POL00448805 - POL Change Assurance Report


POST OFFICE LIMITED - CHANGE ASSURANCE REPORT
PROGRAMME: Investment Funding Controls
REFERENCE: 2019/20-10

DATE ISSUED: 28 February 2020

Executive Summary

Background

The funding agreement between Post Office Limited and the Secretary of State for Business, Energy and
Industrial Strategy (BEIS) for 2018-21 (Funding Agreement) sets a Network Investment Payment of
£210m to enable the delivery of the 3 year Strategic Plan, which was endorsed by Post Office’s Board on
30 November 2017. The agreement also defines the obligation to report quarterly on the activities
undertaken, as well as their present and expected future performance. To date Post Office have
submitted seven progress reports with the full £210m of funding drawn in Q2 FY19/20.

During bi-lateral conversations in 2018, UK Government Investments (UKGI) raised concerns and sought
assurance over the robustness of Post Office’s oversight and control over the implementation of the
Strategic Plan (including how changes to forecasts are agreed, implemented and monitored). Internal
Audit were asked to review and assess the key portfolio level processes and controls, including those
governing progress and funding reporting. The audit identified some deficiencies in the controls over the
preparation of the Quarterly Delivery Report and Funding Requests paper (Quarterly Report) to UKGI,
particularly with regard to cost and benefit forecasts. The noted deficiencies had a minor impact on the
Q3 FY18/19 report. Remedial actions were agreed alongside plans already in place to enhance the
process. It was also agreed that Internal Audit would perform a follow-up review to assure the
effectiveness of the revised processes and controls.

Scope & Approach

Building upon the work done previously, the objective of this review was to confirm that findings from
the previous audit were sustainably addressed. This was done by re-assessing the controls in place to
manage and report on the Strategic Priorities in light of the enhancements implemented since January
2019. In particular, financial accuracy and the ability to track and report against the original funding and
to demonstrate realisation of benefits. Specifically:

* Programme Delivery and Benefits Realisation

o Assess the mechanisms in place at Strategic Portfolio Office (SPO) level to ensure programmes
and projects (with UKGI funding) are delivered on time, within budget and expected level of
quality, with particular focus on the enhancements and new tools implemented to manage the
process and clarity of roles & responsibilities.

o Assess the revised process for forward forecasting of cost and timing of spend against original
budget and approved changes.

o Assess the revised process and the controls in place at SPO and the Financial Performance &
Analysis team, to measure and report the committed benefits and agreed additional benefits
(beyond the Baseline), as well as, associated risks and mitigation plans.

* Reporting Approval and Clearance

o Assess the revised process by which quarterly reports to UKGI are produced and signed off,
including financial accuracy of the data presented.

The agreed Terms of Reference (ToR) is attached as Appendix 1.

Change Assurance Report: Investment Funding Controls

Conclusion

Satisfactory

Significant improvements were made to the governance and management of Change programmes and
projects throughout FY19/20. As a result, tighter control and clearer internal reporting of the
end-to-end activity lifecycle of each investment is now in place.

Likewise, significant improvements were also made in the processes for recording and reporting the
investment performance to external stakeholders. An improved engagement is in place with UKGI, and
the investment in tools (particularly with the implementation of Anaplan) made the reporting process
more agile and better controlled, addressing key issues noted during the previous audit. Furthermore,
UKGI is now also provided with monthly operational and financial performance information on key
initiatives (‘platinum’ and ‘gold’) supplementing the Quarterly Reports, thus enhancing UKGI oversight
of Post Office’s investment activities and robustness of the underlying controls.

We highlight that the reporting processes now in place, while significantly more robust than previously
assessed, can be further improved. The revised processes for compiling financial performance data are
not documented and are dependent on a key person. In addition, there are some control weaknesses
over Anaplan’s programme hierarchy that should be addressed.

Management Comment

“We continually discuss with UKGI their reporting needs and work to meet their requirements in an
efficient and effective manner. Our change spend continually changes and thus it is often challenging to
tie back to reports from a year ago, though in addition to reports, we have a monthly meeting to answer
any and all questions from UKGI to ensure they have full understanding and transparency of our change
spend.”

