POL00448017 - Meeting minutes - Risk and Compliance Committee

POST OFFICE LIMITED

MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 21st MAY 2024 AT 09:00
AT 100 WOOD STREET, LONDON, EC2V 7ER

Present:

Simon Jeffreys (Chair)
Andrew Darfoor (NED) (AD)
Lorna Gratton (NED, UKGI) (LG)
Elliot Jacobs (NED) (EJ)

Regular Attendees:

Nigel Railton (Interim Chair) (NRa) (Observer)
Nick Read (Group Chief Executive Officer) (NRe)
Owen Woodley (Deputy Chief Executive Officer) (OW)
Kathryn Sherratt (Interim CFO) (KS)
Andrew Paynter (Partner, PwC) (AP)
Carol Murray (Deloitte Partner) (CM)
Johann Appel (Director of Internal Audit and Risk Management) (JA)
Rebecca Barker (Head of Risk) (RB)
Anshu Mathur (Group Assurance Director) (AM)
Jonathan Hill (Group Compliance Director) (JH)
Marie Molloy (Senior Assistant Company Secretary) (MM)

Apologies:

Alisdair Cameron (Group Chief Finance Officer) (AC)
Ben Foat (Group General Counsel) (BF)

Invited Attendees:

Sarah Gray (Interim Group General Counsel) (SG)
Tim Bennett (Senior Internal Audit Manager): Item 3.4 and observing full meeting (TB)
Chris Brocklesby (Chief Transformation Officer): Items 3.4, 8 & 9 (CB)
Martin Roberts (Group Chief Retail Officer): Items 3.4 & 13 (MR)
Simon Oldnall (Branch Technology Director): Item 3.4 (SO)
Vishal Thanki (Data Governance Lead Contractor): Item 4 (VT)
Chris Russell (Interim Data Management Director): Items 4 & 5 (CR)
Tim McInnes (Strategy and Transformation Director): Items 4, 5 & 6 (TMc)
Kayleigh Dodd (Digital/Physical Records Manager): Item 5 (KD)
Ed Dutton (Product Portfolio Director POMS): Item 7 (ED)
Kelly Goodwin (Programme Director): Item 8 (KG)
Neil Bennett (Chief Information Security Officer): Items 9 & 14.4 (NB)
Jonny Lonsdale (Business Continuity Manager): Items 10 & 14.2 (JL)
Mark Cazaly (Head of Corporate Responsibility & Social Impact): Item 10 (MC)
Ross Borkett (Banking Director): Item 11 (RBo)
Jo Milton (Senior Operational Improvement Manager): Item 13 (JM)
Russell Hancock (Supply Chain Director): Item 13 (RHa)
Martin McKee (Head of People Services): Item 14.1 (MMcK)
Claire Hamilton (Speak Up and Intelligence Manager): Items 14.3 & 24 (CH)
Karen McEwan (Group Chief People Officer): Item 16 (KM)
Rachael Hill (Head of Talent Acquisition): Item 16 (RHi)
Andy Jamieson (Head of Tax): Items 16 & 17 (AJ)
Tom Lee (Group Financial Controller): Items 16, 17, 19 & 20 (TL)
Antony Ray (Specialist Senior Procurement Manager Professional and Financial Services): Item 20 (AR)
Amanda Burton (NED & Speak Up Champion): Item 24 (AB) joined 11.44

STRICTLY CONFIDENTIAL

Action

Welcome and Conflicts of Interest

A quorum being present, the Chair opened the meeting.

The Directors declared that they had no new conflicts of interest in the matters
to be considered at the meeting in accordance with the requirements of section
177 of the Companies Act 2006 and the Company’s Articles of Association.

Previous Meetings

The minutes of the Audit, Risk and Compliance Committee meetings held on 20th
March 2024 were APPROVED and AUTHORISED for signature by the Chair.

The actions were reviewed in turn.

In relation to action 4, the revised definition of fairness to Postmasters was being
reviewed by RCC and an update would be provided against this action for July
ARC.

Progress against the completion of actions as shown on the action log was
NOTED.

2.3

SG outlined the RCC meeting summary. SG noted that SEG would review Post
Office’s key material risks and a refreshed update would be provided to
September ARC.

