceptional item
throughout the life of the scheme and presented on
the face of the Income Statement within the Operating
Exceptional Items;
• stakeholder dividends should be charged to the
income statement in the financial year to which they
relate;
• the share costs of ColleagueShares should be spread
throughout the life of the scheme;
• the ColleagueShares would be valued at the latest
plan forecast for the share value; and that the
ColleagueShares share costs would be discounted.
Fines Compensation and Material Litigation: the Committee
noted an update on fines, Quality of Service compensation
and current material litigation. The Committee noted the
amount for accruals for fines and compensation and
provisions held for material litigation at Period 11; and
noted the range of between £10.6m - £127.6m and agreed
the approach to setting the accrual for 2007-08 bulk
compensation at the year end;
New Subsidiaries: two new subsidiaries had started trading
during the year — iRed Redefining Document Management
Ltd (formerly known as DMS) and Royal Mail Courier
Services Ltd (RMCS). The Audit and Risk Committee noted
the establishment of the two new subsidiaries and the
approach to accounting for them;
Audit Update and Independence Report: the Committee
noted the 2007-08 audit update and in particular that a
detailed report of any material audit findings would be
presented to the May meeting. Further to a discussion at the
September 2007 meeting E&Y confirmed that the planning
materiality had been reset to £24 million (2006-07 £23
million). The main impacts on the audit approach resulting
from the lowering of the planning materiality from £48m to
£24m were noted;
ACTION
Ian Duncan
ACTION
Secretary
(g)
(h)
(i)
(j)
(k)
(l)
(m)
E&Y confirmed that they had considered the potential impact
of the ‘credit crunch’ on the Group's financial position
including key assumptions on which accounting valuations,
including for example valuations for pension obligations and
impairment reviews were based and made a number of
observations which were noted;
the Financial Statements for 2007-08 would be prepared for
the first time in accordance with IFRS 7 Financial Instruments
Disclosure, which required greater disclosure in relation to
the nature and extent of risks to which the Company was
exposed;
Auditor independence: as part of the audit E&Y were required
to review their independence and objectivity, and to confirm
their ability to act as the Company's auditors. E&Y noted that
they were not aware of any relationships between member
firms of Ernst & Young International and Royal Mail that, in
their professional judgment, would reasonably be thought to
bear on their independence or the objectivity of the audit
engagement team. Accordingly E&Y confirmed that the firm
was independent and the objectivity of the audit engagement
partner and staff had not been compromised;
there had been 3 breaches of the Royal Mail non-audit
services policy during the year. The Committee agreed that
E&Y could re-invoice the Company for £245,000 in respect of
the work undertaken on Tele2 which had been previously
invoiced and then credited as it exceeded the pre-approved
amount of £100,000. The Committee noted that the fees for
the remaining two breaches had been refunded to the
Company. The Committee further agreed to pay £34,000 in
respect of the additional work undertaken in relation to the
2006-07 accounts as this was considered to be a reasonable
charge for the work done;
Auditors Remuneration for Non Audit Services: the
Committee approved the schedule of proposed maximum
fees set out in the paper for the 2008-09 year amounting to
£1,370,000 and noted that the process would operate in line
with the Audit & Risk Committee paper previously approved
in May 2007. Helen Weir noted that the non audit fees were
high in relation to the audit fees and the Committee agreed
that E&Y would not be used in acquisition related work
beyond the engagement in Spain;
GLS A&RC report: Ian Duncan reported on the recent GLS
Audit & Risk Committee meeting held on the 4th March 2008,
and the progress that had been made in establishing an
Internal audit function at GLS with the recent appointment of
a Group Internal Audit Manager. The Committee agreed that
the minutes of the GLS Audit & Risk Committee would be
presented to the Group A&RC on a regular basis;
Ian Duncan updated the Committee on the GLS risk
ACTION
Ian Duncan
ACTION
Ian Duncan
ARC08/04
(n)
(o)
(p)
(a)
(b)
assessment report noting GLS Management's view of the top
five key risks facing the Business. The Committee expressed
surprise that the risks were all short term operational matters
rather than longer term strategic issues such as the loss of
senior management or a significant downturn in volumes.
