POL00447914
POL00447914
- Deloitte LLP
eloitte ae
e Leeds
Lsi 2AL
19 July 2024
FAO: Nick Read, Chief Executive Officer
CC: Owen Woodley, Deputy Chief Executive Officer
Proposed changes to Internal Audit governance arrangements
Dear Nick,
lam writing to you as your Internal Audit co-source service provider to share our concerns on the proposed
changes to Internal Audit’s governance arrangements — specifically, Internal Audit reporting into the Group
Assurance Director alongside the organisation’s second line assurance functions.
Internal Audit plays a critical role in enhancing an organisation’s ability to serve the public interest. Through
the provision of independent risk-based and objective assurance and advice, Internal Audit helps to create,
protect and sustain organisational value. This is of crucial importance to the Post Office given its society -led
purpose and the focus placed on good corporate governance through the ongoing Public Inquiry.
The independent positioning of Internal Audit is a key principle under the Institute of Internal Auditors’ (IIA)
current Global Internal Audit Standards (“the Standards”), which guide the worldwide professional practice
of internal auditing. Under this principle, the board is responsible for enabling the independence of the
Internal Audit function, which is defined as the freedom from conditions that impair the function’s ability
to carry out its responsibilities in an unbiased manner. The new IIA Standards, effective January 2025,
include a domain focused specifically on the responsibilities of the Chief Audit Executive (CAE), in
collaboration with the board and senior management, in governing the Internal Audit function, which
reiterates the importance of the board and senior management in championing the function's recognition
throughout the organisation. This is driving higher levels of governance and positioning of Internal Audit
activities and reporting. Internal Audit is most effective in fulfilling its role when the CAE reports directly to
the board and is positioned at a level within the organisation that enables it to discharge its services and
responsibilities without interference.
Further, the revised Internal Audit Code of Practice (“the Code”), which is currently in draft and will be
applicable to corporates once finalised, continues to move in the direction of travel set by the Financial
Services sector. The Code states that Internal Audit should be independent of risk management,
compliance, finance and other control functions, and be neither responsible for, nor a part of, them. These
proposed governance arrangements are not in conformance with the draft Code on the basis that Internal
Audit will have the same reporting line as the organisation’s second line assurance functions.
Whilst it is understood from my recent conversation with the Audit, Risk and Compliance Committee (ARCC)
Chair that these new governance arrangements may be temporary, during which time the ARCC Chair will
maintain a direct link to the CAE, they do not align with the Standards or the draft Code and we believe they
will adversely impact the effectiveness and independence of Internal Audit and governance at the Post
Office. We are also concerned that positioning the Internal Audit function alongside second line assurance
functions will dimmish Internal Audit’s profile within the Post Office and could be seen to dilute the
importance placed on Internal Audit within the organisation.
Deloitte LLP isa limited liability partnership registered in England and Wales with registered number 0C303675 and its regis tered office at 1 New Street Square,
London, EC4A 3HQ, United Kingdom.
Deloitte LLP is the United Kingdom affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee
("OTTL"). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see
www.deloitte.com/about to learn more about our global network of member firms.
© 2024 Deloitte LLP. All rights reserved.
POL00447914
POL00447914
Deloitte.
We are already starting to see the proposed new reporting line pose challenges for planned Internal Audit
work. Specifically, there is an independence challenge over the audit of the New Branch IT (NBIT, Horizon
Replacement Programme) assurance plan, which forms part of the 2024/25 Internal Audit Plan that was.
approved by the ARCC in March 2024. Given the NBIT assurance plan was developed and is overseen by the
second line and the Group Assurance Director, Internal Audit feels that its independence is compromised
due to the proposed new reporting line.
We would be grateful if you can respond to this letter to explain the rationale for these changes and why
you consider the proposed governance arrangements to be appropriate. We have also written to Simon
Jeffreys as the ARCC Chair to share our concerns.
Yours sincerely
Carol Murray
Deloitte LLP