POL00423307
Internal Audit
Risk and Compliance Committee Report
Post Office Internal Audit RCC Report - September 2015
1. Audits completed since last RCC.

Contract Management
Key findings:
- Supplier contract portfolio is not fully known.
- Contract Management Framework (CMF) remains in draft (since its development in 2012) and requires further development, finalisation and implementation.
- Staff have the ability to define their own roles and responsibilities.
- Management are unable to effectively foresee and manage expiration of contracts.
- Analysis and management of risks to drive contract management.
Status: Final Report issued (see Appendix 1). Actions will be followed up with management as appropriate.

Financial Crime
Key findings:
- Staff are not clear on where and how to report suspicions or concerns.
- Effective mechanisms to prevent and detect fraud and corruption are not incorporated into policies, procedures and systems.
- Focus of proactive / reactive activity is directed towards customers and customer facing areas of the business.
- There is no corporate / PO wide approach.
Status: Report discussed with relevant management and actions agreed (see Appendix 2).
2. Work in progress.

FS Conduct Risk
Key findings: Subject to management clearance — detail on findings will be shared with members once agreed.
Status: Draft report completed. Preparation for clearance in progress — management clearance w/c 14 September (due to leave).

Drop and Go Review - Enhancement; Drop and Go Review - Product Development
Key findings (across the two Drop and Go reviews):
- The number of Drop and Go active accounts is unknown.
- Transaction data is not personalised.
- No communication solution has been developed covering: When will the Online Mails portal go live? What can I tell my customers? What is happening with Click and Drop?
- Postmasters and the central fund make up the difference when some customers have insufficient funds in the Drop and Go account. There is no formal process for debt recovery.
- Negative behaviour scenarios were not considered during testing.
- Insufficient regression testing was performed, resulting in bugs going undetected at migration.
- Project risks were not transparently communicated to stakeholders.
- Project management principles were not formally applied.
- Scale of change and interdependencies were not understood.
- Scope and deliverables changed a number of times, yet the business case was not rebaselined.
Status (both reviews): Fieldwork complete. Findings with management, report in draft.
2. Work in progress cont.

IT Towers Delivery
Position: Fieldwork on-going. The majority of emerging issues raised have been addressed by the recent restructure and creation of new Post Office Programme Manager roles.
Status: First highlight report agreed and shared with management.

On-going Assurance
Position: Fieldwork commenced.
Status: Fieldwork in progress. Reporting due end September.

Management Information
Position: Meetings held with the Finance Directors to determine the sample of critical metrics for testing.
Status: Co-source resource being secured to commence this work in September.

Fujitsu exit
Position: Fieldwork was placed on hold pending Board decision (and internal restructure) — updating approach with management.
Status: Current position being determined with management prior to recommencing audit.

Telecoms
Position: Terms of Reference agreed. Fieldwork commenced.
Status: Fieldwork in progress. Reporting due end September.
3. What we will do - Next 3 months.

Assurance Framework (Jane MacLeod)
Scope: Assessment and review of the assurance providers within PO. Terms of Reference drafted and shared with Risk team. Linked to Business Transformation programme.
Dates: On-going / TBC.

Data Protection (Jane MacLeod)
Scope: Assessment and review of ISAG Data Protection processes and controls in place.
Dates: November / November.

Fujitsu exit (Lesley Sewell)
Scope: Controls and mechanisms in place to control Fujitsu services and minimise exit cost. Initial work commenced but subsequently held pending Board decision — updating approach with management.
Dates: September / October.
4. Other matters.

Business Transformation
Independent Transformation Assurance (ITA) reviews have started. A Front Office Mobilisation review and a Portfolio Governance, Management and Change Methodology Design review are currently underway, supported by Internal Audit, and are due to report in September 2015. Deloitte has been appointed as the assurance partner to deliver the on-going ITA plan. They will be on-boarded in early September before starting to deliver reviews later in the month.

Mails Collection Service
This has been incorporated into the Drop and Go findings and associated actions, which are currently with management for their responses.

Property Regulatory Compliance
Internal Audit has continued to work with Legal in assisting Property to implement adequate governance and controls around regulatory compliance requirements, and attended the Property Compliance Forum.

The following issue was highlighted at the last Forum (held on the 13th of August): the safety certifications have expired for all lifts within the Post Office estate, as the assessments have not been carried out by the service provider (Norland). The assessments are the independent means of verification, proving lifts are safe and providing assurance to the regulator and third parties (i.e. Health and Safety Executive) that PO has done everything reasonably possible to ensure lifts are well maintained. The verification exercise has now been approved by PO, although no detailed formal programme of works has yet been provided by Norland. The verifications are expected to be completed by mid-October.

The issues highlighted at the August RCC meeting have not been fully addressed:
- Responsibilities to oversee property compliance matters have not been assigned to any GE sub-committee.
- The Property Compliance Forum operates without formal Terms of Reference (a draft version has been prepared but is still not formally approved and adopted). There is no formal mechanism to escalate the issues and risks identified to a higher management level or committee.
- There are no PO dedicated compliance resources providing first line of defence and assurance to mitigate property compliance issues. PO is currently reliant on an interim manager seconded (part time) from Norland, who is technically competent but in no way independent.
- There is a need for more rigorous contract management of the services provided by Norland and Servest to ensure expected performance levels are maintained and the necessary compliance is achieved in a timely manner.

An initial meeting has been scheduled for the 4th of September between Legal, Internal Audit and the Procurement team to discuss how to address the above issues.
Overdue actions from audits

Area | Overdue action | Assigned to | Forecast completion date | Progress

1. Business continuity
   Action: Prepare and issue BC guidelines to GE / Top management.
   Assigned to: Corporate Services - Risk Team.
   Forecast completion date: Nov 2014.
   Progress: Guidelines are being revised and are subject to the need to test before issue.

2. Business continuity
   Action: Continue negotiations as necessary for recovery desks / options for other key office centres.
   Assigned to: Corporate Services - Risk Team.
   Forecast completion date: Mar 2015.
   Progress: Ongoing as a result of recent BC test issues (Warrington).

3. Business continuity
   Action: Draw up testing schedule for use as plans are implemented.
   Assigned to: Corporate Services - Risk Team.
   Forecast completion date: Mar 2015.
   Progress: Plans not currently in place, therefore unable to test as yet.

4. Business continuity
   Action: Embed crisis management into the BC process work being carried out across POL.
   Assigned to: Corporate Services - Risk Team.
   Forecast completion date: Dec 2014.
   Progress: Risk team are reviewing the current crisis management processes for rationalisation. Paper to be presented to a future RCC.

5. Benefits Realisation
   Action: Finance committee to discuss if and how non-financial benefits can be tracked centrally, e.g. categories of non-financial benefits could be developed and assigned to senior individuals across the business.
   Assigned to: Finance (Nick Sambridge).
   Forecast completion date: Feb 2015.
   Progress: Whilst the Transformation Design Group will discuss non-financial benefits going forwards, it is not currently happening. Nick Sambridge has taken an action to recruit someone to focus on this area.

6. Benefits Realisation
   Action: Finance committee to discuss how accountabilities for the delivery of benefits can be enhanced, e.g. through the company appraisal / PDR process.
   Assigned to: Finance.
   Forecast completion date: Feb 2015.
   Progress: Finance are awaiting output from the OEE consulting review of benefits management — due imminently.

7. Benefits Realisation
   Action: A column will be added to the benefits tracker to show the sources of data used and any assumptions made.
   Assigned to: Finance — new owner taking over this area.
   Forecast completion date: Feb 2015.
   Progress: Update column still needs to be added to Benefits Tracker.

8. Action: Management (CIO) have accepted the risk of limited remote access security, taking into consideration the level of change being undertaken in IT. ISAG will perform a risk-costs benefit analysis, based on industry remote access trends.
   Assigned to: IT — Roger Middleton.
   Forecast completion date: October 2014.
   Progress: The initial control objectives which were intended to be covered by actions 8 and 9 are now to be considered under the deployment of the EUC tower, which includes remote access management and new account creation. The new IAM audit (Q4 in the IA audit plan) will be looking at the new controls deployed by the EUC tower once in place.

9. Action: Controls will be implemented to ensure that new accounts are granted access based upon job description access requirements and appropriate authorisation.
   Assigned to: IT — Roger Middleton.
   Forecast completion date: Apr 2015.
   Progress: Refer to 8 above.
CONTRACT MANAGEMENT
Contract Management
Internal Audit Report
August 2015
CONFIDENTIAL
Audit Highlights

Background
The management of supplier contracts within PO is split between the Procurement team and the business area that benefits from the relevant service. For IT contracts some elements of contract management are undertaken by Atos.

The objective of the review was to assess the adequacy and effectiveness of current processes and controls over contract management, with a specific focus on managing supplier performance.

* There have been some changes to management during the review, with leads for both non-IT and IT contracts leaving PO in December (non-IT) and March (IT). The Bravo (portfolio management tool) Administrator also left PO in February 2015, under Wave 1 - Business Transformation. The Purchasing Director and Governance, Systems and Reporting Manager have been appointed post review. Actions have been re-agreed with management as a result.

