POLARC13 (6"")
13/36 - 13/45
WITNO0740132
Strictly Confidential Exhibit WITNO0740192
POST OFFICE LIMITED
(Company no. 2154540)
(the Company)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held
on Tuesday 19 November 2013 by conference call
Present:
Alasdair Marnoch    Chairman of Committee
Neil McCausland     Senior Independent Director
Tim Franklin        Non-Executive Director
In attendance:
Paula Vennells      CEO
Chris Day           CFO
Chris Aujard        General Counsel (GC)
Alwen Lyons         Company Secretary
Sarah Hall          Head of Financial Control and Compliance
David Mason         Head of Risk Governance
Malcolm Zack        Head of Internal Audit
Lesley Sewell       Chief Information Officer (Minute 13/40 only)
Jeremy Midkiff      Senior Manager, Ernst & Young (Minute 13/42 only)
POLARC INTRODUCTION
13/36
A quorum being present, the Chairman of the Committee opened the
meeting and welcomed all those present.
POLARC MINUTES OF THE LAST MEETINGS AND MATTERS ARISING
13/37
(a) The Committee approved the minutes of the meetings held on 12
September 2013 for signature by the Chairman of the Committee.
(b) The Committee noted the actions list dated 12 November 2013.
POLARC RISK MANAGEMENT - TOP COMPANY RISKS
13/38
(a) The Committee had received an ExCo report on key risks from David
Mason, Head of Risk Governance, in the papers for the meeting. The
CFO explained that further work had been undertaken since publishing
the papers and asked that this be the focus of the Committee’s
discussions.
(b) The Committee discussed the top six risks as identified by the Business:
• Allegations relating to the integrity of the Horizon system;
• Failure to deliver top line growth in line with strategic plans;
• Operating Model fails to deliver requisite cost savings;
• Inadequate people capability or capacity to deliver transformational
change and the strategic plan;
• Non-delivery of Network Transformation Programme; and
• Strike action within Supply Chain could damage ability to distribute
cash to network (Industrial Relations/the CWU)
(c) In addition to the above risks, the Business identified three further risks
which would be monitored:
• the risk of regulatory action or reputational damage from FS mis-selling;
• the risk of not maintaining the security and integrity of Post Office
data; and
• the risk of unsuccessful delivery and operation following IT
transformation
(d) The CEO explained that the Business had owners for all the risks and was
reviewing the actions and assurance processes which were in place to
reduce the risks. The Business would also be reviewing the top risks at
the ExCo on a quarterly basis.
(e) The Committee thanked the CEO, noted that a lot of progress had been
made on risk identification and review and applauded the proposed
approach. The Committee acknowledged that good progress had
been made to date but stressed the need for further progress to be
delivered at a rapid pace.
ACTION: Alasdair Marnoch
(f) It was agreed that the Chairman of the Committee would update the
Board at the next meeting. The detail of the risks presented was captured
in an update for the Board which is shown as an addendum to these
minutes and would be discussed at the next Board meeting.
ACTION: Dave Mason
(g) The Chairman asked that the Business go back 18 months and review the
6 top risks and the 3 further risks to see how many would have been
identified at that stage.
(h) The Committee noted and supported the developing approach to risk
management in the Company.
POLARC CORPORATE AND NETWORK AUDIT
13/39
(a) The Committee received a paper from Malcolm Zack, Head of Internal
Audit, outlining the principles of internal auditing and options for the
future, including assurance that a plan was in place to deal with the
issues raised.
(b) The CFO explained that the Business had recognised the need for
additional resource in the Internal Audit (IA) function but also the need to
commission a short piece of external work to look at IT risk and audit. The
Committee supported that approach as the IT transformation was
complex and an external audit would give the Business assurance.
ACTION: Chris Aujard
(c) The Committee asked Chris Aujard, General Counsel, to undertake a risk
review of FS compliance, with input from Tim Franklin, to ensure the
Business is responding to changes in regulations and the Mortgage
Market Review. A paper should be brought to the next ARC highlighting
the Business’ compliance scorecard and the work carried out to date.
ACTION: Nick Kennett
(d) The Committee asked that the Director of Financial Services also be
invited to the next ARC for this discussion.
