POL00447941
POL00447941
Post Office Investigations Branch
Assurance Control Framework
Purpose of this document
The Post Office Investigations Branch Assurance Control Framework, (IBACF) provides the
minimum standards for Post Office Limited (POL) to ensure an appropriate control
environment, in respect to the conduct and outcomes of investigations, exists, is assured
and is maintained. The IBACF clarifies the roles and responsibilities of those involved in
investigations, ensuring appropriate outcomes and managing the associated risks.
The IBACF provides the basis on which investigations activity within POL will be
reviewed/assessed, monitored and reported. The key outcome of the IBACF will be to
ensure and provide assurance that POL investigation(s) are evidence-based, and performed
in an impartial, objective and fair manner.
Further, it is essential that all investigation performed within POL maintain adequate
documentation, comply with various internal, external policies and regulations, in order to
not only maintain and clearly demonstrate a robust investigative control environment but
also ensure the manner in which investigations are conducted remain justified,
proportionate, necessary and fair.
Authority and responsibility
POL IBACF is owned by the Group General Counsel, under the delegated authority of the
Board. The IBACF is fully aligned to the POL Control Framework, and Group Risk policy, and is
intended to support POL to operate within agreed risk appetites and tolerances set by the
Board.
The Head of Central Investigation Unit (CIU) is accountable for the maintenance of the
relevant processes, systems, and controls to ensure appropriate governance and oversight
exists for all investigations that fall under this framework.
Executive Management and their functions, where investigations are performed under this
framework, are responsible for working within this framework, and demonstrating
compliance against the assurance standards.
The Group Compliance Team will be responsible for providing second line continuous
assurance over all investigative activity, and in particular those performed directly by or
under the supervision of the Head of CIU or the CIU team.
POL IBACF remit and scope
As a principle POL has a duty of care and obligation to ensure all investigations are
performed diligently and compliantly to ensure right and fair outcomes. To ensure this, the
IBACF specifically applies to the investigative activities of the following POL teams:
e LCG - Central Investigations Unit (CIU)
POL00447941
POL00447941
e LCG—Speak Up Team (SU) Collectively referred to as ‘Investigative Branch’ (IB)
e Functional Decentralised Teams (DT)
o LCG - Financial Crime
o LCG — Information Rights & Data
Protection
o Central Operations — Network
Monitoring & Reconciliation
Network Support & Resolution — Dispute Resolution
Retail Operations — Contract & Deployment
Service Delivery — Customer Complaints
Information Security — Cyber Security
0000
The POL IBACF does not apply to:
e HR grievance or staff performance issues
e Allother POL teams’ activities involving elements of fact find or investigations
Policies, procedures, and guidance
Investigation activity for IB is described and prescribed in the Policy and the supporting
Investigations Manuals:
e Group Investigation Policy
e Cooperation with the Law Enforcement Policy
e — Investigator’s Manual (where applicable)
e Data Protection Act
The Group Investigation Policy defines POL approach to investigations and identifies the
mandatory elements i.e. what must be done.
The Investigation Manual - Contains guidance on ‘how’ an investigation must be performed
by proving guidance, templates and information to assist investigators in their role to ensure
a balanced and fair approach is always undertaken.
These documents lay out and provide guidance for:
@ mandatory elements of investigation activity
e standardised IB methods for particular elements of investigations
e how matters are escalated and triaged
e decision points and decision makers
e establish minimum requirements for record keeping
e use of templated documents
and will form the basis on which assurance will be measured and reported against to ensure
robust investigations and fair outcomes.
POL00447941
POL00447941
Assurance approach
The table below summarises who will be responsible for providing assurance on the
activities of the ‘Investigative Branch’:
Assurance Provider I Line of Investigative Branch
Defence I Head of CIU CIU Team SU Team Decentralised
Teams
Head of CIU 1* Line v v v
CIU Team 1 Line v v
Group Compliance 2" Line Vv Vv v v
Internal Audit 3 Line v v v v
In order to ensure appropriate assurance is provided at key stages of an investigation:
e The Head of CIU will be responsible for:
© ensuring that appropriate assurance processes, procedures and reporting
mechanics exists across the Investigative Branch for the early detection,
remediation and reporting of any exceptions.
oO. performing assurance sample reviews on the investigations performed by the
CIU team.
© monitoring and sample checking assurance activities carried out by the CIU
team.
e The CIU Team will be responsible for:
o Monitoring and performing sample assurance reviews on the investigations
performed by the Speak Up and Decentralised Teams.
e Group Compliance will be responsible for:
© performing regular assurance reviews on the adequacy of the processes and
procedures within the Investigative Branch.
o performing sample assurance reviews on investigations performed by the
Head of CIU.
oO performing sample reviews on assurance activities delivered by Head of CIU
and the CIU Team.
¢ Internal Audit:
o Perform independent and objective assurance across the whole Investigative
Branch Universe, including activities of Group Compliance.
All assurance activities performed will be underpinned by ensuring that the investigation
have been performed in a compliant, diligent and robust manner in accordance with the
investigation policies and procedures applicable.
To ensure a consistent approach is adopted the Head of CIU will maintain and regularly
update, a checklist of key requirements or minimum standards expected from an
investigation. This would be used to score the level of compliance and identify areas where
immediate intervention or escalations are needed.
POL00447941
POL00447941
Please refer to Appendix 1 for the ‘Assurance checklist’ and associated scoring mechanism.
The Assurance Checklist has been structured to assess /identify key areas of investigative
risk and then broken into the examination of constituent parts of those risks — over 40
separate elements. This should allow a deep review and assessment of the investigation
being assessed.
Governance and reporting
The Head of CIU is responsible for
1) The maintenance of both the Investigation Policy and Investigation Manual:
e The Investigation Policy is approved annually by the Audit & Risk Committee and
by the Non-Executive Director Investigations Champion.
e The Investigation Manual is approved annually by the Group General Counsel
and reviewed by the Non-Executive Director Investigations Champion.
2) Providing monthly reporting and relevant MI to RCC, ARC and the Board (via NED).
a. Such MI should be of sufficient detail to provide and identify trends across IB
and at an individual investigator level.
b. Enable appropriate monitoring and tracking of investigations across IB,
including associated risks.
c. Enable appropriate oversight and associated tracking of remediations arising
from assurance activities performed by the IB, and that of the second and
third line.
3) Ensuring training and coaching requirements are identified and delivered to ensure
the delivery of fair and robust investigative outcomes.
4) Monitoring at an investigation level adherence to qualitative standards and
outcomes across IB, and where necessarily intervening (through CIU or Head of CIU)
to ensure investigative minimum control standards are adhered to.
Appendix 1
Quality Assurance
Framework Control D