POL00448826
POL00448826
3.4 Intemal Audit Update
@
“What we've built up in the banking team in the last year or two is it - there is no other skilled ATM 3.4
knowledge within the business. As noted, this has been compounded by organisational change, which .
has further removed awareness of current processes within the support teams regarding how POL has
done things over the past 15 years. So the problem is getting worse, not better.
The problems identified are difficult to address - the obvious answer being to bring in further resource.
In the absence of that available resource, the programme will simply have to support a) doing the job
itself right now (to meet the timelines) b) then, reporting on the job to support the process load that
sits over the programme and c) then track the project business benefits. These cannot happen in
parallel, and must happen in series as a result of the resource challenges we face.
The key in all of this is actually delivering: doing the job successfully, joining LINK, completing the
development work with Cennox, delivering the new solution and then rolling out the new hardware in
the time left.
We acknowledge that the programme is by definition tight and tightly controlled. The team is indeed
stretched but managing engagement and delivery pace using key resources to ensure tight timelines
can be met. There is little room for error/change/illness etc.”
Martin Kearsley - Product Portfolio Director - Banking, Payments & Transactional Products
15. IDG Assurance Phase 2 (Ref.2021/22-01)
The IDG has been established to provide oversight and coordination
of the improvement activities being undertaken across the business
to ensure the outputs from the GLO judgments have been
identified, catalogued and actioned. Phase 2 of the IA work focused
on remediation activities from the Deloitte Postmaster Journeys
work. We have also assessed other ‘orange’ improvements
completed since phase 1.
IDG are currently tracking 396 Improvements, with 303 (76%)
being marked as closed/complete and 93 (24%) are marked as
active/incomplete. This rate of closure continues to demonstrate
good progress, with delivery at pace.
Sponsor:
Dan Zinner We conclude that the IDG has continued to provide effective senior
management oversight and coordination of the improvement
Audit actions: activities being undertaken across the business, to ensure the
4 outputs from the GLO judgments are being actioned and
~ sustainably implemented. At the end of Phase 2, we highlight that
90 of the 97 improvements assessed are effective, with the
remainder being put back in remediation or deferred.
As with Phase 1, this report is not rated due to the progressive
nature of the completion of improvements to be tested.
Appendix 6
Management Comment provided by Dan Zinner (Group Chief Operating Officer)
“L agree with the findings from the IA team and appreciate the work completed. The operational teams
have been working hard to complete a significant number of improvements in a very short space of
time. It is inevitable that a few may be delayed. We will continue to work towards putting postmasters
at the heart of the service and support we provide. I hope that the remaining actions will be completed
and verified soon and look forward to Phase 3. Thank you again for all of your hard work to verify that
these actions have been completed successfully”.
Confidential
Post Office Limited - Audit, Risk & Compliance Committee-26/07/21 91 of 217
POL-BSFF-WITN-043-0000006,
3.4 Intemal Audit Update
@
POL00448826
POL00448826
92 of 217
16. Payzone Control Environment (Ref. 2021/22-08)
Needs Improvement
Sponsor:
Owen Woodley
Audit actions:
Appendix 7
The objective of this audit was to review the control environment
operating within Payzone Bill Payments Ltd.
The review assessed the design, operating effectiveness and
maturity of key Finance, commercial and IT controls, as well as the
effective operation and reporting of risks and control deficiencies
into Payzone Board and POL governance structures. The review
revisited the areas reported on after the previous audit in 2019 and
also followed up on the progress to fully exit TSA and reverse TSA.
Payzone have continued to develop their Finance capability and
have put in place a structure that facilitates good control disciplines.
Whilst the remote working situation has provided challenges with
formally evidencing some activities, the overall control environment
remains effective. Work on implementing POL policies and
procedures where applicable is progressing well and links with POL
Finance are being explored and developed. Some housekeeping
tasks around the documentation of processes remain, although this
audit confirmed that the majority of controls were working as
intended. The programme to exit the TSA is on target for the end
of October 2021 with the bank account due to be in place by August
2021. In-house development of Payzone’s own Credit Control
System, ‘Debtman’, has successfully delivered a_ significant
improvement in capability and has delivered efficiencies.
Likewise, we noted that Payzone have continued work to develop
and secure their IT control environment with a documented
strategy in place covering short, medium and long term IT
objectives, supported by the ongoing ISO27001 and ISO22301
accreditations. They are implementing a comprehensive
Programme management framework, supported by a clear process
for the development, test and release of software. Controls are in
place to secure the Payzone network and associated end-user
devices, and to provide operational support for most key platforms.
Activity is ongoing to migrate the webhosting environment in-
house, and to provide support for the Navision ERP tool. Additional
work is required to update development and coding standards, and
to refine policies to facilitate data loss prevention.
Management Comment provided by Andrew Goddard (Managing Director Payzone Bill Payments Ltd)
“The latest update represents a fair and accurate appraisal of the significant work completed to date
since the last audit at the end of 2019. It is encouraging that the audit team acknowledge that the
finance governance routines carried out by the team are done to a high standard and segregation,
supervision, checks and balances are all in place.
The PZBP management team and myself acknowledge and will action the improvements to be made
by the end of December 2021, specifically with regards to i) finance governance control processes
(purchase orders, month end checklists, and management of bad debts) and ii) IT development
documentation, website GDPR compliance, and data loss prevention amends.”
