11 May 2023 – Roderick Ismay
Hide video Show video
(9.58 am)
Mr Beer: May I call Roderick Ismay.
Sir Wyn Williams: Of course.
Roderick Ismay
RODERICK MARK ISMAY (sworn).
Questioned by Mr Beer
Mr Beer: Good morning, Mr Ismay, my name is Jason Beer and I ask questions on behalf of the Inquiry. Can you give us your full name, please?
Roderick Ismay: Roderick Mark Ismay.
Mr Beer: Thank you for coming today to assist the Inquiry in its work and thanks also for the provision of a witness statement, we’re very grateful to you. You should have in front of you a hard copy of that witness statement, it’s dated 13 January 2023 and if you turn to the last page of it, which is page 20, you should see a signature. Is that your signature?
Roderick Ismay: That is my signature, yes.
Mr Beer: Are the contents of that witness statement true to the best of your knowledge and belief?
Roderick Ismay: Yes, they are.
Mr Beer: For the purpose of the transcript – it needn’t be displayed – the URN is WITN04630100. I’m going to ask you questions today about the range of matters referred into your witness statement, but not about certain matters that arise in Phase 5 of the Inquiry, in particular I’m not going to ask you about the Second Sight investigation, nor Phase 6 of the Inquiry.
Can I start, please, with your career, qualifications and experience. Do you have any professional qualifications that are relevant to the issues that we’re going to speak about today?
Roderick Ismay: So my professional qualification is a chartered accountant.
Mr Beer: What degree did you obtain?
Roderick Ismay: Accountancy.
Mr Beer: When did you become a chartered accountant?
Roderick Ismay: I think that was 1994 or 5.
Mr Beer: I think you then worked in Ernst & Young; is that right?
Roderick Ismay: That’s correct.
Mr Beer: Was Ernst & Young at that time an accountancy, audit and management consulting firm?
Roderick Ismay: Yes, it was, yes.
Mr Beer: Over what period did you work for Ernst & Young?
Roderick Ismay: I worked for Ernst & Young from when I left university, which would be 1992, I think, and I worked for them for about 11 years, probably until 2003.
Mr Beer: When you joined the Post Office?
Roderick Ismay: When I joined the Post Office, yes.
Mr Beer: What was your role in Ernst & Young?
Roderick Ismay: So I joined Ernst & Young as an audit trainee, and did my studies during the first couple of years working with Ernst & Young. I worked in our Sheffield office and had a number of audit clients in the Sheffield area, spanning manufacturing businesses, pharmaceuticals and the Post Office.
Mr Beer: If I divided Ernst & Young’s work into three things, accountancy, audit and management consultancy, you were in the audit part; is that right?
Roderick Ismay: I was in the audit part. There were certain times where people would work with different functions and I did spend some time working with the management consultancy practice as well.
Mr Beer: In the answer before last you gave the range of clients that you worked for and, amongst those, was the Post Office.
Roderick Ismay: Yes.
Mr Beer: What work did you do for the Post Office when you were at Ernst & Young?
Roderick Ismay: So I initially was a trainee within the audit team, an audit junior, and progressed through such that I was senior manager on the Post Office Counters audit account when I finished.
Mr Beer: For how long did you work for the Post Office when you were at Ernst & Young?
Roderick Ismay: The Post Office would have been one of the first clients that I started on working at Ernst & Young, and so probably for the tenure of my time at Ernst & Young, I – Post Office would have been one of my clients, so that would have been about 11 years.
Mr Beer: So for the entirety of the 11 years, at one time or another, the Post Office was a client –
Roderick Ismay: Yes.
Mr Beer: – of Ernst & Young and you were working on that account?
Roderick Ismay: Yes, the Post Office was a client of Ernst & Young throughout all my time there and each year I would have had some involvement with the Post Office on the audit, yes.
Mr Beer: Were you part of the Ernst & Young team that reviewed what was called the CAPS project in November and December 1996?
Roderick Ismay: I can’t remember the acronym CAPS, I don’t know.
Mr Beer: Were you part of the Ernst & Young team that advised Post Office Counters Limited on a series of Acceptance Incidents, as they were called, in August 1999 as part of the contractual process of accepting the Horizon System?
Roderick Ismay: I can’t remember doing that and I don’t think, no.
Mr Beer: In the course of that process, the acceptance period, serious concerns were raised by Ernst & Young over the integrity of the data that Horizon produced, such that Ernst & Young felt unable to provide an unqualified opinion on the accuracy of Post Office Counters Limited’s accounts. Do you recall participating in that?
Roderick Ismay: I would have been involved in the Post Office Counters audit at that time. I can’t remember a matter in the audit opinions relating to the Horizon System in respect of its reliability but I can remember that the Post Office spent a lot of money on Horizon and it impaired the total value of it, such that the organisation had a question about going concern. So there was a £1 billion impairment, which raised a significant, as I say, going concern question for Post Office Counters, and for Royal Mail at the time.
My recollection would be that any reference of concern in the audit opinions, I think, would have been uncertainty related to the going concern of the organisation. I can’t remember it being a narrative about the integrity of the Horizon System. But I may be wrong. I may have forgotten but my recollection would be that it was the impairment and the going concern of the organisation.
Mr Beer: This was a different issue. It culminated – I’m not going into detail on this but it culminated in a letter that we’ve seen a lot of, dated 23 August 1999, in which Ernst & Young said they were so concerned about the integrity of the data produced by Horizon that they would, if the problems persisted, be unable to sign off the accounts without expressing a qualified opinion?
Roderick Ismay: I think that we were approached by the Finance Director at the time with what my recollection would be a hypothetical question of, given that it was a complex system that was being deployed, a hypothetical question of, if there were anomalies, would you be able to sign the accounts on an unqualified basis, and on that – so my recollection would be that that was a hypothetical question, which led to that. I don’t remember that being something that manifested itself in the audit opinion in the published accounts, though.
Mr Beer: Why was a hypothetical question being asked, to your knowledge, that, if there were these problems with Horizon data, would you be able to offer an unqualified opinion? Why was the hypothetical being asked?
Roderick Ismay: I think that the hypothetical was being asked because it was a very difficult contractual situation for the deployment of an enormously expensive system, where the partnership between BA, the Benefits Agency, and Post Office Counters at the time, and the extent to which benefits were going to get paid either directly into bank accounts or through cash in post office counters, was an enormously complex and sensitive question for the citizens of the country at the time.
And I think that the Post Office, as – something that – my recollection would be that there was an original request for benefits to be paid on an automated basis through post offices. That kind of evolved, and there was more of a question of is it going to be paid directly into bank accounts or not? The risk of it being paid into bank accounts directly would mean that a lot of footfall into post offices would not happen which, in turn, would have bought a question about the viability of the Post Office.
That’s a different thing to the integrity of the Horizon System but I think, within the sort of dynamics of the contractual conversations that were going on, the ability to table powerful statements with the suppliers and designers of the systems probably led to that question which would give impetus to the Post Office to make sure that a robust system was designed. It would have been extra leverage amongst all the different stakeholders to say “Our auditors would not be happy if this system did not work and, therefore, if such a situation did arise, what would your opinion be?”
And I think that was the context of what led to that –
Mr Beer: So who was asking you?
Roderick Ismay: I think the question was coming from the Finance Director of the Post Office at the time, asking Ernst & Young.
Mr Beer: Sorry, I missed that name?
Roderick Ismay: I think the question was coming from the Finance Director of the Post Office as a question to Ernst & Young at the time.
Sir Wyn Williams: Can I ask, can everyone hear Mr Ismay all right? Because, for some reason, I’m not catching every word, but if everybody else, is, that’s fine.
The Witness: I’ll move nearer the mic.
Sir Wyn Williams: No, no, I have a screen showing what you’re saying as well but –
Mr Stein: Sir, if I may say so and with respect to Mr Ismay, he speaks a little fast. Now, bearing in mind I do sometimes, I understand the problem.
Sir Wyn Williams: Fine.
The Witness: Okay, I’ll try to slow down. Apologies.
Mr Beer: So was the Finance Director of Post Office asking you in Ernst & Young this question?
Roderick Ismay: He was asking Ernst & Young that question.
Mr Beer: What was your involvement in the provision of an answer to the question?
Roderick Ismay: I can’t remember but I expect that the question would probably have come through to the audit partner and, as the senior manager on the account, or the manager at that time, I think, I would have been consulted as part of “What is the Ernst & Young response going to be to that question?”
Mr Beer: Did these discussions, to your memory, involve a concern over the integrity of the data that Horizon was producing?
Roderick Ismay: I think the question was if the – I’m trying to remember what you said right at the start of the question about a qualification, you referred to, at the start?
Mr Beer: Yes.
Roderick Ismay: So I presume that would have come from the question about the integrity but, as I say, my recollection of the actual audit opinion going into the statutory accounts was that it was more about the impairment and the going concern of the organisation that was the matter of concern and focus within the audit.
Mr Beer: What did you learn, if anything, at this time before you left Ernst & Young over concerns within the Post Office expressed to Ernst & Young or found by Ernst & Young over the integrity of the data that Horizon produced?
Roderick Ismay: I haven’t got a recollection of things in my Ernst & Young role having come from the Post Office to say that there were concerns about the system, no. My recollection would be more about the impairment and consequently looking at income generating units within the Post Office Network and the Post Office commercial side of the business to say is that a – is there a return to profitability for the different segments of the Post Office Counters organisation at the time.
Mr Beer: So we’re talking about entirely different issues. I’m talking about Ernst & Young writing to the Post Office saying, “We’ve got such concerns about the integrity of the system that you’re operating that we can’t offer an unqualified opinion”. You’re talking about the profitability of the organisation generally?
Roderick Ismay: Yes, I am. Sorry, I realise that’s different to your question but I can’t remember something – I can’t remember a conversation about the integrity of the system, at that time, leading to correspondence from Ernst & Young about it that I was involved in.
Mr Beer: In any event, you joined the Post Office in September 2003 and left in March 2016, and so served in the Post Office for 13 years?
Roderick Ismay: Yes.
Mr Beer: Is it right that in that 13-year period you undertook three main roles. Firstly as Head of Risk and Control –
Roderick Ismay: Yes.
Mr Beer: – between September 2003 and June 2006?
Roderick Ismay: Yes.
Mr Beer: A period of about three years?
Roderick Ismay: Yeah, yeah.
Mr Beer: Secondly, as Head of Product and Branch Accounting, P&BA, from June 2006 onwards?
Roderick Ismay: Yeah.
Mr Beer: Then, thirdly, your job description was Head of the Finance Service Centre.
Roderick Ismay: Yes.
Mr Beer: When was that from?
Roderick Ismay: I’m not sure when Product and Branch Accounting became the Finance Service Centre but somewhere between 2010 and 2014, somewhere within that period. So the – I continued to lead to the Product and Branch Accounting, the people who were part of the Product and Branch Accounting team that whole operation became part of the Finance Service Centre and we took on certain other functions like accounts payable. It was part of a precursor to Royal Mail privatisation and separating the Post Office from Royal Mail.
So certain transaction processing functions, if you like, like accounts payable, needed to be built for the Post Office to have on its own because it had relied on Royal Mail before. So probably the move from it being P&BA to Finance Service Centre would probably have been two or three years before Royal Mail privatisation because it was part of that journey.
Mr Beer: Can I deal with each of those three roles in turn, then.
Roderick Ismay: Yes.
Mr Beer: Firstly, your work as Head of Risk and Control and, as we’ve said, that was from September 2003 until June 2006. What was the nature of your role as Head of Risk and Control?
Roderick Ismay: So the role – initially, I came into the organisation with two internal control managers. I’m not sure who they reported to before but that became part of my team. But the main mandate from the Finance Director coming into the organisation, when I took that role, really was about getting ready for Financial Services.
So I was involved in writing the final management letter from Ernst & Young to the Post Office in my last year at Ernst & Young, and one of the observations that I made in there was just a kind of routine observation that the organisation is moving into financial services and it’s going to be important that financial services compliance is a key part of the organisation moving forward. So when I joined, the Finance Director effectively said, “Your last management letter said get ready for compliance for financial services, so that’s what I’d like you to do”.
So that dominated my job when I joined the Post Office, even though I’d got a title of risk and control, which did involve talking to heads of different departments in the organisation about what they saw as risks in their areas and working with Royal Mail Group audit to look at vital few controls audit activity, such as it might be a payroll process.
The bulk of my actual time for a good amount of time in that job was going to seminars with the – I think the FSA, as it was at the time and meeting Bank of Ireland, and helping to – helping the Post Office understand what it’s responsibilities were going to be as an appointed representative to the Bank of Ireland as it entered Financial Services.
Mr Beer: If somebody asks me what I did as my job I would say I provide legal services, I ask questions of witnesses in court and I write opinions and advices, full stop.
Roderick Ismay: Right, yeah.
Mr Beer: Could you translate the answer I’ve just given into what you did between 2003 and 2006 for your job in sort of a 1, 2, 3, if there are three?
Roderick Ismay: My job title was about talking to different functions around the organisation to find out what their risks were, to assess controls in their areas. That was what my job title would be. In practice, most of my time was looking at financial services compliance.
Mr Beer: So your role was principally financial services compliance?
Roderick Ismay: Yeah, so for a large part of that risk and control job, it was financial services compliance.
Mr Beer: Your title was Head of Risk. What other risks, other than financial, were within your portfolio?
Roderick Ismay: Any risk that the organisation could have would be something that could come on to the risk radar and be subject to linkages to that job.
Mr Beer: To whom did you report?
Roderick Ismay: I was a direct report to the Finance Director.
Mr Beer: Who was?
Roderick Ismay: Who was when I joined, that was Peter Corbett.
Mr Beer: Did it remain Peter Corbett for the three years?
Roderick Ismay: Yes, it did, yes.
Mr Beer: Did you attend board meetings of Post Office Limited?
Roderick Ismay: I did for – I was in attendance or presenting on certain topics, which were financial services related.
Mr Beer: How frequently did you attend Post Office Limited board meetings?
Roderick Ismay: I – not many. I probably went to a couple of them and I’m not actually sure whether it was Post Office Limited board or Post Office Limited Executive Team. So the group that I was going into had got David Mills, who was Post Office Managing Director at the time, and his executive team. I wasn’t in a room which had got non-executive directors in. So I may have been wrong to say that I was in board meetings. It may have been Post Office Limited Executive Team meetings that I was in.
Mr Beer: In that three-year period, you think you attended a couple of times?
Roderick Ismay: I think I attended a couple of times in there, and, yeah, and then that led to also a Post Office Limited Risk and Compliance Committee.
Mr Beer: We’ll come to that in a moment.