Whilst it is acknowledged that the focus of Procurement has been on the Town Hall cost saving targets, it is our assessment that there is the risk that the lack of focus on 'business-as-usual' contract management has brought its own associated costs.

(Refer to Appendix A for PwC's suggested Best Practice Framework)

Key issues
1. Supplier contract portfolio is not fully known.
2. Contract Management Framework (CMF) remains in draft (since its development in 2012) and requires further development, finalisation and implementation.
3. Staff have the ability to define their own roles and responsibilities.
4. Management are unable to effectively foresee and manage expiration of contracts.
5. Analysis and management of risks to drive contract management.

Assessment
The findings of our work reveal long-standing and significant issues in the management of non-IT contracts. The root cause of the number of findings is thought to result from the Contract Management Framework (which provides standard operating processes) not being fully developed, finalised and implemented.

The report has three overarching messages on contract management at PO:
1. The split of roles and responsibilities between Procurement and the business is not clearly understood or communicated.
2. PO does not fully recognise and understand the different risks and complexity attached to different types of contracts.
3. The PO contract portfolio is not fully known at present.

Priority actions
1. Updating Bravo information as a matter of urgency.
2. Further development, finalisation and implementation of the CMF.
3. Review, communication and formal allocation of roles and responsibilities.
4. Classification of all active contracts in accordance with the CMF.
5. Review of expired contracts and contracts due to expire in the next six months in terms of risk and potential value leakage. All material value contracts are being managed.
Ref | Area | Reviewed Findings | Risk | Priority | Agreed Action | Management Response | Owner / Date

1. Policies, procedures and process documentation.

1.1 Contract Management Framework (Priority: High)
Findings: A review of PO contract management activity was completed by the Best Practice team (Procurement) in 2012. This involved reviewing the PO existing portfolio of contracts. The output of the work was an outline Contract Management Framework (CMF). The document has not been fully developed and remains in draft. We noted that the CMF has no overall owner due to the individual who developed it leaving the business in early 2014.
Risk: Staff do not act quickly and decisively when making decisions. Lack of recognition over the importance of contract management. PO fails to continuously improve.
Agreed action:
a) The CMF should be reviewed and further developed (where required) and finalised. The document should be approved by the Chief Financial Officer.
b) The CMF should be assigned an overall owner.
c) An implementation plan to support the communication / embedding of the CMF should be developed.
Management response:
a) The most recent CMF material was produced in 2012 and is far from a comprehensive policy, and what does exist (.ppt's and .xls's) was never implemented. A practical and pragmatic approach to implementing the CMF within PO is required.
b) We have specified the role of Governance, Systems and Reporting Manager (recruitment of which will commence shortly).
c) The action plan will be agreed with the new Purchasing Director and issued (end October 2015).
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
1.2 Templates (Priority: Medium)
Findings: Templates for elements of the CMF have been developed (completed as a part of the activity in 2012). The location of the templates is not clearly understood by staff (held on a local drive) and they are not mandatory in their application. We found that templates are held on a local drive (individual has not left PO) and remain in draft. Testing found they had only been used in one of 10 contracts sampled. This lack of take-up is likely to have contributed to the high degree of variation in contract management activity observed during testing.
Risk: Inconsistent working practices may lead to inefficiencies, duplication and gaps in control.
Agreed action: Templates should mandate a standard application of processes to ensure consistency and efficiency of approach. Consideration should be given to ensuring that:
- storage is centralised and they are accessible to everyone.
- they are flexible enough to be proportionate to the value and risks of each contract.
- they are streamlined to clearly show the 'must do's'.
- they address the Atos on-boarding element.
Management response: See response to 1.1.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
1.3 Business guidance (Priority: Medium)
Findings: Non-IT contracts which are not classified as 'critical' or 'strategic' are currently managed by the business area which benefits from the contract. Management from Procurement have recognised from experience that the business does not have (in the majority of cases) the commercial skills or knowledge to ensure effective and efficient contract management. With this in mind, business owners need the support and guidance of Procurement to ensure contract management activities are carried out as required. This guidance is not available to those individuals and this is partly due to the lack of a CMF.
Risk: The business has strong technical / operational skills, built through years of experience; however it has currently un-leveraged commercial skills, which could lead to value leakage on contracts.
Agreed action: The CMF should incorporate business owner guidance (including roles and responsibilities) to ensure that day-to-day contract management activities are carried out as required by those individuals responsible for them.
Management response: See response to 1.1.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
1.4 Classification of contracts (Priority: High)
Findings: The criteria required by the CMF to classify PO contracts as Critical, Strategic, Acquisition or Leverage are not clearly defined, are inconsistently applied and, once assigned, are not re-assessed on a regular basis.
Risk: Contract management activities are ineffective, over-engineered and/or do not focus on areas of most risk or potential benefit to PO.
Agreed action:
a) Contracts should be classified using clearly defined criteria and consistent terminology, in accordance with the CMF.
b) The following should be considered to strengthen overall arrangements:
- whether classifications consider the level of risk and complexity of a contract.
- the meaning of classifications for Service Delivery and Atos teams to inform the contract management approach.
- a single definition and clear approach for each classification.
- the benefit of reviewing the classification at least annually as a part of on-going review of the contract.
Management response: See response to 1.1.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
2. Definition of roles and responsibilities of Procurement, Business and ATOS.

2.1 Allocation and documentation (Priority: Medium)
Findings: There is no clear allocation of the roles and responsibilities with regard to contract management activity from Sourcing handover through to contract continuance (extension / retender) or exit stages. Issues with individuals understanding their own and others' roles and responsibilities were apparent in all contracts sampled with no Atos involvement.
Risk: Key contract management activities could fall through the gaps between roles and teams. Issues may not be resolved in a timely manner and opportunities to mitigate risks and optimise services are missed. This may also have a negative impact on PO financially.
Agreed action:
a) Roles and responsibilities across the contract management lifecycle should be reviewed.
b) An assessment should be carried out over the efficiency and effectiveness with which roles, responsibilities and accountabilities for contract management activity are delegated throughout PO.
Management response: This is a potential issue that will be addressed by the appointment of the new role set out in 1.1 above.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
2.2 Handover (Priority: Medium)
Findings: A lack of knowledge transfer and staff continuity between procurement lifecycle phases has been an issue on some contracts. This was evident during sample testing on contracts such as Capita and Key Property Solutions. The observed reasons for this include:
- Contract Managers leaving PO without adequate handover.
- Lack of a formalised process for handover, and tendering documents not being loaded onto Bravo.
- Whilst a template has been developed to support the handover process, our testing found that it was not being used by Contract Managers.
- Contracts are assigned to individuals on Bravo (30%) that have left PO.
Risk: Key contract management activities may not be completed.
Agreed action:
a) Contracts should be reassigned where the Contract Manager assigned on Bravo has left PO. Confirmation should be sent by the relevant Category Manager (non-IT) and Sourcing Manager (IT) with an agreed deadline for completion.
b) Handover processes to transfer responsibilities on Bravo should be clear when:
- the named 'Contract Manager' or business owner leaves PO.
- a contract becomes active.
c) Bravo maintenance responsibilities should be delegated, e.g. Category Manager (non-IT) and Sourcing Manager (IT).
Management response:
a) All Non-IT contracts are now assigned to the correct Category Manager in Bravo.
b) Will be addressed as per the response to 1.1 above.
c) Agreed, and the Non-IT team have been instructed accordingly. The broader issue will be addressed as per the response to 1.1 above.
Owner / date: a) Complete. b-c) Governance, Systems and Reporting Manager. Action Plan - October 2015.
2.3 Business owner (Priority: Medium)
Findings: The business owner for the contract is not currently captured, i.e. not listed or named on Bravo. There is no field on Bravo to enter this. This information is particularly important when Procurement does not actively manage the contract.
Risk: Responsibilities in managing contracts could be unclear or missed through a lack of accountability or ownership.
Agreed action:
a) A record listing the business owner against each contract should be developed.
b) Responsibility for ensuring the record is kept up-to-date should be delegated.
c) Bravo functionality to support this exercise should be explored.
Management response:
a) Practically this is very difficult because the business stakeholders can be many and can change often. The broader issue will be addressed as per the response to 1.1 above.
b/c) A pragmatic solution needs to be developed once the new role is recruited.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
2.4 Customer contract management (Priority: Medium)
Findings: Procurement currently has no involvement in the business-as-usual management of in-flight customer contracts (third parties). The focus of contract management for Procurement has been directed towards suppliers. The potential gap in commercial thinking and challenge offered by Procurement could be a missed opportunity for PO.
Risk: The best commercial value from the contract during the life of the contract may not be achieved.
Agreed action: The benefits of involving Procurement in the business-as-usual management of in-flight customer contracts (third parties) should be considered.
Management response: Agreed, and whilst we are informally engaged in some areas of FS, I am happy to discuss how we engage more formally in the process with other groups.
Owner / date: Jim Rawlings. 30 September 2015.
2.5 Executive involvement (Priority: Low)
Findings: The most important, high risk and complex contracts are not formally assigned an Executive owner to drive supplier performance.
Risk: Formalised executive owner involvement within contract management could be a missed opportunity for PO.
Agreed action: The benefits (e.g. service performance) of formalised Executive owner involvement within contract management activity for the most important, high risk and complex service performance should be considered.
Management response: Agree, and this needs to be incorporated into PO's supplier management governance model. A pragmatic solution needs to be developed once the new role is recruited.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.

