POL00413174
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Accountable Person
Meeting Date: 26 January 2021
Authors: Christine Kirby, Financial Controls; Tom Lee, Financial
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to note:
i. the responsibilities of the Accountable Person; and
ii. how those responsibilities have been met for year ended 29 March 2020
(“FY19/20”) and as such why the Annual Report and Accounts (“ARA”) can be
approved.
Previous Governance Oversight
• Update reported to Risk & Compliance Committee (“RCC”) June 2020
• Update reported to Audit, Risk and Compliance Committee (“ARC”) June 2020
Executive Summary
This paper is an updated version of the one provided to the ARC in June 2020.
This paper has been prepared to outline the responsibilities of the Accountable Person (“AP”),
in line with the principles of Her Majesty’s Treasury’s (“HMT’s”) Managing Public Money (“MPM”)
and describe how these responsibilities have been met during FY19/20 and continue to be met
thereafter up to the point of signing the FY19/20 ARA, which is planned for March 2021.
The AP has a number of responsibilities which are focused around the key principles of the
Government's Value for Money (“VFM”) guidance, being:
• Regularity - ensuring adherence to legislation and regulations;
• Propriety - ensuring good governance;
• Feasibility - ensuring affordability and sustainability; and
• Value for money - ensuring that value for the business and the exchequer as a whole is
met.
Adherence against some of these requirements cannot be easily monitored and assessed due
to their subjective and behavioural nature. However, the current governance and reporting
frameworks in place at the Post Office ensure that all relevant aspects are met. Business areas
such as the Risk, Compliance, Internal Audit and Company Secretariat (“CoSec”) teams ensure
compliance around governance. The Financial Reporting Controls Framework ensures
adherence to the financial reporting requirements, with other finance and governance functions
providing assurance over financial management. Specific requirements, such as signing the
ARA, including a governance statement, will be achieved following approval of the FY19/20 ARA
and subsequent signature by the Group Chief Executive Officer (“CEO”).
Strictly Confidential
POL-BSFF-0233682
Post Office utilises its Internal Audit function and the findings of the External Auditors, along
with its 2nd line functions (including Central Risk and Central Compliance), to drive change and
ensure internal systems of controls and governance are adequate and meet all regulatory and
statutory requirements. Value for money is controlled through regular monitoring and approval
of spend through either the Portfolio Review Board (“PRB”) and/or the Investment Committee
(“IC”), as well as routine reporting to UKGI. It is the AP’s responsibility to ensure the
requirements are met; however, the information within this paper around organisational
structure and processes in place is prepared to assist with this and provide sufficient assurance
that the ARA for FY19/20 can be signed, subject to finalisation of the relevant disclosures and
financial postings.
Questions addressed
1. What and who is the Accountable Person at the Post Office?
2. What are the responsibilities of the Accountable Person?
3. How have the responsibilities been met?
4. Are there any departures from expected governance and, if so, what are the associated
mitigations?
5. Can the FY19/20 ARA be approved by the AP?
Report
What and who is the Accountable Person?
6. There is no specific guidance made available by HMT which outlines what or who an AP is
in respect of a non-departmental public body such as Post Office Limited (“POL”).
7. Communication from UKGI to POL has stipulated that an AP can be considered the same
as an Accounting Officer (“AO”), for which guidance exists. As such, for the remainder of
this paper the term AP will be used; however, the reference material from which decisions
have been made has come from available guidance on AOs.
8. The AP is a singular designated individual within an organisation who is accountable for
both the operations of the organisation and the preparation of its Annual Report and
Accounts.
9. Nick Read, Group CEO, is the AP as at the time of presenting this report.
Responsibilities of the Accountable Person
10. The primary responsibilities of the AP are outlined within the MPM guidance, which states
that the AP should ensure the organisation abides by, and delivers on, a number of defined
standards designed to help meet the overall objective of the role. These are outlined in
Appendix 1.