Dan Zinner, Chief Transformation Officer

Summary of Findings

The table below provides a summary of the findings and their ratings.

Scope Area: Programme Delivery and Benefits Realisation

| # | Finding | Rating* | Action Owner | Date |
|---|---------|---------|--------------|------|
| 1 | The revised processes for compiling financial performance data are not documented and are dependent on a key person | P2 | Max Jacobi | 30 June 2020 |

Scope Area: Reporting Approval and Clearance

| # | Finding | Rating* | Action Owner | Date |
|---|---------|---------|--------------|------|
| 2 | Process and controls weaknesses in Anaplan’s programme hierarchy | P2 | Max Jacobi | 30 June 2020 |
| 3 | Content and format differences in quarterly and monthly performance reports | P3 | Dan Zinner, Max Jacobi | 30 June 2020 |
| 4 | Minor presentation errors in Q3 and Q4 Quarterly Reports | P3 | Dan Zinner | 30 June 2020 |

* P1 = High Priority, P2 = Medium Priority, P3 = Low Priority

Detailed Findings and Agreed Actions

Scope Area: Programme Delivery and Benefits Realisation

Post Office Change function undertook a series of changes in 2019. This included the introduction of a
revised framework to govern change programmes, the Change Excellence Framework (CEF); the
appointment of the Chief Transformation Officer in July; and SPO and portfolio functions re-organisations
in September and November. These changes brought additional clarity over processes, roles and
responsibilities, a tighter degree of control over change activities and increased scrutiny of financial and
operating performance. These changes also better address the issue reported in the previous
audit.

Also during 2019 there was a significant investment in tools to facilitate the ongoing management of the
programmes and drive a better, faster and more insightful reporting of performance. This was done by
the implementation of ServiceNow (SNOW) Business Management module by SPO, the implementation
of Anaplan by the Finance Performance & Analytics (FP&A) and the implementation of a series of
interfaces and manual data input & approval steps between SNOW and CFS, Post Office’s back office
financial system.

Governance and key control improvements (from those highlighted in the previous audit report):

* Overall governance for change approval has not changed significantly but the submission and
approval processes and their accountabilities have been clarified by the revision of charters for each
of the governing bodies. Decision making retains the same delegation of authority principles from
the Post Office Board and Investment Committee (IC) with Portfolio Review Group (PRB) replacing
the Change Approval Group (CAG) to approve changes up to £2m total spend. In support of the IC
and PRB, a revised structure reporting to the CTO is now in place:

o The SPO continues to be the guardian of the methodology and oversight of programme delivery.
SPO has been re-structured into Change Governance, Change People and Portfolio Oversight
teams. Following a decision from PRB, IC or the Board, the Change Governance team is now
loading the programme’s approved budget into SNOW. This process triggers a series of control
activities, including interfacing with CFS the programme spend ceiling, thereby minimising
overspend. SPO also maintains a central repository of minuted decisions on programmes and
projects taken by the approval bodies. The Portfolio Oversight team is now also responsible for
compiling a monthly programme performance dashboard of key initiatives (rated as ‘platinum’
or ‘gold’) using performance information submitted by each programme in SNOW. This report is
also shared with UKGI to aid in the ongoing monitoring of the change activities.

o Portfolio Leads are now fully accountable for the delivery of programmes within their assigned
portfolios in line with the vision and requirements of the sponsor. The execution is driven at
programme level by programme/project leads. Each Portfolio Lead is supported by a PMO, who
aids in the governance and oversight of programme activities, including risk, issue and
dependency management and assessment of performance vs. delivery. This information is
captured in SNOW and serves as the basis for the weekly and monthly portfolio performance
assessments, as well as the operational performance dashboards presented at PRB, IC,
Executive Committee and UKGI. These dashboards are created from SNOW data extracts and
formatted for presentation purposes.