Roderick Ismay: Right.
Mr Beer: Did you prepare written reports for the Post Office Board Executive Team meetings?
Roderick Ismay: I think I prepared one to do with the Bank of Ireland and getting ready for financial services, yeah.
Mr Beer: Was the format that they were tabled at such board meetings and then you would present them?
Roderick Ismay: Yes, but, as I say, I’m not sure whether it was board or –
Mr Beer: Executive Team?
Roderick Ismay: – but yes, and I would have just been in attendance for that part of the meeting.
Mr Beer: When you took over the role, how many people reported to you?
Roderick Ismay: When I joined, two people reported to me.
Mr Beer: They’re the two internal control managers that you spoke of earlier?
Roderick Ismay: Yes.
Mr Beer: What is an internal control manager?
Roderick Ismay: A bit like an auditor, so somebody who would look after the processes in a particular function and test the controls in that area.
Mr Beer: How many people did they have underneath them?
Roderick Ismay: None.
Mr Beer: So you had a staff of two?
Roderick Ismay: Yes.
Mr Beer: You say in your witness statement that the role evolved to take on responsibility for the Branch Audit Team?
Roderick Ismay: Yes.
Mr Beer: What was the Branch Audit Team?
Roderick Ismay: That was the individuals who would go out to Post Office branches to conduct physical asset verification audits which would be checking cash and stock. They would also go out to Post Office branches and to Post Office cash centres to count cash again there but also to perform compliance checks.
Mr Beer: How many people were in the Branch Audit Teams?
Roderick Ismay: A lot. Probably – it could have been around about 100 when I joined. So – no. When I joined, I had two people. When I got the branch audit team and that came to me, that would have been about 100 people in that team.
Mr Beer: How were the branch audit teams organised?
Roderick Ismay: There was a national audit team manager who had regional managers reporting to him. So I think we had seven regions back then. So there would have been, say, a North Thames and East Anglia I think, individual managing a team of seven, eight, nine people for that region. So the audit manager had got seven reports under him, I think, and then also an individual who would have been doing risk modelling to identify where the regional audit teams would go out to do their work.
Mr Beer: In that structure, who reported to you?
Roderick Ismay: The national manager reported to me.
Mr Beer: What was his or her name?
Roderick Ismay: That was Martin Ferlinc.
Mr Beer: Were the teams based regionally?
Roderick Ismay: Yes.
Mr Beer: How did you supervise and manage the work of the Branch Audit Team?
Roderick Ismay: I primarily met with Martin. We talked through risk modelling, as in what pieces of data might cause us to go out to a Post Office branch. I didn’t have that much contact with the individual branch auditors performing the audits because my contact mainly was with Martin.
Mr Beer: Did you ever go out to see Branch Audit Teams?
Roderick Ismay: I met the whole of the team in that we would have had a national team communications and training day. So somewhere like Post Office had a training centre near Rugby, Coton House. I think we convened the whole of the team at some point to come together there as a training and engagement event for the team, so I would have been to a function where all of the team would have the opportunity to be there.
I also went out, I think I only went out to two – probably two audits themselves to assist the team as being – playing a role within the team at a branch audit and being responsible for counting part of the cash and liaising with the colleagues in branch on an actual audit.
Mr Beer: Was that because your skills were necessary or was it the boss showing his face?
Roderick Ismay: That was for me to better understand the activity that the team were performing, yeah.
Mr Beer: When in the three-year period did you take over responsibility for the branch audit team?
Roderick Ismay: I think that would have been within a year of joining the Post Office. I’m not sure how quickly but I think it would have been within my first year of working there.
Mr Beer: Was there, when you took over the function of Head of Risk and Control in September 2003, a Post Office Audit Committee?
Roderick Ismay: When I joined, I don’t think there was a Post Office Audit Committee. There was Royal Mail Group Audit Committee and any matters pertaining to Post Office would have been subject to that Group Audit Committee. And, indeed, most of the internal audit resource was part of the Royal Mail Group internal audit team, who would look at certain things in Post Office, in Parcelforce and in Royal Mail.
Mr Beer: Can we look, please, at POL00021415. You’ll see these are the minutes of a committee called the Post Office Audit Committee.
Roderick Ismay: Yes.
Mr Beer: They’re dated 13 March 2001, and so two and a half years before your time.
Roderick Ismay: Yes.
Mr Beer: You’ll see the list of those present, those in attendance and those also present.
Roderick Ismay: Yes.
Mr Beer: Then if we just scroll down, you’ll see some of the business dealt with. Just go back up to the top, please. This minute tends to suggest that, at least in March 2001, there was a Post Office Audit Committee?
Roderick Ismay: Right. Let me clarify that, then. So the Post Office Group changed its name several times. So – and there’s significant confusion in many areas about what’s Post Office, what’s Royal Mail even now. So I think, at that time, the Post Office was the Post Office Group and the Post Office Group had got divisions, which were Post Office Counters, Royal Mail and Parcelforce, but it was called the Post Office Group.
At some point, the names were reversed such that it became the Royal Mail Group, which still had the same pillars under it. So there was always Post Office Counters, which became Post Office Limited – so there was always Post Office Counters, there was always Royal Mail, there was always Parcelforce, but the overriding group name in the ’90s and at this point, I think, was called the Post Office Group.
At some point in the 2000s, that Post Office Group became called the Royal Mail Group, although it was exactly the same things, and then, at some point, it became called Consignia Plc. Then it went back to being called Royal Mail Group.
So this document isn’t Post Office Counters, or Post Office Limited Audit Committee, this is the group audit committee.
Mr Beer: Can you tell us that from the list of those that are shown as being present and in attendance?
Roderick Ismay: Yes, so Marisa Cassoni, as Group Finance Director, and Douglas Hill, as Group Director of Financial Management, makes clear to me that that was a group – that was a committee that was looking at Group matters.
Mr Beer: When you joined in September 2003, were you provided with the back editions of the Audit Committee minutes, such as this one?
Roderick Ismay: No. I could probably have asked for them but, no, I wasn’t provided with back copies of committee minutes, no.
Mr Beer: You were taking over an audit function?
Roderick Ismay: Yes.
Mr Beer: Did you not see which issues the Audit Committee, even if it was the Group, had been considering in the recent past and how the Audit Committee had sought to address them?
Roderick Ismay: I didn’t and, in hindsight, that may have been something I should have asked but I very much had a mandate to look at financial services regulatory compliance when I joined, and so the focus and the mandate from the Finance Director, and indeed from those POL-ET meetings that I went into was all about regulatory compliance when I started. Even though my role picked up the Network Audit Team, the individual mandate and most frequent questions to me were about how do we get on the path to regulatory compliance?
Mr Beer: After you joined in September 2003, did the what you’ve called the Group Audit Committee continue?
Roderick Ismay: Yes, I think the Group Audit Committee continued, I think, yeah.
Mr Beer: Did you attend the Group Audit Committee?
Roderick Ismay: I think I only attended one Group Audit Committee.
Mr Beer: So were you by invitation, then?
Roderick Ismay: Yes.
Mr Beer: How often did that Group Audit Committee meet?
Roderick Ismay: I don’t know. I would expect it was quarterly but I don’t know.
Mr Beer: Do you know whether there were written terms of reference for it?
Roderick Ismay: I would expect so but I don’t know. Well, I would expect that there would have been.
Mr Beer: Do you know how that audit committee reported back to the Post Office Board, whether that was the board of Post Office Counters Limited or then, as it became, Post Office Limited?
Roderick Ismay: I don’t know what the mechanism was for the group audit. The group Post Office Limited directors would have received messages from the Group Audit Committee, I’m not sure what media, whether that was an agenda item at a POL-ET, or a dedicated audit relationship meeting but I know there would have been dialogue, there would have been a governance process for how those would interact but I can’t remember what that governance process was.
Mr Beer: We also have some minutes, I’m not going to show them to you, of something called an Audit and Risk Committee of the Royal Mail Holdings Plc. Is that different from this Group Audit Committee?
Roderick Ismay: I don’t know whether that was a change in name from this Committee. As I say, this Post Office – the Group changed its name between Post Office and Royal Mail. The particular titles of committees sometimes changed without the committee itself changing but as a better acknowledgement of what the scope of that committee was. So it could well have been the same committee, most likely was.
Mr Beer: Does it follow that, by the time you joined in September 2003, there wasn’t a dedicated Post Office Limited Audit Committee?
Roderick Ismay: Yes, that’s right. For the Post Office Limited company in isolation there wasn’t a – wasn’t an audit committee for that specific limited company, no.
Mr Beer: We know that at some point an entity called the Risk and Compliance Committee was formed.
Roderick Ismay: Yes.
Mr Beer: Of which company was that a committee?
Roderick Ismay: Post Office, Post Office Limited.
Mr Beer: When was it formed?
Roderick Ismay: Some time during the tenure of my 2003 to 2006 role, probably 2005.
Mr Beer: Why was it formed?
Roderick Ismay: Well, I think I said, in one of those ET meetings that I went to, that, in a governance sense, it would be beneficial for the organisation to have got its own audit committee. And I think the agreement of that Post Office Limited ET was that I was going to turn into the Post Office Limited Risk and Control Committee that you’ve just mentioned.
Mr Beer: When you joined, was it striking to you that the Post Office did not have a risk, audit or compliance committee?
Roderick Ismay: No, I think when I joined, because it was an integrated group, it would be common for an integrated group to have got one group audit function, and so I don’t think it was unusual for a group of companies just to have one group audit function. But the journey for the Post Office Group or the Royal Mail Group for 30 years has been one of will there or will there not be part of this organisation privatised, and therefore there had been comings and goings of how should Post Office Counters Limited possibly separate itself within that scenario.
And so I think the idea of Post Office Limited getting its own audit committee back in, I think it was 2005, was probably appropriate, given the continued national debate about would one or more parts of the Post Office/Royal Mail Group be privatised.
Mr Beer: How often did the Risk and Compliance Committee, once it was created, sit?
Roderick Ismay: I think that met quarterly.
Mr Beer: Did it report back to Post Office Limited’s main board?
Roderick Ismay: I think the papers from it would have gone back to the board.
Mr Beer: So copies of the minutes; is that right?
Roderick Ismay: The minutes, yes.
Mr Beer: Was that the only means of communication back to the main board?
Roderick Ismay: I think that was the formal mechanism back to the board. The Post Office Limited Risk and Compliance Committee had got the then chairman of the organisation, I think Sir Mike Hodgkinson, so he was the chair for that committee. He would have been on the board, as would the Finance Director, who was in attendance at that committee. So I think those two individuals would have been both in the Risk and Compliance Committee and in the board and, therefore, that would have been a means of communication, as well.
Mr Beer: That document can come down from the screen.
How frequently did you attend the newly formed Risk and Compliance Committee?
Roderick Ismay: I think most of the meetings, unless I was on holiday. I think I would have attended all of them because I was involved in preparing the agenda for those committees. So up until I moved into the Product and Branch Accounting Team, I think I would have attended all –
Mr Beer: Every one, barring holiday?
Roderick Ismay: Yes, I think so.
Mr Beer: Did the Risk and Compliance Committee have terms of reference?
Roderick Ismay: Yes, I think we did have a terms of reference when we set up.
Mr Beer: Was it a decision-making body?
Roderick Ismay: No, I don’t think it was a decision-making body, I think it was one that would give views on information that was submitted to but it wasn’t a body that had, say, a delegated authority to make expenditure decisions or …
Mr Beer: Or any other decisions?
Roderick Ismay: I don’t think so.
Mr Beer: You said that it instead make recommendations?
Roderick Ismay: Yeah.
Mr Beer: To whom did it make those recommendations?
Roderick Ismay: I think those recommendations would have been what had gone to Post Office Limited Executive Team.
Mr Beer: Can we look, please, at POL00047544. If we just scroll down a little bit, you’ll see that this is a branch auditing report for Period 6 in the financial year 2004 to 2005. It’s dated 29 October 2004. It’s from Martin Ferlinc, who you mentioned, and is that his full job title: “National Audit & Inspections Manager”?
Roderick Ismay: Yes, yes.
Mr Beer: It’s to, amongst other people, you, Head of Risk and Control?
Roderick Ismay: Yes.
Mr Beer: If we look in paragraph 1, we’ll see that the report makes clear that its first purpose is to inform your work in a report that you were to prepare to the Post Office Board or the Executive Committee, as appropriate, and to the newly formed compliance committee; can you see that?
Roderick Ismay: Yes, I can.
Mr Beer: If we go down to the “Executive summary” in 2, it reads:
“The total of all cash account losses revealed at audit in the first six months of the year has amounted to £2.8 million (from approximately 1,000 audits). While the shortages revealed that the majority of these audits would be made good by the subpostmaster or might be rectified by error notices, £1.9 million of the total amount is based on the findings of just 20 branches audited. Although in some of these cases, there were indications of errors being made, which would be rectified by an error notice, there is also a significant risk that the losses identified in most of these cases will not be recovered. It is also a concern that in spite of the size of amounts of discrepancies, a precautionary suspension was not made in 35% of these cases.”
So, first six months of the year, losses of £2.8 million revealed at audit, yes; £1.9 million of the total attributed to 20 branches audited; significant risk that the losses will not be recovered.
Then if we go to the end of that paragraph there:
“… in spite of the size of the amount a precautionary suspension was not made in 35% of the cases.”
You were responsible for the Branch Audit Teams at this time, yes?
Roderick Ismay: Yes.
Mr Beer: Can we take from this summary of the losses that it had been discovered on audit that a suggestion was made that discernible errors had been made by postmasters in some cases?
Roderick Ismay: Yes.
Mr Beer: Those errors could be rectified by error notices and followed up by a payment by the subpostmaster?
Roderick Ismay: I believe the audit team would have checked with the Product and Branch Accounting Team at the time if there were error notices pending and, therefore, there would be an understanding that the – that wouldn’t actually be a shortage in the round if an error notice was known to be on its way to resolve it. But if Product and Branch Accounting didn’t have any knowledge of any error notices that were going to be on the way to the branch, then the shortage identified at audit would be deemed to hold true in the round because there wasn’t any error notices expected to offset it.
Mr Beer: Can we also take it from this summary that some of the losses discovered at audit could not be explained by discernible errors?
Roderick Ismay: Yes.
Mr Beer: In fact, most of them?
Roderick Ismay: Quite possibly, and the reason that the understanding of me and of the audit team at the time was that money had been stolen and that one can’t identify a discernible error that has caused the money not to be there, if a – if it happened that a subpostmaster or member of staff employed by a subpostmaster or if a door had been left open and a customer had managed to take money out of the till, there isn’t going to be an error notice – there isn’t going to be an error that defines that; it’s an example of theft.
