POL00448768
Appendix 1
Post Office Limited Audit, Risk & Compliance Committee Terms of Reference (ToR) Evaluation 2021/22
The Terms of Reference are at Appendix 2, the relevant section(s) of the ToR are shown before each item.
The Committee shall:
2. Monitor the integrity of the financial statements of the Company, including its annual report and half yearly reports and any other formal statements relating to its financial performance, and review and report to the board on significant financial reporting issues and judgements which those statements contain having regard to matters communicated to it by the auditor.
✓ N/A ✓ N/A ✓ ✓
Reviewed the progress made with the audit and Annual Report and Accounts, including External Auditor’s Audit Summary Memorandum for the Post Office Limited external audit of the financial statements for the year ended 28 March 2021.
Noted the Annual Report and Accounts update for the year ended 28 March 2021.
Noted Annual Report and Accounts update for the year ended 28 March 2021 [note: a three-month filing extension to 31 March 2022 has been sought].
3. Review and approve for recommendation to the Board the Annual Report and Accounts, including but not limited to:
i. Reports of the External Auditor;
ii. any proposed changes in presentation of the financial statements or accompanying notes which the auditors may recommend; and
iii. the Management letter.
Reviewed Annual Report and Accounts 2020/21 but not ready to recommend to the Board for signing as at 06/01/2022 (see 2 above).
4. Review and approve for recommendation to the Board the half year financial report or trading statement for publication.
N/A - Post Office Group does not produce half year results.
5. Review and report to the Board on significant financial reporting issues, including, but not limited:
✓
Reviewed the Annual Report and Accounts for the year ended 28 March 2021 (see 2 above).
i. the consistency of, and any changes to, significant accounting policies both on a year on year basis and across the Company/Group;
Strictly Confidential Page 1 of 8
ii. the methods used to account for
significant or unusual transactions
where different approaches are
possible;
iii. whether the Company has
followed appropriate accounting
standards and made appropriate
estimates and judgements, taking
into account the views of the
External Auditor;
iv. the clarity and completeness of
disclosure in the Company's financial
reports and the context in which
statements are made;
v. all material information presented
with the financial statements, such
as the business review and the
corporate governance statements
relating to the audit and to risk
management; and
vi. an overview of the extent to
which the Annual Report and
Accounts are fair balanced and
provide the information necessary to
the Shareholder to assess the
Company's performance, business
model and strategy.
6. Report to the Board where the
Committee is not satisfied with any
aspects of the proposed financial
reporting by the Company;
N/A
7. Approve the Group Treasury
policies, including methods of
mitigating against foreign currency
exposure and any use of financial
derivatives.
✓
Treasury Policy approved by written resolution on 28 May 2021.
8. Approve for recommendation
to the Board any changes to the
accounting reference date, practice
or policy by any Group Company, if
different from those previously
adopted by the Group, unless
required by law or generally
accepted accounting principles.
N/A - there were no changes.
The Committee discussed the Department of Business, Energy & Industrial Strategy (BEIS) Consultation White Paper on restoring trust in audit and
corporate governance and approved the proposal that POL should respond to the consultation at its meeting on 18th May 2021.
9. Approve any changes to
accounting policies required by law
or generally accepted accounting
N/A - there were no changes.
ra
The Committee shall:
systems.
incorporating reports
and actions from
reviews undertaken by
Internal Audit at each
scheduled meeting.
incorporating reports
and actions from
reviews undertaken by
Internal Audit.
incorporating reports
and actions from
reviews undertaken by
Internal Audit.
10. Along with the external and v ¥ N/A v v v
internal auditors, monitor the Discussed the Risk, Discussed the Risk, Discussed the Risk, Discussed the Risk, Discussed the Risk,
adequacy and effectiveness of the _I Internal Audit & Internal Audit & Internal Audit & Internal Audit & Internal Audit &
Company's internal financial controls I Compliance Reports at_I Compliance Reports. Compliance Reports. Compliance Reports. Compliance Reports
and other internal control and risk I each scheduled
management systems. meeting. Also noted:
Also noted: (1) the IT Controls
(1) the Transformation Deep Diver update
Office update (2) Service and
within the Risk Support Controls
Report update
(2) the IT Controls (3) Financial Assurance
Deep Dive paper over SPM
and upda 1
(3) the Supply Chain (4) Financial Reporting
Controls update. Controls
Environment
update
(5) Tax - IR35 update.
11. Review recommendations for v v N/A v v v
the improvement of the Company’s I Noted the Internal Noted the Internal Noted the Internal Noted the Internal Noted the Internal
internal controls, processes and Audit report, Audit report, Audit report, Audit report, Audit report,
incorporating reports
and actions from
reviews undertaken by
Internal Audit.
