POL00423144 - Meeting Minutes of Royal Mail Holdings Audit and Risk Committee.

ARC 04/1 TO ARC 04/13

POL00423144

Royal Mail - Strictly Confidential
DRAFT

RMH(04)84

ROYAL MAIL HOLDINGS plc
(Company no. 4074919)

AUDIT AND RISK COMMITTEE

Minutes of the meeting held at 148 Old Street on 18 March 2004

Members of the Committee Present:

Bob Wigley - Non Executive Director, Chair of the Committee
John Neill - Non Executive Director
Rosemary Thorne - Non Executive Director

In attendance:

Elmar Toime - Executive Deputy Chairman
Adam Crozier - Chief Executive, Royal Mail Holdings plc
Marisa Cassoni - Chief Financial Officer
Jonathan Evans - Company Secretary
Derek Foster - Internal Audit and Risk Management Director
Frank Schinella - Director, Financial Management & Control
David Lindsell - Ernst & Young
Rachel Harper - Ernst & Young
Alison Duncan - Ernst & Young
Andrew Poole - Notes

ARC04/01 CHAIR OF THE COMMITTEE

As approved by the Holdings Board on the 9 March 2004,
Bob Wigley had been appointed as Chair of the Committee,
taking over from Rosemary Thorne, whose tenure as non-
executive director of the Company was scheduled to end on
25 March 2004. Bob Wigley thanked Rosemary Thorne for
her hard work as Chair of the Audit & Risk Committee over
several years, and expressed the wish that the Committee
would continue to build on the high standards she had set.

ARC04/02 MINUTES OF PREVIOUS MEETING

The minutes of the meeting of the 11 November 2003 were
considered and approved subject to the following amendments
being recorded:

(a) ARC03/37: Bob Wigley noted that some of the responses to
the Committee's questionnaire on H&S issues had not been
completed and in other cases, the responses indicated non-
compliance with regulation. The non executive members of
the Committee observed that non compliance with Audit
Committee questionnaires on a timely

and comprehensive basis was unacceptable and non-
compliance with H&S regulation could not be tolerated. Bob
Wigley asked if there were actions the committee could take
to support management in effecting the required culture
change. Elmar Toime said he had built measuring
compliance with H&S regulation into his direct report review
processes and he would need the completion of one
appraisal cycle to see whether this effected the required
changes. The Committee asked that they be kept in touch
with progress. Adam Crozier said he and Elmar Toime would
address the issue of non-compliance with Audit Committee
questionnaires so that this was not repeated.

(b) ARC03/41: In relation to the issue of when the current pay
round increases would be consolidated into basic pay based
on achievement of agreed productivity targets, John Neill
said that he was concerned that leaving the judgment of the
achievement of targets to local management left the process
open to more risk. Bob Wigley asked how the Committee
could be sure that pay increases would not be consolidated if
targets were not genuinely achieved and also asked how we
could be sure efficiency would not fall to below target levels
again once the pay increase had been consolidated.
Management assured the Committee that this could not
happen. It was explained that to make the targets, walks had
to be reorganised, and at this point heads would be gone or
on the way out, thus ensuring targeted savings were
permanently achieved.

ARC04/03 CORPORATE RISK MANAGEMENT COMMITTEE

The minutes of a meeting of the Corporate Risk Management
Committee held on 20 February 2004 were noted. The
Committee further noted in response to questions raised by
the Chairman:

(a) CRMC action point 7 - the Committee received a note from
Roger Durrant, Group Treasury Director setting out the
comparative data relating to insurance premium spend, limits
of cover and deductible levels. Bob Wigley asked for an
explanation of the minute which noted that “RM retains a
fairly large risk appetite in comparison to the other
companies”. Marisa Cassoni explained that whilst the
conclusion drawn in the minutes was true it should be seen in
the light of the Company having a captive Insurance
company, which took the risk for losses of between £1 million
and £5 million. The Corporate Risk Management Committee
had responsibility for reviewing the Insurance strategy
annually as part of its remit. The Committee was satisfied
that the trade off between premium charged and deductible
level was optimal and taking into account the existence of the
captive Insurance Company, in line with benchmark
Companies;

(b) Bob Wigley asked whether the Joint Venture with the Bank of
Ireland would have an FSA Compliance Officer and if so who.
The Secretary tabled a note setting out the Compliance
arrangements between Post Office Limited and the Bank of
Ireland in relation to the provision of Financial Services.
Bob Wigley asked that the Compliance Officer present to a
future meeting of the Committee.