The Risk and Compliance Committee (RCC) meeting summary of 7th May 2024
was NOTED.

Risk, Compliance, Assurance and Internal Audit Updates

Risk Update

RB highlighted that POL was operating outside of tolerance for 23 out of 74
intermediate risks. Each risk had a mitigation plan and target date to bring it
back into tolerance.

The Committee questioned the use of the phrase ‘outside of tolerance’. It was
explained that this term designated risks that were ‘particularly significant’ as
agreed with the ARC some time ago and did not mean literally that POL was
accepting risks that it could not tolerate. ACTION: Management agreed to
reconsider the terminology.

RB

RB outlined that wellbeing of colleagues emerged as a consistent theme from
discussions with the first line (impact of the inquiry, negative social media, and
the capacity of colleagues to perform day-to-day activities).

AD was concerned about the copper to fibre programme and the significant
delay risk, which was at amber status, and AD considered this should be red
rated. RB confirmed that this risk was included in the main body of the paper
and in appendix 1. The risk was outside of tolerance currently and was amber
due to delay in the remediation plan and programme but RB confirmed that a
score of 9 was high risk. AD considered that British Telecom (BT) required
proactive management.

TB had followed up on the internal audit copper to fibre report and confirmed
that the challenges with BT were being resolved and the number of branches
outstanding had decreased from 3,000 to 800 and confirmed that there was
clear activity to manage the relationship with BT. AD remained of the opinion
that the risk was red rather than amber.

AD further advised there had been a discussion about the copper to fibre
programme at the Investment Committee and Saf Ismail, Postmaster NED, had
made a point about re-engagement of Postmasters and using the programme to
think about the communication approach and communication with Postmasters
in light of SPMP, and assisting Postmasters to keep to schedule given to them.

NRa discussed and asked whether POL had a systemic and structured approach
to engaging with Postmasters so that they were fully aware of timelines and
more specifically when they would be subject to the fibre upgrade and/or
changes to the dates.

EJ noted that there was not a database with the correct contact details in for
Postmasters. OW confirmed that MR and team were working on capturing data
such as Postmaster telephone numbers.

EJ outlined that copper stop sell was potentially a test bed for how the NBIT roll
out could go and he observed he was yet to see delivery on a technology project
on time or within budget. LG agreed that a more integrated approach was
required.

ACTION: The Chair and AD undertook to co-ordinate in relation to overlap
between the Investment Committee and ARC and the interrelationship regarding

oversight and governance raised on programmes and associated risks. The

Chair/

NRa noted that, of the many risks outside tolerance, it was very challenging to
pick out from the paper the top three or four key risks that were most important
in terms of prioritisation. LG discussed a framework to assist prioritisation. KS
added that top risks were discussed at the QSM. ACTION: Consideration to be
given as to how the key strategic risks could be signalled and tracked by
management.

RB

ACTION: The ARC asked management to re-emphasise the role of RCC to
ensure it was clearly the management risk committee and not simply a RCC
committee to approve papers to be submitted to ARC and requested ARC papers
generally should feedback more on management's analysis and progress to
resolution of open issues.

Chair

RB presented the proposed risk appetite and tolerance level statements for
strategy and environment risk appetite statements.

The ARC NOTED the key risk positions and the target dates to bring exposures
into tolerance and APPROVED the suggested appetite & tolerance levels for
Strategy & Environment risk appetite statements.

3.2 Group Compliance Update

JH discussed the ICO’s decision to issue a Practice Recommendation (PR) to
POL, following the decline in compliance with FOI response timescales. The
consequent reputational risk was discussed by the ARC with LG favouring a
proactive course of action.

JH considered it likely that the ICO would take similar action regarding POL’s
compliance with data protection legislation and would issue a further PR
covering Information Rights and the risk of more severe action by the ICO was
discussed.

The Chair asked if management had already addressed the recommendations
expected in any PR. JH confirmed actions were well advanced and four new
positions had been approved for the FOI Team and he was working closely with
Simon Recaldin and the remediation Team. NRe discussed the number and
complexity of FOI’s received by POL.