Mr Beer: But the concern that is expressed, that the losses won’t be recovered, is because, on audit, the majority of the losses couldn’t be explained by discernible errors?
Roderick Ismay: Well, you can’t explain theft.
Mr Beer: Is that the mental process that you went to: if there’s not a discernible error, it must be theft?
Roderick Ismay: That was a possible scenario in the audits and, sometimes, as has been referred to in some of the documents in the packs that I’ve received, there have been statements that an individual confessed at the time the auditors went in, and I’m aware of audit team members having said to me that they went into a branch and somebody would say to them “I’m grateful you’ve come to conduct this audit because I’ve been paying off a debt and I can’t go on like this and I’ve been using money to pay off a debt”.
And that was in a small number of branches so, as an organisation, you know, we were passionate about our subpostmaster community and our network of branches but, in our some of our Crown Offices and some of the sub post offices, sadly there were some situations where individuals admitted, or members of staff of individuals admitted, that they’d taken money, and sometimes one couldn’t believe that a trusted member of staff may have taken something.
But you’ve got the reference to Blackwood here and my recollection from Blackwood was that that office was co-located with a sorting office, I think, or a delivery office, and I think my recollection is that the audit report noted that the door was left open between that post office and the delivery office next door and that the safe wasn’t always shut and, therefore, a scenario where £436,000 was identified as a loss at audit, there was a clear risk that unidentified individuals had come through an open door to an open safe and taken batches of money from it. And there would not be an accounting error for anybody to identify which would lead to that, it was simply an open safe that someone may have taken the money from.
Mr Beer: In the answers you’ve just given, you have suggested, would this be right, that in the absence of a discernible error, the assumption was that losses were caused by a postmaster’s conduct, whether that was accidental or deliberate?
Roderick Ismay: Yes, that was the belief in a number of cases, yes.
Mr Beer: Is that why the report in that last sentence on the first paragraph there expresses a concern that the postmaster wasn’t suspended in 35 per cent of the cases, ie it’s got to be down to them, they should have been suspended?
Roderick Ismay: I think that was the –
Mr Beer: That’s the implication, isn’t it?
Roderick Ismay: That is the implication, yes.
Mr Beer: Did it ever occur to you or anyone else that applied their brain to the issue that the losses might not be caused by postmaster conduct?
Roderick Ismay: It occurred to us that it could be caused by a third party other than the postmaster having taken the money. It could have been a trusted member of staff or, in the situation that I described that I believe from my recollection was the situation at Blackwood, where an open door and an open safe could have had a number of unidentified individuals having access to that safe.
Mr Beer: But it was always down to the postmaster in some way, the loss?
Roderick Ismay: Under the postmaster contract, yes.
Mr Beer: No, no. That’s a separate issue about financial and legal responsibility for losses. I’m not going to spend time working through with you whether that was a correct interpretation of the contract or not. But, as a matter of fact, your belief and the belief of those around you was all losses, unless we can see what the error was, are down to the conduct of a subpostmaster in some way?
Roderick Ismay: Yeah, ultimately it was the responsibility of the subpostmaster.
Sir Wyn Williams: That’s not quite the question he’s asking you, Mr Ismay. I think what he’s trying to get from you is an acceptance, if you do accept it, that your thought processes in 2004 was that these losses were caused by human activity, either accidentally on the part of subpostmasters or their staff, or deliberately.
Roderick Ismay: That’s correct, yes.
Sir Wyn Williams: That was your explanation for all these losses?
Roderick Ismay: Yes, that was the thought process, yes. Thank you. Yeah.
Mr Beer: It didn’t occur to you or anyone around you that there may be system faults that are causing the losses?
Roderick Ismay: My understanding from the IT teams was that they didn’t think there was a foundation to the allegations that were made. So, at this time, as documents in this pack indicate, the Cleveleys case, for example, had happened four or five years before this document. It’s known that the Cleveleys case involved some allegations about the system – well, I think the documents here say there was a lack of system records to substantiate the case going forward and that’s led to the outcome of that one.
So I, in my role as when I joined as Head of Risk and Control, I did ask a question into the team of “Well, look, if we’ve got this allegation being made, is this – you know, is there a foundation to this?” And the very strong view coming to me from colleagues in the IT team at that time was that it was – there was no foundation to the allegation that had been made in the Cleveleys case.
Mr Beer: Was that just a conversation?
Roderick Ismay: Yes.
Mr Beer: Is that the way audits normally work: somebody who is responsible for an IT system, you say to them, “Somebody has alleged your IT system isn’t working properly and is causing financial errors”, and they say back to you, “No, it’s not”, and you say, “Oh, okay, then”?
Roderick Ismay: Well, for me, coming in with the structure of team that I’d got as I joined and not having an IT auditor, there wasn’t an alternative to doing that. But I was also looking at it in the context of the organisation had put a lot of project management into the whole deployment of the IT system, a lot of specialists involved, the reports that gets referred to with my name from 2010, I, in there, refer to something that IT had told me about of the Gartner report, which was not something that I conducted, not something I would have understood the technicalities of what the Gartner specialists were looking at, but said that it made positive comments about the deployment of the system. And, therefore, I was operating in an environment where I asked the IT team “Is there a basis to these allegations”, and they said no, and I’d also got the message that there’d been all these specialists involved in working through the design and deployment of the system and, clearly, the material that you’re now showing me does mention lots of issues that were identified during the procurement and design and deployment of the system.
I wasn’t aware of all of those things. I was aware of the context where there’d been a lot of IT specialists involved in the deployment of it and that a Go Live had been taken on the basis of trusted testing of it.
Mr Beer: So your state of mind was informed, you say, by the things that said the system was working well. You hadn’t been shown any of the things that we now know exist to show that there were, putting it neutrally, issues with the integrity of the data that it produced?
Roderick Ismay: Yes, I was receiving stuff talking about positives and why there were reasons to rely on the system and that it worked, and so I didn’t see something that said “Well, what was it that was alleged in the Cleveleys case and how was that tackled? How was that responded to, to rebut it?” I didn’t see that. But I was assured by the team in IT that it was – that there wasn’t a foundation to it.
Mr Beer: Who in IT gave you that assurance?
Roderick Ismay: I would have been speaking to – so David Smith was Head of the IT at the time. It would have been somebody – him or somebody in his team I would have spoken to.
Mr Beer: Was there a risk register?
Roderick Ismay: Each department had got a risk register. IT had got a risk register. I don’t recall that this was something that was recorded as a risk on that register.
Mr Beer: So IT didn’t have the Horizon System on its risk register; is that what you’re saying?
Roderick Ismay: Yes.
Mr Beer: Did you, as Head of Audit, maintain a risk register?
Roderick Ismay: I didn’t maintain a risk register other than what was collated out of what individual departments had got and a discussion with them about what was on their risk registers.
Mr Beer: So you maintain sort of a super risk register; is that right?
Roderick Ismay: Yes.
Mr Beer: For the company?
Roderick Ismay: Yes.
Mr Beer: Post Office Limited?
Roderick Ismay: Post Office Limited, yes.
Mr Beer: Was the Horizon System on that super risk register?
Roderick Ismay: I don’t think it was, no.
Mr Beer: What research or inquiry did you undertake to determine whether the Horizon System should be on the risk register or should not be on the risk register?
Roderick Ismay: Because I was aware of the allegations that had been made in Cleveleys, because that had been reported in Computer Weekly, and I received, I think – there was a press cutting service within the organisation. So I would have received press cuttings, I think, in the organisation, that would have highlighted there has been this article and this allegation.
As I say, I asked David or somebody in his team what – was there a basis to this? I’m having a meeting with the IT – some people in the IT team about their risk register and so I know I asked something at that time about, “Well, given the allegations being made, should there be a risk here?” And the response was very firmly that there wasn’t a foundation to that allegation.
Mr Beer: Was there anything more systematic than that in the maintenance by you of a risk register in – when I say “that”, I mean reading an article in Computer Weekly which makes an allegation, and speaking to the head of IT who says there’s nothing in it?
Roderick Ismay: I’m sure I had a more detailed conversation than I’m describing there but I can’t remember the spec of what we went into.
Mr Beer: Were there regular tabled meetings where you would pull in the heads of department and say, “Let’s look at your risk register, let’s interrogate them, let’s pick apart why things are and aren’t on those risk registers”?
Roderick Ismay: Yeah, I think I probably had – well, thinking about the cycle for the Risk and Compliance Committee, which was quarterly, I think I would have had a meeting with a senior representative out of the Marketing team, the IT team, the Network team, all the seven or eight divisions in the Post Office, I would have met them quarterly before compiling a paper into the Compliance and Risk Committee.
Mr Beer: It was the conversation with the head of IT that meant that the Horizon System never entered any risk register?
Roderick Ismay: Yeah.
Mr Beer: Can we look please at POL00021416. You’ll see these are the minutes of a Risk and Compliance Committee for 25 – sorry, for 5 January 2005. I think we can see that you gave your apologies.
Roderick Ismay: Yes, yeah.
Mr Beer: If we just scroll down, please, item 0301, “Investigate” – these are action points:
“Investigate how subpostmasters appointment and suspension/reappointment process can be improved to reduce risk – lessons learnt from the Sandbach case. To include developing our own internal pool of interim branch managers.
“Tony Utting to supply an update to the forum on the Turners Hill case.
“Turners Hill case to be sent to Bob Wigley”, and the like.
If we carried on looking – I’m not going to spent time doing it – we can see that are from these minutes and from the other minutes from the Risk and Compliance Committee, the Risk and Compliance Committee was considering the specifics of individual investigations involving subpostmasters and lessons learned from those investigations. Is that a fair reflection of part of the work of the Risk and Compliance Committee?
Roderick Ismay: Yes, it is.
Mr Beer: So it was usual for this Committee to consider individual cases?
Roderick Ismay: Yes, it did.
Mr Beer: The first action as we’ve seen, is to investigate how appointment and suspension processes can be improved to reduce risk. Was that, in fact, seen as a risk to the Post Office at the time, that subpostmasters were the risk and greater control was needed of them through the suspension process?
Roderick Ismay: I think the risk that was seen was that post offices increasingly had a retail side, and there was a risk that the retail side of the branch may not be that financially successful. I think there’d been examples where – not necessarily just individual subpostmasters but there might have been a franchise partner that the organisation worked with, and there have recently been large franchise organisations who have experienced financial difficulty. And the – what was being looked at here, I think, was to say “Are we, and we should be doing credit checks on the organisation”, which, as I say, might be a limited company franchise.
It might be a significant multiple partner we were looking at, not just the subpostmaster, although the phrase is subpostmaster here, but it was saying how effectively are we doing business credit checks on the organisations to which a franchise is going to be given to run a Post Office because, if we take on a contract with a business partner which has got financial difficulties, that potentially creates a risk to kind of use working capital out of the Post Office side to prop up the shop side.
Mr Beer: So I think the answer to my question is yes, that the risk to the organisation was seen as coming from dishonest subpostmasters?
Roderick Ismay: From – well, from financially challenged partners. Not necessarily just subpostmasters. As I say, there were major national multiple partners that the Post Office worked with, and you’ll have seen in the press in the last few years some of these major national organisations have experienced financial difficulties.
Mr Beer: This refers to subpostmasters and their suspension, doesn’t it?
Roderick Ismay: It does, but I think the process that was being worked on was wider than just subpostmasters.
Mr Beer: Can we look at page 3 of these minutes, please, and look at the foot of the page at 3.3.3, “Internal Crime”:
“Tony Utting gave a broad overview of the team dynamics for internal crime.
“There are over 600 cases at present spread over 39 [organisations].
“Financial investigations (freezing proceeds of crime) were discussed and issues around Home Office training. £1.2 million recovered so far this year.
“An over view of the security features for Post Office Card account was discussed.
“DWP cash cheques and liabilities were discussed …
“New risk model for profiling subpostmasters was discussed.”
Can you help the Inquiry, please, with what the new risk model for the profiling of subpostmasters was, please?
Roderick Ismay: So that would have been, when you asked me about the structure of the National Audit Team and I said there was an individual separate to the regional teams who would have been looking at risk modelling. I think this was looking at what was going on there and so the factors that would influence the audit team to go out to Post Office would have included various items of data, and this last line here was a comment about what pieces of data were going into that exercise.
So, for example, if there had been, through central checks being conducted, something about cheques not arriving at the cheque processing centre, or examples of Post Office Saving Stamps missing from pouches coming in, counterfeit cheques being encashed, any indications of some perhaps customer complaints. There’d be a number of pieces of data which would be weighted and would then come up with a prompt to say there’s a higher score attributed to these branches from all these different bits of data.
So it wasn’t about profiling a subpostmaster as such; it was about looking at the data and perhaps customer complaints related to a Post Office branch which would include Crown post offices, to say, based on that data, this location is one that we think we need to send the audit team out to.
Mr Beer: Who was responsible for writing the new risk model for the profiling of subpostmasters?
Roderick Ismay: There was somebody in Martin’s team who was leading that. I can’t remember the name of the person but somebody in his team was – had got that dataset.
Mr Beer: Did this approach of profiling subpostmasters and reviewing the process to reduce the risk that they might present through the use of the suspension process dovetail with the concurrent rollout of the IMPACT Programme?
Roderick Ismay: No, it was totally separate.
Mr Beer: Nothing to do with the IMPACT Programme and in the IMPACT Programme debt recovery being prioritised?
Roderick Ismay: No, this is totally separate to that.
Mr Beer: So there’s two things. We’ve seen and heard a lot of evidence about one of the drivers for the IMPACT Programme was to reduce debt and to seek to recover more of it from subpostmasters. That was going on within the organisation. Then, separately, this was going on as a different piece of work, one unrelated to the other?
Roderick Ismay: No, they were totally separate. There may have been some of the same people involved in both of them but this one, in isolation, could actually have led to more debt being identified. So –
Mr Beer: And more recovered –
Roderick Ismay: Not –
Mr Beer: – using the Proceeds of Crime Act, for example?
Roderick Ismay: The risk profiling would lead to more being identified. The risk – this risk profiling could lead to more debt being identified. Risk profiling itself would not lead to a chance of more recovery but, yes, the powers under the Proceeds of Crime Act would have potentially enabled more debt to be recovered but the risk model itself was purely about identifying issues in branches, not about the recovery of them.
Mr Beer: Was the number of investigations tracked as part of the Risk and Compliance Committee?
Roderick Ismay: I don’t know. It clearly is the number of – I don’t think there was a metric presented to that Committee to say “This is how many we’ve done this month”, but this paragraph is an example of some metrics being presented to it, but I don’t think that was kind of on a formal “Let’s keep looking at that every month” basis.