ACTION
Jonathan Evans

ARC04/04 STATUS REPORT

The status of actions from the meeting held on
11 November 2003 was noted, in particular:

(a) ARC03/31(d): Bob Wigley had requested confirmation from
David Burden that he was satisfied with the IT security
measures being undertaken with Prism, RM’s outsourcing
alliance. In response to a request for an update David Burden
confirmed in a written reply that “The Company had a strong
internal IT security group which sets policy and monitors IT
security activities by all our suppliers and our own staff.

The PRISM (CSC) contract includes specific clauses
stipulating that CSC will follow Royal Mail IT security policies
and standards.

For certain major applications (and the infrastructure on
which they run) we have achieved BS7799 certification. This
covers all the Finance and Procurement systems.

We had to press CSC to perform against the contract but we
are now satisfied with their response. We are in the process
of introducing a higher level of security (involving smartcard
authentication and full file encryption) to cover the senior
executives and their secretaries. This includes vetting of the
immediate technology support staff and those people with
administrator privileges over critical file servers.”

(b) The DTI had raised the issue of the effectiveness of the
continuity plans (see page 3 of the CRMC minutes) and a
request from Bob Wigley to receive a short presentation at a
future Committee meeting on these Plans and noting that TSI
and Finance were noted on page 20 of the March 2004
Internal Audit & Risk Management report to be least
compliant. The Chairman requested that a presentation to
the Committee addressed these two areas in particular;

(c) ARC03/37(d) - a paper had been circulated providing an
update on the progress to communicate the key control
activities within the business in an attempt to mitigate the
majority of major risks. The Committee noted the process
and structure with the idea that each Unit/function had a clear
list of control activities that had impact at unit and corporate
level. The effect of this revised structure was to ensure that
the business addressed the key risks, and focused control at
the local level which could transparently impact the
management of high level risks and the achievement of
objectives;

(d) ARC03/40(g) Bob Wigley observed that contrary to the
undertaking contained in the previous minutes that “action is
being taken to fill the vacancies” in Internal Audit, the number
of people employed by the Internal Audit function had
reduced by 30% as part of the Company restructure. Bob
Wigley observed that if RM could not prudently have a
situation where Internal Audit was below the headcount
contained in its own Internal Audit Plan, Internal Audit Plans
were not being produced on time relative to that Plan and
significant numbers of the reports contained limited or no
assurance outcomes. Internal Audit’s latest plan noted that
the department had reviewed ways of working to ensure that
Royal Mail issues continued to be addressed. The
department had a mix of new, externally recruited staff and
internal staff and some departmental cost had been made
variable by budgeting for co-sourced activity. Adam Crozier
confirmed that the Company recognised the need to upgrade
and recruit good quality staff into this area and to have an
adequate level of resource in line with the Internal Audit Plan.
John Neill said the Company should recruit full time staff as
this would provide an excellent source of future finance
people and that he preferred to see the Company at the top
end of any benchmarking exercise, as it was important that
the Company had adequate in-house resource. Bob Wigley
said that ultimately the number of people employed in the
audit function should be increased. Management agreed to
take action prior to the next meeting and revert with details.

ARC04/05 POSSIBLE CHANGES TO AUDIT COMMITTEE
PROCEDURES

Bob Wigley introduced a note that he had circulated to the
Committee on a number of issues relating to the operation of
the Committee, as he was very keen to continue the high
standards in the way in which the Committee had operated in
the past and in order to comply with best practice. Bob
Wigley believed that if the Audit Committee process was
used properly it should be helpful to and support
Management in achieving culture change within the
organisation by reinforcing accountability and sanctions for
non-compliance. In that regard, having received the paper for
this meeting and having met with the Head of Internal Audit
and John Neill, Bob Wigley had concluded that it would be
appropriate in future to review in detail Management’s
proposed actions to deal with Internal audit reports which
concluded with limited or no assurance. Other proposals
included:

(a) arrangements for the self-assessment of the effectiveness of
the Committee annually. A template provided by the Audit
Committee Institute would be utilised for this purpose and the
Secretary would work with the Chairman in order to get these
forms completed prior to the next full meeting. The Chairman
would then organise a discussion on the output and consider
any changes suggested as necessary by the assessment;

ACTION
Bob Wigley/Jonathan Evans

ACTION
Jonathan Evans

ACTION
Derek Foster

ACTION
Derek Foster

(b) a review of the Committee’s terms of reference would be
undertaken against the specimen provided by the Audit
Committee Institute and to identify any necessary
amendments;