The Chair questioned the assurances previously given by JH that the good
liaison and positive relationship with the ICO meant that POL was unlikely to
receive any sanction or adverse publicity. JH acknowledged that these risks had
increased.

The ARC NOTED the Group Compliance Update.

3.3 Group Assurance Update (including SPMP Integrated Assurance)

In relation to Retail, AM highlighted that overdue open management actions
remain significantly high with only 16% (13 out of 83) actions closed to date.
The significant increase since the last ARC was driven by 36 Postmaster Policies
actions being overdue, with a reforecast closure date of June 2024 for the
majority of these. Retail’s inability to demonstrate their conformance with the
Common Issue Judgement (CIJ) was discussed by AM. LG considered it was an
unacceptable position and the risk highlighted by Group assurance needed to be
addressed by the Retail Executive. The Chair asked management to engage on
this. ACTION: Outline action plan with timeline, commitments and risk
exposures to be presented to July ARC.

SPMP Integrated Assurance

AM outlined the 34 Statement of Works (SOW) and he was seeking ARC’s
approval for these, akin to the approval sought for the internal audit plan, given
the criticality of the assurance topic and impacts. The Chair noted that
management approve the individual SOW so that ARC could oversee progress.
AM confirmed that RCC were satisfied from a risk perspective in relation to the
34 SOW.

NRa sought clarity about AM’s plan and the lack of a timeline. AM advised that
he could not currently provide the timeline or resources required, as the SPMP
programme were still working on building and finalising their risk posture for
release and deployment, which was an ARC request from December 2023,
along with a significant dependency on acquiring SME external support.

MR


AM outlined the two external reviews performed by IPA and PD and more
specifically the red rating within the IPA report. In AM’s opinion, and as agreed
with SEG the previous day, both reports highlighted the same key issues and
have provided a clear ‘proof point’ that the building blocks of SPMP are less than
adequate, and hence to some extent predicted the outcome of the four
Assurance reviews in flight. Therefore, as agreed with SEG, a decision has been
made to pause SPMP assurance in order for SPMP assurance resources to assist
the SPMP programme, including understanding the causes of the issues,
highlighted in the IPA and PD reports.

The Chair advised AM to ensure he remained objective as his team would
inevitably lose independence and objectivity. AM advised that there would be
separation of personnel involved or independent resource utilised. JA outlined
there was a planned review of the overall SPMP approach in September 2024.
NRa discussed that the programme was adopting an agile delivery model, which
on balance, always represented a higher inherent risk and therefore the
programme processes and procedures should be built around this heightened
risk.

AD questioned if the pace of assurance work was sufficient. AM advised that it
was not and GA were constructing a plan to address the issues identified in both
reports. ACTION: AM to revert to ARC with more information on the timeline.
AD considered there was a window of 2-3 months to reset, beyond which would
be problematic.

AD highlighted that he was significantly concerned with the status of SPMP,
given the outcomes of the two external reports along with status of assurance
and continuing lack of visibility of SPMP risk profile. ACTION: The Chair
requested a SPMP deep dive.

The ARC NOTED the Group Assurance update.

AM

CB/TMc

3.4 Internal Audit Report

SO, MR and CB entered the meeting.

JA presented six audit reports; Financial Services Conduct Risk Management
and International Money Transfer audits were both rated as ‘Needs
Improvement’. ATM Link Scheme Assurance audit was rated ‘Satisfactory’.
Copper Stop Sell Programme and Pin Entry Device Replacement Programme
were both rated ‘Significant Delivery Risk’. Management of Post-GLO
Improvements was rated ‘Needs Improvement’.

JA drew out the reliability of data and communication with Postmasters as key
issues in the Copper Stop Sell Programme IA report. NRa commented upon the
Pin Entry Device (PEDS) Replacement Programme with 5 P1’s and asked why
this was not Red rated. TB advised that, during the fieldwork, the PEDs controls
improved to justify amber.

JA outlined that the Deloitte Horizon Privileged Access Management report was
contained in the reading room with an overview in main paper. Deloitte were
only able to assess POL operated access controls. The Chair outlined that access
controls were fundamentally important. At the last meeting POL were awaiting
output of EY’s work which now seemed to have been pushed out until August
2024.