3. Contract administration.

3.1 Bravo (Priority: High)
Findings: For accuracy the contract status in Bravo must be correct, i.e. Created (Sourcing), Active (Live) or Expired (Exit, Extension or Retender). As at November 2014, according to the management information from Bravo, the PO contract portfolio totalled: 77 [...] Active and 19 Expired contracts. However, we found the management information generated from Bravo used by the Procurement teams to be inaccurate. This was due to Bravo being inconsistently used by staff (i.e. Contract Managers had not in all instances been changing the contract status from Created to Active in Bravo once live). Of the Created contracts on Bravo, 111 contracts had expired. For 52 expired contracts with a Created status, we found that payments had been made to a significant number of those suppliers after the expiry date. This could be due to various reasons:
- Contract has expired.
- Expired contract has been replaced, but remains on Bravo.
- Bravo has no 'deactivated' status.
- New contract has not been uploaded on Bravo.
Risk: Created contracts on Bravo which are expired (or due to expire) are not captured within the management information. Invoices raised [...] rates within the expired contracts. Therefore, PO may not get the most competitive rates and billing mechanisms, given that over time methods move on and these changes will not be reflected by operating under expired contracts. PO is currently unable to effectively foresee and manage expiration so that contractual arrangements can be revisited, closed or updated on a timely basis.
Agreed action:
a) Contract Managers should be requested to complete the following actions within an agreed deadline:
- ensure the status of their respective contracts on Bravo is correct (will be based on: check the expiry date of the contract is entered).
- where contracts are being managed offline, create a record on Bravo.
- a confirmation email of actions completed sent to the System Administrator for Bravo.
b) A contract 'de-active' status on Bravo should be added if the functionality allows for this.
c) The Bravo System Administrator should generate management information for the Sourcing Council on:
- expired contracts, including date.
- contracts due to expire in the next 6 months.
d) Bravo entries recorded as 'expired contract / catch all vendors' should be reviewed.
Management response:
a) All contracts that should be classified as 'Active' now are, and have correct end dates.
b) Whether or not this functionality can be added: Non-IT Category Managers are requesting the Bravo administrator to 'Archive' all contracts that are no longer 'Active' or are no longer valid for whatever reason.
c) This was performed and actioned in March 2015.
d) PN will validate whether these still exist.
Owner / date: a) Complete. b) Governance, Systems and Reporting Manager, Action Plan - October 2015. c) Complete. d) Jim Rawlings, 30 September 2015.
3.2 Direct Awards (Priority: High)
Findings: A 'Direct Awards' paper was presented to the Sourcing Council on 19 February 2014. At the meeting a total contract award of £29 million was approved for 12 contracts to the previous Royal Mail Group (RMG) suppliers following separation. The value was based on a contract duration of 18 months. The paper mentioned that re-tendering exercises would be subsequently run on an individual case-by-case basis to capture maximum procurement value for the business. No action plan to support the re-tender exercises has been developed to date. The 18 months is due to expire in September this year.
Risk: Delays in the contract award leading to value leakage, given that no value benefits are currently being realised by PO. The opportunity to realise cost reduction / increased value or exit at the earliest opportunity may be missed.
Agreed action:
a) A review of retender requirements (including associated risk / potential value leakage) for contracts as per the 'Direct Awards' paper presented to Sourcing on 19 February 2014 should be performed.
b) An Action Plan documenting the next steps should subsequently be prepared.
Management response: A response has been prepared for each and every contract set out within the Direct Award paper.
Owner / date: Complete.
3.3 Retention and management of contractual documentation (Priority: Medium)
Findings: The lack of formal guidance on the retention and management of contractual records has led to hardcopy contracts being stored inconsistently (e.g. Contract Managers, Business Users, Company Secretary and archiving). The location of the hardcopy contract was unknown for 40% of suppliers sampled. Anecdotal evidence from interviews with Contract Managers also suggests that some contracts are being managed offline and therefore have no Bravo system record. A reconciliation between suppliers paid and Bravo system records indicates that this is likely to be the case.
Risk: Suppliers could claim that an electronic copy of the contract has been doctored. Contracts could be lost or misappropriated.
Agreed action: A review of PO documentation / data management policies to ensure they are appropriate and applied consistently across contract management. If necessary, specific policies and procedures should be developed and communicated for contract management. This should cover:
- storage / archiving of hardcopy contracts; and
- retention periods.
On completion the existing hardcopy contracts should be stored to this effect.
Management response: We are in the process of verifying now that Bravo has been brought up to date.
Owner / date: Jim Rawlings. 30 September 2015.
3.4 Review of contracts (Priority: Medium)
Findings: The accountability for the on-going review of the contract (e.g. quality of service, delivery, adherence to contractual requirements, relationship and value etc.) is unclear at present. There is no formalised timetable or review process agreed. Sample testing found no evidence of review on four of five non-IT contracts sampled. In these instances the contracts had expired. Whilst a Town Hall with suppliers was recently held, which involved reviewing the value of all contracts and identifying cost saving opportunities, this should not be a one-off exercise.
Risk: Contracts do not meet the evolving business needs. Potential cost saving opportunities in contracts are being missed by PO.
Agreed action: A process should be put in place for planning and coordinating the on-going review of contracts.
Management response: Major contracts are being actively managed. A governance process is required. See response to 1.1 above.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
4. Supplier performance management including SLA, KPIs and service credits, validation, escalation and resolution of issues.

4.1 Supplier self-reporting (Priority: Medium)
Findings: PO relies on supplier self-reporting of performance in the majority of cases. We identified some instances during our sample testing where there was limited challenge to performance reported by suppliers. Whilst it was found that there are some ad-hoc or one-off assurance activities which occur informally on some contracts, this is only on a silo basis. This could be partly due to the lack of a CMF to formalise the process for seeking assurance. Sample testing identified there was no Service Level Agreement drafted for the Mindshare contract. We noted that there was some confusion from the business over who was responsible for developing this.
Risk: Supplier poor performance or inaccurate reporting remains unknown. Performance penalties are not being correctly applied. Payments are made to suppliers for services that have not been delivered.
Agreed action:
a) Self-reporting of performance may be an appropriate approach to performance measurement in some cases. However, the appropriateness should be determined by the associated risks, complexity and type of data being reported by the supplier.
b) Where processes are identified as 'high risk' through risk assessment, PO should consider the value of collecting its own performance data in order to independently measure and validate data.
c) Procurement should make a recommendation to the Business Owner on whether a Service Level Agreement (SLA) is required during Sourcing. If this is not completed prior to contract signature, or a decision is taken by the Business Owner not to take it forward, then this should be reflected in the relevant local risk register.
Management response: See response to 1.1 above.
Owner / date: Governance, Systems and Reporting Manager. Action Plan - October 2015.
5. Contractual and supplier risk management.

5.1 Risk Management
Findings: Guidance on how risk and issues should be documented, escalated etc. has been developed (back in 2012); however it has not been shared with the relevant business owner responsible for risk management. The impact of this was observed in the absence of risk management on PO non-IT contracts. No risk registers had been developed for any of the non-IT contracts sampled.
Risk: Risks and issues may not be identified, fully recognised and understood by PO, in terms of the different risks attached to the different types of contracts and suppliers.
Priority: Medium
Agreed Action:
a) Contractual and supplier risk management processes should be aligned to the overall corporate risk management approach for PO and clearly communicated.
b) Risks should be actively managed to ensure that controls are in place for mitigation and on-going monitoring.
c) Assurance should be planned against the risk dependent on risk rating.
Management Response: See response to 1.1.
Owner / Date: Governance, Systems and Reporting Manager; Action Plan - October 2015
6. Management information and reporting.