* Business Unit (BU) Finance Heads continue to assist in the business case preparation and drive the
initial financial review and costs categorization. Within their teams the BU Finance Heads have finance
leads with assigned oversight of specific programmes. These are working more closely with the
programme teams and Portfolio Leads to review budgets, approve and track actual spend and help
prepare forecasts. Anaplan is used to consolidate the financial position across all programmes as part
of the month-end processes. Actual costs are loaded from CFS by the FP&A team to be analysed and
variances are investigated. Forecasts and variance comments are added by the finance leads based
on input from programme and Portfolio Leads between month-end working days 5 and 10, by which
time the system is locked for reporting financial performance data. Anaplan can also be used by the
finance leads to forecast costs and benefits of new initiatives. This coupled with improved CEF
templates and tighter control over the information provided for funding approval allows a clearer
view and better management of benefits for new investments adopting Agile principles.

* A Project Masterdata team is in place supporting the setup and approval of the master data structure
needed to accurately record programme and project costs in CFS. There is a formal process document
clearly detailing the activities followed in SNOW and CFS for the creation and validation of programme
master data.

* The FP&A team, as owners of the planning process in Anaplan, facilitate and monitor the month-end
process across all BU change programmes and produce monthly and quarterly financial performance
data. This data provides the basis for the UKGI Quarterly Report and monthly performance reviews
by Business Units, IC and Group Executive, as well as the monthly performance report that is now
shared with UKGI.

1. The revised processes for compiling financial performance data are
not documented and are dependent on a key person

Finding (P2)

While robust, the processes that are followed to collect and produce financial performance data used
in reporting the monthly and quarterly reports are not fully documented and are heavily reliant on a
single individual.

While some processes are self-explanatory or included as menu options in Anaplan, the FP&A team
does perform a series of complex validations and reconciliations to ensure that CFS data and any
additional adjustments (e.g. disposal of assets) are complete and accurately integrated. The FP&A team
also manages the financial reporting hierarchy, a key and complex matrix that is the foundation of the
CFS data integration and the Anaplan reporting process. There is limited documentation with regard to
the activities followed.

Furthermore, the majority of the processes are performed by a single individual. While other members
of the team and the head of FP&A can complete the reporting processes, it is acknowledged that the
process may not be completed effectively and in a timely manner. As such, the head of FP&A has
initiated steps to cross-train and disseminate knowledge among the team.

Risk

Significant rework, reconciliations and risk of delayed reporting due to incomplete or inaccurate
financial performance data loaded into or extracted from Anaplan as processes are not appropriately
followed. Incomplete or inaccurate financial performance data may be reported.

Process improvements may not be sustainable in the long term in the absence of the key individual.

Agreed Management Actions
1. Fully document the end-to-end processes followed for the capture, validation and reporting of
financial performance data and complete the knowledge transfer and cross training of FP&A team.

Action Owner: Max Jacobi
Date: 30 June 2020

Scope Area: Reporting Approval and Clearance

The Funding Agreement defines a quarterly reporting obligation in relation to the change activities
undertaken and their present and expected future performance. During FY19/20, Post Office has
submitted three Quarterly Reports, but also monthly performance reports that contain both financial and
non-financial performance results of the key individual projects and programmes (rated ‘platinum’ or
‘gold’ investments). Both reports are now sponsored by Post Office CTO.

Reporting processes & control improvements (from those highlighted in the previous audit report):

* The same financial performance data is used for internal and external purposes. As previously
noted, SPO’s Portfolio Oversight team is now also responsible for compiling a monthly programme
performance dashboard out of the performance information maintained in SNOW. As a further
improvement, from Period 7 onwards the financial performance summary presented is produced
by FP&A with data extracted from Anaplan as opposed to the SPO requesting and combining
financial data. The financial data includes detailed period spend and achieved benefits as well as
year-end forecast of the same. In addition to serving as internal management dashboards, this
report is shared with UKGI as a monthly performance report to aid the ongoing monitoring of the
change activities.