SO added that EY had expanded the scope this year and the Audit was in
progress. SO acknowledged POL’s contractual obligation to pay for this work. EJ
said that checking the controls access systems was fundamental and that
August was too late.

AM asked why the Deloitte report was not rated, noting the P1’s in the report,
and the lack of access provided to the auditors; normally lack of access and the
number of P1 would lean towards a Red report. JA noted that as fieldwork could
not be completed the report was not rated. He considered it would be rated
unsatisfactory and amber/red. CM confirmed Deloitte had only looked at POL
controls. ACTION: The ARC requested that NRe engage with Fujitsu to
accelerate the delivery of the EY report.

AM asked SO what the read across from the Deloitte report was against POL
compliance with the HIJ requirements and that Internal Audit should provide a
formal opinion on this immediately. ACTION: An update on the consequential
impact on compliance with the HIJ requirements to be provided to July ARC.

JA noted that IA had been requested to follow up the investigation of actions
from Speak Up and he had approached OW and AB in relation to the scope of
this audit.

JA outlined that completion of audit actions was progressing slowly; there were
22 actions overdue, 14 of which were older than 60 days. ACTION: ARC
requested a progress update at the July meeting.

The ARC NOTED the progress being made with delivery of the internal audit
programme and completion of audit actions.

SO, MR and CB left the meeting.

NRe

SO/JA

JA

Data Governance Update

CR, VT and TMc entered the meeting.

CR advised that the team were assessing how the timelines for level 4 maturity
could be brought forward from August 2027 and that the pilot scheme in three
areas of the business would provide a more detailed timeline. CR acknowledged
the impact on the business at a time when the stakeholders were already
stretched running BAU. TMc added that the demands on the business were
materially different for level 3 and 4 maturity, compared with level 2.

CR assessed that the quality of the data that POL currently had was poor, but
that SEG and data sponsors had committed to improvements.

The Chair asked about progress on the management of delivery, controls and
oversight. CR advised that the pilot would start to identify the critical data sets
and acknowledged the importance of data to allow POL to make good decisions
and help deliver the strategy. As part of the pilot, CR advised that SPMP would
be a crucial component given the significance of the programme. The ARC
agreed with CR’s proposal to include SPMP in the data management pilot.

AD discussed Artificial Intelligence (AI) and having a clear sense of the AI
strategy as an organisation. CR agreed there was a need to embrace AI for
competitive advantage and highlighted the importance of having the right
governance and controls around it. CR confirmed there was a paper pending on
AI led by Chris Darriet-Jones, Chief Data Architect. AD was keen to clarify risk
tolerance towards AI. EJ requested this address front line benefit of AI in terms
of cost reduction and benefit to Postmasters. ACTION: Paper on AI to be
presented to ARC once finalised and Chris Darriet-Jones to provide a date for
this.

NRa noted that data was a key element of SPMP and the quality of data was a
big part of migration and asked how this was being considered. CR advised that
the data management function was part of the main gating process and this was
being ‘built in’ by design and confirmed that SPMP was one of the three pilot
areas of the business.

The ARC NOTED the Data Governance Update.

Chris Darriet-Jones

Branch Data Plan and Controls

KD entered the meeting.

KD outlined that the specific risk in relation to the management of Branch data
is in the process of being defined and agreed in terms of the risk ownership,
with an expectation that an update would be provided at the September ARC.
ACTION: Branch data update to be presented to September ARC.

LG asked about the plan in relation to NBIT and whether there would be any
physical data in branches. CR discussed analysing why there were paper copies
and whether it was because it had always been done that way. TMc outlined the
need to establish what needed to be done for clients and then how to achieve
this and gave the example Moneygram requirements may be retained on a PDF
rather than in a box in branch. EJ outlined the short term need to rationalise
data storage.

The ARC NOTED the approach to the management of physical (unstructured)
data held in Branch.

KD, CR, VT and TMc left the meeting.

KD

Transformation Office Changes Update

This item was not presented.

The ARC NOTED the Transformation Office Changes Update report.

POI Board Update

ED entered the meeting.