The risk assessment would be discussed at the next meeting
of the GLS Supervisory Board;
the Committee was advised that in October 2007 Italian
lawyers had been contacted by a whistleblower hinting at
fraudulent activities by local management. Having received
an indemnity, the whistleblower made his detailed allegations
in December 2007. In January 2008 GLS appointed forensic
accountants to commence investigations into the allegations
made. In parallel GLS had commenced investigations into the
value of the GLS head office in Milan; the alleged activities
concerned the local GLS management having a significant
interest in a company that owned the Milan Head office
building which, it was claimed, was rented to GLS at an
inflated rent. Other allegations related to the lease value of
satellite navigation systems and the purchase price of
acquired franchise businesses;
investigations were continuing with the focus on gaining
evidence which would be used to restrict and if possible
recover any losses, and to evaluate the case against the
individuals involved;
the Committee was very concerned with the report, in
particular at the apparent delay in dealing with the individuals
- who were still in post - and in the non-reporting of the issue
formally by GLS management until two days earlier. The
Committee requested, as a matter of urgency, to know the
details of the actions being taken to reduce exposure
together with an explanation and timeframe of when all the
issues became known to GLS and to RMG.
IT CONTROL ENVIRONMENT
Robin Dargue was welcomed to the meeting. Derek Foster
provided an update on the work that the Internal Audit & Risk
Management (IA&RM) function had undertaken in relation to
IT controls. Group Technology was currently undergoing
significant change. The Group Chief Information Officer had
recently presented to the Holdings Board an overview of the
challenges facing IT in Royal Mail and this had concluded
that the IT capabilities were inadequate for the current and
future environment;
IA&RM reviews and the risk management process had
consistently echoed many of the challenges set out in the IT
Strategy. These included the need for a comprehensive IT
strategy, concerns over data quality, weaknesses in
management of IT projects, lack of accountability, non-
compliance with policy and procedures, concerns over
ACTION
Robin Dargue/
Derek Foster
ARC08/05
ARC08/06
(c)
(a)
(a)
(b)
(c)
(a)
(b)
system access, over-reliance on, and lack of control over,
end-user computing;
currently IT control activities focused on the priority areas of
IT Strategy, Information Security, and Disaster Recovery.
Following the reorganisation, a more wide-ranging IT control
framework would be introduced;
the internal audit and IT audit qualifications and interrogation
tools used in Royal Mail were consistent with those
commonly used in other major organisations. IA&RM
recognised that it needed to align its IT audit effort with the
needs of the business and also to ensure it had the right IT
technical capabilities going forward. IA&RM was working
with a leading co-sourcing partner to augment its IT audit
capability. The Audit & Risk Committee noted the update on
the IT control environment and the assessment of IA&RM's
IT audit resource capability and quantity;
the Committee asked that the IT control environment be
considered as a regular item at future ARC meetings to
enable the Committee to be updated on progress.
ANNUAL REVIEW OF GROUP TREASURY POLICIES
ARC (08)08
Ian Duncan introduced a paper which enabled the Committee
to conduct the annual review of Group Treasury policies on
behalf of the Holdings Board. The Group Treasury policies
were last reviewed and agreed by the Committee in March
2007 (ARC (07)06 refers). In the interests of good corporate
governance over the Treasury area the Committee had
previously agreed to review the policies on an annual basis;
the current, revised, policies were noted. Whilst there were
some minor changes of substance, the main amendments
were factual ones to reflect the renewed financing facilities
for Mails and POL, agreed with Government in 2007,
including the new Pension escrow arrangements;
the Audit & Risk Committee agreed the changes to the Group
Treasury Policies and noted that they would be notified to the
Holdings Board via the next Quarterly Group Treasury report.
CREDIT MANAGEMENT CONTROLS
Frank Schinella introduced a presentation updating the
Committee on a review of Royal Mail’s approach to credit
management following implementation of the new Online
Business Account (OBA) Sales Order System. The
Committee noted:
the objective of the review was to assess how automated
credit controls could be introduced on OBA or an associated
system, to provide a greater level of protection to the
ACTION
Frank Schinella
ARC08/07
ACTION
Derek Foster
(c)
(a)
(a)
(b)
(c)
business whilst not discouraging customers from using the
service. RM incurred a relatively controlled level of bad debt
write off per annum considering its diverse customer base,
manual processes and the size of the business;
that detailed specifications including feasibility options and a
cost benefit analysis would be produced by the end of
Quarter 1 and that the business was committed to introducing
automated credit checks to improve debt management
controls;
Frank Schinella would provide an update on progress and
timeframes at the end of the first quarter.