Mr Beer: Can you recall whether – you obviously weren’t present at this meeting but, outside of it – any concern was raised over there being 600 cases being investigated?
Roderick Ismay: Yes, there would have been concern that – yeah. I mean, I don’t think any organisation would want to have got a large number of any investigations going on.
Mr Beer: Had there historically been investigations at this level?
Roderick Ismay: I believe that there’d always been investigations that had been going on, going back into the cash accounts world, pre-Horizon being deployed. Yes.
Mr Beer: Was the level or the number of investigations seen as telling you something about the Post Office? You said there would have been concern at any investigation into staff. Was the number of them seen as a metric or as a measure of that concern?
Roderick Ismay: I don’t think the number was seen as a metric on a scale, if you like. There wasn’t like a threshold that says this is a concern and this is even more of a concern but I think no organisation would really want to have got one investigation going on. 600 clearly would be even more unsettling but that’s not to say that, you know, 200 is acceptable, 600 is – it’s just 600 is a big number.
Mr Beer: Was any attempt made to unpick or investigate why there was a big number?
Roderick Ismay: Yeah, I think there was reflections such as there would be data collated and I think some of that data is referred to in one of the tables that went into that report that I summarised in 2010. So there was something – a table of metric of things coming out of that. Can you ask me the question again, sorry?
Mr Beer: Yes. Was there any investigation into – you said this was a concerning high number.
Roderick Ismay: Yes, yes.
Mr Beer: Was there any investigation into whether it had changed from the past and gone upwards or downwards and, if so, what the causes of the high number of investigations were?
Roderick Ismay: No, I don’t think there was. Looking at this, from what I can remember, I think just 600 was a big number. I can’t remember a conversation about “It used to be 500, what’s happened?” I think this was purely looking at “It’s 600, that’s a big number”.
Mr Beer: This also speaks about freezing the proceeds of crime and £1.2 million had been recovered in a part year. Was that seen as a success by the Post Office, in recovering £1.2 million?
Roderick Ismay: No, I think that was a 2011 statement of what was received. I don’t think anybody was taking joy out of any figure like that, by any means. It was a sad situation, everything involved with it.
Mr Beer: This refers to issues around Home Office training about either financial investigations and/or proceeds of crime. Can you remember what they were: the concerns or the issues?
Roderick Ismay: I don’t know what the issues were around Home Office training, no. I think the Post Office investigators had to perform something under the – the legislation that followed on from 9/11, there was some sort of national organisation that would do training to whatever organisations had got financial investigators, and I could only imagine there was so much demand that it was perhaps hard to book a training slot because there was so much demand for –
Mr Beer: If we go over the page, we can see there’s an action to “Inform Sir Mike”. Is that Sir Mike Hodgkinson –
Roderick Ismay: Yes, that is.
Mr Beer: – the then chair of Post Office Limited?
Roderick Ismay: Yes.
Mr Beer: “… of the Home Office contact if support is required to speed up training for financial investigators.”
Was this part of a push to recover money from subpostmasters?
Roderick Ismay: It – yes, it was part of a push to recover from the cases that had been investigated, yes.
Mr Beer: Can we turn to POL00021417, please. We can see minutes of the meeting on 6 April 2005, and we can see that you’re present on this occasion. We can see at the top of page 2, the progress of the actions from the meeting I’ve just spoken about. 301:
“Investigate how subpostmasters appointment and suspension/reappointment process can be improved to reduce risk – lessons learnt from Sandbach case. To include developing our own internal pool of interim branch managers”, et cetera.
“Status”:
“Ongoing, paper to board.”
In the “Action” there, it’s been added in:
“[To develop] our own internal pool of interim branch managers from auditors/trainers/DMB staff – potential to widen scope and use Rapid Deployment Team.”
Can you please explain what the Rapid Deployment Team was, please?
Roderick Ismay: No, I can’t remember what the Rapid Deployment Team was, no.
Mr Beer: Have you any memory of such a team?
Roderick Ismay: I haven’t, but the Post Office experienced several periods of industrial action and I would imagine that a team with that name would have perhaps been part of sort of business continuity planning and thinking “If we’ve got a strike in our Crown Offices, how do we enable customer service to continue?” So I know I was called at some point to go and work on the counter in number of Crown Offices during the strike action. I don’t think that was called the Rapid Deployment Team but the nature of it was that it was a rapid response to strike action.
Mr Beer: Amongst those who are going to go in and essentially run a branch are auditors and trainers?
Roderick Ismay: Yes.
Mr Beer: Was there any concern raised about using your auditors to go in and run branches or to use trainers to run branches?
Roderick Ismay: No. I think the reason that auditors and trainers were suggested here is that they would have been the people with most understanding of the processes in a branch and, therefore, the most competent people to ensure that customer service continued in the branches effectively.
Mr Beer: We see that the action for Sir Mike is recorded as completed. If we go forwards, please, to page 4 of the minute, it’s under 3.4.5, the minutes record under “Corporate risk register”:
“Reviewed current risk register and discussed any movement of risks and causes.”
Firstly, the current risk register. Is that what we’ve described as the “super risk register” maintained by you?
Roderick Ismay: Yes.
Mr Beer: It says that you discussed any movement.
Roderick Ismay: Yes.
Mr Beer: Was a record kept of the Risk and Compliance Committee’s decisions on movement of risk?
Roderick Ismay: I would think so.
Mr Beer: Where?
Roderick Ismay: I’d have thought if a risk had moved, that that would be recorded in the minutes of the meeting. But –
Mr Beer: So does this –
Roderick Ismay: – there evidently isn’t any here so I don’t know where it got recorded.
Mr Beer: So this we should take to be a record of a discussion that result in no movement?
Roderick Ismay: I think that my recollection is that the things that were on the risk register pretty much stayed in the same position in terms of impact and likelihood, and this risk register was one that had probably got between 10 and 20 things in a heat map shape on it. It would have things like continuity of social network payments or other major financial matters to the organisation, and I think the position of those on that risk register, in terms of their impact and their likelihood, wasn’t changing very much.
I think the risk register tended to be quite a similar document because those things that the organisation deemed to be the biggest risks were always inherently going to be the biggest risks to the organisation and weren’t going to change that much between the cycle of committees.
Mr Beer: So the risk remained static over time for your three years; is that right?
Roderick Ismay: I think the things that were on that register probably did remain static, yeah.
Mr Beer: There’s a discussion, it seems, recorded adjacently in paragraph 3.4.6, about access to Horizon, under the heading “Information Systems security”. Can you see that?
Roderick Ismay: Yes, I can, yeah.
Mr Beer: Can you recall discussions, whether at this meeting or in your three years, about improper or unauthorised access to the Horizon System?
Roderick Ismay: The things that I can remember, and I think this is the exclusive thing that I can remember on that, because it was the only thing that I was aware of at the time, was of auditors going into Post Office branches and seeing passwords written on the wall, and therefore the sharing of passwords between colleagues in Crown Offices and in sub post office branches, this topic, I think, was a concern about access to Horizon by people sharing passwords in branches.
And that was a sort of a thing in an alleged situation of missing money in a branch, the sharing of passwords. If there was – if there was a transaction that was inappropriate in a branch – and, as I’ve said earlier, there isn’t a transaction for money being stolen, you can’t find a transaction for money being stolen – but if there was a transaction that had been put in that was an inappropriate transaction, it is not possible to identify who the individual was where people share passwords and user IDs, and our concern here was that it was very clear that many branches had got user IDs and passwords on the wall.
Mr Beer: So, again, the focus is on subpostmasters doing things wrong?
Roderick Ismay: And in Crown Offices, yes.
Mr Beer: Was there any, in your three years in this post, discussion about Fujitsu employees having unrestricted and unauditable access to the Post Office Horizon System?
Roderick Ismay: I didn’t believe that individuals had got access to the transactions in the system and, therefore, there wasn’t conversation about that because I was advised by IT that individuals didn’t have the ability to do transactions on the system. That it was purely colleagues at the front on the Horizon counter who’d got the chance to do systems.
Mr Beer: Just stopping there, breaking that answer down, how did the conversation between you and IT arise? Why were you having a conversation about backdoor access by Fujitsu?
Roderick Ismay: Because going back to such things as the Cleveleys – the allegations that were coming out of the Cleveleys report.
Mr Beer: Again, was this part of the same conversation with the head of IT?
Roderick Ismay: Yeah.
Mr Beer: He said “No, there is no such access”, and you said, “Great”? Is that how it went?
Roderick Ismay: Yes.
Mr Beer: Thank you very much. That would be a convenient moment.
Sir Wyn Williams: Fine. 15 minutes?
Mr Beer: Yes, please. I think that’s 35 past.
Sir Wyn Williams: 35 past, right. Jolly good. Or 25 to!
Mr Beer: Yes.
Sir Wynn Williams: Right.
(11.20 am)
(A short break)
(11.36 am)
Sir Wyn Williams: Yes, Mr Beer.
Mr Beer: Thank you very much, sir. Mr Ismay, before we move on can we just go back and check one thing, please. Can we look, please, at POL00029282. This was a document we looked at yesterday with a Fujitsu employee called Steve Parker, who you’ll see mentioned as a contributor to this document. You’ll see that, from the top left, it’s a Fujitsu document and it’s dated 18 March 2004, so it’s within the period that we’re looking at, at the moment of your tenure in Risk and Compliance between 2003 and 2006. I’m not going to go through the document because we looked at it extensively yesterday.
It sets out the nature and extent of Fujitsu’s access in what has been described as remote access or backdoor access to the Horizon System. If we look at what’s at the foot of the page as we see it now, a point picked up by the Chair yesterday, it’s distributed to John Bruce of Post Office Limited. Do you know who Mr Bruce was?
Roderick Ismay: No.
Mr Beer: Is that a name entirely unfamiliar to you?
Roderick Ismay: I don’t know that name at all, no.
Mr Beer: If, as some of our other records suggest, he was an implementation manager for releases into Horizon, releases about Horizon, would that be within the IT department, as you’ve called it?
Roderick Ismay: Yes, I think so.
Mr Beer: If this record is accurate, that this document setting out the extent of remote access at least went over to Mr Bruce, what would you expect the chain to be, in order for you, in Risk and Compliance, to know about it? How would this get from Mr Bruce to you?
Roderick Ismay: I don’t know if it would.
Mr Beer: Why wouldn’t it?
Roderick Ismay: Because there were so many projects and so many documents that there’ll be thousands of documents that never came anywhere near me or any of my team.
Mr Beer: All right, what about the issue then, rather than the document itself. If, let’s assume for the moment, there were documents that were circulating which suggested that Fujitsu had privileged access to counters that permitted changes to financial data to be made and that that privileged access was unauditable, you would, I think, regard that as a risk to the integrity of the system –
Roderick Ismay: Yes.
Mr Beer: – and, therefore, information about which you should know, being Head of Risk?
Roderick Ismay: Yeah.
Mr Beer: Assuming such documents existed, how would you expect the information or the issue to get from – once it entered Post Office through, say, this route to somebody who is an implementation manager, to get back to you in Risk?
Roderick Ismay: As I say, there were so many documents that there wouldn’t be something would cause me to have said “Can I have a particular document like this?”
Mr Beer: I’m not asking that.
Roderick Ismay: Yes, but I think it would depend on the gentleman who is named in here, if he was aware that this was something that he should escalate to somebody. So, first off, if he was the only recipient in Post Office, then potentially nobody else in Post Office might have known if he was the only recipient. There’d be a dependency on did it occur to him that he ought to escalate it to somebody, given that –
Mr Beer: Just stopping there, that sounds, if I may say so, a rather shaky system of risk and compliance, that it all depends on an individual realising that they must escalate something. Wasn’t there a more systematic approach by which departments would ask people to contribute on a cyclical basis to an assessment of whether there were risks of which they were aware and then they were fed back centrally to you?
Roderick Ismay: I think if the organisation had got a risk then it would be conveyed – if the organisation had acknowledged a risk, then – and if – for example, if I’d then communicated to departments heads that I was concerned about a particular risk, I’d expect that to be – message to be conveyed to trigger things to come back up, but – but I understood there wasn’t a foundation to the allegations that were being made from the questions that we talked about earlier today.
Therefore, I wouldn’t have been asking for sight of documents, and the operational change procedures, I think there were many, many, many documents that would have been like this, and the organisation would have had empowered individuals in some areas who were expected to just get on with the thing they were dealing with.
Clearly, I acknowledge the enormity of the matter that you’re referring to that is touched on in this document, as you’ve suggested. That puts – probably puts this on a different scale. But, in isolation, there would be many programme managers and members of project teams who would be the person dealing with that particular area, and I don’t think projects in lots of companies would expect every document to be shared with different people in the team when somebody has got a defined role in a team to get on and do something.
Mr Beer: Thank you. I’ll move on. That can come down.
You were in charge of audit between perhaps 2004 and 2006 when you took on branch audit responsibilities. What was your assessment of the attitudes prevalent amongst auditors, so far as subpostmasters were concerned, in that period?
Roderick Ismay: My understanding, from speaking to the team, was that I sensed that they had good relations with subpostmasters. Clearly, one isn’t going to have good relations after a situation perhaps where a shortage is identified but the Post Office audit team were going out to many branches. It was a minority of branches where issues arose and members of the team, when I did meet some of them, would say – well, you know, I’ve gone out to a branch and they’ve said “Oh, hello, we’re pleased to see you again, you’re out for your routine audit again”, and they’ve kind of described a pleasant rapport with colleagues and branches that they went out to.
Mr Beer: Have you listened to or read or seen a summary of the Human Impact evidence that the Inquiry heard last year as to the way in which subpostmasters say they were treated by auditors?
Roderick Ismay: No, I haven’t.
Mr Beer: We’ve heard evidence from them that suggested that auditors did not approach their task with an open mind, that they sought to prove fault and were unwilling to listen to the accounts that subpostmasters gave. Are those attitudes that you recognise?
Roderick Ismay: No, I think that’s disappointing.
Mr Beer: Was there, in your time, in the three years that you held this role, a policy document that governed the way in which audits were to be conducted, for example the need to keep an open mind and the duty to follow all reasonable lines of investigation?
Roderick Ismay: I don’t know if there was a policy document like that. But if you take the institute that I’m a member of, things like independence and objectivity are core things that are part of the principles of the mindset. For –
Mr Beer: Were all of the auditors members of your institute?
Roderick Ismay: No, they weren’t. They weren’t, no.
Mr Beer: So if there wasn’t a policy document which governed the way in which audits were to be conducted, why wasn’t there?