Confidential
Post Office Limited - Audit, Risk & Compliance Committee-26/07/21
3.4
POL-BSFF-WITN-043-0000006_0001
POL00448826
POL00448826
3.4 Intemal Audit Update
17. Historical Shortfall Scheme (HSS) (Ref. 2021/22-04)
HSS has successfully processed and settled almost 300 shortfall 3.4
claims from current and former Postmasters. The focus on lower
value and simple claims (under £8k and shortfall only, or ‘de
minimis’) has provided an opportunity to identify and address
operational and governance challenges before the Scheme moves
on to more complex cases.
Needs Improvement
This review assessed the scheme governance arrangements,
Sponsor: including oversight, reporting, escalation and claimant journey. We
Declan Salter also assessed operational controls to ensure the prompt and proper
resolution of claims.
Audit actions:
= Continuing changes to governance arrangements at HMBU level has
q provided a challenging backdrop against which to design and
1 operationalise processes over claims and payments. However, the
I HSS team has been successful in developing a coherent set of
5 i} processes, and no errors were found within our sample testing.
Appendix 8 Some weaknesses over process governance was identified, with
actions required to strengthen approvals and to clarify HMBU’s
oversight of claims processing undertaken by the law firm, Herbert
Smith Freehills. The need to maintain a complete and accurate
audit trail of all elements of the claims lifecycle is critical to enable
the Scheme to demonstrate that all claims have been treated fairly
and equitably.
The report is rated ‘Needs Improvement’ to reflect the findings,
which should be substantially actioned before the next phase of the
Scheme is underway.
Management Comment
“It is true to reflect that the governance process has been extended involving HM Committee, POL
Board, UKGI, BEIS SteerCo before the Independent Panel after which the recommendations from the
Panel have to traverse the same route again before an offer can be made. BEIS admitted today that
these new governance arrangements are “probably over-cooked” and need reducing.
It would be advisable to conduct an audit of HSF’s processes and governance to ensure that all decisions
are correctly recorded and complied with, particularly as such a great volume of the administration of
the scheme is being undertaken by HSF. This could be by POL IA or an external provider.”
Declan Salter (HM Director)
“Thank you to the audit team for their review. Going forward, we need to ensure that these issues are
addressed by the team including that claims and payments have the necessary approvals in place
(whether from Board or delegated). Such processes and approvals need to be documented. The broader
risk environment around the claims investigation and payments processes needs to be better identified
and reported upon. I have asked the team to review these findings and we will revert with appropriate
procedures and governance.”
Ben Foat (Group General Counsel)
10
Confidential
Post Office Limited - Audit, Risk & Compliance Committee-26/07/21 93 of 217
POL-BSFF-WITN-043-0000006_0002
POL00448826
POL00448826
3.4 Intemal Audit Update
@
18. HIJ Improvement Programme - Phase 1 (Ref. 2021/22-09)
Following the judgments from the Group Litigation Order, Post 3.4
Not Rated Office has undertaken a programme of improvements to overhaul
culture, practices and procedures throughout every part of the
business. The Judgment on the Horizon Issues trial (the “HIJ”) was
handed down in December 2019. The Judgment identified 15
specific issues, relating to bugs, errors and defects in Horizon, and
the operation of Horizon.
A four phase HIJ Remediation Programme has been set up to
address the issues raised in the judgment and to identify and map
required activity against each of the issues. Internal Audit
reviewed the HIJ Remediation Programme and Phase 0 activities
within the 2020/21 audit plan. The purpose of this review was to
validate activities and outputs for Phase 1, which are based on rapid
fixes identified at the programme outset and additional activities
defined during initial investigations.
wValidated mDelayed
Sponsor: We conclude that significant progress has been made within Phase
Jeff Smyth 1 of the HIJ Remediation Programme, leading to measurable
improvements in Horizon processes, controls and oversight. This
Audit actions: includes more robust management of KELS (Known Error Logs),
7 enhanced testing and oversight of system and data changes, more
secure and transparent Horizon application support, and laying the
groundwork for enhanced Postmaster communications and
programme management.
We identified a total of 51 Phase 1 outputs for 21 activities across
the 10 workstreams, 42 of which we validated as fully delivered. 9
Appendix 9 outputs across 5 activities have not yet been completed, all of
which have been formally flagged and escalated through
programme governance forums.
For the majority of outputs, management consider the impact of
delayed outputs to be minimal, but additional work is required to
mitigate the effect of delays in accessing keystroke logs and
transactional data. We concur with this assessment.
Our discussions indicated that challenges with Fujitsu resourcing
and engagement was the primary cause for the delays identified
and management are investigating alternative solutions to address
this gap.
Management Comment provided by Simon Oldnall (HM IT Director)
“I appreciate the complex set of deliverables and outcomes that the IA team have sought to review in
this audit report and confirm that the report reflects the overall progress we have made in remediation
of the 15 core judgement findings. This Phase has set the foundations for Phase 2 with workstreams
developing their analysis and solutions for the longer term, while also implementing immediate interim
fixes to address critical issues for the Postmasters.
Whilst the audit report calls out 9 areas where they have been unable to fully verify completion I am
confident that the majority of these have little impact on our overall remediation progress. Exceptions
to this are shown in the table (attached at Appendix 6 in full report) with their respective impacts and
our plans to address in Phase 2.”
it
Confidential
94 of 217 Post Office Limited - Audit, Risk & Compliance Committee-26/07/21
POL-BSFF-WITN-043-0000006_0003