* Both monthly and quarterly financial performance information and variance explanations are
prepared by the FP&A team, after Post Office’s month-end close processes, fully adopting one of
prior year’s audit recommendations. By using Anaplan, the process to consolidate and populate
the report data has improved significantly, now requiring fewer manual steps and complex, error-
prone MS Excel files. Additional commentary and variance explanations are added in Anaplan by
the Finance Business Partners based on input from programme and Portfolio Leads. The financial
data and commentary is extracted from Anaplan into templated MS Excel files to facilitate the
production of the tables included in the reports. After the extraction of the Anaplan information a
draft paper is written by the head of FP&A team with additional input from the CTO, SPO, Portfolio
leads and finance business partners. The final Quarterly Report is reviewed and signed off by the
CTO before it is submitted to the Board.

* Historical project spend by month from the start of the Funding Agreement has been loaded into
Anaplan. This enables complex queries and provides the ability to extract and report a wider set
of information. Spend and benefit forecasting remain a quarterly activity, which is also in Anaplan.
Integration of pre-FY18/19 spend (prior funding cycle) was assessed but was not considered cost
effective. Although not currently in Anaplan, pre-FY18/19 total spend is included when applicable
to live programmes in some of the detail of the investment dashboards. Although a manual and
complex process, a pre-FY18/19 quarter by quarter spend can be compiled for all programmes
from historical records if required for comparison.

Key to these improvements is a programme hierarchy that serves as the Anaplan master record. It links
each programme to the Strategic Priorities agreed with BEIS at the start of this Funding Agreement and
the BU that the programme supports, and maps the programme to its corresponding cost structure (WBS),
cost centre and owner in CFS to allow the corresponding cost extraction.

2. Processes and controls weaknesses in Anaplan’s programme hierarchy

Finding (P2)

A key element of the improved reporting processes, Anaplan’s programme hierarchy, has process
and control weaknesses. While the detailed testing of the re-processing of the Q3 and Q4 Quarterly
Reports has not noted errors, clarifications were needed to validate differences reported. The majority
of these relate to re-allocation of programmes or elements of programme spend across Strategic
Priorities. An additional walkthrough while shadowing the P10 reporting cycle further confirmed the
process weaknesses. Specifically:

* Different programme hierarchies exist in Anaplan, SNOW and CFS, as a single common master
does not exist and, while there is some process automation between systems, changes in
Anaplan hierarchy rely on good communication between all teams (FP&A, SPO, Finance Business
Partner, and Project Masterdata). An integrated solution with full system interfacing was
deemed not cost effective and as such was not implemented. The teams have identified
the weaknesses in communication of changes and recognise the need to improve the process.

* Anaplan’s programme hierarchy is not subject to change control and no change log is
maintained by FP&A, with updates reflected directly in the latest version. While prior versions
are maintained, making it possible to compare and trace changes, this information is not
centrally kept and logged in the hierarchy. Examples of hierarchy changes include new or closed
programmes, changes between BUs or additional child projects or cost structures (WBS codes).

* There is no agreed materiality threshold for allocating programmes and projects into an ‘Other
smaller projects’ category. This category is used to provide a consolidated single line item
position of smaller investments in the Quarterly Report and is shown in the appendix data for
each Strategic Priority. This line is therefore reassessed quarterly and manually reflected in the
hierarchy.

The above weaknesses are currently being mitigated by FP&A team in complex and time-consuming
reconciliations, both before and during month-end, to ensure a complete and accurate hierarchy is in
place throughout the reporting process.

We further highlight that, due to the historical breakdown of the Investment Agreement into Strategic
Priorities, the hierarchy also has to maintain an additional dimension with added complexity to allow
the mapping of programmes and projects. The hierarchy is also maintained at Business Unit level.

Risk

Inadequate management of Anaplan’s programme hierarchy limits the ability of the internal and
external customers of financial performance data to determine whether programmes are being
delivered within time, budget and to the expected level of quality. There remains a risk of erroneous
information being reported.

Agreed Management Actions
2a. Implement a formal change control process over the hierarchy matrix.
2b. Discuss and agree with UKGI materiality for the ‘Other smaller projects’.

2c. Evaluate further opportunities to simplify the process, reducing the need to perform complex
monthly reconciliations (e.g. mechanisms to ensure cross systems indexing).