(e) The Committee agreed that the Risk Management and IA teams should
be focussed on the top 6 risks and 3 further risks and that enough
resource should be provided to fulfil this requirement. The CFO explained
that the structure for internal network audit would also be reviewed but
that this would be done at a later date and did not stop the Business
moving on strengthening the corporate IA function.
(f) The Committee noted the plan outlined in the Committee paper.
POLARC IT AUDIT FINDINGS - SOFTWARE LICENSING AND IDENTITY ACCESS MANAGEMENT
13/40
(a) The Committee welcomed Lesley Sewell, Chief Information Officer, to the
meeting.
(b) The Committee received a paper from Malcolm Zack summarising the
most recent internal audit reports on Identity and Access Management
and Software Licensing and assurance that an action plan was in place to
deal with the issues raised.
ACTION: Malcolm
(c) The Chairman thanked the Head of Internal Audit for the frank reports
which clearly identified the areas of concern. The Committee asked that
future reports included deadlines for all actions identified.
(d) Lesley Sewell explained that both audits were important as a baseline for
the Business as it separated from Royal Mail Group suppliers and would
enable her to ensure the new suppliers fulfilled the audit
recommendations as they took over the service.
(e) The Committee noted the outcomes of the reports.
(f) Lesley Sewell left the meeting.
POLARC PROJECT SPARROW AND PROSECUTING AUTHORITY
13/41
(a) Chris Aujard, General Counsel, updated the Committee on the approach
to prosecutions brought by the Post Office. He explained that, currently,
the Post Office brings criminal prosecutions under s.6(1) of the
Prosecution of Offences Act 1985, which empowers any individual or
company to bring a private criminal prosecution. He sought the
Committee’s views on potential changes to the prosecutions policy and
further work proposed before any formal recommendation could be made
for any changes to the prosecutions policy.
(b) The Committee discussed the alternative approaches to prosecution but
were concerned that if any changes were agreed the timing might
influence the mediation process by raising questions on previous
prosecutions.
(c) Chris Aujard explained that one of the issues was the perception that
subpostmasters had of the Post Office bringing prosecutions for false
accounting rather than theft, which was easier to establish. The
Committee asked whether the business would still be able to recover
branch losses through the Civil Courts. Chris Aujard explained that this
would still be open to the Business but it may be slower and not recover
as much. He explained that the Business was working to put in controls to
support subpostmasters and stop any debts escalating. The Committee
supported this but was nervous about changing the approach to
prosecutions as in their view this acted as a deterrent.
(d) The CEO thanked the Committee for the helpful challenge. She stressed
that the Business was not saying that it would never bring prosecutions,
but that it would be more circumspect in the cases it chose to take. She
agreed that the current approach was a deterrent but explained that there
were other deterrents such as suspension or termination of contract.
(e) The Committee noted that it expected that the number of prosecutions
would reduce over time regardless, as a result of the Business’
improvements in the overall control framework around the branch network
and the provision of support to sub-postmasters, in line with Project
Sparrow and Network Transformation.
ACTION: Chris Aujard
(f) It was suggested that the decision on the Company’s prosecuting policy
should be taken to the January Board.
(g) The CEO updated the Committee on Project Sparrow. She explained that
the lesson learned review was complete and the report would be available
late November/early December. The CEO drew the Committee’s attention
to two risks to the delivery of the Project.
(h) The first risk highlighted was that the Business had envisaged that the
final number of cases would have been under 100, but as the scheme
neared the deadline for application the number of applications was nearer
150, with nearly 50 received in the last couple of days before applications
closed. As a result, the timetable will have to be extended as each case
will need individual investigation and Second Sight will need to be with us
for longer. There will also be a resource cost to the Business which the
CFO is aware of.
(i) The second risk that had arisen concerned the compensation that
subpostmasters believed they were entitled to. It had become clear from
the applications for mediation that there was an expectation gap which the
Business needed to mitigate where possible.
(j) The Committee emphasised the need to reach conclusion as quickly as
possible and to constrain the costs. It was noted that the Board would
receive an update at the November Board meeting.
POLARC INTERIM REPORT REVIEW AND ERNST & YOUNG HALF YEAR REVIEW FINDINGS
13/42
(a) The Committee welcomed Jeremy Midkiff (JM), Senior Manager, Ernst &
Young to the meeting.
