POLARC 16(3")
POL ARC 16/21 - 16/32
POL00423368
Strictly Confidential
POST OFFICE LIMITED
(Company no. 2154540)
(the ‘Company’)
POL ARC, 19th May 2016
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE COMMITTEE
held at 10.30am on 19th May 2016
at 20 Finsbury Street, London EC2Y 9AQ

Present:
Tim Franklin           Chairman (Acting Chair)
Ken McCall             Non-Executive Director (KM)
Richard Callard        Non-Executive Director (RC)

In Attendance:
Paula Vennells         Chief Executive (CEO) (Minute 16/21 to 16/30)
Alisdair Cameron       Chief Financial Officer (CFO) (Minute 16/21 to 16/30)
Jane MacLeod           General Counsel (GC) (Minute 16/21 to Minute 16/30)
Nick Kennett           Financial Services Director & CEO POMS (NK) (Minute 16/21 to 16/30)
Alwen Lyons            Company Secretary (CoSec)
David Carter           Financial Controller (DC) (Minutes 16/21 to 16/26)
Paul Hemsley           Financial Controller Designate (PH) (Minute 16/21 to Minute 16/30)
Mike Morley-Fletcher   Head of Risk and Assurance, Corporate Services (MMF) (Minute 16/21 to 16/30)
Garry Hooton           Audit Manager (GH) (Minute 16/21 to 16/30)
Peter McIver           Ernst & Young (EY) (PM)
Mounia Mukina          EY (MM)
Elena Belyaeva         EY (EB)
Amanda Bowe            Post Office Management Services Limited (POMS) Non-Executive Director and Chair of ARC (AB) (Minute 16/22 only) by conference call

Apologies:
Carla Stent            Non-Executive Director (Committee Chairman)

POLARC 16/21 INTRODUCTION
(a) A quorum being present, Tim Franklin opened the meeting, and
conveyed the apologies of Carla Stent, ARC Chairman, for her
absence. The members of the meeting appointed Tim Franklin
as the meeting Chairman.
(b) Each Director confirmed that they had no conflict of interest in
relation to the business to be considered at the meeting.
POLARC 16/22 REPORT FROM POMS ARC
(a) The Chair welcomed AB who joined the meeting by phone.
(b) AB gave a verbal report from the meeting of the POMS Audit,
Risk and Compliance Committee which had taken place on 10
May 2016.
ACTION: General Counsel
(c) The POMS ARC had received a report and presentation from
Kevin Gilliland, POL Network & Sales Director, and Jonathan
Hill, POL Head of Financial Services Risk, on the oversight of
Post Office as Appointed Representative of POMS. From this
the POMS ARC had taken comfort that POL was taking steps to
address various issues of concern. The Chairman asked for
the report to be circulated to the POL ARC. The POMS ARC
had asked for an action plan to show how POL would mitigate
the risks.
(d) AB reported that the POMS ARC and Board had discussed the
Annual Report and Accounts and the treatment of £2m of
goodwill on the balance sheet. This had now been resolved and
agreed with EY.
ACTION: Company Secretary
(e) The Committee noted the report, and it was agreed that a
meeting of the POMS & POL ARCs should be arranged in
September.
(f) The Committee noted the minutes of the meeting of the POMS
Audit, Risk and Compliance Committee which had taken place
on 15 March 2016.
(g) The telephone call ended.
POLARC 16/23 HORIZON OUTAGE
(a) The CEO updated the meeting on the Horizon outage which
had occurred on the morning of the 9th May. Since the problem,
which led to an outage of up to 90 minutes in some branches,
the system had been stabilised and there had been no further
issues. A full root cause analysis had still to be completed by
Fujitsu (FJ) but the CEO assured the ARC that she had been
personally receiving reports every 4 hours on the performance
of the system.
(b) The CFO explained that over the last few weeks the servers
had been subjected to several checks which had all been
completed successfully. However, a switch from the secondary
to primary server, although successful throughout the weekend,
had failed on Monday morning with the higher volumes.
(c) The CFO reported that a formal contract escalation had been
put in place with FJ, and that he would not be comfortable until
it was clear why the outage had happened, and therefore no
further changes would happen until the cause was understood.
(d) The ARC asked what the risk of another failure was. The CFO
explained that the system appeared to be stable and that no
further resilience check would be carried out until a full root
cause analysis identified the problem.
(e) The ARC asked if any customers or subpostmasters would
have been affected. The CFO explained the recovery
instructions which were generated in the case of a systems
failure. The helpline had also been informed and had not seen
any increase in discrepancies.
ACTION: Garry Hooton
(f) The ARC asked internal audit to check the incident and
recovery process to ensure it had worked correctly.
ACTION: CFO
(g) The CFO was asked to update the Board and come back to
the ARC in September with a report on the root cause
analysis of the incident.