6.1 Continuance Decision
Findings: The timing of the continuance decision needs to be such that PO is in a position where it ideally does not operate expired contracts. Feedback from some of the contract management community suggests that the six month trigger on Bravo does not usually give adequate time for a retender exercise to be completed. This has led to behaviours observed such as extending contracts due to lack of time and resource to retender.
Risk: Suppliers could potentially complete trading arrangements without effective renewal, which could lead to other business or operational issues.
Priority: Medium
Agreed Action:
a) The decision making process for contract continuance (exit, extension or retender) should be reviewed.
b) The responsibility for monitoring contract expiry / triggering the process should be delegated.
Management Response: As part of the CMF we will establish variable notice periods for contract expiry according to the time it would take to undertake a re-tendering exercise.
Owner / Date: Governance, Systems and Reporting Manager; Action Plan - October 2015
7. Atos

7.1 Atos
Findings: The Atos contract is currently being stabilised. A review of the contract by Procurement is due to be completed in April 2015. We observed:
• There is a lack of certainty over whether PO is correctly paying for Atos services. This is primarily due to the complexity of the contract (i.e. obligations and costs were written around an integration model with 4 towers). The Contract Manager for Atos is currently pulling together a more detailed overview of Atos obligations.
• There is no 'Assurance Plan' for the Atos contract.
• Atos operationally holds a risk register for each supplier on-boarded. Risks which have been dealt with by Atos and therefore closed are currently not shared with PO.
Risk: The new IT environment fails to deliver the expected benefits, e.g. cost savings, risks and efficiencies compared with the current environment.
Priority: Medium
Agreed Action:
a) A timescale for review of the Atos contract (including a detailed view of obligations) should be agreed.
b) The assurance requirements for the Atos contract should be determined.
c) PO should reconsider the decision not to have visibility over risks dealt with by Atos and therefore closed.
Management Response: IT Procurement issue. See response to 1.1 (IT Procurement should not work to a different governance process than Non-IT).
Owner / Date: Governance, Systems and Reporting Manager; Action Plan - October 2015
APPENDIX A - PWC Framework

Best Practice
A mature contract management control environment is based on a formal framework which all personnel involved in contract management are aware of, understand and follow in the sourcing, procuring, managing and operating of contracts. A framework should include the following:

Categorisation of contracts: This allows flexibility across different contracts dependent on the size, risk, value and complexity of a contract arrangement. Each category is subject to different levels of oversight, with the most basic contracts requiring very minor on-going monitoring and the more complex contracts requiring more regular and detailed monitoring, independent assurance and collaboration across the organisation.

Roles and responsibilities: These should be clearly defined within the framework. It should be clear who is accountable for what, and individuals should be incentivised accordingly (e.g. fixed reward or variable).

Clear linkage between procurement and the business function: The individuals responsible for the operation of the contract should be involved in agreeing the scope, Service Level Agreements and KPIs set within the contract, as they will be responsible for managing the contract once in operation. At the very least there should be a formal handover from procurement to the business function.

Clear plan for renewing/renegotiating contracts on expiry: Depending on the length and complexity of a contract it can take a number of months to renew/tender a contract. Trigger dates should exist for all contracts for this process to begin, to avoid operating expired contracts.

Minimum management information requirements: A minimum level of management information should be defined up front and be maintained for each contract (the level of which will depend on the categorisation of the contract), as this allows for consistency across contract management.
Financial Crime
Internal Audit Report
September 2015

FINANCIAL CRIME
Background
Financial crime risk is defined as the vulnerability, or exposure, of the organisation towards financial crime and irregularity. The prevention, detection and resolution of financial crime is a management responsibility, and the business must satisfy itself that it exercises suitable control over 'financial crime risk' covering Head Office functions, corporate services, network, depots and branches. Before separation RMG was responsible for fraud risk management. The focus of our review has been on the financial crime of fraud. Further reviews of anti-money laundering, bribery and corruption and cyber will be considered as part of our on-going review of the Internal Audit Plan for 2015/16.

Our overall assessment
PO currently has a culture where not knowing what you don't know is accepted. To be confident in conclusions over fraud risk maturity, PO will need to ascertain what it does not know, and how it will go about learning it. As a first step, PO will need to determine its fraud risks organisation-wide and how effectively they are being managed. GE will also need to determine the ideal future state, commission a gap analysis, and prioritise activities that will help to enable the development of an organisation-wide anti-fraud programme. Fraud risk will need to be owned at the top to set the right tone. Ethical behaviours will also need to be communicated to staff, given the lack of clarity noted during the review. Such a programme will not only help to enable appropriate compliance with regulatory mandates, but will also help PO align its behaviours, values and performance drivers, as well as protecting its assets and reputation. The current culture will be hard to change and will require a focused and coordinated approach as well as investment. A sound ethical culture and effective system of internal control will be essential elements for building an anti-fraud strategy going forward. However, this will not provide complete protection against all fraudulent behaviour, highlighting the continued importance of prevention and detection measures provided by the Security - Fraud Risk and Analysis teams. PO now has the opportunity to build its own defences against fraud risk under a wider remit than at present; however fraud risk will need to be moved up the agenda for this to be realised.

Key issues
• No Exec owner to set the tone.
• No organisation wide policy or coordinated approach for management of financial crime.
• Effective mechanisms to prevent and detect fraud and corruption are not incorporated into policies, procedures and systems as standard.
• Risk of losing independent and specialist oversight of branch activity by Security - Fraud Analysis under Wave 3.
• Staff are not clear on where and how to report suspicions or concerns.
• No formalised process for detecting internal staff or agent remuneration fraud.
• Technology and tools to detect fraud are limited.
• A healthy dose of professional scepticism is not generally applied by staff when considering the potential for fraud.

Priority actions
• Formally nominate a GE member to be responsible for financial crime risk management.
• Identify financial crime risks organisation-wide and the effectiveness of their management.
• Determine the future state, commission a gap analysis and prioritise activities.
• Delegation of roles and responsibilities to deter, detect and respond to all fraud across PO.
• Moving management of fraud risk, and more widely financial crime risk, to one place.
Contents
Detailed Findings
Appendix 1: Areas of Best Practice - Noted at Audit
Appendix 2: Fraud Risk Management (FRM) - The Journey since Separation
Appendix 3: Audited internal controls to assist in preventing and detecting financial crime
Appendix 4: Audit and Risk Committee Terms of Reference

Detailed Findings
Columns: Ref | Area Reviewed | Findings | Risk | Priority | Proposed Action | Owner/Date
1. Financial crime risk strategy, policies, procedures and guidelines

1.1 Anti-fraud policies, procedures
Findings: There is no enterprise level or corporate policy for the management of fraud, or corresponding owner. This is likely to have contributed to the lack of clarity over management and staff responsibilities for ensuring that appropriate action is taken for preventing and detecting fraud. The impact observed has been the significant fragmentation of its management (particularly with regards to internal staff fraud).
Risk: Staff do not have a clear understanding over what part they play in the management of fraud risk. Organisational restructure / staff reductions may result in fewer internal controls such as segregation of duties, approval processes, supervision and rotation of staff. Tolerance levels for fraud and corruption are not defined.
Priority: High
Proposed Action:
a) A Financial Crime Strategy / Policy should be developed and implemented. This should:
• have a GE owner to promote Board commitment.
• have Board approval.
• cover the components: prevention, detection, deterrence and response.
• have roles and responsibilities clearly described.
b) Relevant financial crime documents should be communicated.
c) Effectiveness should be measured. This should be reported to ARC on an agreed basis.
Owner/Date: Jane MacLeod; January 16
1.2 Fraud Risk Management
Findings: Whilst the Security team have built a fraud risk management framework covering the fundamental elements within the remit of their activity, it is focused on customers and branch facing activities (Network, Supply Chain and change projects). This does not currently cover: cyber, internal staff and supplier/partner, speak up (whistle blowing) and remuneration.
Risk: Financial, operational and reputational risk. Fraud goes undetected.
Priority: High
Proposed Action: PO management of fraud risk, and more widely financial crime risk, should sit in one place.
Owner/Date: Jane MacLeod; January 16
1.3 Policies, Procedures and Programmes
Findings: When designing and implementing new systems, policies and procedures, controls have not always been built in to reduce the risk of fraud (refer to detailed findings in Appendix 3). This is partly due to PO not fully understanding the high fraud risk areas. Whilst there is a Policy Review Group, the Security - Fraud Risk team are not represented or requested for input to ensure 'fraud proofing' where relevant.
Risk: Staff are swayed by the opportunity (little fear or exposure or likelihood of detection) to commit fraud. Investigation outcomes and fraud risk are not incorporated into policies and procedures.
Priority: High
Proposed Action:
a) The catalogue of policies and procedures should be assessed to identify which should be 'fraud proofed'.
b) A risk based approach should be taken on the order of priority.
c) Fraud proofing of policies and procedures should be incorporated into the remit of the Policy Review Group.
Owner/Date: Jane MacLeod, John Scott; January 16
1.4 Fraud Awareness Survey
Findings: PO has not conducted a staff fraud awareness survey since separation to assess the level of understanding of anti-fraud policies, procedures and processes. Most organisations of similar size would do this as a matter of course.
Risk: Staff may not have the same level of understanding of PO's anti-fraud strategy.
Priority: Low
Proposed Action:
a) PO should undertake a fraud awareness survey of staff to assess their level of understanding of fraud related policies and procedures.
b) Findings of the survey should be used to develop an action plan to address areas where staff understanding of policies and procedures is not consistent.
c) Such a survey should be conducted on a three yearly cycle.
Owner/Date: Jane MacLeod; March 17
2. Roles and responsibilities with respect to financial crime risk management (including cultural aspects).

