POL00447847 - POL - Audit, Risk & Compliance Committee Report - Accountable Person


POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Post Office Limited Document Classification: INTERNAL

Title: Accountable Person
Meeting Date: 27 November 2023
Authors: Tom Lee, Financial Controller; Daniel Ward, Head of Financial & Technical Accounting
Sponsor: Kathryn Sherratt, Interim CFO

Input Sought: Noting

The Committee is asked to note:
i. the responsibilities of the Accountable Person; and
ii. how those responsibilities have been met for year ended 26 March 2023
(“FY22/23”) and as such why the Annual Report and Accounts (“ARA”) can be
approved.

Previous Governance Oversight
• None

Executive Summary

This paper has been prepared to outline the responsibilities of the Accountable Person (“AP”),
in line with the principles of His Majesty’s Treasury’s (“HMT’s”) Managing Public Money
(“MPM”) and describe how these responsibilities have been met during FY22/23 and continue
to be met thereafter up to the point of signing the FY22/23 ARA, which is planned for
December 2023.

The AP has a number of responsibilities which are focused around the key principles of MPM
(notably section 3.4 of the MPM) and the standards expected of the AP with regard to
projects and proposals. These include a number of items, with this paper focusing on the
below which are of key relevance in respect of the ARA approval:

• Regularity - ensuring adherence to legislation and regulations;
• Propriety - ensuring good governance;
• Feasibility - ensuring affordability and sustainability; and
• Value for money - ensuring that value for the business and the exchequer as a whole
is met.

Adherence against some of these requirements cannot be easily monitored and assessed due
to their subjective and behavioural nature. However, the current governance, reporting,
control (including Financial Reporting Controls) and decision-making frameworks in place at
the Post Office ensure that all relevant aspects are understood within the business and
complied with. This includes the roles of business areas such as the Risk, Compliance,
Assurance, Internal Audit and Company Secretariat (“CoSec”). Further specific requirements,
such as signing the ARA, including a Governance statement, will be achieved following
approval of the FY22/23 ARA and subsequent signature by the Group Chief Executive Officer
(“CEO”).

Strictly Confidential

Post Office utilises its Internal Audit function and the findings of the External Auditors, along
with its 2nd line functions (including Central Risk, Central Compliance and Group Assurance),
to drive change and ensure internal systems of controls and governance are adequate and
meet all regulatory and statutory requirements. These areas of activity also provide further
comfort as to Post Office’s compliance with the key principles of Value for Money. It is the
AP’s responsibility to ensure the requirements are met, however the information within this
paper around organisational structure and processes in place, is prepared to assist with this
and provide sufficient assurance that the ARA for FY22/23 can be signed, subject to
finalisation of the relevant disclosures and financial postings.

Questions addressed

1. What and who is the Accountable Person at the Post Office?
2. What are the responsibilities of the Accountable Person?
3. How have the responsibilities been met?
4. Are there any departures from expected governance and, if so, what are the associated
mitigations?
5. Can the FY22/23 ARA be approved by the AP?

Report

What and who is the Accountable Person?

6. Under MPM Public Corporations like POL are required to be subject to levels of control
and governance deemed appropriate by their sponsor department, agreed in the context
of a framework document and approved by HMT, and while compliance with MPM can be
imposed, it is not always a default position.

7. Where conformance with MPM is deemed appropriate - as is the case with POL - the
Public Corporation’s CEO is typically considered to be an AP, in a role that mirrors that of
the Accounting Officer (“AO”) for central government bodies. This paper therefore
considers the role of AP and AO interchangeable for the purposes of MPM.

8. The AP is a singular designated individual within an organisation who is accountable for
both the operations of the organisation and the preparation of its Annual Report and
Accounts. Nick Read, Group CEO, is the AP as at the time of presenting this report.

Responsibilities of the Accountable Person

9. The primary responsibilities of the AP are outlined within the MPM guidance, which states
that the AP should ensure the organisation abides by, and delivers on, a number of
defined standards designed to help meet the overall objective of the role. These are
outlined in Appendix 1.