POLARC 16/24 MINUTES OF THE MEETING HELD ON 17 MARCH 2016, STATUS
REPORT AND MATTERS ARISING
(a) The minutes of the meeting held on 17 March were approved
as presented and the Chair of the Committee was authorised to
sign them as a true record.
(b) The Committee noted the actions list dated 12th May 2016; it
was agreed that action POLARC 16/03 (q) would report in
September.
POLARC 16/25 ANNUAL REPORT AND ACCOUNTS (ARA)
(a) The CFO introduced the draft 2015/16 Annual Report and
Accounts (ARA) explaining that they were presented to the
Committee for review and comment.
(b) The CFO explained that both EY and the Post Office had
completed most of their audit work with 80% of the
reconciliation completed, and no material issues had emerged
to date.
ACTION: Company Secretary
(c) The Financial statements would be presented to the Board on
the 24th May, with the proposal of delegating authority to the
ARC to sign off the final ARA. An ARC conference call to be
organised for the end of June.
(d) The CFO explained that since the decision was taken not to
include a statement of compliance with the spirit of the UK
Code of Corporate Governance, EY had clarified which parts of
the report could be shortened or removed. In the draft ARA
presented to the meeting the segmental reporting note had
been removed; the directors' remuneration reporting had been
reduced, although with more disclosure in the notes to the
accounts; but the risk sections had remained.
(e) The ARC discussed the Directors’ Remuneration Report and
whether there was a desire to include more detail than the
minimum required. It was agreed that reducing the disclosure
would be difficult to explain and might appear less transparent
than in the past. The ARC were comfortable with the current
draft and would recommend this disclosure to the Board.
(f) The CFO explained that the usual accounting policy adopted by
the business to impair capital items in the year of expenditure,
had been changed for the POMS goodwill, leaving £44m on the
balance sheet as the value was not dependent on POL trading.
(g) The ARC discussed the contingent liabilities and the proposal
to disclose the notification of the claim filed in the High Court,
regarding Sparrow. The ARC agreed that a disclosure should
be made and EY supported this position.
(h) The ARC asked EY what scope they had found for
management to override systems. EY recognised that where
manual controls were in place there was room for tighter
controls, especially around taking leavers off the systems and
ensuring users' rights were updated if roles changed. They
stressed that these were usual points which had been raised in
previous years but that they had no ultimate concerns over the
accounts.
(i) The ARC asked EY their view on the robustness of the revenue
reconciliations. EY explained the work being undertaken by
KPMG to check that revenue was correct and accurate for the
major contracts. EY had no concerns of management
manipulation on the accounts systems and were satisfied that
the systems were producing information correctly for the
accounts. They stressed that there was still room for
improvement by automating systems and reducing the reliance
on manual inputs and spreadsheets.
ACTION: CFO
(j) It was agreed that the CEO, CFO, Chairman of the ARC and
EY would have a final session to review the accounts.
(k) The ARC discussed the disclosure of proposed supply chain
redundancies and it was agreed that these changes should not
be included as they are subject to a 90 day consultation period.
ACTION: ALL/CFO
(l) The ARC were asked to raise any outstanding points with
the CFO, who would raise them at the Board if they
remained unresolved.
POLARC 16/26 ANNUAL REPORT AND ACCOUNTS DISCLOSURES
(a) MMF introduced the approach to the Corporate Governance
compliance disclosures and the risk and control disclosures to
be included in the ARA. MMF acknowledged that there was still
work to be done but believed that the introduction of the control
framework along with the work on risk mitigation had made
things clearer.
(b) The ARC agreed the ‘Managing our risks’ section of the ARA.
(c) The ARC agreed the ‘Principle Risks’ section of the ARA.
ACTION: MMF
(d) The ARC asked that the ‘Board’s Annual Assessment of risk
management and internal control systems’ acknowledge
the remedial work done, at the request of the ARC, following
the subpostmasters’ compensation provision error.
ACTION: Company Secretary
(e) The ARC also asked the Report of the ARC to be amended
to include the challenge of both EY & the Business after the
subpostmasters’ compensation error.
POLARC 16/27 RISK AND CONTROL UPDATE
(a) MMF introduced the Risk and Control Report. The ARC queried
the delay in the risk framework project plan and asked why
developing the route map to corporate governance compliance
had been rescheduled from May to September.
(b) MMF explained that priority had been given to the Internal
Control Framework and Executives’ Declarations as these were
of more immediate concern.
ACTION: MMF
(c) Policy Framework. MMF explained the key Policy Framework
containing 16 key Corporate Services (CS) policies, with
an additional 7 key policies from other parts of the Business. Of the
16 CS policies all were in place except the Conflicts of Interest
policy. The ARC asked MMF to ensure that all policies included
specific dates for approval, and a rolling calendar for
presentation to the ARC and the Board.