2.1 Responsibility for Fraud Risk
Findings: Whilst Security has taken on some of the mitigating fraud risk management activities, no function, team or individual has been formally delegated to act on behalf of the Board or Audit and Risk Committee (ARC) to ensure that PO has appropriate arrangements to deter, detect and respond to fraud.
Risk: Fraud risk management is low on the PO agenda. A sound ethical culture is not established. Lack of empowerment to inform and enforce policy.
Priority: High
Proposed Action:
a) Delegation of roles and responsibilities to deter, detect and respond to fraud across PO. This should cover as a minimum:
• Developing a framework of anti-fraud policies and procedures across the business.
• Raising awareness of fraud risks and developing mechanisms to maximise the opportunities for fraud risk reporting.
• Responding to Speak Up and other concerns raised with management.
• Investigation of suspicions and other irregularities.
• Providing advice and recommendations to managers across PO on appropriate controls to help prevent and detect fraud.
• Monitoring anti-fraud activity across PO.
• Communicating outcomes as appropriate.
b) Division of responsibilities should be defined across (as appropriate): General management; Risk and Compliance Committee; Audit and Risk Committee; CFO; HR; Security; ISAG; Legal; Mediation; Contract Advisors; Field Auditors; Internal Audit; Risk; External Audit; and Insurers.
c) Clarified roles and responsibilities should be clearly communicated organisation-wide.
d) Provide RCC, ARC and wider GE with relevant training.
Owner/Date: Jane MacLeod; a-c: Jan 16; d: July 16
2.2 GE Ownership
Findings: Direct responsibility for anti-fraud efforts does not currently reside with a member of GE. This lack of ownership has created significant challenges for Security when attempting to prioritise the management of it. To exemplify, Security is reliant on the resources of the Field Audit team within Network to complete visits on branches at risk. Due to Network Transformation priorities and resource limitations the monthly Field Audit visits have reduced from 50 (25 selected by Cash Management) to 30 (10 selected by Cash Management), whilst the risk exposure to PO given the change in suspension policy has increased.
Risk: Board tone over fraud risk management is not incorporated into working practices. Fraud risk management is not prioritised.
Priority: High
Proposed Action: GE member to be responsible for coordinating financial crime risk management.
Owner/Date: Jane MacLeod; Sept 15
2.3 Behaviour Framework
Findings: Whilst PO has a clear Behaviour Framework, acting with honesty and integrity is not a defined behaviour shaping the way we do things.
Risk: Culture at PO shapes itself. This may result in inappropriate behaviours.
Priority: Medium
Proposed Action: Consideration should be given to the inclusion of honesty and integrity as defined behaviours within the Behaviour Framework.
Owner/Date: Jane MacLeod; January 16
3. Reporting of suspicious activity and investigation processes.

3.1 Speak Up Policy, framework and high level processes
Findings:
Roles and Responsibilities: The Risk team is responsible for the development and maintenance of the Speak Up Policy, framework and high level processes to support it. We noted that a framework has not yet been developed and staff awareness of high level processes has not been tested. There is also no formal link into the Head of Security or Security - Fraud Risk team (responsible for investigation of suspicions). However, there is a proposal to move the monitoring of the Speak Up (whistle blowing) line to Grapevine for business efficiency purposes.
Maintenance: Whilst the Speak Up Policy has the fundamental elements, testing identified it was not up-to-date. The following concerns were raised with the Risk team and In touch (supplier):
• the number within the Speak Up Policy was for RMG rather than PO.
• whilst the number on the intranet was correct, when tested the script used was for RMG.
• the intranet page and Speak Up Policy offer an online web reporting service, however the link referred users to the RMG portal rather than PO.
Arrangements: A review of arrangements identified the following areas for strengthening:
• there is no overall named GE owner, including relevant contact details.
• there is no formal training to support the Policy.
• the location of the Policy is not overtly obvious on the intranet.
• no suspicions of fraud have been reported via the hotline in the past 18 months.
• the Policy does not apply to all, i.e. employed in (staff and contractors) or working with PO (employees of suppliers).
Risk: Financial loss or exposure to regulatory or legal action. Ability to prevent a corporate crisis could be undermined. Staff do not report suspicions. Culture of silence.
Priority: High
Proposed Action: Consideration should be given to the following opportunities relating to Speak Up:
• Having the Speak Up Policy, framework / high level processes under the remit of Security.
• Speak Up Policy has a GE owner with published contact details.
• Location of the Policy on the intranet reviewed.
• Speak Up contact methods are checked at agreed intervals.
• Speak Up Policy is reviewed at least annually.
• Policy applies to all, i.e. employed in or working with PO.
• Staff understanding of arrangements is tested.
• Speak Up arrangements are incorporated into training.
• Intranet page for Speak Up should bring together various PO policies, procedures and codes relating to anti-fraud.
• Speak Up number is published on the intranet home page.
Owner/Date: Jane MacLeod; July 16
3.2 Investigations
Findings: PO has a clear investigations process in place when a suspicion or concern related to fraud is reported to Security. However feedback from staff has indicated a lack of consistency of response if raised with and investigated by (line) management. Additionally management have highlighted confusion over who should conduct internal staff investigations and how this should be reported.
Risk: Line managers may not have the necessary skills, experience or independence to undertake investigations to the required standards. This may result in loss or damage of evidence, abuse of process or failure of the investigation.
Priority: Medium
Proposed Action:
a) An organisation-wide Investigation Policy (which includes a Fraud Response Plan) should be developed as a formal means of setting down clearly the arrangements for dealing with detected or suspected cases of fraud.
b) Financial Crime and Speak Up policies should refer to the Investigation Policy.
c) The Investigation Policy should be linked to the staff Code of Business Conduct.
d) The Investigation Policy should be owned. The document should be published via the intranet.
Owner/Date: Jane MacLeod; 31 Jan 16
4. Governance structures for overall monitoring and upwards reporting of financial crime activity and financial crime risk.

4.1 ARC responsibilities
Findings: Whilst the Terms of Reference for the Audit and Risk Committee (ARC) refer to various responsibilities for managing the risk of fraud (refer to Appendix 4), it is not obvious these are formally being performed. We noted that:
• fraud risk, and more broadly financial crime, is not a standing agenda item.
• the ARC does not receive any regular reporting in this respect.
• the Head of Security is not an attendee at ARC or the Risk and Compliance Committee (RCC).
Risk: Inadequate anti-fraud programs and controls in place to identify potential fraud. Investigations are not undertaken when fraud is detected. Fraud is not prevented.
Priority: High
Proposed Action:
a) ARC should review its responsibilities to ensure it has sufficient oversight over the design, execution and monitoring of anti-fraud controls.
b) The Head of Security should be invited to attend the RCC and ARC when required (at least annually).
Owner/Date: Jane MacLeod; 31 Jan 16
5. Financial crime risk management (including appetite, identification, monitoring and awareness of financial crime risks).

5.1 Risk
Findings: The Risk Register for Security includes areas within its remit where PO is susceptible to fraud. However PO does not fully understand its exposure to fraud risk more widely, due to the localised approach taken, and therefore does not know whether it has the right range of mitigating controls in place.
Risk: PO does not effectively manage fraud risk.
Priority: High
Proposed Action:
a) A fraud risk assessment should be performed in all areas.
b) PO regularly identifies and assesses fraud risks - perhaps as part of an overall risk management process.
Owner/Date: Jane MacLeod; 31 Jan 16

6. Use of technology to detect financial crime.

6.1 Fraud identification process
Findings: PO lacks enabling technology to robustly detect fraud at branches. The Security - Fraud Analysis team uses a number of data sources to produce weekly and monthly spreadsheets (limited number) from which they identify a fixed number of branches of higher risk (due to the resource constraints of the Field Audit). These are assigned for further investigation. Part of this investigation includes use of a tool they have built called a 'fraud checker' that pulls on the reports. There are a number of inherent challenges and risks:
• it does not update automatically or allow for real time queries.
• it requires significant human input, intervention and specialist knowledge (it takes one FTE a week to complete the initial analysis), i.e. it does not automatically flag branches requiring review.
• it does not include data upon which Sub Postmaster remuneration is based (circa £500m per annum).
• there are instances of large losses occurring where the reports have not flagged the branches as high risk.
Risk: Fraud remains undetected. Losses are not found consistently and quickly enough. Significantly large losses impacting the bottom line. Judgemental error when analysing reports.
Priority: High
Proposed Action: The need to move from Horizon to a new Front Office Application (FOA) provides an ideal opportunity to reassess the requirement for a fraud detection tool.
Owner/Date: John Scott; Immediate
6.2 Front Office Security - Fraud Risk Team Impacts
Findings: The move from Horizon to the Front Office Application (FOA) will have significant operational impacts for the Security - Fraud Analysis team in terms of continuity of data provision used for interrogation. At the time of the review Security had not been invited to the FOA project workshops.
Risk: Significant resource impacts during transition leading to a reduction in the number of branches that can be reviewed for anomalous behaviour. Larger losses due to untimely audits.
Priority: Medium
Proposed Action:
a) Impacts on Security - Fraud Analysis team resource and business-as-usual activity during transition should be considered by the project team.
b) [text illegible in source] should be reflected within the Security Risk Register.
Owner/Date: John Scott; Immediate
6.3 Front Office - Design Requirements
Findings: Security has documented detailed design requirements for the FOA which have been captured by the project team. Approximately 80% of the requirements are either already in plan or will be included within the detailed requirements phase. This has been validated by the National Federation of Sub Postmasters. The most important requirement will be for the Security - Fraud Analysis team to have direct access to all the FOA data.
Risk: Lessons learnt from Horizon are not incorporated into FOA.
Priority: High
Proposed Action:
a) Any proposed de-scoping of end-user requirements should be communicated to the Head of Security.
b) The end user requirement for being able to directly access all FOA data for investigation purposes should be considered as mandatory.
Owner/Date: John Scott; Immediate
7. Training and communication.

