POL00447965
POL00447965
CONFIDENTIAL @
Title: Central Investigation Unit Review Report Date: June 2023
Author: Phil James/Feyisola Omisore Sponsor: Aashy Mathur — Group Assurance
Executive Summary
Background
Group Assurance have performed a review of the Central Investigation Unit (CIU) to assess their control
environment and particularly compliance to the CIU processes and procedures as defined within Group
Investigations and Co-operation with Law Enforcement Policy (GICLE) and the Investigators Manual.
The CIU not only perform high-profile, complex investigations, they also provide oversight and governance
to internal investigations throughout the Post Office Group.
The CIU was established formally in January 2023 and has only been fully resourced to build the function
since November 2022. However, over the last 12 months the team has had to deal with significant
demand/requests for performing investigations, whilst in parallel continuing to create, build and embed new
investigation policies processes and procedures.
Consequently, it is acknowledged that the CIU processes and procedures subject to our review have only
recently been finalised or embedded for example the Investigators Manual was launched in June 2023. As
such, prior to commencement of the review there was an expectation that certainly within historic cases
dating back to 2022 there would be identifiable gaps when measured against processes and standards
introduced in 2023.
Whilst deferring the review was a logical option, the Head of CIU requested the review to commence, to obtain
an objective view of the efficacy of design and execution of CIU processes and procedures during the first
three/four months of being in existence.
Scope and approach
A sample of 8 cases (4 cases each from 2022 and 2023 respectively) and our scope included the objective
assessment of:
e CIU Group Investigation and Co-operation with Law Enforcement (this is currently a draft policy to go to
RCC/ARC in mid-2023) and Investigation Manual; and
« Process and procedure compliance.
This review was performed between April and June 2023, and therefore comments reflect the state of the
control environment during this period.
Scope exclusions
There are areas within the investigation process where only a trained and experienced investigator would
have the capability and knowledge to confirm assurance, therefore, the following is scope excluded:
e Whether all evidence pertaining to an investigation has been gathered and how it was gathered
« Whether evidence relevant to the investigation has been appropriately assessed nor confirmation of
continuity of evidence
« Whether an investigation followed all reasonable lines of enquiry to reach its conclusion; and
e Effectiveness and monitoring of any CIU actions or recommendation.
Version 1.0 Page 1 of 7
POL-BSFF-107-0000049
POL00447965
POL00447965
CONFIDENTIAL
Assurance Opinion
The CIU team actively and constructively engaged with our assurance review, and whilst the team is relatively
new, they are overtly aware of the Common Issue Judgements. Their intent and approach in ensuring
mistakes of the past are not repeated can clearly be evidenced not only in their revised set of processes and
procedures, but also in the positive behaviours and culture they are trying to embed within this newly created
team and across POL.
Our review highlighted that CIU have:
« Created and are implementing appropriate ‘Investigation’ policies, procedures, manuals etc including
case files, formal structures, document formats, an assurance approach for business led
investigations, and have formalised RACIs between the business and themselves.
This has all been delivered despite the team being under resourced coupled with an extraordinary
demand for their services to perform investigations.
e Strived to maintain a high level of adherence to policy and process whilst demonstrating their
collective knowledge and expertise in their case files, their capability to investigate sensitive, difficult,
and complex subject matters, produce detailed concise reports and recommendations.
e Have a secure, appropriate approach and process for evidence storage and access to sensitive data.
Digital evidence is retained within the Case File on Share point or Relativity and access to both is
restricted. Physical Evidence is retained within Finsbury Dials (and now Wood Street) with restricted
access for CIU staff only.
« Interviews - Only one case reviewed involved interviews (a witness interview carried out by a CIU
investigator). Evidence within the case file confirmed advance notification for the witness and an
invitation for the witness to attend the interview, a detailed interview plan and records of the
subsequent interview. This followed all process as outlined in the Investigators Manual.
e Report Writing - CIU have created a reporting template which should support reporting clarity,
particularly for complex investigation.
Whilst the above is a significant achievement for a function that was only recently created, our review has
highlighted several areas of significant improvements still needed. As mentioned earlier, this was to be
expected given that CIU is still in the process of embedding and improving their processes and procedures,
compounded by resource constraints vs demand for their services.
The areas which will need further focus are summarised below:
« ClU process compliance — Several gaps have been identified whereby evidence to demonstrate Head
of CIU review, sign off or criteria for decision making has not been maintained within CIU case files,
for example, triage criteria, case closure, criminal investigation, conflicts etc. Meetings with CIU staff
anecdotally show that review meetings are held twice a week on cases, but this is not reflected in the
casefile.
« Use and completion of key CIU documents need to be embedded consistently, such as the Combined
strategy/investigation strategy document and Investigation Control Document, or their non-use
explained.
« Case and file structures have only recently been adopting a consistent approach therefore for older
investigation (2022) navigating case files is challenging.
Version 1.0
POL-BSFF-107-0000049_0001
POL00447965
POL00447965
CONFIDENTIAL
Consequently, we have rated this review as: Needs Significant Improvement - There are significant
weaknesses in the framework of governance, risk management and control such that it could be or could
become inadequate and ineffective
As the full implementation of the CIU processes and procedures contained within the Investigators Manual
are unlikely to be adopted until later in 2023, Group Assurance will re-perform our review in mid-2024.
Version 1.0
POL-BSFF-107-0000049_0002
POL00447965
POL00447965
CONFIDENTIAL &
Detailed Findings
1. Compliance with CIU Processes and Procedures — Significant Improvement needed
Whilst we have found a high level of process compliance, and good practices being followed, several areas
within CIU would need to be further strengthened. The key exceptions are highlighted below:
e Triage process - Documentation of Acceptance Criteria
ClU’s Triage team receives referrals directly from the Business or from the Head of CIU. The Head of
CIU or the Speak Up Manager decides if CIU should pursue the case (Group Investigation and Co-
operation with Law Enforcement policy).