(d) The ARC asked that Physical Security be reported to the
ARC, and Treasury Risk Management be recommended by
the ARC for Board approval.
(e) Whistleblowing policy. The ARC asked that the policy be
amended to include the act of exposing ‘potential’ wrongdoing.
The list of examples to be extended to include money laundering
and terrorism.
(f) Taking into account the input from the ARC the policy was
approved.
ACTION: Company Secretary
(g) The Chairman asked that an arcchairmai
email address be set up and quoted in the whistleblowing
policy.
(h) Business Continuity Management Policy. The ARC asked how
the processes highlighted in the policy should have been used
during the recent Horizon outage.
ACTION: General Counsel
(i) GC explained that the framework had been invoked; however,
there were lessons to be learned from the process. A further
BCP test would be carried out in due course and this test
would be included in the Horizon report to the ARC in
September.
ACTION: General Counsel
(j) The ARC asked for further detail of the business continuity
capabilities of the top suppliers, by materiality and
complexity.
(k) Taking into account the input from the ARC the policy was
approved.
(l) Executive Declaration. The ARC noted the paper and supported
the approach to disclosure.
POLARC 16/28 INTERNAL AUDIT
(a) GH introduced the internal audit report, and was pleased to
report a significant reduction in overdue actions. Reports on the
Social Media Review; Treasury Operational Risk Review; and
Critical Metric Scorecard were presented to the ARC.
ACTION: GH
(b) Business Transformation Portfolio Management including
the overall assurance plan would be presented at the
September ARC.
(c) Treasury Operational Risk Review. The ARC highlighted the
findings in the treasury function. The CFO acknowledged the
lack of segmentation of duties and assured the ARC that
although no issues had arisen he recognised that the situation
was unacceptable. He reported that an offer of employment had
been made to a new treasurer. The ARC asked the CFO to
ensure the continuity was maintained as the new financial
controller took over accountability.
ACTION: CFO
(d) CFO was asked to provide a report on the actions put in
place to mitigate the risks highlighted in the Treasury
report.
(e) Taking all of the discussion points into consideration, the
Committee noted the report.
(f) Outstanding Audit Actions. GC introduced the report on
outstanding audit actions focussing on contract management.
The ARC were concerned by the delay in dealing with the
contract management issues.
(g) GC explained that the contract management framework had
been put in place in 2015 to identify all significant contracts and
how they were managed. All new contracts were now controlled
centrally and the next phase was to establish a data base for all
contracts to ensure their obligations, both on Post Office and its
suppliers, are identified and managed effectively. GC
acknowledged that the work was taking longer than she would
have liked but explained that the resource had been prioritised
onto the Trinity project, but was now available to undertake this
work.
ACTION: GC
(h) The ARC asked GC to write to the members to explain what
would be presented at the September ARC.
(i) The ARC asked EY whether the external audit had focussed on
major contracts and contract management. EY explained that
the audit had reconciled the ledgers back to the terms in the
major client contracts, but that no specific work had been
undertaken on contract management. EY could include contract
management in the audit plan for 2016/17; this would test a small
number of major contracts.
ACTION: EY
(j) EY were asked to pull out examples of where contracts were
examined during the audit.
(k) The Committee noted the report on outstanding audit actions.
POLARC 16/29 AML & CTF AUDIT ACTIVITY
(a) GC introduced the AML & CTF update and reported the
continued work with HMRC to manage the AML & CTF audit.
HMRC have undertaken 5-6 escorted branch visits as an
education exercise to understand how the business manages
AML & CTF. HMRC and the business are continuing to work
closely together. HMRC is expected to advise shortly how they
wish to conduct the branch audit and the number of branches to
be inspected.
ACTION: GC
(b) GC explained the work underway to implement the
recommendations of the Promontory Report. Any material
findings to be reported to the September ARC.
(c) The GC advised that the Prime Minister had recently indicated
that legislation would be introduced that was similar to the
Bribery Act, which would impose a duty on organisations to
“prevent” financial crime. Additionally it was expected that the
introduction of the 4th Money Laundering Directive would, as a
minimum, lower the levels at which identification for transactions
would be required. Both these initiatives were expected to be
more onerous for the business to comply with and the impact
would be monitored once details were available.
POLARC 16/30 NOTING PAPERS
(a) Audit Quality Enhancements
The Committee noted the paper.
(b) Horizon Scanning
The Committee noted the developments outlined in the paper.
(c) Property Compliance Update
The Chairman welcomed TM and SN to the meeting.
(d) The Committee noted the update and endorsed the approach to
further mitigating and managing property compliance.
(e) The Executive left the meeting, leaving the ARC members, EY
and the Company Secretary.
POLARC 16/31 PRIVATE MEETING WITH THE EXTERNAL AUDITORS
(a) Minutes of the discussion are shown in a separate appendix.
POLARC 16/32 CLOSE
(a) There being no further business the Chairman closed the
meeting.