Noted the Contract
Management
Framework Controls
paper.
Noted and approved
the Bulk Cheque
Clearing Account
paper.
incorporating reports
and actions from
reviews undertaken by
Internal Audit.
12. Review and approve the statements to be included in the Annual Report concerning internal controls and risk management.
✓
Reviewed the Annual Report and Accounts for the year ended 28 March 2021 which incorporated these elements (see 2 above) but the ARA was not ready to be recommended to the Board for signing as at 06/01/2022.
13. Review the overall risk v 7 v v v v
management framework and As above, Risk report The Risk report was (1) Risk Management I The Risk report was The Risk report was The Risk report was
strategy in place for the Group is noted at each noted, Workshop. noted, noted, noted.
including its risk appetites and scheduled meeting. (2) Network and
tolerance. (1) Operational Risk Postmaster risk I (1) The People Risk
Appetite Statement discussion. Appetite Statement
approved. (3) IT infrastructure approved.
(2) Legal & Compliance risk discussion.
Risk Appetite (4) Brand and
Statement reputation risk
approved discussion.
(3) Top down and
bottom up risk
assessment
considered,
14. Review the Company's overall I v v v v v
risk position and periodically invite I As above, Risk report I the Risk report was Risk Workshop held, The Risk report was The Risk report was The Risk report was
management to outline risk is noted at each noted. noted. noted. noted.
management strategy and status scheduled meeting.
within their specific business units. Also noted: Also noted: Also noted:
Also noted: (1) Procurement (1) Postmaster (1) Business Continuity
(1) Postmaster Governance & Management Update
Management Compliance Information & Data I (2) Procurement
Information paper Governance Governance and
Overview
(2) Joiners, Movers,
Leavers update
noted
(3) Cyber Security
update
(4) Procurement
Governance and
compliance paper
(2) Belfast Datacenter
Framework Update
(Horizon) Disaster I (2) Postmaster
Recovery Post Test
Remuneration ~
Briefing Third Party
(3) Payment Practices Assurance
Reporting (3) Legal Risk Review
(4) Law & Trends (4) Procurement
(8) Corporate
Insurance Renewal
Governance &
Compliance paper
(6) Policy Update - I (5) Modern Slavery
Summary Paper
action plan
Compliance
paper (including
approvals on
Vocalink, Bulk
Cheque Clearing
and internal and
external audit re-
tendering
recommendation
s)
(3) Mails Deep Dive
and Dangerous
Goods Update
Paper
(4) Strategic Partner
Risk Update
(5) Payment
Practices
Reporting
Compliance,
15. Review management's
assessment of the degree of risk the
v
The Committee has regularly invited management from different areas of the business to meetings and reviewed their assessment of risk (see 14 above).
Company prudently incurs in
achieving a reasonable balance
between the cost of managing risk
and control systems and the benefits
derived.
16. Review areas of specific risk as highlighted by management, including enterprise and business risk.
✓
Specific areas of risk are regularly reviewed to the Committee, alongside the Risk Report presented at each scheduled meeting (see 14 above).
17. Monitor the Risk and Compliance Committee activities and receive summary reports as appropriate.
✓ ✓ N/A ✓ ✓ ✓
RCC draft minutes noted at each ordinary meeting.
Noted RCC's draft minutes and report.
Noted RCC’s draft minutes.
Noted RCC's draft minutes.
Noted RCC’s draft minutes.
18. Review legal, regulatory and I ¥ v N/A v N/A N/A
any other matters that may have a I A Compliance update —_I The following policies Approved the Modern
material impact on the financial I incorporating were approved: Slavery Statement for
statements, related Group I regulatory matters is i, Postmaster recommendation to the
compliance policies, and I presented to each Contractual Board.
programmes and reports prepared to I ordinary Committee Performance
manage and monitor Group I meeting (see 10
compliance policies and approve I @bove) ii. Postmaster
i it Contract
Group Key Policies as required I. sojowing policies Soe on
under the Group Key Policy I were approved by
Framework as amended from time I written resolution ili, Postmaster
to time by the Committee, including guring the yee leh & Contract
rocurement; Heal Termination
the Tax Strategy. Safety; Business
Continuity Policy; iv. Accounting
Group Key Policy Dispute Resolution
Framework; Financial (revised)
Crime Policy; Anti-
Money Laundering &
Counter Terrorism
Funding Policy.