Action Owner: Max Jacobi
Date: 30 June 2020

3. Content and format differences in quarterly and monthly performance
reports

Finding (P3)

There are content and format differences between the Quarterly Reports and the monthly
performance reports, which could cause confusion and lead to the misinterpretation of Post Office’s
investment performance within the current funding cycle. Specifically:

* The Quarterly Reports vary in detail with FY19/20 Q3 and Q4 excluding dimensions of spend
(total spend and 3YP forecasted spend & benefit information) from previous reports. The agreed
plan with UKGI is to re-introduce these into the next report.

* There is a significant quarter by quarter variance of the ‘Other smaller projects’ category within
each ‘Strategic Priority’. Initiatives can be consolidated or individually listed as a result of re-
prioritisation, budget or spend changes. As highlighted above, there is no agreed materiality
threshold for the consolidation of programmes.

* Monthly performance dashboards also include spend and benefit information of previous funding
cycles as some key live investments started prior to FY18/19.

Content and format changes are expected and are done by request or with agreement of UKGI. It is
acknowledged that the changes are the result of internal and external need for BEIS macro level
forecast for quarterly spend demand oversight, UKGI’s comprehensive performance monitoring, or Post
Office’s total spend lifecycle and ROI views. However, to an outside party these may not be adequately
understood and can be misinterpreted, particularly when comparing information between quarterly and
monthly reports.

Risk

There is some risk that Post Office’s investment performance over the current cycle is misinterpreted
by external parties in the event of a Freedom of Information Act (FOIA) request of Post Office
information, with the associated effort for its management and follow-up. There is a residual
reputational risk for the misinterpretation of Post Office investment performance.

Agreed Management Actions

3. Further engage with UKGI to review the report standards so as to align monthly and quarterly
performance information.

Action Owner: Dan Zinner, Max Jacobi
Date: 30 June 2020

4. Minor presentation errors in Q3 and Q4 Quarterly Reports

Finding (P3)

The assessment of the Q3 and Q4 Quarterly Reports has noted the following presentation errors:

* Both Q3 and Q4 reports incorrectly state the position for the monies drawn and still available
to be drawn by Post Office. Both show the end of FY18/19 position as opposed to their respective
quarterly status. We highlight that, as of FY19/20 Q2, all available funding has been drawn.

* One appendix table in the Q3 report, reflecting the name changes of programmes and projects,
contains errors and duplications and did not comprehensively reflect all designations used by key
programmes during the Funding Agreement.

Although the above are acknowledged as presentation errors rather than errors in financial data, it is
important to maintain accuracy throughout so that the credibility of the report overall is not
undermined.

Risk

Incoherent information being reported requires clarification and does not enable a clear view of Post
Office’s investment performance for the current funding cycle.

Agreed Management Actions

4. Information will be corrected in the upcoming Quarterly Report and confirmation will be sought from
UKGI as to the need for a further name changes report in the upcoming report. Furthermore, report review
and clearing will be strengthened with the lessons brought by this audit report.

Action Owner: Dan Zinner
Date: 30 June 2020

Distribution List

Executive Sponsor:

Dan Zinner - CTO

Al Cameron - CFO and COO

Distribution: Max Jacobi - Head of FP&A
Michael Brown - Head of Portfolio Oversight
Audit Team: Diogo Vidinhas
Iva Zhikova - Deloitte
Daniel Thompson - Deloitte
Key Dates: ToR Agreed: 20 December 2018
Fieldwork: 27 Jan - 14 Feb 2020

Close Meeting: 17 February 2020
Draft Report: 24 February 2020
Final Report: 28 February 2020

RCC scheduled: 09 March 2020
ARC scheduled: 24 March 2020

Appendices

Appendix 1 - Terms of Reference

Background:

In line with the UKGI funding agreement, Post Office reports on a quarterly basis, progress against its
2018-21 Strategic Plan. This information supports the progress reporting and drawdown requests agreed
with the Department for Business, Energy and Industrial Strategy (BEIS).

The Strategic Plan, which includes a detailed baseline of Strategic Priorities (Baseline), was endorsed by
the Board and submitted to the shareholder on 30th Nov 2017. To date the Post Office has submitted seven
progress reports with the full £210m agreed funding drawn as of October 2019.