10. Many of the standards required in the MPM represent desired behaviours and ways of
working which are difficult to formally monitor and assess. However, the way in which
POL is governed helps to ensure that these standards are met and the role of the AP is
delivered.

11. More formally the AP is required to sign the ARA, taking personal responsibility for
delivery against the MPM standards. Within the ARA, the Governance report lists the key
structures, actions and committees in place that help to meet the desired standards of
the AP.

12. When making key decisions or assessments, several standards can and should be used
to assess whether an initiative meets the VFM guidance and therefore whether the AP
can justify the decision to parliament as required. These standards are:

a) Regularity: Proposals have sufficient legal basis, parliamentary authority, and
Treasury authorisation. They are compatible with the agreed spending budgets;

b) Propriety: Proposals meet the high standards of public conduct and relevant
Parliamentary control procedures and expectations;

c) Value for Money: In comparison to alternative proposals or doing nothing, the
proposal delivers value for the Exchequer as a whole (i.e. in terms of suitability,
effectiveness, prudence, quality, good value); and

d) Feasibility: The proposal can be implemented accurately, sustainably, and to
the intended timetable.

13. In addition to the above standards, for which the AP is considered personally
responsible, the AP is also expected to take personal responsibility for several other
areas. These are:

a) Control: Personally approve all Cabinet Committee papers (i.e. Board papers in
the context of POL) and sign off all major initiatives;

b) Management of Opportunity and Risk: Achieve the right balance for POL’s
risk appetite;

c) Learning from experience: Both using internal feedback (e.g. through
managing projects and programmes), and from external sources; and

d) Accurate Accounting: For the organisation’s financial position and
transactions to ensure published financial information is transparent and up to
date, and that the organisation's efficiency in the use of resources is tracked
and recorded.

14. When the AP is unavailable for a significant period of time, the role should be deputised
to another senior member, with any significant absences being highlighted to UKGI in
order to appoint a temporary AP as required.

Assessment of how these responsibilities were met during FY22/23

15. The below outlines how POL conforms to MPM holistically, with these items
providing comfort of conformance in aggregate.

16. Within the draft FY22/23 ARA there is a dedicated governance section. The draft
ARA has been reviewed by the External Auditor and Deloitte (specific review
activities, see ‘ARA Approval’ paper), with no material inconsistencies noted. Final
approval of the ARA by the External Auditors will evidence that the requirements
around accurate accounting have been formally met for FY22/23.

17. Formal processes, detailed within this section, are in place to ensure the
requirements are met on an ongoing basis so that they can be attested to
annually.

18. POL’s internal Financial Planning and Analysis team (“FP&A”) are responsible for
governance of budgeting and forecasting across POL. The Board is kept up to
date on budgeting and forecasting through quarterly Board reporting, as well as
ad hoc communications with FP&A.

19. Across all levels of POL, governance frameworks are in place. For example, POL
has terms of reference for Board and Executive level committees, there are clear
levels of delegated authority and regular monitoring and reporting of risks to the
Board which help the AP to make appropriate decisions. The terms of reference are
reviewed and updated annually.

20. Regarding the key components of VFM and risk appetite, review boards, such as
IADG were in place, ensuring all significant spend within the organisation goes
through a formal review and authorisation process. The structure, delegation of
authority and key considerations are routinely reviewed to ensure the
requirements for the AP are being met. Financial processes are intertwined with
these review boards to ensure actual spend is controlled in line with the
governance framework.

21. POL’s procurement activities must comply with Public Contract Regulations
(“PCR”) 2015. There are exceptions for Post Office Insurance and Payzone which sit
outside. Public sector procurement is subject to a legal framework which
encourages free and open competition and VFM, in line with internationally and
nationally agreed obligations and regulations. The over-riding procurement policy
requirement is that all public procurement must be based on VFM. This should be
achieved through competition unless there are compelling reasons to the
contrary.

22. POL risk management is based on a number of key principles including that (i)
risk management must be embedded in all POL activities, (ii) all material risks
must be identified, measured, monitored, managed and reported on a continuous
basis at an individual and aggregate level and (iii) risk reporting must allow for
the effective review, challenge and monitoring of risk exposure against approved
risk appetites. Operational management, Central Risk and Internal Audit are the
three lines of defence for risk management.