(c) noted that papers circulated to the Committee would continue
to be reviewed by the Finance Director and Company
Secretary prior to circulation. In addition the papers would be
notated as having been reviewed by the Finance Director and
Company Secretary. It was understood that internal audit
papers in particular would not be “approved” by Finance
Director and Company Secretary, to ensure any perception of
compromise of independence was avoided;

(d) a review of the agenda items of the Committee had been
undertaken against the Audit Committee Institute guidelines
and items had been added to future meetings covering inter
alia self assessment, whistleblowing, policy on non-audit
services, financial personnel succession planning, directors’
expenses and related party transactions, internal audit
performance and legal/compliance developments;

(e) the Committee would meet privately with the External
Auditors at the beginning of the Audit Committee meeting. At
the meeting the auditors would be asked, inter alia, the
‘Warren Buffett’ questions;

(f) a contract be established setting out the respective
responsibilities of and relationship between the internal and
external auditors;

(g) implementation of personal compliance reports from the CEO
and CFO together with upward reports from line personnel;

(h) Senior Management demonstrate to the Committee that
when Business Unit managers prepare business plans, there
is adequate identification and discussion of business risks
and that these are aggregated and tracked during the Risk
Management review process;

(i) where the Audit department had given a ‘limited’ or ‘no
assurance’ rating following the audit then Management would
be required to attend and present their proposed action plan
to the Committee;

(j) Adam Crozier suggested that it would be helpful to
incorporate the views of the Management into future audit
reports to the Committee whilst recognising the imperative of
maintaining audit independence. Derek Foster confirmed
that management comments and views were reflected as
part of the audit sign off process, and this would continue.

ARC04/06 FORWARD PLANNER 2004

The Committee noted a revised forward planner of business
for the rest of the year.

ARC04/07 YEAR END 2003/4 UPDATE

ACTION
Frank Schinella

(a) Statutory Audit/Close process - Marisa Cassoni introduced a
paper on the year end process and proposed timetable of
events leading to the publication of the Annual Report and
Accounts. The Audit Committee had requested a minimum of
one to two days’ clearance between the Audit Committee
meeting to review the accounts together with the auditor's
findings and the final date on which the accounts were
approved by the Board Accounts Sub Committee. To meet
this request the timetable had been reviewed. Bob Wigley
said that it was important to have sufficient time between the
Audit Committee meeting and publication of the accounts
such that if the Audit Committee wished to change anything
presented to it, there was time for this to be practically
possible without changing the proposed publication timetable.
The Committee noted:

• a proposed year-end close timetable leading to
  publication on or around the 26/27 May 2004. The
  exact publication date for this year's accounts would
  be confirmed;

• the potential to accelerate the Audit Committee
  meeting currently scheduled for 24 May 2004;

• the potential to reduce the year end close by some
  two weeks next year;

(b) Statutory Audit Hours - the Committee had requested further
details of the hours that Ernst & Young had budgeted for this
year’s statutory audit. The total hours were budgeted at
7,328. The agreed fees of £864,000 provided for a recovery
rate of 70% after allowing for estimated cost savings of
£100,000. John Neill said that it was helpful to have details of
the hours as the purpose was to improve quality and to
reduce costs. Rosemary Thorne said that the information
would allow for the possibility of transferring work from the
External auditors to the Internal Audit function;

(c) Regulatory Accounts Year-End process - the Committee
noted a paper seeking approval for the approval and
publication of the Regulatory Financial Statements. It was
noted that discussion had taken place with Postcomm to
simplify the Financial Statements. The Committee agreed the
proposed timetable and agreed that the accounts could be
authorised by the directors of Royal Mail Group plc;

(d) Regulatory Accounts Audit Fees - the Committee noted the
proposed fee and analysis of hours and that they had been
agreed with Management and approved the proposed audit
fee for this work of £482,000;

(e) Provision of non-audit services by Ernst & Young - the
Committee approved a proposal for a policy and approval
process for the provision of non-audit services by the external
Auditor. This was designed to ensure that best practice is
followed and that the independence of Ernst & Young with
respect to their audit services and sign off was preserved;

(f) International Financial Reporting Standards - the Committee
noted a paper providing an update on the progress made
towards the adoption of International Financial Reporting
Standards (IFRS) as the basis for producing and reporting
the Royal Mail Holdings group statutory and management
accounts;

(g) E&Y Early Warning Report - David Lindsell introduced the
report dated 18 March 2004. In particular he emphasised the
importance of providing key messages on business
performance, and for the need to clearly state these in the
Report and Accounts. It would be critical that misleading
statements were avoided. The Auditors expressed a wish to
see more disclosure on LTIP along with evidence to support
Provisions. A good understanding between Management and
the Auditors had been developed on these issues. Rosemary
Thorne sought and received assurance from Management
that the Provisions at year end would be fully supported by
Management.