19. Review, in conjunction with the Remuneration Committee, whether any remuneration policy adopted by either the Company or its subsidiaries, or the implementation of any such policy is consistent with the risk appetite particularly in relation to conduct risk.
N/A - new policies were not adopted during the year.
20. Monitor the impact of any new I ¥ v N/A v v v
legislative, regulatory, market or Regular Law & Trends I Compliance Report Compliance Report Compliance Report Compliance Report
other developments which could Updates are provided I noted. noted noted. noted.
materially or adversely affect the
Group.
to the Committee,
alongside the
Compliance Report
presented at each
ordinary meeting (see
18 above).
Law & Trends Report
noted.
21. Receive reports on specific
breaches and incidents and review
management plans for resolution.
The Committee will also review
management plans for root cause
analysis resulting from breaches and
issues.
✓
Compliance reports presented at each scheduled meeting, including details on any breaches and incidents, including details of actions being taken to resolve/identify root cause.
✓
Compliance Report noted.
N/A
✓
Compliance Report noted.
✓
Compliance Report noted.
✓
Compliance Report noted.
22. Approve the overall levels of
insurance for the Group, including
directors’ and officers’ liability
insurance and any arrangements for
The Committee shall
v
Approved at meeting on
28th September 2021.
SaaBnEh of directors.
adequacy and security of the
Company's arrangements for its
employees and contractors to raise
concerns, in confidence, about
possible wrongdoing in financial
reporting, regulatory breaches or
other matters. The Committee shall
determine that these arrangements
allow proportionate and independent
investigation of such matters and
appropriate follow up action.
Compliance reports
presented at each
scheduled meeting,
including a
whistleblowing update.
Compliance Report
noted.
Compliance Report
noted.
Compliance Report
noted.
Noted the
Whistleblowing Policy
Interim Review.
23. Review with the internal ¥ v N/A v v v
auditors and the external auditors The Internal & External I Compliance Report Compliance Report Compliance Report Compliance Report
the results of any review of the Auditors attend each noted. noted. noted. noted.
compliance with the Company's scheduled Committee
codes of ethical conduct and similar I meeting. Noted the
policies including whistleblowing Whistleblowing Policy
Compliance reports are Interim Review.
presented at each
scheduled meeting,
including a
whistleblowing update.
24. Review at least annually the v v N/A v v v
Compliance Report
noted.
Group's compliance function.
scheduled meeting.
25. Review the Group’s procedures for detecting fraud and the systems and controls for prevention of bribery and any non-compliance.
✓ N/A N/A ✓ N/A N/A
Compliance reports presented at each scheduled meeting includes a financial crime update.
Approved the Anti-Bribery & Corruption Annual Report and Policy Review.
26. Review any summary of frauds, I ~ v N/A v v v
thefts and other irregularities of any I Any frauds, thefts and I Compliance Report Compliance Report Compliance Report Compliance Report
size, other irregularities are I noted. noted, noted. noted.
reported in the
Compliance report
presented to each
scheduled meeting.
Other specific matters
otherwise detailed.
27. Review the regular reports from the Money Laundering Officer and monitor the adequacy and effectiveness of the Group’s anti-money laundering systems and controls.
✓ N/A N/A ✓ N/A N/A
Compliance reports presented at each scheduled meeting includes a financial crime/AML update.
Anti-Bribery & Corruption Annual Report and Policy Review approved.
28. Review regular reports from the I ~ v N/A v v v
Director of Compliance and monitor I Compliance reports Compliance Report Compliance Report Compliance Report Compliance Report
adequacy and effectiveness of the presented at each noted. noted, noted. noted,
29. Review late statutory filings and
the circumstances around such
lateness.
The Committee shall
N/A
30. Approve the appointment or
termination of appointment of the
Head of Internal Audit.
N/A
31. Approve the Internal Audit
Charter every two years.
N/A
N/A
v Approved.
N/A
N/A
32. Review and approve the
annual Internal Audit Plans,
including any changes to these
plans, to ensure they are aligned to
the key risks of the business and
review reports on work carried out.
v
Internal Audit Updates,
including updates on
progress against the
plan are presented at
each scheduled
v
Revised Internal Audit
Plan of 2021/22
approved.
N/A
a
Internal Audit Report
noted.
v
Internal Audit Report
noted.
v
Internal Audit Report
noted.
The review should include methods
employed by the internal auditors to
assess risk and to prioritise the
various audit proposals identified in
the annual plan.
Committee meeting.
33. Ensure internal audit has
unrestricted scope, the necessary
resources and access to information
to fulfil its mandate.
v
There have been no reported issues in the current financial year and regular updates have been presented to the Committee (see 32 above).