7.1 Anti-Fraud Culture
Findings: Security uses various techniques to foster fraud awareness within Network, Supply Chain and change projects. Success is limited due to a lack of promotion by the business of its expectations over fraud risk management, behaviours etc.
Risk: Staff do not have a clear understanding over what part they play in the management of fraud risk or the behaviours expected.
Priority: Medium
Proposed Action:
a) A financial crime awareness programme should be developed PO wide. This should include reminding relevant staff at least annually of their fraud risk responsibilities.
b) Partners and suppliers should be reminded of their counter financial crime responsibilities and PO's commitment to protect funds.
c) Regular awareness messages concerning emerging fraud risks that affect PO and its staff should be publicised.
Owner/Date: Jane MacLeod; 31 Jan 16
7.2 Training
Findings: A training programme is developed on an annual basis within Security focusing on known areas of fraud weakness within Network and Supply Chain (particular focus of remit). Whilst the programme is signed off by the Head of Security, there is currently no input or endorsement from ARC, RCC or GE. Apart from the Annual Info Security Day conducted within branch there is no coordinated training activity that addresses fraud risk.
Risk: Staff who have a role in prevention and detection of fraud miss flags through lack of clarity over what constitutes fraud, how to identify such behaviour and how to respond if it is suspected.
Priority: Medium
Proposed Action:
a) Financial crime awareness training (including the Speak Up Policy) should be covered during induction for new staff in all business areas.
b) Consideration should be given to regular financial crime training for all staff being mandated by the Board.
Owner/Date: Jane MacLeod; 31 Jan 16
8. Implementation of actions to reduce identified financial crime risks to acceptable levels.

8.1 Post Investigation Reviews
Findings: Post Investigation Reviews (PIRs) are completed by the Security - Fraud Analysis team for any Network losses over £25K as a lessons learned exercise. Actions are proposed in response. PIRs are shared with various Security stakeholders. These are shared more widely for larger losses, however this is not formalised.
Risk: Sufficient action may not be taken more widely by the business (business-as-usual or policy changes). Large losses increase.
Priority: Medium
Proposed Action:
a) PIRs should be renamed / branded to avoid confusion with the Post Investment Review etc.
b) Outputs should be shared with the GE owner for fraud risk and formally reported to the Risk and Compliance Committee (RCC).
Owner/Date: Sally Smith; Immediate
8.2 Products
Findings: Prior to the new 'Change Process' the Security - Fraud Risk team Senior Manager attended the Project Delivery Governance Forum to ensure that fraud risk was considered when PO is designing, changing and implementing products. Under the current arrangements the Forum has been disbanded and replaced by the Clearing House and Transformation Committee. Whilst the membership of these Groups is more senior, to ensure robustness of challenge and elevate decision making, there are no formalised controls to ensure key stakeholders such as the Security - Fraud Risk team are duly consulted.
Risk: A project moves through its lifecycle in a way which exposes PO to fraud risk outside of appetite or tolerance levels.
Priority: Medium
Proposed Action:
a) PO should be confident that controls are sufficient to ensure the right stakeholders are identified and adequately consulted. For example, the change methodology could mandate a minimum set of stakeholders to be consulted, which could be enforced / validated via gating processes.
b) The Security - Fraud Risk team should be viewed as a key stakeholder at Gating points.
Owner/Date: Sally Smith, supported by Change Management team; 30 Oct 15
8.3 Risk Assessment Tool
Findings: A Risk Assessment Tool for projects has been proactively developed by the Security - Fraud Risk team to determine the fraud risks to PO and the level of team input required. To be effective this should be completed by the Project Manager after 'blue sky' thinking. There has been push back over the requirement to complete it due to lack of endorsement by the Clearing House. Recognising the need to still engage with the business, the Security Fraud Risk Senior Manager continues to meet with the Portfolio Managers to establish the pipeline in the attempt to engage and build in controls. This is due to the diligence of the individual rather than a formalised and robust approach to assess fraud risk exposure of projects.
Risk: Products are developed which expose PO and SPMs to significant risk or exposure to fraud. Costs associated with cancelling a project or building in controls at a later stage. Impact on bottom line.
Priority: Medium
Proposed Action:
a) A formal risk assessment process should be established, reviewed and endorsed by the Clearing House.
b) Completion by Project Managers (prior to moving through Gate 1) should be mandated.
c) Compliance should be monitored by the Transformation Committee.
Owner/Date: Sally Smith, supported by Change Management team; 30 Oct 15
8.4 Supplier Management Information
Findings: The Security - Fraud Risk team have faced challenges when requesting suppliers to share management information (MI) on significant fraud events, allowing PO to protect itself and agents against risk. This is partly due to PO not generally owning the product and contract obligations not mandating such information sharing.
For example Money Gram has been subject to the biggest external fraud for PO. In 2014, 1K attempts were made (approximately £310K worth of losses). The fraud exposure was known to Money Gram, yet PO was not aware of this until Security - Fraud Risk team raised the losses with the supplier.
The Security - Fraud Risk team has raised with Legal the need for wording to be included within PO contracts to ensure that suppliers make PO immediately aware of any significant fraudulent event that impacts a particular product. Legal have agreed to include such wording within the next review of the contract precedence in 2015.
Risk: Losses that could have been prevented.
Priority: Medium
Proposed Action: Agreed wording regarding the requirement of suppliers to report significant fraud events should be incorporated into the precedents at next review.
Owner/Date: Sally Smith, next review of contract precedence
9.1 Making Good of SPM losses
Findings: Prior to the Second Sight review, unexplained losses at audit led to temporary suspension of the PM or SPM and in a significant number of instances this led to prosecution. This resulted in significant disruption and cost to the Network (i.e. using a temporary SPM). Against the backdrop of the Second Sight review and cost pressures this policy was changed.
PO now investigates as far as possible without suspension. SPMs have the opportunity to "make good" the losses or missing monies "with no prejudice wherever it has come from". The nature of the loss is considered as opposed to the total sum. This involves a discussion between Field Support Adviser and Contracts team. The SPM also has the opportunity to settle centrally. Essentially, SPMs in the majority of cases are now being given a second chance to "improve performance".
Whilst it is acknowledged that this move was strategic the new approach introduces a lack of clarity over whether such actions by SPMs are inherently dishonest or a direct result of performance improvement needs.
Risk: PO strategy may take precedence over ethical decision making. Dishonesty is not punished. Reputation damage. SPMs use PO money for interest free loans. Larger losses are not prevented.
Priority: High
Proposed Action: a) PO needs to be clear when SPMs are making good losses, what is considered as:
• dishonest behaviour.
• requiring performance improvement.
b) A review of SPM's Business Case should be incorporated into PO decision making over whether behaviour is dishonest or requiring improvement.
Owner/Date: Angela Van-Den-Bogerd, 30 Nov 15
9.2 Improving Performance
Findings: The low number of further losses in those branches where SPMs have been allowed to make good has been viewed by the business as a success in improving performance. Seven repeat occurrences have been found as at May 2015.
This is against a background of incomplete information being provided for analysis. The process for determining branch monitoring following the making good of a loss was not in place at the time of the change in the policy. Consequently for the past year there has been no formalised focused monitoring of those branches (of higher risk) from a fraud or loss perspective.
Risk: Reputation damage from knowledge of SPMs being allowed to make good losses. Negative impact on SPM performance. Tensions between teams (Security, Contract Advisers and Field Audit) with competing priorities.
Priority: High
Proposed Action: A full fraud check (developed by Security - Fraud Analysis) will be completed against a checklist to ensure consistency of those branches on a quarterly basis, until no longer required. Branches will also receive a visit by the Field Audit team roughly a year after non-suspension or reinstatement.
Retrospective reviews have been scheduled over a period of time. A list of non-suspensions will be reviewed by the Security - Fraud Analysis team going forward.
The change in policy on precautionary suspensions should be reviewed within the next 6 months against relevant metrics in order to assess whether it is deemed to be working.
Owner/Date: Craig Tuthill, 31 Jan 16
9.3 Sparrow
Findings: Sub-Postmasters (SPM) are continuing to cite errors in Horizon as the reason for losses. Interviews with the Investigations team highlighted that there is a continued reluctance to pursue such cases.
Risk: SPMs exploit PO's perceived reluctance to pursue cases linked to Horizon. Large losses impacting the bottom line. Morale of staff detecting and investigating fraud is damaged.
Priority: High
Proposed Action: Whilst the lack of clarity over the response to such challenge was less clear over the past year, on closure of SPARROW and following the PO response to Second Sight the position going forward should be agreed and communicated (externally and internally).
Owner/Date: Angela Van-Den-Bogerd, Immediate
9.4 Proceeds of Crime Bank Account
Findings: Security is responsible for the Proceeds of Crime bank account. This does not form part of the PO automatic pooling process. The following issues (a result of an error in handover) were discussed with Security and Treasury:
• the account had not been defunded for 18 months. As at March 2015 the account balance was over £500k.
• staff were not aware of the bank account existence due to those managing it leaving PO (error in handover).
• three individuals named on the bank mandate had left PO without cancelling and transferring such responsibilities.
• the purpose of the bank account required re-clarification due to monies deposited into it not relating to the intended reasons for set up.
• staff within Security were unaware of the requirement to defund the balance into the central profit / loss account.
• the process of defunding was unclear.
• the location of the cheque book was unknown.
Risk: Withdrawals could be made which remain unidentified.
Priority: Low
Proposed Action: The Security team have worked with Treasury to resolve the issues highlighted. The purpose of the account has been re-clarified including the process for defunding and £343k has been defunded during the audit. The chequebook has been cancelled and new signatories set up on the Bank Mandate.
We are working with Treasury to ensure lessons learnt are built into processes going forward.
A memo has been issued to the Treasury (outside of the review) which summarises concerns relating to bank accounts currently out of scope of Treasury. Areas for strengthening have been suggested relating to: maintenance of bank mandates, alignment of roles and responsibilities to PO Treasury Policy requirements, rationalisation of such accounts, defunding process and management of cheque books.
Owner/Date: N/A
9.5 Prosecution Policy
Findings: Prosecution Policy remains in draft since 2012; GC has recently taken ownership of it.
Risk: Lack of publicised deterrent.
Priority: Medium
Proposed Action: Prosecution Policy is formally approved.
Owner/Date: Jane MacLeod, 30 Sept 15
Appendix 1: Areas of Best Practice - Noted at Audit.