TAX ISSUES ARC (08)09 - 10
VAT: the Audit & Risk Committee noted Jane Morley’s report
that the VAT compliance failure which had occurred related
to the annual calculation of the extent to which the VAT which
RMG incur on expenditure was recoverable. The Committee
noted the potential liability of £30 million, the explanation of
the compliance failure and the actions being taken to prevent
a similar control failure in future. In particular the Committee
noted the Tax Director's conclusions:
• that the actions that were underway would ensure
there was no repeat of the non EU revenue VAT
compliance failure;
• that Internal Audit had reviewed tax department
controls generally;
• that a specific control risk existed in respect of poor
VAT management information, and that, when good
information systems were built, this may possibly
reveal further material VAT underpayments;
• that if VAT was to be managed effectively, using good
quality information systems, and with the level of
control recommended in this paper, the size of the
VAT team needed to increase from one to at least
four, two of whom should be accountants with
considerable experience of Royal Mail's accounting
system;
E&Y provided an overview of the audit work they had
performed and an outline of the support that E&Y had
provided to management in its review of previous tax returns
and the exercise to quantify the potential VAT exposure;
Tax Audit Executive Summary: the Committee noted the
review of the Tax Department Control Environment carried
out by IA&RM and endorsed the actions being taken to
improve the control environment. The Committee asked for
an update report to be given at a future meeting.
ARC08/08
ARC08/09
ARC08/10
ARC08/11
(a)
(b)
(c)
(d)
(e)
(f)
(g)
(a)
(a)
(a)
INTERNAL AUDIT & RISK MANAGEMENT QUARTERLY
REPORT ARC (08)11
Derek Foster introduced a report summarising the activity of
IA&RM for the period November 2007 to February 2008. The
Committee noted:-
twenty-seven reports had been issued in the period with 6
rated as not satisfactory. The number of agreed
recommendations overdue for completion had increased from
4% at September 2007 to 10% in January 2008;
during the period IA&RM had carried out a number of reviews
including a review of the Smartstamp & Online Postage
Control environment, to provide assurance on the control
environment supporting delivery of the Smartstamp and
Online Postage payment channels. The conclusion reached
was that the channel design and controls were not sufficient
to prevent RMG being exposed to an unsatisfactory level of
fraud or revenue loss. A number of activities were now
underway to help reduce any such losses. Richard Handover
was surprised that a new product could be launched without
such risks being properly managed;
the Committee discussed the merits of the IA&RM function
being closely involved at an early stage in product and
process design;
Adam Crozier logically linked the extent of the transformation
and the valuable role that IA&RM could play and confirmed
that it would make sense to bolster the IA&RM team;
the Committee recognised the issues and endorsed a greater
role for IA&RM but would want to ensure that Internal Audit
independence was not jeopardised;
the Committee noted the quarterly IA&RM report dated
March 2008.
2008 SCHEDULE OF BUSINESS ARC(08)12
The Audit & Risk Committee noted the schedule of business
for 2008.
CRMC MINUTES
The Audit & Risk Committee noted the CRMC minutes of the
meetings held on the 31 October 2007 and 5th February
2008.
INTERNAL AUDIT & RISK MANAGEMENT CHARTER &
EFFECTIVENESS QUESTIONNAIRE ARC(08)13
The Audit & Risk Committee noted the IA&RM charter
providing a framework for the conduct of corporate risk
(b)
ACTION
Committee
Members
ARC08/12
management and audit activity within Royal Mail. The
Charter set out the role, responsibilities, authority and
positioning of Internal Audit & Risk Management (IA&RM);
as part of the annual Internal Quality Assessment performed
by IA&RM (in accordance with International Standard for the
Professional Practice of Internal Auditing Standard 1311),
IA&RM were seeking the views of the Audit & Risk
Committee on the various aspects of the department's work.
The responses from the questionnaire provided would be
used to update the rolling IA&RM annual plan to ensure
appropriate coverage of areas of particular concern to
members of the Committee. IA&RM would also use the
responses when considering amendments to the
departmental policies and procedures. Responses were
requested from Committee members by 31st March 2008.
DATE OF NEXT MEETING
The date of the next meeting of the Committee was Monday
12th May 2008.