An Internal Audit review conducted in November 2018 provided assurance over the accuracy of costs
reported, but highlighted deficiencies with regard to projected costs and benefits as well as noting control
gaps in the mechanisms followed to compile and report information to UKGI. Management agreed to
implement corrective controls.

Reason for Audit:

As agreed with the Board, a follow-up of the FY2018/19 Investment Funding review will be done to assess
the robustness of Post Office’s oversight and control over the Strategic Priorities (including how changes
to forecasts are agreed, implemented and monitored). This includes performing detail testing over the
closure of the previous audit actions.

Key Risks:

* Inadequate governance, oversight and reporting over scope and budget changes to the Baseline
change plan agreed with UKGI.

* Inadequate governance and reporting of the Strategic Priorities and the benefits that were agreed
with UKGI.

* Inadequate controls and assurance over ongoing expenditure and drawdown processes/criteria.

Scope of Audit:

Building upon the work done previously, the objective of this review is to confirm that findings from
the
previous audit were sustainably addressed. This will be done by re-assessing the controls in place to
manage and report on the Strategic Priorities in light of the enhancements implemented since January
2019. In particular, financial accuracy and the ability to track and report against the original funding and
to demonstrate realisation of benefits. Specifically:

Programme Delivery and Benefits Realisation

* Assess the mechanisms in place at Strategic Portfolio Office (SPO) level to ensure programmes and
projects (with UKGI funding) are delivered on time, within budget and expected level of quality, with
particular focus on the enhancements and new tools implemented to manage the process. (To include
clarity of roles & responsibilities.)

* Assess the revised process for forward forecasting of cost and timing of spend against original budget
and approved changes.

* Assess the revised process and the controls in place at SPO and the Financial Performance & Analysis
team, to measure and report the committed benefits and agreed additional benefits (beyond the
Baseline), as well as, associated risks and mitigation plans, including once the programmes have
transitioned into Business as usual.

Reporting Approval and Clearance

* Assess the revised process by which quarterly reports to UKGI are produced and signed off, including
financial accuracy of the data presented.

Out of Scope:

Similarly to the previous audit, this audit will not assess individual programme level controls as these
are being assessed, for key strategic programmes, as part of the scheduled 2019/20 IA Change
Assurance plan.

Timeline:

ToR agreed: 20 Dec 2019

Field Work: 20 Jan - 07 Feb 2020

Draft report: 21 Feb 2020

Final report: 28 Feb 2020

RCC: 9 March 2020

ARC: 24 March 2020


Appendix 2 - Report and findings rating guide

Audit finding rating descriptions:

| Ratings | Description |
|---------|-------------|
| P1 (High priority) | Issues arising referring to important matters that are fundamental and material to the system of internal control. The matters observed might cause a system objective not to be met or leave a risk unmitigated and need to be addressed as a matter of urgency. |
| P2 (Medium priority) | Issues arising that if not addressed may in time adversely impact the controls environment. |
| P3 (Low priority) | Issues arising that would, if corrected, improve internal control or efficiency in general but are not vital to the overall system of internal control. |

Report ratings:

The specific rationale for the report opinion rating will depend on a variety of factors including:

* The number of control issues identified
* The priority rating given to these issues
* The significance of the risks attaching to the area under review
* The overall status of the control environment for the business area under review

We will categorise our report opinion according to the below rating:

Description

Generally appropriate design and operation of the key controls
tested, with only minor control weaknesses or process inefficiencies
identified.

Some weaknesses in internal controls which need resolving. A
number of non-adherences with internal or external guidelines and
weaknesses in records, systems and controls were identified.

Inadequate internal control environment which requires
management attention and improvement as priority. A high number
of non-compliances with internal and external guidelines, and
weaknesses in records, systems and controls were identified and/or
non-compliance with regulator/contractual requirements. Examples
may include reputational damage or inappropriate use of assets.

Major breakdown in internal control environment which requires
urgent Senior Management intervention. A significant number of
non-compliances with internal and external guidelines and
weaknesses in records, systems and controls were identified. Non-
compliance with regulatory/contractual requirements, risk of
significant reputational damage or significant inappropriate use of
assets.