Area | Key areas of good practice

Strategy
• The Security team mitigating fraud risk management actions within remit.
• Communication between Security - Fraud Risk, Cash Management, Field Audit and Contract Adviser teams.
• Security liaison with external stakeholders re: fraud risk and investigations.
• Significant reduction of excess cash (at risk) within the Network.
• Joined up approach between teams across Security to ensure best outputs for PO / reducing overall fraud risk exposure.

Governance
• Head of Security attends Corporate Services Lead Team meetings.
• Quality checking processes are incorporated into the Security - Fraud Analysis team processes.
• Head of Security has a dotted reporting line into GC.
• Security - Fraud Analysis team make the most of tools available to them to detect fraud within the Network.
• On-going communication between Security - Fraud Analysis team and branches relating to non-conformance.
• Security - Fraud Analysis team response to ad-hoc enquiries by the business.
• Formalised and documented processes for selecting branches for visits.
• Specialist skills and experience of Security - Fraud Risk team.

Risk
• Action taken by Security to mitigate risks related to the Proceeds of Crime Account.
• Response to identified PO and agent exposure to external fraud.

Awareness
• Security input into end user requirements of FOA.
• Proactive efforts by Security - Fraud Risk team to raise fraud awareness within projects and incorporate robust controls to reduce exposure.
• Communication and training on fraud risk within the Network.

Monitoring
• On-going review by Security - Fraud Analysis team over the effectiveness of reports (management information).
• Updating procedures and flow charts to support processes.
• Proactive efforts by Security - Fraud Risk team to develop and improve processes to drive fraud detection forward.
• Monthly meetings to discuss case progress (investigators, Head of Security and Cartwright King with GC optional).
Appendix 2: Fraud Risk Management (FRM) - The Journey since Separation.