The multi-faceted relationship between POL and POI, the complexities, and
inherent potential conflicts of interest (for example, as an appointed
representative and principal; a shareholder; an FCA regulated subsidiary; and
as parties to a shared services agreement) and the obligations on parties as a
result, were outlined by ED.

OW had previously advised the POL Board that the POI Board Senior
Independent Director (who is also the ARC Chair) had resigned. ED advised that
following discussion, she had subsequently withdrawn her resignation and would
complete her term. OW added that Tim Franklin’s term as Chair of the POI
Board had not been further extended and a process was underway to recruit a
successor.

The ARC NOTED the POI Board Update.

ED left the meeting.

SPM Risk Update

CB & KG entered the meeting.

CB explained that he was not in a position to provide the ARC with a clear risk
profile for the release of SPM, but he identified the next steps and timelines
needed to achieve this. As noted in a previous item, the Chair had requested
that a SPMP Deep Dive be facilitated.

The ARC NOTED the SPM Risk Update.

KG left the meeting.

Cyber Security Update, AWS Access Controls lessons learned & DLP
Update

NB entered the meeting.

Cyber Security Update

NB confirmed that Cyber defences continued to be effective in the face of
increasing Global threats with no business impacting incidents in the reporting

IRRELEVANT
IRRELEVANT
POL were a victim, were

The Chair asked if this work was planned. NB confirmed that it was within the
maturity programme, which was being presented to POL Board on 3rd June 2024
and he believed management knows what needs to be done and had a plan,
NRa observed that he had i

AWS Access Controls

In relation to AWS Access Controls, NB advised that the Post Incident Review
had concluded, and had identified 51 actions related to technology, people,
process and governance across 10 categories. Each action had a clear owner,
with priorities and due dates currently being allocated. This was being overseen
by the Technology sub-committee.


‘that actions were being agreed with management in relation to the IA technical
assurance of AWS.

NB advised that whilst the containment actio!

The Chair asked about any response from the ICO. NB advised there had been
an ICO response to one customer with no further action being required.

LG referenced the open actions in Appendix 1 and noted that some had no due
dates. NB confirmed they did now have dates. LG noted that some due dates
were pushed out to October 2024. TB advised there had been lack of oversight
over the clarity of the actions. NB advised that known risks were identified but
had not been sufficiently mitigated prior to the audit.

Data Loss Prevention (DLP)

In relation to Data Loss Prevention, NB presented the forecast completion dates
for the four short term actions related to DLP, with the latest completion date
being the end of September 2024. NB confirmed that good progress was being
made in relation to implementing DLP controls.

The ARC NOTED the Cyber Security Update, AWS Access Controls lessons
learned and DLP Update.

CB and NB left the meeting.

10. Climate risks and our approach under TCFD (Task Force on Climate-related
Financial Disclosures)

JL & MC entered the meeting.

JL outlined that POL must report in line with the Climate-related financial
disclosures requirements for FY 2023/24.

EJ was concerned about energy improvements/CSR activity on the frontline in
the 11,500 independently operated buildings. MC confirmed he was working
with the branch IT team in relation to Horizon energy use. EJ recalled a previous
ARC discussion regarding a potential £1m saving if Horizon kit were able to be
switched off at night. ACTION: Further information was to be provided to ARC
members in relation to energy cost savings and the potential to switch kit off
overnight. EJ noted the long time period between now and the planned move to
NBIT and was looking for something to be done before this move.

The ARC NOTED the approach to Task Force on Climate-related financial
disclosures.

JL & MC left the meeting.

SO

11. Banking Deep Dive

RBo entered the meeting.


OW confirmed that the Board would receive a further update on Banking
Framework 4 (BF4) negotiations on 4th June 2024. The Chair thanked RBo and
the team for the work undertaken so far. LG had found RBo’s paper good and
clear.

RBo outlined that the Access to Cash legislation imposed new obligations on the
banks to provide access and new information gathering powers over POL for the
services offered.