23. POL has Compliance teams in place to ensure regulatory requirements are
adhered to across the myriad of environments in which POL operates. Compliance
is monitored and reported regularly to ARC as required.

24. POL’s Financial Reporting Controls Framework (“FRCF”) is designed to mitigate
the risk of material fraud and error in financial reporting, thus providing
assurances around accurate accounting and safeguarding assets.

25. Control frameworks are also in place for IT, change processes, supply chain and
Postmaster operations which, as well as the FRCF, fall under control self-assessment
regimes. POL has a suite of companywide policies which define the
minimum control standards expected to be performed within the applicable
business areas.

26. CoSec have a number of processes in place to allow formal oversight of the
committees and the Board, whilst also ensuring specific requirements, such as
control over Board papers, are adhered to.

27. Internal Audit provide an independent evaluation of the adequacy and
effectiveness of POL’s framework of governance, risk management and
control. Throughout the year, Internal Audit track audit actions to ensure all
recommendations are implemented.

28. External Auditors advise POL if control recommendations have been identified as
part of the audit. POL follows up on recommendations and they are discussed at
ARC meetings and during audit meetings throughout the year.

29. Continuous review of management information systems, organisation structures
and governance frameworks is ongoing within POL, thus ensuring that areas of
development are identified and improved as required. The ultimate driver is to
ensure the requirements of the AP’s organisation are met. The level of change
seen within the organisation in recent years, which is still ongoing, is evidence of
this focused development.

30. On an annual basis, a report will be provided to the AP and ARC to provide rationale as
to why the AP can sign-off on the ARA. Finance is accountable for the overall production
of the ARA and responsible for preparing the Finance & Business Review section and the
back-half financial statements. Other teams are responsible for the content in other
front-half sections as follows: Governance (prepared by CoSec), Directors’
Remuneration Report and Equity, Diversity & Inclusion (prepared by RemCo), Risk
Report (prepared by Risk), Streamlined Energy & Carbon Report (prepared by Health,
Safety & Environment), Chair and CEO statements (prepared by Communications). The
GE accountabilities for each section were agreed at GE in July 23 and shared with ARC in
September and November. Input is also sought from other relevant teams across POL
where required, such as legal. In advance of approving the FY22/23 ARA, attestations have
been sought from all teams responsible for areas of the ARA.

Known and potential departures from expected governance, associated
mitigations and validations

31. The pipeline of active and planned procurement activities is reviewed with business
units regularly. Where exceptions from UK regulations and PCR are requested, these are
raised at the appropriate governance forums for approval:

• Sub threshold <£213,477 including VAT, Risk Exception requests may be approved
by GE and retrospectively reported to ARC.

• Above Threshold >£213,477 including VAT, Risk Exception requests must be
submitted to Board for review and prior approval.

32. An exception from paragraph 31 is in regard to the procurement risk exception in
relation to Herbert Smith Freehills (“HSF”), who have provided legal support to the
Remediation Matters Unit (“RU”) through a directly awarded contract since June 2019,
and subsequently acted as POL’s legal representatives to the Inquiry through a directly
awarded contract in September 2021. It is considered by Procurement to be a low
probability that other law firms would challenge these contracts as HSF’s involvement in
the Inquiry and RU work has been well publicised and has been ongoing for a number of
years now. To date POL has not received any complaint from competitors, indicating
there appears little appetite to challenge. If the HSF contracts are not continued, risks
associated with transition to new providers include duplication of costs, lack of familiarity
with POL structure and processes, and POL reputational damage. This will result in
significant delays to the Horizon Shortfall Scheme (“HSS”) and other schemes which will
have an impact on claimants, POL’s ability to support the Inquiry, and legal advice to
Horizon Matters Committee, Remediation Committee, GE and Board.