(b) Chris Day, CFO, invited the Committee to review the Company's Interim
Report and Condensed Financial Statements for the 2013-14 half year.
(c) The Committee also received a report from Ernst & Young (EY) on the
Company's Half Year Results 2013 - 2014. JM welcomed discussion on
this report.
(d) JM explained the scope of EY’s review of the Company's interim financial
statements. He noted that this was the first time that the Company had
issued interim results under IAS 34 and therefore the scope of EY’s
review was in accordance with ISRE 2410 and designed to give negative
assurance over the interim financial information.
(e) JM indicated that the scope of the review and focus areas were similar in
nature to the prior year full audit with focus areas being revenue
recognition, counterparty credit risk, pensions, classification of
exceptional costs on the income statement and review of corporation tax.
Based on the review to date, no findings were highlighted to the
Committee except for the reclassification SAD (summary audit difference)
related to the presentation of business transformation payments on the
balance sheet similar to the prior year end.
(f) JM noted that subsequent events procedures and management enquiries
will need to be updated to the expected date of sign-off and that a
management representation letter will be required for the interim results.
(g) Finally, whilst specifically not highlighted in the EY interim report, JM
highlighted the exceptional credit of £30m in the interim financial
information as a result of utilising part of the current year non-network
subsidy grant to offset costs which were incurred in the previous financial
year. Whilst there is no issue with the accounting treatment adopted by
the Business, EY wanted to highlight that this was an area of focus during
the interim review as it looked ‘odd’ to have a gain in the current period
financial statements for this specific matter.
(h) No other issues or findings were specifically highlighted to the Committee
for their consideration.
(i) Sarah Hall responded that the use of the 2012-13 additional grant had
been specified in a designation letter from BIS into amounts for capital
and agents’ compensation with the balance being available for other
spend. Although 2012-13 expenditure was below the total level of the
grant, the mix was different and about £30m was spent above the grant
level for expenditure that was transformational but neither capital nor
agents’ compensation. In setting the designation letter for the 2013-14
grant, this issue had been discussed with BIS and the 2013-14 letter
allocated a lower level to capital and agents’ compensation leaving a
greater balance for other transformational spend to cover the amounts in
the prior year that had not been covered by the 2012-13 grant as well as
expenditure in 2013-14. The Shareholder Executive team is aware of
this treatment and of the use of the grant to date.
(j) SH highlighted the key changes since the Board had reviewed the Interim
Report which mainly arose from the review by the Shareholder Executive
team and noted that there would be further changes required should the
funding announcement be made before the Interim Report was finalised.
It was agreed that these changes would be reviewed by the Board
Subcommittee which would be arranged for a date in the last week of
November or first week of December.
(k) The Committee noted the Interim Report Review and thanked Jeremy
Midkiff.
(l) Jeremy Midkiff left the meeting.
POLARC FINANCIAL SERVICES UPDATE, INCLUDING BANK OF IRELAND (UK) PLC CAPITAL AND LIQUIDITY
13/43
(a) The Committee considered the report received from Nick Kennett,
Financial Services Director.
ACTION: Nick Kennett
(b) The Committee asked for a note to update them on the effect of the Bank
of Ireland strategy on the savings portfolio and its position as value for
money for customers compared to the rest of the savings market.
ACTION: CEO
(c) There was concern that the Current Account rollout was delayed and the
Committee asked for a fuller update at the Board.
(d) The Committee noted the update.
POLARC PAPERS FOR NOTING
13/44
ACTION: CEO
ACTION: Chris Aujard
(a) The Committee noted the Information Security and Assurance Group
Specific Update on Brands Database. The CEO said that she would
check again that we had the right controls in place for the Brands
Database. The Committee asked the Business to test whether information
security for international payments was covered by the FCA.
(b) The Committee noted the Internal Audit activity update, status of agreed
actions.
(c) The Committee noted the report on the Committee’s first self-
assessment.
(d) Finally, the Committee noted the report on the annual review of the
Committee’s terms of reference and the Internal Audit Charter and
agreed that:
• the terms of reference be ratified; and
• the Charter be approved with the changes detailed in the report.
POLARC CLOSE
13/45
There being no further business, the meeting was declared closed.