Roderick Ismay: I don’t know if there was or wasn’t and that’s – I appreciate that’s not a very good answer. I can’t remember whether there was a policy document or not.
Mr Beer: Was it recognised by you, as the Head of Audit, that audits were the foundation, quite often, for criminal investigations and then criminal proceedings?
Roderick Ismay: Yes.
Mr Beer: Was there, at that time, a policy that the auditors were required to have regard to about the conduct of their work because they knew that it would lead to or may lead to a criminal investigation?
Roderick Ismay: I think auditors were expected to follow standard recordkeeping procedures for what they went out to and I would have, whilst I don’t know whether there was a policy document or not, I would have expected them to be polite, diplomatic, helpful, open minded when they went out to do the audits but, clearly, you’re explaining there’s been harrowing feedback that they weren’t.
Mr Beer: I’m going to take an example from much later on, after your time, and just ask you whether you recall anything similar. Can we look, please, at POL00038853. If we just scroll down a little bit, please, you’ll see that this is a policy concerned with the “Conduct of Criminal Investigations”. It’s dated August 2013 and owned by the Head of Security Operations. That’s a different division, essentially, from your own, isn’t it –
Roderick Ismay: Yes, it is.
Mr Beer: – security operations? We’ll see that this is version 0.2, but I think we can see from the revision history at the foot of the page that even version 0.1 was dated 16 August 2013. It seems that this policy for the conduct of criminal investigations was written up for the first time, so far as we can see, in 2013.
To your knowledge, was there an earlier policy which documented the approach that should be taken to audits which may lead to criminal investigations?
Roderick Ismay: I can’t remember whether there was or wasn’t one before then.
Mr Beer: Can we just look at some of what was being said in 2013 and whether it reflected the position in your time. Can we look at page 11, please. Appreciating this is directed at the Security Manager and not auditors, the policy tells readers that:
“The Security Manager must not overlook the fact that a fair investigation is there to establish the truth as well as substantiate the allegation, so it is importance that any evidence uncovered that may support the subject’s position is also recovered. It is important to document every action, decision and reason for decisions being made during the course of the investigation.”
Do you think similar guidance to that would have been given to your auditors back between 2003 and 2006?
Roderick Ismay: Well, I would hope so. I would hope that a balanced approach was there, to be open minded and to be recording evidence either way.
Mr Beer: Do you see anything wrong, if it did reflect the approach that auditors would take back in the day, with what’s written there?
Roderick Ismay: I feel like, looking at that, that it would be enough to say “a fair investigation to establish the truth”, full stop.
Mr Beer: Yes, because it’s reminding people that they shouldn’t overlook, that an investigation is there to establish the truth?
Roderick Ismay: Yeah.
Mr Beer: Presumably, there would never be any risk of that being overlooked by your auditors?
Roderick Ismay: Well, I would think that the all embracing thing is to establish the truth and, if the truth happens to substantiate the allegation, well that’s a subset of establish the truth, and it probably should have had a full stop after “establish the truth”.
Mr Beer: It says that:
“[The individual] must not overlook the fact that a fair investigation is there to establish the truth as well as substantiate the [investigation].”
Would you understand that’s what an investigation was for: to substantiate the allegation?
Roderick Ismay: Well, I think an investigation would have been triggered because there was an allegation and the allegation, presumably in this criminal investigation policy, would have been that there was an example of theft alleged. So the investigation would have been initiated as a result of an allegation, but I would have thought the policy then should be to go to wherever one needs to go to examine the evidence, and that the policy should be to establish the truth, full stop.
I don’t know why the policy needs to remind people – as well as to substantiate the allegation.
Mr Beer: It also says:
“… it is important that any evidence uncovered that may support the subject’s position is also recovered.”
Would that suggest to you a rather passive process. If you come across anything that helps a subject, retain it. It doesn’t suggest that you should actually look for any evidence that points away from the suspect, does it?
Roderick Ismay: Well, no, I guess if I was writing that, I feel like it ought to say that “The security manager must not overlook the fact that a fair investigation is there to establish the truth”, full stop, and I would expect somebody to understand that establishing the truth means gathering all the evidence, whatever direction the evidence supports.
Mr Beer: The things that you have just said, how was that made clear to the very many auditors for which you were responsible back in 2003 to 2006?
Roderick Ismay: I’d like to think that would have been the sort of thing we would have been saying in the training events, where I alluded to getting people together, I would like to think there might have been a policy that referred to that, but I can’t remember if there was one. But I’d like to think that an approach of objectivity would have been in place for conducting audits.
Mr Beer: Can we look please at POL00090437.
If you forgive me a moment, I’ve just had a file collapse.
Can we turn to the second page, please. We understand this is a Post Office Investigation Division file. Would you ever have seen such files?
Roderick Ismay: I didn’t routinely get files sent to me to look at.
Mr Beer: Whether routinely or not, would you get files sent to you?
Roderick Ismay: No. I – at some point I asked to see a file, I think when we were going through into the Second Sight investigation, there was a branch that I asked to see a file for then. But I wouldn’t have been sent files routinely, no. So I wasn’t sent files, I don’t think. I wasn’t sent files.
Mr Beer: Can we go to a document within this file, please, it’s at page 87. It’s an email from Tony Utting to John Cole, copied to Keith Baines, of 2 March 2006 I think that’s a period when you were still Head of Risk and Compliance?
Roderick Ismay: Yes.
Mr Beer: If we just read it. The subject is “Re: Analyst Resource for Civil Litigation cases”:
“John, as discussed the other day, I do believe that this is a job that could usefully conducted within our team for a number of reasons.
“Positive stuff.
“Our investigators routinely have to acquire and examine Horizon transaction data as part of their criminal investigation and prosecution work and are therefore familiar with not only looking at and analysing data, but can also prepare their own witness statements in support of the evidence they uncover.
“Because we also have strong ties with the security and audit function within Fujitsu, we are also able to take witness statements from them in support of prosecution cases and could use the same links in support of civil matters (indeed, the standard statements that they currently provide to us in prosecution cases were originally drafted with support from our team). I believe our contract states they will provide support in this area.”
So this is, would you read this, Mr Utting making a pitch, essentially, for his team to have some more staff so they can support civil litigation against subpostmasters, as well as in criminal prosecutions?
Roderick Ismay: Yes, it looks like that, yes.
Mr Beer: He makes the point here “We’ve seen they’ve got good links with security and audit within Fujitsu”.
Now if we scroll down, please, to the bottom, to “The sting in the tail”:
“It needs to be understood that as the people running the system and its diagnostics, only Fujitsu can provide evidence that the system is working correctly. All we can do is look at transactions, identify the dodgy ones, and provide some idea of what has gone on and who did it. So you might find that there has to be a lot of input from Fujitsu on this from a witness statement and court attendance aspect.
“I have spoken to Rod about this issue and as we are in the throes of a 20% reduction, unless I’m able to keep two of the CM2 heads that I am being asked to lose, I will not be in a position to undertake this work. I have asked Rod to speak to Peter C about this and see where we stand.”
Is that “Rod” you?
Roderick Ismay: I think so, yes.
Mr Beer: What involvement did you have in this issue, then?
Roderick Ismay: I don’t know. Tony Utting reported to me at that time.
Mr Beer: Sorry, I missed that?
Roderick Ismay: Tony Utting reported to me at that time.
Mr Beer: Yes.
Roderick Ismay: So the Post Office was undergoing one of several headcount reduction exercises at the time. I would have been talking to Tony about if a reduction that – it says 20 per cent reduction here, if we’ve got to reduce our headcount by 20 per cent in the investigations team, how do we structure ourselves to being able to best do the job that the team is there to do? How do we structure ourselves in the context of a 20 per cent reduction?
I guess, as you’ve said here, Tony’s – looks like he was beginning to take on some more work but he can’t take the work on if he hasn’t got more heads and he certainly can’t take the work on if he’s got less heads. So he must have escalated that to me to talk to Peter Corbett about.
Mr Beer: That’s the reference to Peter C?
Roderick Ismay: That will be Peter Corbett, yeah, so he’d be my boss, the Finance Director, and we’d have been having a conversation about, “Well, is it in the wider business interests that that headcount reduction target applies at that level to this team?”
Mr Beer: Were you in favour of security taking on this additional role?
Roderick Ismay: I think I probably would have been. I think the sense of if a team is experienced in collating court files, then why wouldn’t such a team with that experience ensure consistency across other functions? Now, I would always have the civil law team and the criminal law team taking the lead on what’s, you know, guiding what needs to happen in there but, as somebody looking at process improvement in the organisation, if there’s – in simplistic terms, if there’s an opportunity for something that sounds similar – two things that sound similar to be done by the same team, that sounds like a sensible thing.
Mr Beer: Was it the case that you viewed civil claims and criminal prosecutions as really two sides of the same coin, namely debt collection?
Roderick Ismay: No. I think the thing here was that, as Tony is saying, the compilation of the evidence, there’s a similar collation process to be done. So this wasn’t about debt recovery at all and, like the previous point, where you said the two things that kind of overlap, the concept of investigations and how one conducts it is going to lead to the creation of and the identification of a debt situation. It’s not going to – that’s not going to collect the debt.
Mr Beer: Can we go over the page, please, to page 88.
I think this is the reply. In fact it pre-dates it. It may be that the earlier email was a reply to this one. In any event, Mr Cole says to Messrs Utting and Baines:
“With regard to the provision of an analyst to deal with civil litigation cases, could you confirm this is appropriate to your department … The steer from the …”
Is that Executive Committee, the “EC”?
Roderick Ismay: Yes.
Mr Beer: “… is that they are sympathetic to additional resource being provided …”
Can you recall whether this went up to the Executive Committee?
Roderick Ismay: No, I can’t. I mean, this indicates that it did. I can’t recall whether it did, but it looks like I would have been speaking to Peter Corbett about it and he was a member of the Executive Committee. I don’t know whether this – I don’t know what happened about how this went to the EC.
Mr Beer: Was, again, this all part of a drive by the Post Office to recover more money from subpostmasters?
Roderick Ismay: No, this was about how a case is collated.
Mr Beer: Can you recall a phrase in this period, namely “ARQ data”?
Roderick Ismay: I can remember the phrase, yeah.
Mr Beer: What did you understand ARQ data to be?
Roderick Ismay: My understanding is that I think ARQ data was a – some sort of extract of transactional data summaries at a branch level, that would, I think, be – in a Post Office branch you could run a balance snapshot report and you could see something that showed sort of transactions there’s been in a week and what cash and stock you were left with at the end of the week. I think an ARQ report was a way of interrogating the system centrally to sort of recreate the same audit trail of what transactions had been done.
Mr Beer: In broad terms, were you aware that the branch data store only retained data for a limited period and it was sometimes necessary to obtain that from outside that period from servers which retained it?
Roderick Ismay: Yeah, I think so, yeah.
Mr Beer: Can we look, please, at POL00039154. This is an email chain. It’s from much later, outside of the period. It’s got the subject line “Re: East Ham”, and then there’s a FAD, a branch code. It includes email exchanges between Andrew Winn and John Dutton. Broadly speaking, without going through the weeds of it, Mr Winn wanted to procure some ARQ data in respect of a transaction. There are some delays in the process and John Dutton sought from advice from Mr Winn.
Can we look, please, at that top line. It says, from Mr Winn to Mr Dutton:
“It looks like I am going to have to spend some money to get the evidence. I need to talk to Rod.”
Would that be you?
Roderick Ismay: Yes, I think so, yeah.
Mr Beer: Back in 2003 to 2006, did you have any role in authorising the expenditure of money to obtain ARQ data?
Roderick Ismay: I don’t think so. I think I became aware that there was a limitation on how much ARQ data could be pulled. I don’t know if it was when I was doing investigations or when I’d got in the FSC. At some point, while I was there, I know the issue arose that that the contract with Fujitsu, I think, limited how much ARQ data could be pulled and that, if an additional request that went over and above that limit was submitted, the Post Office was going to have to pay for that. I can’t remember when that – when I became aware of that but, certainly during my tenure there, at some point I found out and heard of ARQ and, at some point, became aware that there was a limited access to it.
Mr Beer: So it would have been outside the period when you were Head of Risk and Compliance?
Roderick Ismay: I’m not sure. I don’t know whether it was in there or not.
Mr Beer: Did you understand that there were divisions of data, some being obtainable from a system called Credence, some called standard ARQ data or just ARQ data, and some called enhanced ARQ data?
Roderick Ismay: I was aware there was Credence. I don’t recall enhanced ARQ as opposed to ARQ. But, certainly, I know Credence was different. Credence was a separate system.
Mr Beer: What did you understand to be the difference between data obtainable from Credence and ARQ data?
Roderick Ismay: I think that ARQ, I think, would have had – was going into the Horizon data store and would have got all of the information that it could interrogate in there, whereas I think Credence was the same totality of transactional data harvested from the Horizon System and put into a separate database but I think it was more about the transactional data, rather than the balances of cash and stock on hand. So I think Credence would have been something that – I think then genesis of it was more about sales MI data, sales management information data, and, therefore, I think it was more about transactions.
So if Andy had had a query from a subpostmaster that he was looking into, that would have been a query, most likely, that would have involved the possibility of it being about the transactions and a possibility of it being about cash and stock on hand. So he would have wanted the totality of it and it’s possible that Credence didn’t have that whole dataset in it.
Mr Beer: Was there a written policy for those conducting audits and investigations which set out when and in what circumstances they should obtain ARQ data?
Roderick Ismay: I don’t know.
Mr Beer: Was it the case that ARQ data was obtained in all cases of an audit in which a subpostmaster disputed that a loss was due to their conduct?
Roderick Ismay: I don’t know but I would have thought it would have needed to be because of the time period, given that there were – if there was local data only held for a certain period on the store within the counter, before it all went on to online onto the central system. So if there was a limitation on the time period when data was held at branch level, then I would have thought that the – a conversation about understanding the situation at the branch could well have begged questions going back days or weeks before the period that was still on hand there.
Mr Beer: So would you agree that, if ARQ data was not obtained and interrogated in all cases in which a subpostmaster said that a loss was not attributable to their conduct, one could not confidently respond “The loss is due to you”?
Roderick Ismay: I think if the – and I can’t remember how long the data period – but, say, if it was 100 days of data that was held locally in the branch still, if the subpostmaster said or the colleague in the Crown Office said, “This issue happened two weeks ago”, that would be within the 100 days of data that was held in the branch and, therefore, there wouldn’t be a need to pull ARQ data from preceding period because the colleague in the branch was challenging a more recent period.
So I don’t think I’d expect that ARQ data would have to be pulled in every case but, if there was a lack of clarity about when an alleged issue had happened or if a colleague in branch said “This thing has been going in for a year”, then I would have thought that ARQ data would need to be obtained for that earlier period.