11. Many of the standards required in the MPM represent desired behaviours and ways of
working which are difficult to formally monitor and assess. However, the way in which
POL is governed helps to ensure that these standards are met and the role of the AP is
delivered.
12. More formally the AP is required to sign the ARA, taking personal responsibility for delivery
against the MPM standards. Within the ARA, the Governance section lists the key
structures, actions and committees in place that help to meet the desired standards of the
AP.
13. When making key decisions or assessments, several standards can and should be used to
assess whether an initiative meets the VFM guidance and therefore whether the AP can
justify the decision to parliament as required. These standards are:
a) Regularity and propriety - compliance with relevant legislation and ensuring good
governance.
b) Feasibility - ensuring affordability and sustainability.
c) Value for money - systematically evaluating relevant processes to ensure sustainability
and value for the organisation and the Exchequer as a whole.
14. Other standards where the AP is held responsible include:
d) Control - personally approve all Cabinet Committee papers and major initiatives.
e) Management of opportunity and risk - achieve the right balance for POL’s risk appetite.
f) Learning from experience.
g) Accurate accounting - ensure the ARA is correct and transparent, whilst recording the
efficiency of the organisation’s use of resources.
15. When the AP is unavailable for a significant period of time, the role should be deputised
to another senior member, with any significant absences being highlighted to UKGI in
order to appoint a temporary AP as required.
Assessment of how these responsibilities were met during FY19/20
16. Within the draft FY19/20 ARA is a dedicated governance section. The draft ARA has
been reviewed by the External Auditor with no material review points noted, albeit
there are a number of significant updates to be finalised in the ARA prior to signing
(see paragraph 40 for more detail). Final approval of the ARA by the External
Auditors will evidence that the requirements around accurate accounting have been
formally met for FY19/20.
17. Formal processes, detailed within this section, are in place to ensure the
requirements are met on an ongoing basis so that they can be attested to annually.
18. There is a UKGI representative on the POL Board, who have oversight of the Group
Executive (“GE”) and are able to challenge and review relevant decisions made by
the AP and the GE team. POL’s internal Financial Planning and Analysis team
(“FP&A”) are responsible for governance of budgeting and forecasting across POL.
UKGI are kept up to date on budgeting and forecasting through quarterly Board
reporting, as well as ad hoc communications with FP&A.
19. Across all levels of POL, governance frameworks are in place. For example, POL
has terms of reference for Board and Executive level Committees, there are clear
levels of delegated authority and regular monitoring and reporting of risks to the
Board which help the AP to make appropriate decisions. The terms of reference are
reviewed and updated annually.
20. Regarding the key components of VFM and risk appetite, review boards, such as
Portfolio Review Board (“PRB”) and Investment Committee (“IC”), are in place,
ensuring all significant spend within the organisation goes through a formal review
and authorisation process. The structure, delegation of authority and key
considerations are routinely reviewed to ensure the requirements for the AP are
being met. Financial processes are intertwined with these review boards to ensure
actual spend is controlled in line with the governance framework.
21. As a public sector funded company, POL’s procurement activities must comply with
Public Contract Regulations (“PCR”) 2015. There are exceptions for Post Office
Insurance and Payzone which sit outside PCR and the Telecoms business which is
subject to the Utilities directive but must meet standards of transparency and
fairness due to its ownership by a public body. Public sector procurement is subject
to a legal framework which encourages free and open competition and value for
money, in line with internationally and nationally agreed obligations and
regulations. The over-riding procurement policy requirement is that all public
procurement must be based on VFM. This should be achieved through competition,
unless there are compelling reasons to the contrary.
22. POL risk management is based on a number of key principles including that (i) risk
must be embedded in all Post Office activities, (ii) all material risks must be
identified, measured, monitored, managed and reported on a continuous basis at
an individual and aggregate level and (iii) risk reporting must allow for the effective
review, challenge and monitoring of risk exposure against approved risk appetites.
Operational management, Central Risk and Internal Audit are the three lines of
defence for risk management.