In all but one case, it could not be evidenced within the case files under what criteria CIU accepted to
investigate the case.
¢ Declaration of conflicts - Not formally documented
The investigating Officer should declare a level of independence and objectivity prior to taking up the
investigation, for all cases reviewed this was not on file.
e Criminal Investigations - Authorisations not explicit
Any criminal investigation must be authorised by Head of the Investigation Branch, their deputy, or
the Group Legal Director. It was deemed an implied authorisation on the allocation of a case to each
investigating officer by the Head of CIU that the case would proceed as a criminal investigation as
there were no specific notes within any of the cases.
e Case Closure - Decision not Formally Documented
Many of the cases that were reviewed remain active investigations and only one case was found to
be completed. There was no statement from the Head of CIU within the Decision and Action log
confirming the case closure. (NB - A similar statement was to be found within the final report.)
« File Structure - Inconsistent
The structure and storage of information within a case file varies dependent upon the nature of the
investigation and/or the investigator. Thus, navigating and understanding the contents of files is
challenging, contradicting policy to support a transparent examination of investigations by internal and
external parties when necessary.
NB: It has been noted that cases dated 2023, the formal go-live date for CIU, have begun to adopt a
more consistent approach.
« Combined strategy/investigation strategy document - Formal sign off, disclosure officer not
nominated
The Strategy document outlines numerous proposed activities to be undertaken by the investigator
to conduct the investigation, resources required, and timescales involved.
a. For all cases reviewed the Investigating Officer had created either a combined strategy or
investigation strategy document dependent upon the complexity of the case, the formal review
and endorsement of this document, by the Head of CIU, could not be evidenced.
b. For five cases neither a disclosure officer was nominated, or a disclosure process outlined
within the investigation strategy document. Therefore, it was not explicitly clear who was
responsible for disclose and how CIU would go about disclosing documents for inspection to
third parties. (NB: not all cases had acquired evidence at the point of this review.)
e Investigation Control Document - Not fully embedded
Created by the Investigating Officer the Investigation Control document contains the Case Plan,
Decision and Action Log and in later dated cases an Evidence Grid. Additionally, there is other
functionality to track expenses both legal and non-legal.
Version 1.0 Page 4 of 7
POL-BSFF-107-0000049_0003
POL00447965
POL00447965
CONFIDENTIAL
a. In all cases reviewed the Investigation Control Document has been created.
b. Decision and Action Log — Effectively the progress log of all investigative decisions along with
the rationale applied when making the decisions. All cases reviewed had progress notes within
the log however there were five cases where there were considerable time periods between
entries.
We have been informed that this is because they were on hold due to lack of resource or
investigators were waiting info to be passed to them or capacity issues prevented progress on
the case.
Whilst these periods would obviously be dictated by the nature of the investigations it was
evident that there were no records of any of the cases being reviewed.
c. At the time of the review, it is apparent that much of the functionality, many of which are
optional, within the Investigation Control Document has yet to be adopted, none of the cases
reviewed had any inputs to the Case Plan and the Evidence Grids were also not completed.
The intent of the CIU oversight process is appropriate and necessary and that cases are regularly
reviewed. However, the volume of cases held by CIU and the other requirements that Head of CIU must
deliver is impacting his ability to apply the rigorous documentation of the oversight provided of
investigations within CIU.
Recommendation
Process Implement a peer review process to ensure key CIU I John Bartlett I 31 August
Compliance process/controls and procedures are compiled and 2023
assessed by an experienced investigator.
Version 1.0
POL-BSFF-107-0000049_0004
POL00447965
POL00447965
CONFIDENTIAL
2. Other matters - Some Improvement needed
a.
Suspended Investigations - On two occasions, due to limited CIU resources, all ongoing
investigations were suspended whilst other events were given priority. For individual investigations
which were underway and subsequently suspended CIU documentation does not demonstrate how
such suspended investigations are:
e Assessed for any potential risk to POL — reputational, hinder the effective recovery of funds etc
e Assessed for any potential risk or detriment to any individuals involved in a case
e Given the appropriate level of priority and resource allocation as was deemed necessary when
originally referred to CIU.
CIU Recommendations - Whilst currently not in the CIU process or procedures, we would suggest
that any recommendations arising from a CIU Investigation are formally accepted, where possible, by
the Functional Executive. This would then ensure recommendations have been accepted and or
endorsed, which would assist subsequent tracking and monitoring.
Recommendations
Resource If circumstances dictate that Investigations are I John Bartlett I 31 August
allocation suspended, consideration should be given to a 2023
secondary triage process or case priority system to
mitigate the potential detriment that may result
following these delays. Its reasons for which
investigation are suspended should also be formally
documented.
clu Consider updating the CIU processes to include a I John Bartlett 31 August
recommendations I formal end of case meeting between Compliance, 2023
CIU and the relevant business area to discuss
findings.
6
Version 1.0
POL-BSFF-107-0000049_0005
POL00447965
POL00447965
Appendix 1 - Opinion Definitions
Description
The framework of governance, risk management and control are adequate and
effective.
Some improvements are required to enhance the adequacy and effectiveness of the
framework of governance, risk management and control.
There are significant weaknesses in the framework of governance, risk management
and control such that it could be or could become inadequate and ineffective.
There are fundamental weaknesses in the framework of governance, risk
management and control such that it is inadequate and ineffective or is likely to fail.
Version 1.0 Page 7 of 7
POL-BSFF-107-0000049_0006