33. Subsequent to the GLO settlement, an action was taken to review whether there are
historical processes which could have resulted in detriment to Postmasters. In addition
to the previously reported provision in relation to non-payment of postmaster
remuneration whilst a Postmaster was suspended, it has been identified that further
historical operational issues may have impacted Postmasters financially. POL made an
announcement on 8 November 2023, on its corporate website, that it plans to establish
a review to provide redress to Postmasters affected. The announcement of an intention
to create a review to compensate those Postmasters affected is deemed a triggering
event for a liability and therefore it is expected that a liability, contingent or realised, will
be recognised in the FY23/24 ARA. Funding has been sought and is expected to be
formally approved in the coming months. The ARA cover note details further information
on this area, including accounting treatment and disclosures.

34. As reported in the prior year AP paper, POL relies on source data from third parties for
occasions when a Postmaster should be paid for generating a lead, which is triggered by
the customer including a branch code on the third-party website. The amounts are small

Sere Surselves on the completeness of Postmaster remuneration. Therefore, an
internal audit was performed between May and October 2023 to assess and validate
third party data and processes. This review included data analytics, which provided a
high level of confidence that Postmaster remuneration paid on third party revenue was
substantially complete and accurate.

35. Additional assurance has been performed by Deloitte in respect of the FY22/23 ARA front-
half metrics, in response to the Directors’ Remuneration Report issue in the FY21/22
ARA. The assurance work has been carried out to mitigate the risk of similar errors,
covering all front-half sections that are not subject to detailed audit testing by the
Group’s External Auditors, as detailed in paragraph 30.

36. There are no other known significant departures over and above that already advised in
this report. POL performs an annual GE Declaration exercise, whereby each member of the
GE is required to formally disclose items of ‘materiality’ not already disclosed by other
corporate disclosures, such as through the regular updating of the Group risk profile,
internal control assessments, legislative & regulatory compliance assessments etc. The
FY22/23 GE declaration exercise originally took place in June 2023, however given the
delay in signing the ARA, the declarations have been refreshed in October / November
2023, with all but two being completed to date. Key items noted in the submissions have
been detailed in the GE declaration paper, which is to be presented at the November
ARC.

Signing of the FY22/23 ARA

37. Once all remaining audit / ARA items are finalised, and if the AP agrees that this paper
demonstrates that the organisational structure and governance processes in place allow
him to meet the requirements of the role, the ARA can be signed, thus meeting the
formal requirement of the role as set out above.

Appendix 1

Standards expected of an Accounting Officer’s organisation, per “Managing Public Money”
guidance, last updated March 2022.

Box 3.1: standards expected of the accounting officer's organisation

Acting within the authority of the minister(s) to whom they are responsible,
the accounting officer should ensure that the organisation, and any ALBs it
sponsors, operates effectively and to a high standard of probity. The
organisation should:

governance

• have a governance structure which transmits, delegates, implements and
enforces decisions

• have trustworthy internal controls to safeguard, channel and record
resources as intended

• work cooperatively with partners in the public interest

• operate with propriety and regularity in all its transactions

• treat its customers and business counterparties fairly, honestly and with
integrity

• offer appropriate redress for failure to meet agreed customer standards

• give timely, transparent and realistic accounts of its business and decisions,
underpinning public confidence;

decision-making

• support its ministers with clear, well-reasoned, timely and impartial advice

• make all its decisions in line with the strategy, aims and objectives of the
organisation set by ministers and/or in legislation

• take a balanced view of the organisation’s approach to managing
opportunity and risk

• impose no more than proportionate and defensible burdens on business;

financial management

• use its resources efficiently, economically and effectively, avoiding waste
and extravagance

• plan to use its resources on an affordable and sustainable path, within
agreed limits

• carry out procurement and project appraisal objectively and fairly, using
cost benefit analysis and generally seeking good value for the Exchequer as
a whole

• use management information systems to gain assurance about value for
money and the quality of delivery and so make timely adjustments

• avoid over defining detail and imposing undue compliance costs, either
internally or on its customers and stakeholders

• have practical documented arrangements for controlling or working in
partnership with other organisations, as appropriate

• use internal and external audit to improve its internal controls and
performance.