23. POL has compliance teams in place to ensure regulatory requirements are adhered
to across the myriad of environments in which POL operates. Compliance is
monitored and reported regularly to ARC as required.
24. POL’s Financial Reporting Controls Framework (FRCF) is designed to mitigate the
risk of fraud and error in financial reporting, thus providing assurances around
accurate accounting and safeguarding assets.
25. Control frameworks are also in place for IT and Change processes and, as well as
the FRCF, fall under control self-assessment regimes. POL has a suite of POL-wide
policies which define the minimum control standards expected to be performed
within the applicable business areas.
26. CoSec have a number of processes in place to allow formal oversight of the
Committees and the Board, whilst also ensuring specific requirements, such as
control over Board papers, are adhered to.
27. Internal Audit provide an independent evaluation of the adequacy and
effectiveness of POL’s framework of governance, risk management and control.
Throughout the year, Internal Audit track audit actions to ensure all
recommendations are implemented.
28. External Auditors advise POL if control recommendations have been identified as
part of the audit. POL follows up on recommendations and they are discussed at
ARC meetings and during audit meetings throughout the year.
29. Continuous review of management information systems, organisation structures
and governance frameworks is ongoing within POL, thus ensuring that areas of
development are identified and improved as required. The ultimate driver is to
ensure the requirements of the AP’s organisation are met. The level of change seen
within the organisation in recent years, and which is still ongoing, is evidence of
this focused development.
30. On an annual basis, a report will be provided to the AP and ARC to provide rationale as to
why the AP can sign-off on the ARA. Finance are accountable for producing the ARA and
input is sought from relevant teams across POL where required, including Legal,
Compliance, Communications and CoSec. Relevant legislation and guidance is taken into
account for sensitive areas, such as remuneration.
31. No known significant departures from the above have been identified during the year. POL
performs an annual Group Executive Declaration exercise, whereby the GE is required to
formally disclose items of ‘materiality’ not already disclosed by other corporate
disclosures, such as through the regular updating of the Group risk profile, internal control
assessments, legislative & regulatory compliance assessments etc. The FY19/20 exercise
identified a very small number of additional disclosures. This exercise was reported to the
June 2020 ARC in the Group Executive Annual Declaration paper.
Known and potential departures from expected governance and associated
mitigations
32. The pipeline of active and planned procurement activities is reviewed with business units
regularly, and where exceptions from UK regulations and PCR are requested, these are
raised to senior management staff and/or GE at Post Office for approval, setting out the
rationale and the mitigation steps to bring back into compliance as soon as possible.
Following discussion at Board meetings around a review of the formal risk appetite, all
exceptions over £189k must now be submitted in advance to the Board for approval, with
exceptions between £25k and £189k retrospectively reported to ARC.
33. Unfortunately, the performance of one of our contractors, CBRE, was identified to be falling
below the standard expected of it, with the direct consequence being that POL was found,
in one area of sampling, to have been operating in breach of relevant Health and Safety
(“H&S”) legislation. CBRE have recognised the criticality of the findings of the HSE report
and POL’s follow-up review, openly admitted their failings, re-resourced the POL
Account accordingly and are delivering against the recovery plan. Compensation for
service delivery failures has been set at £500k and, whilst legal teams are resolving, we
are withholding payment of invoices.
34. Subsequent to the GLO settlement, an action was taken to review whether the processes
around branch accounting for stamps have historically led to postmasters being incorrectly
financially disadvantaged. Third party specialists were brought in to review historical
processes and conclude on whether this was the case. No evidence of material financial
adjustment was identified as a result of this review. Internal Audit will test controls in the
stamps process in FY21/22 based on third party review findings.
35. In addition to point 35, another GLO action was to review whether the current processes
around suspense accounts could lead to postmasters being financially disadvantaged. The
review has been completed. The findings indicate there are no issues with the current
processes which would result in postmasters being adversely impacted. The review raised
recommendations regarding suspense account best practice which POL is implementing,
due to be completed by FY20/21 year end. In addition to this, a review over historical
processes was performed and a number of findings and specific instances of issues were
identified. There were no further amendments required to current processes as a result.
