POST OFFICE LIMITED
Capital One who were happy with the latest recommendations on
our approach to Mystery Shopping.
The Committee raised the following points:
- The Chair highlighted the organisational structure point in Action 1:
24/11/2020/ & 26/01/2021 – 9.1 – Historical Matters Unit – and
asked whether this issue was being resolved. NR confirmed that it
was, and that he would update the Committee on this matter before
NR
Christmas.
- The Committee discussed Mails and Dangerous Goods. The Chair
noted that the key issue appeared to be the application of labels,
and POL needed to arrive at Phase 3 where the customer took
responsibility for the label. AC stated that either the money was
found to install customer-operated pin pads and Horizon updates,
or this matter would not progress. The Chair agreed. The cost of
the required upgrades was estimated to be £15m.
- TC asked whether, when Suspicious Activity Reports (SARS) were
raised in branches, whether POL looked at how well-trained the PM
was, and whether this was part of the problem. stated that this
was checked as a matter of course.
The Committee otherwise
NOTED the Compliance Update.
3.3
Internal Audit (IA) Update
introduced the paper, which had been circulated previously
and was taken as read. The following points were made:
- Six audits had been completed since the last Committee meeting.
An emerging theme was the pressure on POL employees across the
business due to the workload caused by Historical Matters work and
the Statutory Inquiry. Delays in recruitment had led to a reliance
on contractors, and the knock-on effect of this was a delay in IA
actions being completed and a slowdown in the completion of
Common Issues Judgment (CIJ) and Horizon Issues Judgment (HIJ)
actions. Six audits were overdue as a result of lack of capacity.
The Committee raised the following points:
-
noted that the stamp stock scheme was now understood to be
separate to other PM detriments. An audit on this had almost been
completed as at December 2021. AC observed that this audit had
been performed quickly and cheaply and that it would be good to
replicate this approach to other audits.
- Zarin Patel (ZP) asked for a progress update on PCI Programme at
the January 2022 Committee meeting. TC raised the issue of
further delays to the PCI Programme. NR stated that the key issue
was the lack of Fujitsu resources being deployed; this was not likely
to improve, as the PCI programme was running in tandem with the
Belfast Exit programme.
- KM noted the high level of contractors used on the Strategic
Modernisation Programme (SPM) and Belfast Exit, with SPM
STRICTLY CONFIDENTIAL
5
POST OFFICE LIMITED
controls were tested, whether they met POL requirements and
checking that the right ownership of the controls was in place.
- IT were working in conjunction with the Finance Team on the IT
controls regime to build on effective frontline ownership by
progressing to second line assurance, and were moving towards
approval from Jeff Smyth to go forward with this.
- IT had started work on KPIs and reporting requirements staying
with the standard reports as far as possible from ServiceNow.
- IT had conducted a survey of controls owners, and would be
presenting an update on this in due course. So far feedback had
been positive.
- Risk and IT were working together on the link between risk and IT
Controls, and how these were extended to third parties. The aim
was to allow third parties to attest directly into the controls regime.
- IT would continue work on HIJ conformance and Belfast Exit, and
this would be reflected in POL’s IT controls maturity.
The Committee raised the following points:
- AC noted that insurance cover had been signed off for this year.
With regards to Cyber, POL had obtained less cover for higher cost.
When Computacenter went down earlier in the year, POL had no
oversight. This could happen to POL, Fujitsu or Horizon, so POL
might not have complete control over this risk, but achieving
greater clarity in this area was a point of focus for POL. ZP
AC
requested that AC send a note to ARC on what POL’s cyber
insurance covered.
The Committee
NOTED the IT Controls Deep Dive Update.
6.
Service and Support Controls
Amanda Jones (AJ) and
introduced the paper, which had
been circulated previously and was taken as read. The following points
were made:
- AJ reported that
had left POL
but there was still strong oversight of service and support
controls, albeit that the system was manual and relied on
spreadsheets and human intervention. In August 2021 it had been
proposed to transfer this system into ServiceNow, however funding
had not been granted, so and AJ were looking at how to deal
with this pragmatically.
