POL00447896
Post Office Limited - Document Classification: CONFIDENTIAL
Group Assurance
Standard Operating Procedures
CONTENTS
1. PURPOSE 3
2. SCOPE 3
3. PROCESSES AND PROCEDURES 3
4. PREPARATION AND PLANNING 4
5. FIELDWORK 4
6. QUALITY ASSURANCE/MONITORING 5
7. ANALYSIS AND REPORTING 5
8. REPORT RATING 5
9. REMEDIATION/ACTION PLANS/A&CI RECOMMENDATIONS 6
10. MANAGEMENT REPORTING AND MI 7
11. EVIDENCE AND DOCUMENT MANAGEMENT 7
DOCUMENT CONTROL 8
Group Assurance Standard Operating Procedures Page 2 of 8
V3.0 March 2024
1. Purpose
Group Assurance is part of the second line within the Three Lines of Defence model and is
responsible for deploying activity and risk management techniques within an agreed
assurance framework to provide Post Office Group, GE and the Board with assurance.
This document sets out the processes and procedures deployed by the team to provide
assurance through:
• A standardised approach for risk management and control assessments
• Assurance objectivity by design
• Efficient/effective delivery of Integrated Assurance
• Timeliness of risk or gap identification and reporting
• End to end alignment and reporting.
2. Scope
The scope of Group Assurance includes (but is not limited to) the following Business Functions
selected due to their criticality, co-dependencies and to ensure Senior Management have an
E2E view and assessment of the POL universe:
• NBIT - Technical Assurance
• Retail Transformation Programme (RTP)
• Business Readiness - Critical Support Activities:
  o Culture
  o Finance
  o Data
  o Retail
  o Assurance and Complex Investigations/Speak-up
  o Contracting
• Legal and regulatory compliance
• Effective Governance
3. Processes and procedures
3.1 Planning
Each year assurance results, intelligence (incl. horizon scanning), KPIs and
dashboards are reviewed to inform prioritisation of assurance reviews for the coming
year considering:
• Business key priorities and deliverables
• The importance and complexity of the business function or deliverable, and the amount
of effort (resource) likely to be required to perform assurance activity.
• The outcomes of previous assurance reviews of business functions or activities
• With the Risk function, identify changes in risk profile in the previous 12 months.
• The maturity of the function/activities controls and the level of control failures in the
previous 12 months.
• Available resource and expertise
3.2 Approval
• The annual assurance plan is documented and presented to GE, RCC and ARC for
approval prior to the start of the financial year and circulated to the business to inform
them of the planned schedule of assurance activity.
• From time to time, changing business priorities may change the assurance schedule
and any material changes are presented to GE, RCC and ARC for approval.
4. Preparation and planning
4.1 Prior to commencement of assurance activity, Group Assurance review the status and
completeness of relevant risks and controls.
4.2 Where a function or activity has been subject to previous assurance the existing scope
is reviewed with key stakeholders to identify changes and assurance questions and
required artefacts amended accordingly.
4.3 Where a new function or activity is being assured, Group Assurance meet with key
stakeholders to explain the process and:
• Hold workshops to review function or activity processes and MI and ensure full
understanding of associated tasks, risks, and control maturity.
• Produce pre-review questions in preparation for the review.
• Based on the responses to the questions, design assurance questions and artefact
requirements and timescales for assurance activity.
4.4 Head of Assurance reviews and approves assurance scope and questions, timescales
and resource.
4.5 Date for commencement of fieldwork and provision of/access to artefacts agreed with
stakeholders.
5. Fieldwork
5.1 Group Assurance gather relevant information and documentation, including policies,
procedures, and records. Additionally, relevant systems are identified, and access
obtained, if not already available.
5.2 An objective assurance assessment of the evidence provided is completed in the
agreed timescales.
5.3 Meetings with relevant business area stakeholders arranged to gain further clarity on
information gathered where required.
5.4 All evidence of findings is added to SharePoint - "4 - Assurance reports" > specific
folder for the review. Relevant files on SharePoint follow agreed naming conventions and
file formats.
6. Quality Assurance/Monitoring
6.1 Quality Assurance (Peer Review) activity completed on an ongoing basis on the
planning and completion of assurance work including:
  o Review of scope to ensure completeness.
  o Review of Assurance questions to ensure completeness.
6.2 Ongoing monitoring of progress of the assurance review completed to ensure the
review is on track and identify risks to completion.
6.3 The completed assurance review is checked for completeness and accuracy including
a sample check of evidence.
6.4 Sample check of findings and recommendations from the assurance review to ensure
completeness and accuracy.
6.5 Peer review of [evidence] documents and emails to ensure these are retained as
agreed.
6.6 Peer review of evidence pertaining to completed actions to ensure completeness and
retained as per filing convention.
7. Analysis and Reporting
7.1 The findings from the assurance review are analysed to identify areas for improvement,
evidence of non-compliance and control deficiencies. This includes root cause analysis
of non-compliance and control deficiencies to enable appropriate remediation action
to be identified.
7.2 Head of Assurance reviews the report to ensure completeness and accuracy of the
findings.
7.3 Recommendations for corrective action based on the identified issues are documented in
a formal report. A draft report with preliminary findings and recommendations is shared
with the relevant business unit/stakeholder.