RBo discussed the ongoing BF4 negotiations with the banks, to secure a
continuation of the agreement to provide cash to the industry. RBo highlighted
the challenges in passing bac
New competition wa:

RBo highlighted that money laundering remained a significant risk for POL and
an ongoing challenge to manage and mitigate in partnership with the banks.
The underperformance of a supplier called {1F twas discussed, with further
fixes being implemented in the coming months to reduce the impact of
outages.

AD referenced paragraph 32 of the paper in relation tole tnaving classed 5
of the qualifications as medium risk, following the PwC audit of the Banking
Framework, and getting these closed off in an appropriate length of time. RBo
confirmed that all apart from Vulnerability Management, which has not been
resolved, were signed off as complete. Vulnerability management had been
escalated again to understand the resolution plan, including to the new CISO,
and RBo acknowledged this was likely to get additional scrutiny from jinseevantin
June.

The ARC NOTED the Banking Deep Dive.

RBo left the meeting.

12. Procurement Risk & Compliance Report

This item was not presented.

The ARC NOTED the Procurement Risk & Compliance Report

13. Postmaster Policies for Approval

MR, JM & RHa entered the meeting.

MR presented the following Postmaster policies for ARC approval:
• Network Cash and Stock Management
• Network Monitoring and Branch Assurance Support
• Postmaster Complaint Handling

MR outlined there were no significant changes in this set of policies since they
were last approved. LG requested that how it felt to be on the receiving end of
the policies continued to be considered in the approval paper presented;
including anything that could be done differently to improve the experience. EJ
considered that the balance was better now.


The Chair outlined that he was visiting Chesterfield on 11th June and opened the
invitation to others who may also wish to visit. MR advised that the monthly
Town Hall had taken place there last week and had gone down well.

The ARC APPROVED the
• Network Cash and Stock Management Policy;
• Network Monitoring and Branch Assurance Support Policy; and
• Postmaster Complaint Handling Policy

MR, JM & RHa left the meeting.

14. Policies for Approval

14.1 Employee Vetting Requirements Policy

MMcK entered the meeting.

MMcK presented the policy and outlined that the policy had minor changes and
updates at this review.

The ARC APPROVED the Employee Vetting Requirements Policy.

MMcK left the meeting.

14.2 Business Continuity Management Policy

JL entered the meeting.

JL presented the policy and outlined that the policy had minor changes and
updates at this review.

The ARC APPROVED the Business Continuity Management Policy

JL left the meeting.

14.3 Speak Up Policy

CH entered the meeting.

CH presented the policy and outlined that the policy had minor changes and
updates at this review.

The ARC APPROVED the Speak Up Policy

CH left the meeting.

14.4 Cyber and Information Security Policy

NB entered the meeting.

NB presented the policy and outlined that the policy had minor changes and
updates at this review.

The ARC APPROVED the Cyber and Information Security Policy

NB left the meeting.

15. Post Office Insurance ARC update


This item was not presented.

AD asked how the requirements of the Service Level Agreement between POL
and POI were met. OW advised that HR support had improved. The Chair
confirmed that he had regular calls with the POI ARC Chair with the next
meeting on 23rd May and he regularly discussed compliance with the POI ARC
Chair. The POI ARC Chair had also attended POL ARC on occasion to provide an
update.

The ARC NOTED the Post Office Insurance ARC update.

16. IR35 Update

KM, TL, AJ, RHi entered the meeting.

The Chair noted that this would likely require agreement with the Shareholder
and Shareholder funding. LG noted the level of risk taken and questioned the
Shareholders willingness to fund that risk. NRa asked about whether the
financial risk was still accruing. RHi advised that it was and in respect of circa
340 contractors, approximately half were outside IR35. TL discussed the
reassessment of each contractor and whilst the initial criticality assessment has
been completed, further review is required of the responses to ensure
consistency across the business.

ACTION: LG discussed the approach taken by POL historically and suggested
POL engage with the Centre for Tax Excellence which TL and AJ agreed to do.

The ARC discussed the expert advice taken. LG outlined that no written advice
had been provided to Board. TL agreed there was no specific external advice on
the position. CM confirmed that Deloitte had advised historically, but this had
been high level input and not directly on POL’s position. AP also noted the
significant length of time taken by HMRC on this matter.