34. Ensure the Internal Auditor has
direct access to the Board Chair and
to the Committee Chair and is
accountable to the Committee.
v
Internal Audit Updates are presented at each scheduled Committee meeting.
Direct contact or meetings with Board or Committee Chair occurs where required.
35. Monitor and review the
effectiveness of the internal audit
function in the context of the
Group's overall risk management
system and the work of compliance,
finance and the external auditor and
as part of this assessment:
i. Meet with the Head of Internal
Audit without the presence of
management
ii. Review the annual internal audit
plan work and results
iii. Determine whether it is satisfied
that the quality, experience and
expertise of internal audit is
appropriate for the business
iv. Review actions taken by
management to implement the
recommendations of internal audit
and to support the effective working
of the function.
v
Internal Audit Updates
are presented at each
scheduled Committee
meeting including
outcomes of audit
reports and audit
actions.
Note: There is no
formal annual review of
Internal Audit i.e.,
documented discussion
of (iii). However, under
Internal Audit
standards, external
review is required at
least every 5 years.
[Meeting with Internal
Audit and Non-
Executive Director
including Chair, without
management. Deferred
until sign off point for
ARA?]
36. Ensure the independence of the
internal auditor including an annual
review of any non-audit services
provided by internal audit.
37. Determine whether an
independent, third party review of
The Committee shall:
ae is opera
38. Approve for recommendation ✓
to the Board the appointment,
reappointment or removal of the
independent external auditors, the
proposed fees (in consultation with
management) and the acceptance of
the scope and general extent of the
engagement.
The Board approved the re-appointment of PWC as the external auditor for Post Office Limited on 18th March 2021.
The Committee considered the internal and external audit re-tendering recommendations on 30th November 2021.
39. Review and approve the
selection procedure for the
appointment of the audit firm in
accordance with applicable
regulatory requirements, ensuring
that all tendering firms have access
to all necessary information and
individuals during the tendering
process.
N/A
40. If an Auditor resigns, review the
issues leading to this and determine
whether any action is required.
N/A
41. Review and approve the
agreed annual external audit plans
and approach to risk assessment
and the scope and plan of their
audits.
✓ approved the scope
and proposed fee
structure for the audit
and assurance work to
be delivered by PWC.
N/A
N/A
N/A
N/A
42. Review the findings of the audit
with the external auditor. This shall
include discussing any major issues
which arose during the audit
including (but not limited to) key
accounting and audit judgement and
the levels of error identified.
N/A
✓ External Auditor's
Audit Summary
Memorandum for the
Post Office Limited
external audit of the
financial statements for
the year ended 28
March 2021 noted.
✓ Noted the Agreed
Upon Procedures
Paper.
N/A
N/A
N/A
43. Review any representation
letter(s) requested by the External
Auditor before they are signed by
management.
N/A
44. Review the management letter
and management's response to the
auditor's findings and
recommendations.
N/A - the Annual
Report and Accounts
for the year ended 28
March 21 was not
ready for signing as at
01/06/2022.
N/A
N/A
N/A
N/A
N/A
45. Monitor and review annually
the independence of the external
auditors including level of fees paid,
an annual review of any non-audit
services provided by the external
auditors and auditor's processes for
maintaining independence.
v
Whilst there has been
no formal annual
review of
independence of the
external auditors by
the Committee,
independence and non-
audit fees are
addressed in the
Auditor's reports and
can be challenged as
required.
✓ approved the scope
and proposed fee
structure for the audit
and assurance work to
be delivered by PWC.
N/A
N/A
N/A
46. Approve the Group's policy on
non-audit services by the auditor.
v
The Committee considered the non-audit fees in September 2019 and agreed
y the external auditor. Non-audit fees
are considered within regular external audit updates.
47. Meet regularly with the external
auditor (including once at the
planning stage before the audit and
once after the audit at the reporting
stage) and, at least once a year,
meet the external auditor without
management being present, to
discuss the auditor's remit and any
issues arising from the audit.
v
External auditor
attends all Committee
meetings
✓ approved the scope
and proposed fee
structure for the audit
and assurance work to
be delivered by PWC.
N/A
N/A
N/A
N/A
[Deferred until sign off
point for ARA?]
48. Review annually the
qualifications, expertise and
resources of the external auditor and
the effectiveness of the audit
process, which shall include a report
from the external auditor on their
own internal quality procedures, an
assessment of the quality of the
audit, handling of key judgement by
the auditor and the auditor’s
response to questions from the
Committee.
?