Mr Beer: So the answer my question was: it would need to be obtained if the relevant transactions occurred in a period only covered by ARQ data?
Roderick Ismay: Yes, I would think so, yeah.
Mr Beer: Was that, to your knowledge, the approach: that in all audits and investigations, it was so obtained?
Roderick Ismay: I don’t know. That’s what I’m thinking should have been the process. I wish I could say that I knew but I don’t.
Mr Beer: Is that because of the frailties of memory or because it was not something that you would have involved yourself in at the time?
Roderick Ismay: Could have been either. I don’t know, I can’t remember.
Mr Beer: Can we move forward within this period. Ernst & Young were the group auditors of Post Office Group at this time, yes?
Roderick Ismay: Yes.
Mr Beer: Therefore, they were the auditors for Post Office Limited?
Roderick Ismay: Yes.
Mr Beer: What liaison did you have in this period 2003 to 2006 with Ernst & Young?
Roderick Ismay: In 2003 to 6, I think I would have met Ernst & Young to share the information that was coming from, say, talking them through the Compliance and Risk Committee. I think if there has been a management letter point that related to things within my teams then I would have met Ernst & Young about that. And I think I probably attended – quite possibly attended the audit planning meetings, which would have been ahead of the audit starting, and the audit closing meeting at that time, I think.
Mr Beer: Were you the key contact between Ernst & Young, as Head of Risk and Audit and Compliance?
Roderick Ismay: No. So although I’d worked for Ernst & Young before, the key contact for the audit, which I think would be standard in most companies is sort of the equivalent of a financial controller type role, who is somebody who is responsible for the financial processing. That person was typically the person who has got the lead role with the external auditors.
And so I wasn’t managing a processing team and I wouldn’t have been the lead person on the audit relationship, no.
Mr Beer: As well as financial auditing, did Ernst & Young produce service audit reports that concerned the Horizon processing environment?
Roderick Ismay: Ernst & Young would have done some testing of the IT environment in totality, which would have included – Horizon would have been part of that.
Mr Beer: Was that in each of the years 2003 to 2006?
Roderick Ismay: Well, I think they would have done that in any audit, in any year.
Mr Beer: You said some testing of the IT as a whole, I think.
Roderick Ismay: Yes.
Mr Beer: What testing did Ernst & Young do of the IT as a whole?
Roderick Ismay: The IT as a whole would include the central finance system, which has got accounts payable and accounts receivable going through it. So the testing would be of that. The testing, I think, would be things like what are the change control documentations for things that have happened in the year, and I think they would request the ability to run what would be called – and apologies that there’s many different things that get called audit, but I think in a system you’d usually have an audit log where you could say what things have happened to that system during the year.
The auditors could then look at that audit log and say, “Ah, there was a software upgrade, there was an accounts payable module, for example, was added to the system”, and where the auditors – so if the audit log said “There’s been no changes to the system in the year”, the auditors might say, “Well, we tested the system last time there was a change, given that the audit log says there hasn’t been any changes this year, there isn’t a need to test something because there hasn’t been a change from what we tested last time”.
But if there are things that have changed in the system, then they would look at some of the documentation around how was that change deployed in a controlled manner?
Mr Beer: You said in that that they would look at change control?
Roderick Ismay: Yeah.
Mr Beer: Would that include occasions on which Fujitsu had changed financial data within branch accounts?
Roderick Ismay: Well, I understood that wasn’t happening at the time. I think the audit process by change control wouldn’t have been about that. Now, if they’d been aware of it then they may have chosen to test it, but change control would have been about a change to the software script was being done, and they would have been looking at the change controls, as I say, around the system has had a new module attached to it, or the system has been upgraded to Windows 10 instead of Windows 9, or something. Those are the kind of changes that would be the changes to the system. Not changes of – as in a transaction being entered in a system.
Mr Beer: Would you expect this element of the audit to have established the extent to which Fujitsu had remote access to branch accounts?
Roderick Ismay: I guess I’d expect that security and permission controls would be something that would be looked at and so – to understand. So I think one of the audit management letters that was issued did talk about SAP_ALL access, for example. That’s in the central SAP system, not in the Horizon system, but a user who has got SAP_ALL access, there’d be a log that says who are the people who have got SAP_ALL access and then you might ask well is it appropriate that anybody has got SAP_ALL access? And if they have got it, what are they using it for? And let’s run an audit looking of what things have been done under that profile in the year.
So I think there would be an element to an information systems assurance review that would look at what types of profile of user are there, and what is the extent of –
Mr Beer: Their permissions?
Roderick Ismay: Permissions, yes.
Mr Beer: That document can come down from the screen, by the way?
Was there a standard which Ernst & Young conducted this audit against, ie a measure, whether a domestic or international standard?
Roderick Ismay: Yes, so auditors are subject to audit standards. So there are –
Mr Beer: I’m thinking about specifically this aspect, whether there was a standard of assurance for financial processes or processes with a financial risk for an organisation?
Roderick Ismay: No, I think – I’m not sure what phrase to use, the regulatory body for auditors in general has got particular themes of things where it would say objectivity, or IT systems assurance, here are principles that one should follow in there. So there would be some, if you like, industry standards that would apply to any auditor who was looking at something to bear in mind in how they conducted an assurance review of an IT system.
Mr Beer: Were you the recipient of the annual report that Ernst & Young produced?
Roderick Ismay: Yes. So I think in my – in that initial role, the first three years, I think I would have received the whole audit report for that. When my role became more specific in Product and Branch Accounting, I don’t think I did receive the full audit management letter because some bits were irrelevant to me, such as an element about payroll was nothing to do with me.
Mr Beer: Can we move forwards, please, to when you took over as head of Product and Branch Accounting in 2006, September 2006 onwards.
Roderick Ismay: Yeah.
Mr Beer: What did the role of Head of P&BA involve when you took it over?
Roderick Ismay: It involved the leadership of a team whose responsibilities were to ensure that a central ledger was maintained to pay Post Office clients the correct amount of money or claim from them the correct amount of money in respect of transactions that had been conducted in Post Office branches and through Post Office online services.
So my team was about – so there’d be an IT infrastructure that would feed Horizon data and website transactions through to what at one point in time was called the POL-FS system, and I was responsible for making sure that my team was using the POL-FS system to settle the right amounts to clients on time.
Mr Beer: What was the structure of P&BA?
Roderick Ismay: I think I had either five or six direct reports at different times during my tenure there.
Mr Beer: What were they called: managers?
Roderick Ismay: Yes, they’d be senior managers in the – in my team, yes. So I –
Mr Beer: How many people, as a whole, worked in P&BA?
Roderick Ismay: I think when I joined there was round about – I think when I took it over in 2006, I think there were about 240 people.
Mr Beer: When you arrived in P&BA, it was just as the IMPACT project was rolling out through what we know as release S90; do you remember that?
Roderick Ismay: There were lots of Ss, I can’t remember which, there was S80 and S90, I can’t remember which one was which, but I think when I joined it I think IMPACT had been deployed and I was joining some months after IMPACT had happened.
Mr Beer: So never mind the release number.
Roderick Ismay: Yeah.
Mr Beer: You remember that when you joined it was just as the IMPACT programme was being rolled out?
Roderick Ismay: Yes, yeah.
Mr Beer: The Inquiry has heard from a witness saying that this project led to “a lot of issues flying around”, and Product and Branch Accounting, which was based in the same building as him, he was aware that there was a lot of stress coming from there that needed resolving, concerning feeds from branches, things falling into the wrong accounts and the accounts not functioning as planned.
Does that ring any bells to you of the situation when you arrived in P&BA?
Roderick Ismay: Yes.
Mr Beer: Did it go beyond what that witness, Mr Winn, has identified?
Roderick Ismay: Well, I think he’s referred to that in about 2009 or 10 in his transcript. I – so IMPACT was deployed in 2005 or 2006. I think we had a lot of issues that ran right through that whole period and the – sort of the genesis of the issues at the start of it were you’ve got a load of files that you’re loading to the system. So we’d got – there was an old system called CBDB and Class, I think it was called.
We put this SAP system in. The data out of the old system needed transferring into the new system and it was an enormous amount of data and then continuity of the interfaces from branches needed to continue, such that we’d got all the stuff out of the old system migrated over, and knew that the branches were going to be plugged in from Day 1 for their information feeding into the system.
I think that when – on the day that system IMPACT migration happened, I think there were file load issues that meant the whole of the data out of the previous system was put in and then it had to be pulled out again and then it have to be put in again, and there was a constant issue for Product and Branch Accounting that the enormity of the data that was coming out of the whole of the Post Office Network meant that you’d got to – you had to stay on to be of processing a day in a day, and it was a heck of a lot of data that you were processing in the day, in respect of yesterday’s transactions.
There was a lot of anxiety about, if we’ve got to keep backing out data files and putting them in again, that itself adds to the overnight cycle of things that get on, and so we don’t want to get in a position where we’re not going to be able to continue processing a day in a day’s data, as well as sorting out the migration stuff.
So that caused a lot of headache at first. The migration data was put into the system, a day in a day data was managed, so I think we did manage to avoid getting in a position of not being – having two day’s data to process and never catching up, but the POL-FS system, when it went in, users were finding it quite slow.
So there was an enormous amount of data. An individual in my team might have responsibility for a particular product. So you might go into a Post Office branch and do a savings product, for example, there’d be a ledger centrally for that savings product, and people were looking at egg timers, they were trying to interrogate something and they just couldn’t interrogate it because of egg timers. So we were livid with the kind of IT environment of the egg timers that we’d got on there. That was causing a lot of angst in the team that Andy would have seen and heard amongst his colleagues in the team.
And in the following years, we continued. We were receiving an enormous amount of data, an enormous load of individual files from branches and cash centres every day, and from corporate clients who were sending us files. Sometimes the IT interfaces got slowed down and a particular file somehow didn’t come in and there would be an alert that would tell us that file hadn’t come in but, if a file didn’t come in, we couldn’t do all our normal processing on time, we’d have to wait until that file was, in order to be able to match transactions which might lead to a conversation with the branch about transaction correction.
So we were frustrated that sometimes there were file load timing issues, there were cases that some of the documents in the witness packs refer to about files loading the wrong way round, that was a frustration, and there was a controlled way to back the file out and put the file in again. But, frankly, my team, we were tying to be up to date for real – for as much as we could possibly do it, as close to realtime conversations with subpostmasters as we could, and having prompt and reliable settlement arrangements with our corporate clients, and we were furious that we were having issues in the infrastructure that were slowing down our ability to do those routines, and that’s the sort of stuff that Andy was – the vibes he was feeling from members of my team, including me.
Mr Beer: Did you draw, from all of that basket of serious concerns, any views as to the competence and professionalism of Fujitsu?
Roderick Ismay: My view from the correspondence that I had with Fujitsu was that they took seriously each topic that was coming forward and were responding in a – what seemed like a sensible manner to the particular issues that we identified. However, there were too many of them. So I’d a concern that there were too many file load issues that were going on, each one of them, I think, was handled in an appropriate manner, but why does this keep happening?
Mr Beer: What did you answer that question with: why does this keep happening?
Roderick Ismay: Well, so I asked – we had several different heads of IT during my tenure of being there but, at some points during that, I would have, and I did, say “This is impairing the ability of my team to do its job on a timely basis, we’ll do it right and we’ll give a certain time period delayed in doing the job correctly but it’s got good enough that we’re being delayed by technology issues”.
But I understood at the same time that the Post Office was going through an enormous IT transformation, so it was reinventing its network, working with different people to run the network, going online. It was entering – it had entered financial services, entered telephony, broadband, home phone, a lot of new products being deployed through branches and through its websites. It was deploying an IT tower strategy that I don’t understand the detail of it but going from a kind of a layered IT architecture to a verticalised one which was enormous. And it was going to lead us to a situation of being able to – if we needed to remove an IT supplier and put another one in, I think the tower strategy was going to take us to a place where you could change your IT suppliers more easily because, every four or five years you probably do need to change suppliers sometimes on things, but I think the enormity of the all of the transformations that were going on across the whole of the IT estate, meant that there was limited resource to kind of respond as fast as you’d like to some of the issues that were going on.
Mr Beer: So you didn’t draw any negative views as to Fujitsu’s competence and professionalism?
Roderick Ismay: No, I don’t think I – no, I don’t think I drew negative views about their competence and professionalism. I was frustrated about capacity.
Mr Beer: I’m going to turn now to a report that you wrote in August 2010, the so-called Ismay report. Can we look at it, please? It’s at POL00026572.
We can see that it was written by you. We can see that from the top right-hand side “From Rod Ismay, Head of Product and Branch Accounting”.
Roderick Ismay: Yes.
Mr Beer: We can see the date of it, it’s 2 August 2010, and it’s, I think, 36 pages long.
Roderick Ismay: This – the additional bundle that I’ve received has got the page settings right on it so it’s 20 pages long. We had a Microsoft Windows upgrade at some point, which threw out the page numbering of all the documents that had been written pre-that Windows upgrade. So this looks like an untidy version of it. The actual version which is in the additional bundle is 20 pages long and the page flows much more sensible.
Mr Beer: I understand who commissioned you to write the report?
Roderick Ismay: Dave Smith.
Mr Beer: What was Dave Smith’s job at that time?
Roderick Ismay: He was Managing Director.
Mr Beer: Of?
Roderick Ismay: Of Post Office Limited.
Mr Beer: What were the terms of reference for the writing of the report?
Roderick Ismay: I don’t think there was written terms of reference for it, but the terms of it were to understand the reasons why Post Office should be able to take assurance about the Horizon System, what are all those reasons of positives? So this was obviously an ongoing situation where some allegations were being made about Horizon. Dave, I think, was relatively new to Post Office. I think he was only Managing Director for about a year. I think he came from somewhere in Royal Mail and went back to somewhere in Royal Mail.
In the period that he was there, I think that, given the comments that he was hearing allegations, this was a question to me to say, “Well, you know, what’s the counterargument to this?”
Mr Beer: You would have understood that the task you were being asked to perform was a very significant one, wouldn’t you?
Roderick Ismay: Yes, yes.
Mr Beer: Why were the terms of reference for it not reduced to writing?
Roderick Ismay: Well, they should have been, in hindsight and I’ve commented in my witness statement on some things that, in hindsight, should have been different. I think –
Mr Beer: Why does it take hindsight to realise that the writing of a report of very great significance ought to have written terms of reference?