7.4 Following issuance of the final report, the business unit/stakeholder is asked to formally
accept the findings and provide an action plan to remediate issues identified.
7.5 Outcome of assurance reviews reported to RCC and ARC.
8. Report Rating
8.1 The overall report is rated based on the severity of issues identified and taking into
consideration the ratings applied to the recommendations.
• No or low-level findings, minor process changes or inefficiencies and no control
weaknesses identified.
• Improvements identified, some internal control weaknesses such as processes, records
or systems identified. Action required to address all issues and to mitigate future
occurrences.
• Inadequate or failed internal control environment which could potentially lead to
material or reputational loss. Actions required based on comprehensively addressing
issues as a priority.
• Significant or high number of issues with internal and/or external standards,
weaknesses in records, processes, systems, or controls. Immediate attention required to
address any regulatory, contractual, reputational, or material loss as a priority.
9. Remediation/Action Plans/A&CI Recommendations
9.1 Remediation/Action plans are checked for completeness ensuring the plan provides
detailed information on activities being taken to remediate the issues identified.
9.2 Agreed plans are monitored to ensure actions are completed on a timely basis,
overdue actions are escalated to the stakeholder/Head of Function.
9.3 Group Assurance will also monitor recommendations from A&CI investigations and
Quality Assurance activity completed by A&CI on areas of the business.
9.4 Business approval is obtained where actions cannot be immediately completed or are
likely to be incomplete.
9.5 Timelines
9.5.1 Completion of actions/recommendations will be monitored against the original
timelines.
9.5.2 Where completion dates are re-forecast, this will be noted on the action tracker and
an update provided in monthly reporting; however, the status of the
action/recommendation is reported against the original closure date.
9.6 Monitoring the status/progress of committed management actions.
• Weekly: the Group Assurance action tracker will be monitored, and updates requested
for any actions due in the next seven days.
• On the 5th working day of each month, Group Assurance will provide data to the key
stakeholders in the relevant business areas of their open and overdue actions.
• Mid-month, Group Assurance will provide an update showing the position, i.e.
improvement/no improvement.
9.7 Review response and evidence received for actions on Group Assurance tracker
• If acceptable: change to "To be QA'd" and save the evidence to the "Group
assurance action tracker" folder > "Action evidence" folder.
• If unacceptable: follow up with the stakeholder, escalate if not resolved in an
acceptable manner.
9.8 Updates provided for the Quality Assurance Framework recommendations are
managed by the A&CI team.
Where recommendations have been accepted and confirmed as operational, the A&CI
team will re-run the same set of tests every 2 or 3 months to gather evidence of
compliance.
10. Management reporting and MI
10.1 Group Assurance reporting includes:
• Status of the assurance plan against delivery
• Status of key risks and related assurance opinions
• An aggregated net risk position for in scope areas and whole of POL
• Trend analysis including metrics on key themes from all assurance reviews and
repeat findings.
11. Evidence and Document Management
11.1 Folder Creation: the folders created for each assurance review will include:
• Folder Naming: name a folder for each Assurance review using the following
naming convention: Review Name DDMMYY where "Review Name" represents the
name of the review, and "DDMMYY" denotes the date of the review initiation.
  o Example: "ClJ Review 08.09.23 Review evidence"
• Document Naming: Documents saved as part of the review (i.e., evidence) should
use the following naming convention: Review Name DDMMYY where "Review
Name" represents the name of the review, and "DDMMYY" denotes the date of the
review initiation.
  o Example: "ClJ Review 08.09.23 Action evidence #1"
11.2 Folder Location: all review folders are in a centralized and easily accessible location
within the Group Assurance team site.
11.3 Document Inclusion: the documents included in the folders are:
• Scope Plans: the initial and revised review plans will be saved in the respective
review folder which is accessible to the team.
• Working Papers: all working papers generated during the assurance review. Each
working paper should be properly labelled and dated for easy reference.
• Evidence: all evidence gathered during the review process will be included in the
team's folder. All evidence will be saved within the subfolders of each review, if
necessary, based on the type of evidence or source.
• Version Control: all reports, review plans and revisions produced during the review
process will include the use of version control. The draft versions start at 0.1 with
changes to each iteration whilst the final version will be labelled 1.0 to indicate its
status as the complete version.
• Sensitivity Labelling: all Assurance reports will be assigned sensitivity labels based
on their confidentiality. The header or footer of the document may include
"Confidential", "Strictly Confidential" or "Internal Use Only" to ensure easy visibility.
11.4 Reports and Storage: All reports will be kept in the Assurance Reports folder with a
copy in the relevant review folder.
Document Control
Date     | Version | Updated by       | Reviewed by    | Change details
20/09/23 | 1.0     | Feyisola Omisore | Jayshree Patel | New document
14/02/24 | 1.1     | Jayshree Patel   | Sean Farrow    | Additions
20/02/24 | 2.0     | Sean Farrow      | Jayshree Patel | Updated version
05/03/24 | 2.1     | Jayshree Patel   | Andrew Morley  | Amends section 9.7 and added 9.8
11/03/24 | 3.0     | Jayshree Patel   | Andrew Morley  | Final version following above amends