36. An annual update is made to the Royal Mail tariff, with the change coming into effect in
February 2020 during FY19/20. This change was incorrectly applied by ATOS leading to a
‘phantom’ stock discrepancy in some branches, resulting in a £0.5m surplus. The surplus
has been settled with Royal Mail and a detailed management review has deemed the event
to be due to a singular error, with no further issues being identified.
37. As part of the work being performed on the partial buy-out of the RMPP defined benefit
scheme, historical errors have been identified in the final basic pensionable salary data.
The extent and magnitude of the anomalies are still being investigated and the impact on
the FY19/20 ARA is yet to be finalised. However, given the review of issues and finalisation
of remediation activities will not occur until after the expected signing date of the FY19/20
ARA, it is anticipated that the amendments required to the ARA will be minimal and may
be in the form of additional wording around estimates and assumptions used in creating
the ARA.
38. We have single source data from third parties for occasions when a Postmaster should be
paid for generating a lead, which is triggered by the customer including a branch code on
the third party website. The amounts are small (£2m - £4m per annum) but given the
sensitivities we are exploring how we can assure ourselves on the completeness of agent
pay. An internal audit is due to be performed in Q4 FY20/21 to review controls over third
party data that feeds into Postmaster remuneration.
Signing of the FY19/20 ARA
39. There are a number of outstanding items to be finalised and included within the FY19/20
ARA, including going concern assessment, impairment reviews, finalisation of the defined
benefit pension scheme disclosures and adjustments in respect of provisions and
contingent liabilities, the most notable of which are the Historical Shortfall Scheme,
Criminal Cases Review Committee and Starling, prior to signing. The remaining items are
due to be finalised, where possible, ahead of the February 2021 ARC, ready for signing in
March 2021. See the ARA update presented to the January 2021 ARC for more detail.
40. Once the remaining items are finalised and assuming the AP agrees that this paper
demonstrates that the organisational structure and governance processes in place allow
him to meet the requirements of the role, the ARA can be signed, thus meeting the formal
requirement of the role as set out above.
Appendix 1
Standards expected of an Accounting Officer’s organisation, per “Managing Public Money”
guidance, last updated in 2019.
Box 3.1: standards expected of the accounting officer's organisation
Acting within the authority of the minister(s) to whom he or she is responsible, the accounting officer
should ensure that the organisation, and any ALBs it sponsors, operates effectively and to a high
standard of probity. The organisation should:
governance
• have a governance structure which transmits, delegates, implements and enforces decisions
• have trustworthy internal controls to safeguard, channel and record resources as intended
• work cooperatively with partners in the public interest
• operate with propriety and regularity in all its transactions
• treat its customers and business counterparties fairly, honestly and with integrity
• offer appropriate redress for failure to meet agreed customer standards
• give timely, transparent and realistic accounts of its business and decisions, underpinning public
confidence;
decision-making
• support its ministers with clear, well reasoned, timely and impartial advice
• make all its decisions in line with the strategy, aims and objectives of the organisation set by
ministers and/or in legislation
• take a balanced view of the organisation's approach to managing opportunity and risk
• impose no more than proportionate and defensible burdens on business;
financial management
• use its resources efficiently, economically and effectively, avoiding waste and extravagance
• plan to use its resources on an affordable and sustainable path, within agreed limits
• carry out procurement and project appraisal objectively and fairly, using cost benefit analysis and
generally seeking good value for the Exchequer as a whole
• use management information systems to gain assurance about value for money and the quality
of delivery and so make timely adjustments
• avoid over defining detail and imposing undue compliance costs, either internally or on its
customers and stakeholders
• have practical documented arrangements for controlling or working in partnership with other
organisations, as appropriate
• use internal and external audit to improve its internal controls and performance.