Roderick Ismay: I think, sadly, because, in the heat of the moment, there was a need to construct this report and it was quite clear – it was quite clear to me that they were saying “What are the reasons to take assurance?” and that, in itself, was, you know, a pretty simple scope, “What are the reasons to take assurance?” And that’s what I’ve listed out, having had conversations with lots of people, I’ve listed those out on the – on most of the pages of the report.
Mr Beer: You said it was constructed in the heat of the moment. How long did it take you to write the report?
Roderick Ismay: I think it was couple of weeks.
Mr Beer: Was it hot during all of that two weeks?
Roderick Ismay: It was hot because there was so many things going on in the Post Office. So we were probably on another precursor to gearing up for Royal Mail privatisation. I’d got lean process improvement reviews going on in my team, the business was always restructuring, I’d got headcount reduction targets, I’d got all the file load issues that were just alluded to in the previous session. My job was red hot with lots of things going on in it and this was a hugely important piece of work in the context of a really challenging period of all sorts of organisational changes going on.
Mr Beer: But it was done in such a rush that there wasn’t time to reduce the terms of reference to writing?
Roderick Ismay: Well, that seems odd in hindsight, I realise. But, no, I think I felt at the time that the question was quite clear, “Please can you list out the reasons for assurance?” And, to that extent, I’m not sure if that needed terms of reference of beyond it. What are the reasons for assurance? Well, I’ve listed them out.
Mr Beer: So you weren’t given free rein to write what you wished, you were directed only to include reasons that gave reassurance?
Roderick Ismay: Yes. Yes. So I appreciate that, looking at this document cold, it could look imbalanced –
Mr Beer: But that’s the task you were given?
Roderick Ismay: The task I was given was what are the reasons for assurance? I wasn’t given the task of what are the allegations and can you investigate them? That was not the remit of this.
Mr Beer: You were only asked to present one side of the coin?
Roderick Ismay: Yes.
Mr Beer: If we just scroll down, please.
Sir Wyn Williams: I don’t wish to be crude but some people call that a whitewash. Do you think that’s what you were engaged in?
Roderick Ismay: No, I think they – allegations had been made, but somebody like Dave coming into the organisation wasn’t hearing – and he was finding his feet in the organisation –
Sir Wyn Williams: But just telling him one side of the story was hardly educating him, was it?
Roderick Ismay: Well, that was what he asked for.
Sir Wyn Williams: So that’s why I was a bit blunt. Was he asking, in effect, for information which would allow him to bat away the criticisms of Horizon?
Roderick Ismay: I think he was asking for information in order that he could get a balanced view because – yeah.
Sir Wyn Williams: All right.
Mr Beer: You told us that you were asked to write a report that gave reassurance and that presented one side of the coin. Can you see in the third paragraph on the page there it reads:
“This paper has been compiled as an objective, internal review of POL’s processes around branch accounting.”
Roderick Ismay: Yes.
Mr Beer: If you were asked to present only one side of the coin, in what sense was the report objective?
Roderick Ismay: It was objective about the processes and controls that were in place there but it was incomplete in that it didn’t tackle the allegation areas. But I think it was an objective assessment of the areas where there were positives.
Mr Beer: Do you understand “objective” to mean based on real facts, not influenced by personal beliefs or feelings, or not constrained by a pre-determined set of criteria?
Roderick Ismay: Yes, yeah.
Mr Beer: This report was none of those things, was it?
Roderick Ismay: I think it was a – an objective conversation with people about processes, controls, recruitment, training, opportunities to cold call centres. The report doesn’t comment on the effectiveness of those. It wasn’t an audit. So it’s an objective list of things that each team said were the reasons to take assurance.
It is incomplete in that it doesn’t have the negatives but I wasn’t asked to collate those. But I think it is an objective, assess – listing of the other arguments.
Mr Beer: Can we look, please, at page 31 of the report. This is one of the appendices to the report and, in this printed version, it’s a four and a half page document produced by Gareth Jenkins; can you see that?
Roderick Ismay: Yes, I can, yes.
Mr Beer: You relied on this report from Mr Jenkins in order to reach your conclusions, didn’t you?
Roderick Ismay: Yes. So I don’t think I spoke to Gareth during the course of putting this report together. I think I spoke with colleagues, and so I’ve named people on the front of it, and I spoke to people within the Post Office who were part of their teams, and somebody has provided this as part of that.
Mr Beer: In what sense did you think that asking the person responsible for designing and maintaining the system, whether the system that he had designed and maintained had integrity was in any way objective?
Roderick Ismay: Because – I understand what you’re saying there.
Mr Beer: Can you answer the question, then?
Roderick Ismay: Yeah, I’m just thinking how to answer the question there. So the people separate to Gareth who I asked the question of were telling me that it was reliable. So people within our own IT team. Gareth is saying the same here. Short of doing an audit, I don’t know what else I could have done, other than take those assertions from individuals. Now, I think the report should have said these are untested assertions, as in untested by me during the course of collating this report, and my report doesn’t say that.
Mr Beer: Why not?
Roderick Ismay: It should have done.
Mr Beer: Yes, but why didn’t it?
Roderick Ismay: Because I was so busy putting the thing together. At the end of a report there’s always things that you think in hindsight “I could have done that in it”, and at the time it didn’t occur to me that it needed to have got that statement in it.
Roderick Ismay: No, it didn’t. It didn’t, no.
Mr Beer: You tell us, if we just move to paragraph 39 of your witness statement, please, which is on page 10, you say, “Regarding” then you give a character string, which is the document we’re looking at, that’s the report:
“Regarding [the report] I confirm that I did write this report, after being asked by David Smith to conduct a review in light of the challenges being made about the system. It was a summary of existing conclusions …”
Yes?
Roderick Ismay: Yes, yes.
Mr Beer: If we can go back to the report, please. POL0002 – thank you, and then look at page 1, three paragraphs in. Where here does it say, “This report is restricted to being a summary of existing conclusions, not a fresh investigation”?
Roderick Ismay: It doesn’t.
Mr Beer: Why not, if that’s the task you were being asked to perform?
Roderick Ismay: Because, at the time when I wrote this, I thought that was – as I thought through what have I collated here, that was what I felt at the time was the description of the report that I’d compiled.
Mr Beer: You’ve rebadged the report up in your witness statement as just a collation or summary of existing documents, haven’t you?
Roderick Ismay: Well, it is.
Mr Beer: Why doesn’t it say that in the report itself, “This is just a paper exercise of writing down what’s already known”?
Roderick Ismay: It was a paper exercise of writing down what was already known but which had not been collated in a form that the managing director had got any kind of summation of all those reasons. So, yes, it was a paper exercise but, given that nobody had put together such a list before, at the time it was considered quite helpful to have collated that list of things there.
Mr Beer: It says something different, doesn’t it, in this third paragraph: it’s been compiled as an “objective, internal review”. That reads as if you’ve applied your mind to it, doesn’t it? If you were just gathering bits of paper together you wouldn’t need to say that, would you?
Roderick Ismay: No, so that’s the wrong wording, yes.
Mr Beer: Were you trying to give the wrong impression there –
Roderick Ismay: No.
Mr Beer: – to a reader?
Roderick Ismay: No.
Mr Beer: How long did it take to write the report itself?
Roderick Ismay: I think it was going on over a couple of weeks.
Mr Beer: Was that separate from the time it took you to review material and gather material, or was the whole process a two-week process?
Roderick Ismay: I think the whole process was a couple of weeks, yeah.
Mr Beer: Did anyone assist you with the task of undertaking the review?
Roderick Ismay: No. I met and talked to lots of different people and some things in here, like there’s some tables towards the end of the document, and Gareth Jenkins’ report, some of the pages in there are copies and pastes of things that people sent to me. I have then pasted them into this document and it’s only me that’s typed the things that’s in this document but that came out of lots of conversations with lots of other people.
Mr Beer: So we should understand, other than when you’ve cut something in to the report, whether by way of table or appendix, that these are your words and your words alone?
Roderick Ismay: That is my typing alone but it will be phrases that may have come from some of my conversations with the people that I’ve talked to in collating it.
Mr Beer: But you take responsible for what’s in here?
Roderick Ismay: I take responsibility for having typed what’s in here. If I’ve typed something that was a statement given to me by somebody else, I don’t take responsibility for the veracity of what that individual has said to me but I take responsibility for having asked them a question, they’ve given me some answers, and –
Mr Beer: And you’ve typed it up?
Roderick Ismay: I’ve typed it up.
Mr Beer: Are you reducing your role to that of a typist?
Roderick Ismay: No, because I think I had lots of questions that I asked people in order to be able to put together and structure something in a sense of looking at control systems, escalation processes, there’s a kind of structure to this document. But then that collates lots of information that other individuals have given to me.
Mr Beer: Can we look at the paragraph headed “Executive Summary”. In the second sentence, it says:
“We remain satisfied that this money was due to theft in the branch – we do not believe that the account balances against which the audits were conducted were corrupt.”
Can you see that?
Roderick Ismay: Yes, I can.
Mr Beer: You’ve used the word “we” twice in that sentence, haven’t you?
Roderick Ismay: I have.
Mr Beer: Who’s the “we” in that sentence?
Roderick Ismay: That is me speaking as we, the Post Office, and we, the Post Office, being represented by the individuals that I’ve talked to being a voice from different functions and, collectively, that “We” of all those people were remaining satisfied, as it says here.
Mr Beer: Does the fact that you’ve written in this way reflect a desire to set out a corporate position?
Roderick Ismay: It was setting out to Dave a “we” that reflected that all the teams that I worked with to collate this were satisfied. So it was an assurance to Dave, who had asked for “What, of all those reasons are positives”, I’m saying “I’ve talked talk those other people and we, being all these people and me, are feeding this back to you, we are satisfied. Here, Dave, is that summary”.
Mr Beer: The people you spoke to had various fingers in the pie to do with systems, processes, controls, IT, network, audit, security, legal.
Roderick Ismay: Yes.
Mr Beer: Did each and every one of them say to you “I remain satisfied that all of the money missing is due to theft in the branch. I do not believe that the account balances against which the audits were conducted were corrupt”?
Roderick Ismay: No, that phrase is my summation of all of the conversations with people.
Mr Beer: It’s you speaking there?
Roderick Ismay: That is me summarising what all those different teams have said to me. That exact wording is not something that each team out there used. However, all of the teams that I spoke to said, in whatever different types of words it was, that they were happy that Horizon worked. So –
Sir Wyn Williams: So that I’m clear, every single person whom you consulted remained satisfied that money was due to theft – money missing was due to theft in the branch and every single person you consulted was of the view that the audits were not corrupt?
Roderick Ismay: Right, I’ll break that down. So it’s a subset of a “Yes”, this answer here. So when I spoke to people in the IT team, they’d be satisfied that Horizon worked. Somebody in the IT team wouldn’t be able to take a view about was it external theft or internal theft or money that had gone down the back of the drawer. So the IT people wouldn’t be able to take a view about was it theft, but the IT people would say, “I was happy about the system”.
Whereas another team that I spoke to, who might be a colleague in the Network team, they wouldn’t be able to take a view about was the system robust because they’re not the IT team, but they would have a view from the audit evidence that had come out that would say “Well, we’re satisfied it looks like theft”.
So different people that I spoke to would have got assurance about a different piece of this jigsaw but, collectively, that whole jigsaw distills into this phrase here.
Mr Beer: The way to write it, then, if that’s the truth, is to say, “I’ve consulted with disparate parts of the organisation, aggregating the information that they’ve given me. I am satisfied that the money is missing due to theft”, et cetera, isn’t it?
Roderick Ismay: I could have structured it to say “I’ve consulted these organisations and, based on what they’re saying, I’m satisfied that, collectively, all these teams are assured about this”. I don’t think I could have said something that says, “I am satisfied” because I’ve placed some reliance on what another person has said about the area of their expertise in there.
Mr Beer: If you didn’t test what any of the people were telling you, you personally couldn’t be satisfied in any way at all, could you?
Roderick Ismay: I haven’t audited it. This wasn’t an audit, no.
Mr Beer: No. You couldn’t vouch safe for anything they told you?
Roderick Ismay: So perhaps the phrase “we remain satisfied”, perhaps there was an alternative to “we” –
Mr Beer: Maybe “they” should be the phrase?
Roderick Ismay: Well, they.
Mr Beer: “Some people I’ve spoken to, they are satisfied that …”
Roderick Ismay: Yeah.
Mr Beer: So why did you write it this way? Are you not trying here to set out a corporate position, to give reassurance to the reader that the entire organisation is satisfied that this loss of money is down to thieving postmasters and is nothing to do with data integrity?
Roderick Ismay: No.
Mr Beer: That’s what you’re doing, isn’t it?
Roderick Ismay: No, it’s not.
Mr Beer: Why did you use these words?
Roderick Ismay: Because it’s very easy to look at a report in hindsight and think that could have been worded differently but, at the time, that felt like the right –
Mr Beer: This isn’t playing with words. This is examining the natural meaning of what you wrote, and I’m asking you: why did you write it in this way?
Roderick Ismay: Because that was how – that felt like the right wording for the assurances that I was getting from all of the teams at the time.
Mr Beer: Why were you picked to write this report?
Roderick Ismay: I think because the nature of my role in Product and Branch Accounting meant that I’d got quite an overarching view of lots of things in different teams, not necessarily having the expertise in lots of different teams but a level of understanding of what was going on in different teams. And I think because Dave went out to different parts of the organisation to meet people, as he joined, as part of his welcome and introduction. He came to Chesterfield at some point. I think because we would have talked about branch accounting and client accounting then, he probably sensed that I’d got a breadth of understanding in order to be able to work with people to collate this report.
I don’t know why he didn’t ask for an auditor or somebody else to do it but –
Mr Beer: I’m going to come to that in a moment, probably after lunch.
Roderick Ismay: I’m sure, yeah.
Mr Beer: Do you know whether any directors were involved in the decision to pick you?
Roderick Ismay: No, I don’t know.
Mr Beer: Do you know whether your selection was discussed at board level?
Roderick Ismay: No, I don’t.
Mr Beer: Can we look briefly before lunch then at to whom the report was sent and go to the top of the page, please. There’s a distribution list with 14 names on it.
Roderick Ismay: Yeah.
Mr Beer: There are three direct addressees and 11 on the CC list. The three direct addressees first. Mr Smith, David Smith, the Managing Director. Was this report sent to him because he had commissioned it?
Roderick Ismay: Yes.
Mr Beer: Was he therefore the main addressee?
Roderick Ismay: Yes.
Mr Beer: Was there any discussion between you and him before the report was written as to what he would do with the report – do with the report, once it was written?
Roderick Ismay: No, I don’t think so. I think I – my recollection is that this was about he needed a collation of the counterarguments and I thought this was part of his gathering and understanding of that.