ARC04/08 INTERNAL AUDIT AND RISK MANAGEMENT PLAN

Derek Foster introduced the Internal Audit and Risk
Management Plan for 2004-05. A risk-based approach had
been adopted in identifying the areas of coverage. Key inputs
to the planning process included the Corporate Risk
Scorecard, Risk & Control Self assessment returns, previous
internal audit reviews and input from senior management.
The Committee discussed the plan in some detail and
approved the plan. In particular:

(a) John Neill asked if operational management had been asked
for their input on where they thought the risks might be.
Derek Foster confirmed that the process followed did allow
for input from operational managers;

(b) Bob Wigley asked if Derek Foster felt sufficient provision had
been made for the training of audit staff next year. He asked
Derek Foster to produce a matrix showing the recommended
level of training for each grade of audit staff and commentary
on the degree to which current staff meet the recommended
level of training. Derek Foster confirmed that a budget had
been developed and undertook to provide these details for
the next Audit Committee meeting;

ACTION
Derek Foster

(c) Bob Wigley asked if in light of the findings of the SDD Internal
Audit Report, Derek Foster was content that sufficient days
were included in the Plan to adequately address risks in this
area. Derek Foster confirmed that he was content with the 65
days allowed in the plan for audit work on Single Daily
Delivery, noting that some contingency time could be made
available if necessary.

ARC04/09 INTERNAL AUDIT AND RISK MANAGEMENT QUARTERLY
REPORT

Derek Foster introduced the Internal Audit and Risk
Management report for the period November 2003 to
February 2004. The Committee noted the contents of the
report and further noted:

(a) the one page overview of key indicators of the state of Royal
Mail control environment. Derek Foster explained the
schedule and pointed out that the financial indicators showed
financial controls appeared to be to a large degree in place or
improving, but that the indicators for customer experience
and successful business transformation remained at
unacceptable levels.

(b) that the gap between the reported workflows from operations
and actual income received provided an indication of the
effectiveness of the Revenue Management process. Current
estimates were that a gap of some £90 million existed. Whilst
this was not necessarily lost revenue it did highlight the
potential inconsistency of the data. Derek Foster noted that
the gap had reduced from some £400m three years ago.
Elmar Toime noted that the current gap noted was consistent
with or better than his experience of postal operations
generally. Work was continuing to improve the Revenue
Management process. Derek Foster noted that the audit &
risk management department was working closely with the
business on risk solution activity in the area of revenue
management;

(c) that the audit review of Single Daily Delivery had resulted in a
‘no assurance’ rating. The cumulative percentage of ‘no
assurance’ in the year is now 12%. Of the 196
recommendations due for completion in the year to date, 25
were overdue for completion;

(d) due to the importance and high risk of the SDD programme
to the Renewal Plan (highlighted in the internal audit report at
the last Audit Committee meeting in November 2003),
Internal Audit had carried out a review of the implementation
management of SDD, including deployment and processes
for benefit target setting, equipment costs, voluntary
redundancy, employee pay awards and unit post
implementation reviews;

(e) the review of findings had highlighted a number of significant
potential weaknesses including:

• robustness of targets
• consistency of communication
• errors in submission forms
• consolidation of payments for achievement of target in
  inadmissible weeks
• potential for manipulation of training to achieve
  targets
• inconsistent treatment / use of staff on VR
• inconsistent payment of increment to staff serving
  notice
• pressure on VR business plan forecast
• lack of implementation of budget control process for
  equipment

Adam Crozier reported on a whole series of actions he had
taken since this issue had come to his attention. He had
reviewed with senior line management why exceptions had
been declared and how/why data had been incorrectly
recorded. He confirmed that further checks were being made
‘on the ground’ to ensure that the necessary changes had
been implemented. John Neill said that this was a serious
issue for the business and that the issue needed to be
addressed by the Committee in detail. This matter would be
discussed further at the first special meeting of the
Committee to be convened to examine audits with ‘limited’ or
‘no assurance’ completed in the preceding review period;