- It was proposed that map the manual controls to see how these
might be set up on ServiceNow. Then a subset of the controls that
had the greatest impact on POL would be identified for prioritisation
to be moved across to ServiceNow. This process would be
approached one team at a time, and would start with branch
reconciliation. The current timeline was to get the first set of
controls transferred across to ServiceNow by the end of January
2022, and would focus on this as a business activity.
STRICTLY CONFIDENTIAL
7
POST OFFICE LIMITED
The Committee made the following points:
- ZP asked about the progress of the Tier 2 and Tier 3 investigations.
AJ stated that a new operating model had been set up for Tier 1
and Tier 2 this year, and a new leader had been brought in. There
had been some absences in the team this year, and it was different
work for the team but the work was under review, and was a priority
for AJ and for
, who had replaced
. POL were
recruiting for a new team leader, and brought in an internal expert
in reconciliation and risk management.
-
confirmed that the team manager had started on 29th November
2021, and POL were now interviewing for an operations manager,
with DMB staff providing support.
-
noted that some of the recommendations for Governance Risk
and Compliance (GRC) implementation were very forward-looking,
so , and
were proposing to put together a GRC governance
group to oversee the model.
- TC requested a further progress update on service and support
controls in the March 2022 ARC. AJ and confirmed they would
provide this.
The Chair stated that it would be helpful to understand
AJ/
any emerging key themes.
The Committee
NOTED the Service and Support Controls update.
7.
Financial Assurance over SPM
and
introduced the paper, which had
been circulated previously and was taken as read. The Committee made
the following points:
- ZP asked whether the financial controls framework would pick up
issues on Postmaster detriment. AC thought this was an operations
issue, and would look to Dan Zinner’s team to answer this.
-
stated he would pick up on Financial Assurance over SPM with
AC and offline.
The Committee
NOTED the Financial Assurance over SPM update.
8.
Financial Reporting Controls Environment
and
introduced the paper, which had
been circulated previously and was taken as read. The following points
were made:
-
reported that the move from TrAction to ServiceNow had
addressed many of the improvement objectives. Risks had been
streamlined, and Finance had obtained Blackline, a financial period
close tool to ensure automated control around balance sheet
reconciliations, reporting and journal posting. A rollout for this was
projected for April 2022.
- The Chair noted that the appendices to the report detailed a few
processes that hadn’t been run or tested, and asked whether these
had been addressed.
confirmed that the items in the appendices
STRICTLY CONFIDENTIAL
8
POST OFFICE LIMITED
- The Committee agreed that POL should instigate conversations
around the provision of the external audit with the expectation that
the PwC contract would be extended. On the internal audit side, a
tender would be run in 2022, and POL should take a view on
whether the HMU work should be separated from the rest of the
internal audit work.
The Committee
NOTED the Internal and External Audit Re-Tender paper.
12.
AOB
The Chair requested that
check that the Committee was compliant with
the Committee terms of reference for the FY 2020/21 Annual Report and
Accounts to be filed by 31 March 2022, and send to the Chair for review.
There being no further business, the meeting was closed at 11:10 hours.
13.
Items for Noting
The following papers were circulated to the Committee prior to the
meeting, but were not discussed at its meeting and
NOTED by the
Committee:
- Post Office Insurance ARC Update
- Mails Deep Dive and Dangerous Goods Update Paper
- Strategic Partner Risk Update
- Payment Practices Reporting Compliance
- Committee Forward Plan
……………………………………………… ……………………………
Chair Date
Meeting Actions:
Para
Action Detail
Action
No.
3.1
Risk Update:
took an action to review the risk ratings, and would come back to the
committee with this in January 2022.
3.2
Compliance Update:
noted that the Compliance paper reported at para 21 that by the end
of October 2021 the overall completion rate of ABC Compliance training
was 91%. That figure now stood at 95%, and Compliance had hit their
training obligations target.
asked how this compared
to previous years. agreed to confirm this offline with .
3.2
Compliance Update:
STRICTLY CONFIDENTIAL
11