[Timeline figure; recoverable labels only: April 2012; FRM led by Royal Mail; POL launch "Speak Up" Policy; Security is responsible for some FRM reactive activity; FRM activity refocused on proactive work to inform investigations; FRM activity focused on product losses; 9 month pilot with Detica, modelling solution identified; 2016-17?; with move to ... September?]
Appendix 3: Audited internal controls to assist in preventing and detecting financial crime.
The following areas were examined: recruitment screening, expenses (SAP and Capita), deductions, loans, annual leave, telecoms, corporate
procurement cards (CPCs) and stock management.
Ref | Area Reviewed | Findings | Risk | Priority | Proposed Action | Owner/Date
1. Recruitment
1a Screening
Findings: The Recruitment Policy states that PO applies a robust and a comprehensive approach to vetting and pre-employment checks.
Whilst this is true for some categories such as CIT, Cash Centres (more traditional with access to physical cash), Directors, FS sales employees, for all other roles (mainly in customer service centres), PO pre-employment checks for staff where there is no regulatory requirement are limited to:
• Criminal Records Bureau
• Eligibility to work in UK
• Proof of address
Security staff are subject to enhanced screening, however this is something instigated by team rather than Policy.
Feedback from the HRSC Recruitment team suggests that reference and professional qualification checking are not viewed as a critical process.
Whilst it is acknowledged that reference letters are a thing of the past, performing a reference check from an outside source (such as telephoning a previous employer to confirm dates of employment, role title etc.) and verification of professional qualifications required for the role will help to ensure the best hiring decision is made by PO.
Risk: PO appoints individuals who dishonestly claim to have professional qualifications or have not worked for previous employers. PO appoints individuals with lower levels of dishonesty into positions. PO will not be compliant for recruitment by FS regulated entities.
Priority: High
Proposed Action: Reference checks and verification of qualifications should be dependent on the direct level of risk in the position an individual will occupy. Cost benefit analysis should be performed against the risk. The cost of changes should be shared with Al Cameron for consideration.
Owner/Date: Neil Haywood / Joe Conner, 30 Nov 15
2. Expenses
2a SAP Travel Claims
Findings: Staff continue to claim for travel expenses via SAP rather than using Capita. In addition to PO not getting best value from these travel bookings there are various fraud related concerns including:
• staff are significantly exceeding the maximum limit agreed for overnight accommodation.
• staff are claiming for the cost of travel or overnight accommodation when it appears to have been settled by Capita (this is being looked at outside the work to be reported).
• Line Managers are approving such claims on SAP as appropriate.
Risk: Reputational risk in light of MPs' expenses scandal. Staff use the travel receipt or invoice booked through Capita to claim a SAP expense. Wrong behaviours are encouraged. Impact to the bottom line.
Priority: High
Proposed Action: a) Management should review the effectiveness of the Expenses Policy. This should incorporate 'fraud proofing' current arrangements. b) Management information should be shared with Cost Centre holders and the Cost Reduction Group regarding staff expenses via SAP and Capita for analysis and to inform future policy. c) When travel is not booked through Capita the following should be completed:
• Line Manager should be ensuring adequate justification exists and is in accordance with the Expenses Policy.
• Capita travel data should be sample checked against SAP expenses to ensure the claim has not been duplicated.
Owner/Date: TBC
2b Reconciliation between claim and receipt
Findings: Expenses claimed via SAP are subject to sample checking. Whilst the HRSC on a sample basis reconcile claims to receipts, we observed there is limited challenge over the appropriateness. We acknowledge the difficulties for the HRSC in doing this, given the lack of visibility over the individual's work. The Line Manager is therefore responsible for performing the appropriateness check; however they do not have visibility of staff receipts when approving the expense for robustness.
Risk: Inappropriate claims may be processed through SAP in the absence of an effective check on receipts. HRSC does not have all the information required to provide an effective check on the validity and appropriateness of the claim.
Priority: High
Proposed Action: a) Managers should be reminded of their accountability for approving all expenses relevant to their cost centre. b) Guidance should be issued to staff regarding the approval of expense claims. c) Security - Fraud Risk team should include staff expenses and Capita travel data within remit of detective activities.
Owner/Date: TBC
2c Capita Travel Requests
Findings: Unlike expenses claimed via SAP, staff do not require approval for Capita travel requests, so long as they are within the limits set out in the Expenses Policy.
There is no link between SAP and Capita travel systems.
Staff have the ability to:
• select any notifier (i.e. does not require approval by Line Manager) irrespective of grade or function.
• purchase season and multiple tickets (block of 10 anytime tickets for some staff).
• assign the expense to any cost centre.
• duplicate a claim through SAP and Capita.
Risk: Inappropriate Capita travel requests remain unidentified by Line Manager. Duplicate claims are made through SAP using the Capita invoice / rail ticket etc.
Priority: High
Proposed Action: a) Comprehensive analysis should be performed of staff use of Capita for travel, identifying improvements based on:
• Cost
• Benefits
• Risks
b) Consideration should be given to restricting booking certain items via Capita:
• blocks of 10 anytime tickets.
• first class tickets.
• monthly and annual rail season tickets.
c) Exceptions should be approved by HR Business Partner.
Owner/Date: TBC
2d Contractual entitlements
Findings: Individual contracts vary significantly in terms of staff entitlement. For example on staff travel reimbursement such as: excess travel, transport costs from home to place of work, use of lease car and accommodation. We noted that claims made by staff are not being checked against contractual entitlement. Furthermore the records held by the HRSC listing home, dualist, field and office based staff also appear to be out of date when reconciled against the claims made by a number of staff in 2014/15.
Risk: HMRC associated issues. Inappropriate claims made ... remain unidentified.
Priority: Medium
Proposed Action: a) Line Managers should understand they have the responsibility for asking HR to re-issue contracts of employment if necessary, and that Line Managers are responsible for authorising payments to staff only if these are in accordance with their contracts of employment and/or in accordance with collective agreements reached with representatives. b) A policy statement on contract of employment should be reviewed, amended and reissued. c) Guidance should be given to managers about what they should be asking and checking before they sign off travel expenses to make sure this is rooted in agreed terms and conditions. d) HR to review staff place of work (with the respective contract) against the following categories: Home, Dualist, Office and Field based. This review should be repeated at agreed intervals.
Owner/Date: Colin Stretch, 31 Dec 15
3. Annual Leave
3a Entitlement
Findings: There are no automated checks to ensure annual leave entitlements as set out in staff contracts are being applied in practice for employees (i.e. parameters are not set within SAP to ensure that annual leave balances are not exceeded by staff).
Risk: Staff take excess annual leave. Red flags (fraud indicators) may also not be visible such as staff refusing to take holidays.
Priority: Medium
Proposed Action: Benefits and limitations (including costs) for enhancing SAP to incorporate parameters and automated checks for annual leave entitlement should be explored.
Owner/Date: Joe Connor, Immediate
3b Use of SAP
Findings: The Annual Leave Policy does not mandate the use of SAP (for those with access) to request or approve annual leave entitlement. This has resulted in inconsistent, localised, offline procedures being adopted by staff.
Risk: PO is unable to test for fraud relating to annual leave.
Priority: Medium
Proposed Action: Where staff have access, it should be mandated that they request and approve annual leave on SAP. Policy statement should be reviewed, amended and reissued.
Owner/Date: Colin Stretch, 31 Dec 15
4. Telecoms
4a Acceptable Use Policy
Findings: Whilst PO has an Acceptable Use Policy covering mobile phones this is limited in terms of providing clear guidelines over user responsibilities, issuing, recirculation of devices, and reimbursement of personal calls.
Risk: Telephony is open to misuse. Employees are unaware of the terms and conditions for mobile phone use.
Priority: Medium
Proposed Action: A corporate policy in support of the use of mobile phones should be developed. This should be aligned with the Acceptable Use Policy. As a minimum it should cover:
• Eligibility for a mobile phone.
• Use of devices.
• Exchange.
• Confidentiality.
• Leavers.
• Reimbursement for personal calls.
• Recirculation of devices.
• Upgrades.
• Loss.
• Timetable for review.
Owner/Date: TBC
4b Monitoring of usage
Findings: The responsibility for monitoring appropriateness of telecoms usage has not been formally delegated. We observed that monitoring is limited to the top 10 highest users. Cost Centre holders are not currently provided with sufficient information on billing to enable such review. Our review of charges for the past 6 months highlighted 17 instances where staff have bills for over £500 per month (including 4 instances over £1k).
Risk: Telecoms are open to misuse by users.
Priority: Medium
Proposed Action: Itemised bills for mobiles should be made available for review (Cost Centre holders / Line Managers) on a periodic basis.
Owner/Date: TBC
4c Reimbursement of Personal Calls
Findings: Consistent procedures are not being followed for the reimbursement of personal calls on PO mobile phones. The observed reasons for this include:
• Azzuri (RMG legacy online billing and reporting supplier) receives a report of new users weekly, however email addresses are often missing or do not match the user name.
• Azzuri sends two reminder emails quarterly (regarding staff reimbursing PO for personal calls). 18% of users have not responded in the past 6 months (longest period 5 years) which suggests that limited further chasing or action is taken by PO internally.
• Azzuri does not have the email addresses of users for 249 handsets. The user is unknown for a further 9 handsets.
Risk: PO is paying for a significant amount of personal calls (at least 25%). User list is not fully known.
Priority: Medium
Proposed Action: a) Clarity is required over accountability for Azzuri contract. b) The effectiveness of Azzuri should be evaluated:
• resolve the mobile phone billing, reporting and reimbursement issues.
• Resolve the gaps in user data. Minimum data requirements to be shared with Azzuri should be agreed and implemented.
• At a minimum PO should provide Azzuri with urgency the following: Telephone number; User name; Email address.
• All users should be set up on PCM with an agreed deadline. A KPI should be agreed with Azzuri to ensure timeliness of this going forward.
c) Management (Cost Centre holders or Line Managers) should ensure reimbursement of personal call charges for mobile phones has been followed up consistently in their departments.
Owner/Date: TBC
4d Leavers
Findings: A reconciliation between the 'Outstanding for Reimbursement' report (March 2015) provided by Azzuri and leavers list (since April 2014) found the following:
• nine leavers with active numbers being chased to reconcile (dating back to July 2014).
• six leavers with active numbers who appear to have used their mobiles after termination date with 4 currently using the numbers.
• one leaver (included above) who left PO in July 2014 has two active numbers, one of which incurred a bill in March 2015.
Whilst the amounts involved are small the findings could indicate a wider issue relating to management of the handset portfolio. The total amount incurred over time could prove significant. *The exceptions were raised immediately to Procurement who manages the providers.
Risk: PO is paying for call charges incurred by non-employees. Azzuri chase individuals to reconcile call charges who no longer work for PO.
Priority: Medium
Proposed Action: a) Handset portfolio should be reviewed. b) Each handset should have an assigned user who is a current employee. c) Active numbers assigned to individuals who have left PO should be cancelled immediately.
Owner/Date: TBC
5. Corporate Procurement Cards
5a Payments
Findings: CPC payments are automatically debited centrally on a monthly basis. We identified that payment processes are not subject to reconciliation to ensure the appropriateness of spend. A walkthrough of processes also highlighted that transactions are not subject to any review in a significant number of instances (i.e. neither by Line Manager nor cardholder when statements are not received).
Risk: Staff are tempted to inappropriately use the CPC facility. This remains undetected by PO. Sophisticated and high-level fraud. Purchases of items intended for personal use, duplicate items, and unusual patterns remain unidentified.
Priority: High
Proposed Action: a) A policy decision should be made over the use of CPCs. b) PO should review and increase the level of scrutiny and controls applied to CPC transactions. This should include:
• CPC policy and guidance updated to specifically mention the requirement for defined management checking processes for usage.
• Further clarity is required on the line role.
• Sample compliance checking should be built into processes.
Owner/Date: TBC
5b Review of CPC Statements
Findings: Testing revealed that cardholders are not receiving statements in a significant number of instances to confirm that expenditure incurred is accurate.
Risk: Suspicious activity or errors remain unidentified. Incorrect statements could be paid.
Priority: Medium
Proposed Action: Cardholders should be requested by the CPC Administrator to confirm whether or not statements are being received. * Also refer to recommendation 5c below re loading and reconciling of transactions in SAP.
Owner/Date: Lorraine Garvey / Kate Wilson, 31 Oct 15
5c CPC Policy and guidance
Findings: The CPC policy and guidance does not offer any clarity over who should approve expenditure and what this means. There is currently no further approval of CPC expenditure by management after the initial approval of card.
Risk: Lack of tone at top to prevent inappropriate behaviours.
Priority: Medium
Proposed Action: Line Manager approval of spend should be introduced to ensure appropriateness of CPC expenditure. The following options should be considered:
• Explore the possibility of the CPC provider (HSBC) providing an electronic download of transactions, which can be loaded into SAP and reconciled / approved by Line Manager through staff expenses (Considered).
• Line Managers should review statements on a monthly basis (if above is not possible). Sample checking should be performed to ensure compliance. Alternatively statements are no longer paid centrally but instead by the cardholder and claimed back through expenses.
Owner/Date: Lorraine Garvey / Kate Wilson, 30 Nov 15
5d Allocation of costs
Findings: CPC purchases are automatically allocated to relevant cost centres.
Risk: CPC transactions have been miscoded when individual has moved roles without notifying the CPC Administrator.
Priority: Medium
Proposed Action: a) A review of the cardholders should be performed to ensure that individuals have not transferred position / assigned the right cost centre. b) CPC Administrator should be notified when a cardholder moves roles.
Owner/Date: Lorraine Garvey / Kate Wilson, 30 Nov 15
6. Stock Management
6a Inappropriate Sale
Findings: PO stock is being sold by staff and agents on auction websites such as eBay (in some instances after being reported as destroyed). There is no dedicated resource currently to address this issue.
Risk: Fines from third parties. Individual imitating as PO. Brand reputation damage.
Priority: Medium
Proposed Action: Define the appetite for protecting the brand against resale of stock by staff online. More widely PO should consider the need for the following:
• Brand Protection Strategy
• Brand Protection Programme
• Dedicated resource
Owner/Date: Jane MacLeod to raise with Pete Markey, 30 Nov 15
Appendix 4: Audit and Risk Committee Terms of Reference
• Significant findings (the "management letter" from external auditors) and recommendations together with management's responses.
• Any reportable restrictions experienced regarding scope or access to required information by either external or internal audit.
• Review any summary of frauds, thefts and other irregularities of any size.
4.4 Risk Management - Other
• The Committee shall have the power to conduct or authorise investigations into any company matters within the Committee's scope of responsibilities. The Committee shall be empowered to obtain independent legal advice, and engage counsel, accountants, or others to assist it in the conduct of any investigation.
• The Committee shall perform such other functions as may be assigned or delegated to it by the Board, and may review other items of an internal control or risk management nature which may from time to time be brought before the Committee.