[Last year’s entry:
v
This has not been done in a formal way, but it is covered in the audit report for FY 2019/20 and FY2020/21 Audit Plan. It is suggested that a more formal
annual review is carried out following the approval of the Annual Report and Accounts moving forwards (this could include matters set out in 45 above).
49. Ensure co-ordination of the
external audit with the activities of
the internal audit function
50. The Chair shall report formally
to the Board on its proceedings after
each meeting on all matters within
its duties and responsibilities and
shall also formally report to the
Board on how it has discharged its
v
Internal and Internal Audit attend all Committee meetings meaning each are aware of the other's activities.
v
ARC Chair provides an update on ARC matters at each scheduled Board meeting as required, otherwise this is dealt with via Board members attending the
ARC or being briefed outside of the meeting by the Chair.
responsibilities. This report shall
include:
i. the significant issues that it
considered in relation to the financial
statements (required under
paragraph 5) and how these were
addressed;
ii. its assessment of the
effectiveness of the external audit
process (required under paragraph
48), the approach taken to the
appointment or reappointment of the
external auditor, length of tenure of
audit firm, when a tender was last
conducted and advance notice of
any retendering plans; and
iii. any other issues on which the
board has requested the
Committee's opinion.
51. Advise the Board on any area it
deems appropriate within its remit
where action or improvement is
needed.
✓
The ARC Chair provides updates to the Board on key ARC matters as required.
52. Report on its activities in the
Group’s annual report. The report
should describe the work of the
Committee, including:
i. the significant issues that the
Committee considered in relation to
the financial statements and how
these issues were addressed;
ii. an explanation of how the
Committee has assessed the
independence and effectiveness of
the external audit process and the
approach taken to the appointment
or reappointment of the external
auditor, information on the length of
tenure of the current audit firm,
when a tender was last conducted
and advance notice of any
retendering plans; and
iii. an explanation of how auditor
independence and objectivity are
safeguarded if the external auditor
✓
The draft Annual Report for the year ended 28 March 2021 includes a report covering the work of the Committee.
provides non-audit services, having
regard to matters communicated to
it by the auditor.
53. The Company's Subsidiary Companies shall provide reports to the Committee on a regular basis and as requested by the Committee.
✓ ✓ N/A ✓ ✓ ✓
Noted the update from Post Office Insurance ARC.
Noted the update from Post Office Insurance ARC.
Noted the update from Post Office Insurance ARC.
Noted the update from Post Office Insurance ARC.
60 - 65 & 67. Membership & Attendance
✓ All membership and attendance requirements were adhered to.
The Chair of the Board does attend the Committee but is not a member (61).
66. Quorum shall be two members,
of whom one will have recent and
relevant financial experience.
✓ Adhered to at all meetings.
68. The Committee shall meet as
often as required but at least three
times per year.
✓ The Committee will have met 6 times in FY 2021/22, including the meeting on 24th January 2022.
69 - 71. Meetings requirements
✓ All meeting requirements were adhered to in FY 2021/22.
72. The Chair will report regularly to
the Board. Minutes of each
Committee meeting will be circulated
to all members of the Committee
and once agreed, to all members of
the Board.
✓
ARC Chair provides an update on ARC matters at each scheduled Board meeting as required, otherwise this is dealt with via Board members attending the
ARC or being briefed outside of the meeting by the Chair.
Minutes are circulated to members once approved by the Chair, but not to the full Board, who have access to the Committee Reading Room containing
signed minutes of the Committee.
73. The Company will provide
current and new Committee
members with any training, briefings
or induction required. The Group
Company Secretary (or his/her
nominee), the Group Chief Financial
Officer, the Group General Counsel,
the Head of Risk, the Director of
Compliance, the Head of Internal
Audit (or those holding positions
with responsibility for such roles,
howsoever named) and the External
Audit Partner will keep members
informed of relevant published
guidance as necessary.
v
Law & Trends Updates are included in ARC papers.
The Board receives an email (typically monthly) with a Boardroom briefing and information on training/ briefing sessions being offered by PWC, BEIS and
Pinsent Masons.
74. The Committee will undertake an
annual review of its performance
and the Terms of Reference. The
outcome of this review will be
recommended to the Board for
approval (notwithstanding
amendments approved by the
Committee whenever so required).
v
This Terms of
Reference Review for
financial year 2021/22
will be submitted to the
ARC meeting on 24
January 2022.
✓ Approved the plan of
action to address the
Independent Audit
Limited's external
Board & Committee
Evaluation report's
findings and
recommendations
relating to the
Committee.
N/A
N/A
N/A
N/A