NRa highlighted the need to resolve the issue and mitigate risk going forward
and discussed the implications on contractors in the business and on SPMP re-
planning. RH outlined that POL has changed its approach to engaging new
contractors since moving the contract for contingent labour to Morson as the
managed service provider from January 2023, which has in turn reduced the
ongoing IR35 risk.

The Chair discussed the timing going forwards. TL outlined the dependencies on
HMRC and getting KPMG to resume service following the dispute over their fees
for their work on disclosure. AP considered the implications for signing this
year’s accounts if KPMG were advising.

ACTION: TL to produce a timeline going forwards, acknowledging the
dependencies on HMRC and KPMG.

ACTION: NRe was to discuss KPMG performance with their senior partner.

ACTION: LG requested that consideration was given to whether bonus
payments had been impacted.

TL/AJ

TL

TL

ACTION: A new policy in relation to Contractor Engagement was to be devised.
LG considered that ‘off cycle’ funding could not be requested until this policy
was in place.

KM/TP

AB joined the meeting.

The ARC NOTED the IR35 Update.

KM and RHi left the meeting.

17. Tax Update and Strategy

TL outlined that no significant updates had been made to the Tax Strategy,
compared with the prior year.

TL outlined the strategic tax challenges for POL. In relation to VAT - liability of
Postmaster services to POL, LG was concerned about the potential impact on
Postmaster Remuneration and asked that DBT were made aware of this issue.
ACTION: TL and AJ to highlight this item to DBT.

TL/AJ

TL had been advised by HMRC, that in response to Horizon Inquiry evidence
they had seen, HMRC may want to reassess POL’s Tax position back to the year
2000.

The ARC NOTED the Tax Update and APPROVED the Tax Strategy.

18. Payment Practices Reporting Compliance

This item was not presented.

The ARC NOTED Post Office Limited’s compliance with Payment Practices
Reporting requirements for the financial year ended 31 March 2024 (FY23/24).

19. Review of External Audit (post account approval)

TL outlined Management's retrospective review of the audit process, following
the completion of the FY22/23 Annual Report & Accounts. The Chair thanked TL
and the team for undertaking this review.

The ARC NOTED the Review of External Audit (post account approval).

20. External Auditor Procurement Exercise - Outcome and Appointment

AP and CM left the meeting.

AR joined the meeting.

The Chair noted that this was AP’s final year before retirement and he had met
with Chris Hibbs, AP’s successor. The Chair planned to invite Chris Hibbs to
future ARC meetings, but Chris would not be taking decisions until AP had
stepped down.

The Chair asked whether the exercise had been supported by Procurement and
AR confirmed that it had been.

In relation to the performance of PwC, the ARC had noted a Review of the
External Audit at item 19 on the agenda.

TL confirmed that the management recommendation was free from influence by
a third party and that no contractual term of the kind mentioned in Article 16(6)
of the Audit Regulation has been imposed on the company.

The ARC APPROVED the recommendation to the POL Board to appoint PwC in
the role of external auditor for the Post Office Limited group of companies
(POL), with the appointment being for a period of 4 years, with the option to
extend for a further 2 years, commencing with the financial year ended
30/3/2025 (FY24/25).

AR and TL left the meeting.

AP and CM re-joined the meeting.

21. Committee Forward Plan

The ARC NOTED the Committee Forward Plan.

22. Any other business

There was no further business raised.

23. External Audit to meet with ARC Members

AP met with the Chair, LG, EJ and AD.

CM was in attendance. NRa attended as an observer.

MM was present to capture notes of the meeting. No material items were
discussed.

24. Speak Up Report

SG and CH entered the meeting.

AB presented the Speak Up Report.

ACTION: EJ requested information relating to the comparative number of cases
per 1000 in other organisations, compared to POL, which CH agreed to provide
to ARC.

CH

ACTION: LG suggested consideration be given to the best means of surveying
Speak Up reporters.

SG/CH

ACTION: EJ requested circulation of a previous Board Minute to ARC members,
in relation to Disclosure of Evidence.

CoSec

The ARC NOTED the Speak Up Report.

There being no further business, the meeting was closed at 12.32.

Simon Jeffreys