(f) Bob Wigley noted that agencies providing staff to RM had
clearly not been complying with RM vetting policies. This was
a serious issue since it could involve a breach of RM licence.
Bob Wigley requested details of what contractors were
requested to do on vetting in RM contracts with them,
whether Royal Mail checks that they comply with the contract
and what financial or other penalty was imposed if they did
not comply. A note from David Burden on Contractor vetting
(attached) confirmed that the contracts with Manpower and
Reed included, as Schedule 4, a requirement for security and
vetting. This stipulated:-

• a fully documented career or education history
  over the past 2 years
• a personal declaration concerning criminal
  convictions
• a personal declaration that the information
  supplied is accurate
• a minimum of two referees, with one preferably an
  employment referee or someone of standing
  within the community
• a National Insurance number
• proof of home address

In addition, agency casual employees were to be screened
through the Corporate Security Personal Identification
Bureau for any previous debarment notice and through the
Inland Revenue for N.I. checks.

The terms and conditions of this vetting process had recently
changed to take account of new legislation, which came into
force from 1st April 2004.

Management could not comment at this stage on any specific
penalties, which may be available to us, should the labour
supplier fail in these areas. The contracts are being looked at
in more detail.

It was worth commenting that it was likely that one of the
reasons why we had failed to take fully vetted people was
because of the pressure we put the supplier under to supply
labour at short notice, with the promise that vetting will be
carried out subsequently.

The Chairman had personally reviewed the contracts with
both Manpower and Reed and noted that they contained
warranties given by the Contractors which they could be in
breach of. He suggested that senior management take up the
issue with senior management at each contractor and asked
for an update at the special audit committee meeting to be
held on the 6 April 2004.

ARC04/10 SECURITY REPORT

The Security report for March 2004 was received which
highlighted any emerging security risks and the actions taken
to mitigate them and in particular the following was noted:

(a) probity checks performed by the P&OS payroll centre in
Sheffield identified a number of advance payments that could
not be traced and did not have supporting documentation.
Further investigation had highlighted that 11 fraudulent
payments had been made, with a total value of £249,000. A
number of improvements had been implemented intended to
eliminate the risk of similar occurrence;

(b) Adam Crozier reported that the Company was reviewing the
way in which the Company undertook prosecutions and in
particular potentially reducing the staff in the Corporate
Security department by increasing Police involvement. John
Neill said that it was good to review these processes but that
it was important to have our own people carrying out this
work, as the Police would only investigate and prosecute in
extreme cases. Jonathan Evans reported that three
constabularies had already been approached and had
indicated that they would prioritise out work for Royal Mail.
Bob Wigley asked that the Committee be informed if there
was any intention to reduce headcount in Security.

ARC04/11 WHISTLEBLOWING PROCEDURES

At the Audit Committee meeting on the 11 November 2003
the Chairman had asked if the Company had adequate
whistle blowing procedures in place. The Committee:

(a) noted the current arrangements contained within the Code of
Business Standards document. Bob Wigley reported that he
had requested a log of calls to the helpline from the Head of
Corporate Security and also said that a concern had been
expressed to him that the organisation did not appear to have
been particularly effective at protecting the anonymity of the
employees who had come forward with information. He
observed that this was clearly critical to the efficiency of the
system and asked Management to consider how this could
be improved;

(b) agreed that the policy should include wording on raising
concerns about possible improprieties in matters of financial
reporting or other matters. The inclusion of a policy statement
on illegal substances would also be reviewed;

ACTION
Jonathan Evans

(c) endorsed the need to refresh the communication of the
procedure generally.

ARC04/12 ANY OTHER BUSINESS

Bob Wigley said that he would like the minutes in to be
circulated promptly after the meeting and for them to reflect
the dialogue of the meeting. The Chairman thanked Derek
Foster for the quality of the Audit papers.

ARC04/13 DATE OF NEXT MEETING

The Committee noted that the date of the next scheduled
meeting of the Committee was Monday 24 May 2004 and that
a special meeting would be convened in advance of the next
full board meeting to receive and review Management’s
proposals to deal with the recommendations contained in the
Internal Audit Report on Single Daily Delivery
implementation, Management processes (Feb 2004), The
assessment of Policies and Processes to support PAYE
payments for Management Board and Holdings Board
directors (Feb 2004), the follow up review of People and
Organisational Development, review Vital Few Controls,
receive Management’s proposals to increase Internal Audit
resource and receive an update on discussions with
Manpower and Reed about their performance on vetting
agency staff.