Mr Beer: Did you not know the use to which it might be put?
Roderick Ismay: No, I didn’t. So when I – let’s see. I think probably I came down to London one day and Angela took me round to meet some different people in the organisation.
Mr Beer: By that you mean Angela van den Bogerd?
Roderick Ismay: Yeah, I went and I think we’d got some new people who had joined in London and –
Mr Beer: Who were they?
Roderick Ismay: The Chair, so Alice Perkins. So she’d got this report and I wasn’t aware that – I hadn’t expected that that was going to be another audience for the report.
Mr Beer: Why didn’t you expect that it would go up to board level?
Roderick Ismay: Well, I probably should have.
Mr Beer: Why didn’t you but now realise that you should?
Roderick Ismay: Because I was focused on producing something for the Managing Director who’d requested that. I was working on how do I best summarise all this to respond to the question that he’s asked. Yeah.
Mr Beer: Does not the audience for which you’re writing the report and the use to which it might be put condition the task that you undertake?
Roderick Ismay: Yes, it should. Yeah.
Mr Beer: If I’m writing a memo to Mr Blake, I might write it in one way. If it’s to Sir Wyn, I might be more careful.
Roderick Ismay: Yeah.
Mr Beer: Did that cross your mind?
Roderick Ismay: No. I think what I – the way in which I’ve constructed this, I didn’t think about who else it might go to but I would always seek to write something in an objective manner and, obviously, understandably you’re question how objective it is, but I would always seek to write something in a way that would I be happy if somebody else read this? Well –
Mr Beer: Are you happy now?
Roderick Ismay: No, I’m not. I’m not happy now. No. And I’ve said in my witness statements things – that I think it should have had a terms of reference, it should have had attribution of things in there. Some of the phrases that I’ve used like – you’re probably going to ask about the phrase “compassion” that’s in there.
I certainly wouldn’t kind of use that phrase again, that was in there but, at the time, with many, many different things that I was working on, this, which – I burnt the midnight oil to summarise this after all the conversations that I had with people, this felt like a suitable wording that I would have been content if it was shared with somebody else. But I didn’t think through who else might it go to.
Mr Beer: Did you expect it to go to the board?
Roderick Ismay: No, I expected to go to Dave. It’s probably – I’m not surprised it’s gone to the board. I didn’t think through, is it going to go to the board, but I’m not surprised it went to them they.
Mr Beer: The second person on the direct distribution list is Mike Moores, the Finance Director. Why did you send it to him?
Roderick Ismay: Well, he’s my boss. I think he should be a recipient of something that I’m producing, and I think he was involved when Dave asked for it. I think Mike would have consented to my time being redirected to the collation of this, given the number of other things that I’d got going on.
Mr Beer: Was Mr Moores involved in setting the terms of reference for the piece of work that you produced?
Roderick Ismay: No. The unwritten, really short terms of reference, which was list out the reasons, was something that Dave asked for and I presume Mike was happy that that was an appropriate thing to ask for.
Mr Beer: So he was only involved to the extent in giving consent for the abstraction of your time?
Roderick Ismay: Yes, and I think – Mike, again, I don’t think had been in the Post Office Limited for long at that time. So whilst the report has included him as a “To” in the circulation list, he wasn’t somebody who’d got, you know, sort of direct input to make on this because he was relatively new to the organisation as well, I think, at that time.
Mr Beer: The third direct addressee is Mike Young, the Chief Technical and Services Officer?
Roderick Ismay: Yes.
Mr Beer: Why was the report sent to him?
Roderick Ismay: So he – I did speak to him during the course of collating this, and he and I did talk about the structuring of the document in terms of controls, training, just kind of thinking – my conversations with him were about the building blocks of the report of those four sorts of main areas that the report structured under.
Mr Beer: Did he see a draft of the report?
Roderick Ismay: Probably.
Mr Beer: Did anyone else see a draft of the report?
Roderick Ismay: I think probably all this audience. I’d like to think that I would have copied all of them in, in order that they could comment if it wasn’t a fair summary of the things that they’d shared in there. So the question that you asked earlier about the “we”, I think I would have shared this with people before finalising it and, therefore, that would add to the validity of it being a “we”, given that it would have gone through a kind of visibility of the draft of it.
Mr Beer: So you think there ought to exist, rather than this final version we’ve got, a draft or drafts that had been distributed to the 14 people on this list?
Roderick Ismay: Well, there may.
Mr Beer: You think there may?
Roderick Ismay: Yeah.
Mr Beer: That would have been their opportunity to say, “No, we disagree”, and that therefore justifies you writing up “We are satisfied that”?
Roderick Ismay: Yes.
Mr Beer: Is that what you’re saying?
Roderick Ismay: Yes.
Mr Beer: Thank you, sir. That’s an appropriate moment. I’ve got about another hour on the document, so can we break until after lunch, please?
Sir Wyn Williams: Yes.
Obviously you may have lunch with whoever you choose but, if it’s with someone who knows about the evidence in your case, don’t discuss your evidence. All right? Thank you.
The Witness: Thank you.
(1.00 pm)
(The Short Adjournment)
(2.00 pm)
Mr Beer: Thank you, sir.
Good afternoon, Mr Ismay, can we pick up where we left off at POL00026572. We were looking at the distribution list on the front of your report. Can I look to the list of 11 people to whom it was cc’d. Mark Burley, the Head of Projects in IT; Mike Granville, the Head of Regulatory Relations; Lesley Sewell, the Head of the IT Group. Does that mean Head of Group IT?
Roderick Ismay: No, that’s because the page breaks have gone with the –
Mr Beer: Okay.
Roderick Ismay: Yeah, so it’s actually “Group” is attached “RM” –
Mr Beer: For Rob Wilson –
Roderick Ismay: Yes.
Mr Beer: – head of Criminal Law, Royal Mail Group?
Roderick Ismay: That’s correct, yes.
Mr Beer: Andy McLean, Head of Service Delivery; Mandy Talbot, Principal Lawyer (Civil); John Scott, Head of Security; Keith Woollard, Head of Compliance; Lynn Hobbs, GM Network Support. What does that mean?
Roderick Ismay: General manager.
Mr Beer: Michele Graves, Executive Correspondence Manager. Who was Michele Graves, whose office was she in? She was the Executive Correspondence Manager.
Roderick Ismay: She’d either have been in Legal or general secretarial support to the Executive.
Mr Beer: To the Executive Team?
Roderick Ismay: Yeah, yeah.
Mr Beer: Sue Huggins, head of Network Planning and Change. Was that your choice of people to whom the report should be cc’d?
Roderick Ismay: No, I think that came out of speaking with – when Dave asked for the report, and I had conversations with Mike about it, Mike Young, I think that group of people was ones where either I felt they were people who would have relevant input to make or they may have been suggested to me as people to speak to. I can’t remember whether – I think that would have been an agreement, probably with me, Mike and Dave, that this was the relevant audience to ensure that, if you like, all bases were covered within speaking to relevant teams.
Mr Beer: So that’s not just a list of people to whom the report was cc’d, it’s a list of people to whom you would have spoken in order to write the report?
Roderick Ismay: Yes. So either those people or somebody who reports to them that they suggested I’d be speaking to.
Mr Beer: It’s effectively the top slice of senior managers in the Post Office, isn’t it?
Roderick Ismay: Yes, it is. It hasn’t got, for example, anybody from Marketing but, yes, it’s a segment that these would all be part of the senior leadership, yeah.
Mr Beer: There’s nobody there whose job description is given as being in charge of audit, is there?
Roderick Ismay: I think that the Branch Audit Team at the time reported into Keith Woollard, as Head of Compliance.
Mr Beer: Would you agree that internal auditors would be a vital source of assurance within the corporation?
Roderick Ismay: Yes.
Mr Beer: It would have been their job to conduct any internal investigation of this sort that would justify senior managers’ confidence, wouldn’t it?
Roderick Ismay: If an audit was being asked for then, yes, it would be. If somebody was asking for “Can you give me some reasons for assurance?” that might range from asking an individual for some reasons for assurance, it might mean asking somebody to collate things with a wider audience or it might mean initiating an audit which, yes, would mean asking the Head of Audit to do it.
Mr Beer: Can we look at page 19, please. Look at the bottom part of the page, paragraph 4(c). Under the cross-heading “Independent Review and Audit Angles”, you say:
“POL has actively considered the merits of an independent review. This has been purely from the perspective that we believe in Horizon but that a review could help give others the same confidence that we have.”
You continue:
“Our decision between IT, Legal, P&BA, Security and Press Office has continued to be that no matter what opinions we obtain, people will still ask ‘what if’ and the defence will always ask questions that require answers beyond the report. Further such a report would only have merit as at the date of creation and would have to be updated at the point at which Horizon or the numerous component platforms were upgraded.
“Ernst & Young and Deloittes are both aware of the issue from the media and we have discussed the pros and cons of reports with them. Both would propose significant caveats and would have limits on their ability to stand in court, therefore we have not pursued this further.”
You say in the first sentence there “POL has actively considered the merits of an independent review”. Who within POL actively considered the merits of an independent review?
Roderick Ismay: I think that the discussion between all the representatives of the teams on the first page, people within those areas at some point had questioned whether a review was needed and decided that it wasn’t because they were confident for the – all of the reasons, as stated, that one wasn’t appropriate.
Mr Beer: So it’s the 14 people on the first page have actively considered the merits of an independent review; is that right?
Roderick Ismay: Somebody in their teams had.
Mr Beer: I’m sorry?
Roderick Ismay: Somebody in their teams had. I’m not saying and I don’t know if those 14 named individuals were the specific people who’d done this, but people in the Post Office had considered it. I can’t remember who the people were specifically who’d done that.
Mr Beer: When was that active consideration of the merits of an independent review done? Was it done for the purposes of writing this review or on another occasion?
Roderick Ismay: No, I think that goes back earlier than this review because, clearly, the allegations had been raised for a much longer time than the couple of weeks that I referred to as the period for this report.
Mr Beer: So you’re referring to a process going back in time, on disparate occasions, involving different people.
Roderick Ismay: Yeah, yes.
Mr Beer: Was a record made of any of those decisions on a previous occasion, by any of the 14 people listed on page 1 or people within their departments, of the merits of conducting an independent review and the reasons not to conduct an independent review?
Roderick Ismay: I don’t know if a record was made and I can’t remember if a record was made, apart from one email that you’ve shared with me, where there’s mention of Rob Wilson’s views about that situation in another document.
Mr Beer: Is that the only record that you are aware of that records the decision making as to why not to conduct an independent review?
Roderick Ismay: Yes, I think so, yes.
Mr Beer: Who from IT, Legal, P&BA, Security and the Press Office made the decision that’s referred to in paragraph 2?
Roderick Ismay: I don’t know who the specific people were who did that but – whether it was the people I’ve addressed the document to or members of their teams.
Mr Beer: You make no mention there of internal audit being involved in the discussions that led to the decision or the decision itself, do you?
Roderick Ismay: No. No.
Mr Beer: Would you not want your own specialist internal auditors to advise you and to contribute meaningfully to a decision about whether or not to engage external auditors?
Roderick Ismay: Yes, probably, yes.
Mr Beer: Can you explain why it was important to involve the Press Office in decision making but not involve the internal auditors?
Roderick Ismay: No, I can’t. I think the Press Office were receiving questions which would evolve, and so I think sometimes the Press Office sometimes received question A and answered question A, and then question B came back, which would have kind of led to the narrative in here of, if we answer something, another question will come up.
So the Press Office, I think, would have been involved in this because of their experience of perhaps letters that were coming in, correspondence, Freedom of Information Act requests, perhaps.
Mr Beer: That explains your justification for their involvement. Why not internal audit contributing to a decision about whether to get an audit?
Roderick Ismay: Because that was a failing in the scope of that. Yeah, they possibly should have been involved.
Mr Beer: But why weren’t they?
Roderick Ismay: I don’t know. I think in the approach that I’d opted in collating this thing, I’d looked at lots of different angles and there’s always things one doesn’t do because one does so many things and hasn’t got the capacity to cover every angle and doesn’t think of it. And I’m sorry in the circumstances of everything that’s happened here, but I’m sure all of us have done things where we’ve done nine things and then you think “Oh, I wish I’d done that tenth thing”, and I hadn’t.
And none of us would say “Well, I don’t know why I didn’t do that tenth thing. I wish I’d done that tenth thing”.
Mr Beer: Might it because, if you ask the auditors, they would say “Yes, it would be a good idea to get an external audit in”?
Roderick Ismay: No.
Mr Beer: Can you help us through your thought process. “We need to decide whether to get an external audit, shall we ask our internal auditors to offer their view?”
“No.”
“Shall we ask the Press Office?”
“Yes.”
What did your mind do to lead you to that chain of logic?
Roderick Ismay: I don’t know.
Mr Beer: The purpose of such an external review, would you agree from the second sentence of the first paragraph there, you seem to be suggesting that the purpose of any independent investigation would be to seek to persuade others of Horizon’s reliability?
Roderick Ismay: Yes, that’s what I’ve said, to give others the same assurance that the organisation felt it had got.
Mr Beer: So it would be an exercise in convincing others of its reliability, rather than actually seeking to establish whether Horizon was reliable?
Roderick Ismay: I think in the process of assuring others as to why it worked, one probably would go through what things possibly don’t work and why is that assertion wrong or what is being done to fix it, if there was something came out that was proven to be a problem?
Mr Beer: But you’ll agree that the way this is written doesn’t suggest you approach the question of external review from the – from a position of “Let’s actually find out whether it’s reliable”?
Roderick Ismay: No, and that goes back, I think, to the concept of this whole report being commissioned from a point of view of, saying clearly there’s number of allegations being made, but what are the counterarguments for assurance within the organisation? And that kind of mindset has probably rippled through number of things that I’ve written in here.
Mr Beer: You give us the reasons why an independent investigation was ruled out: two, essentially. External auditors would insist on caveats and then, secondly, that would limit what they would be able to say in court?
Roderick Ismay: That’s what I’ve written, yes.
Mr Beer: Why would external auditors insist on caveats?
Roderick Ismay: The nature of audit reports is I think always that there are caveats in audit reports.
Mr Beer: Why is an audit report ever written, then, if it always contains a caveat?
Roderick Ismay: There are people who would question whether the whole approach to audit reports is effective, and that is an industry question that regularly rears its head.
Mr Beer: You’re saying specifically here, these caveats mean that it’s not worth a candle in obtaining an external independent review, aren’t you?
Roderick Ismay: I think what this is saying is that, if something was obtained and it had caveats on it, that’s inevitably going to lead to a question of “Well, what if?” And, therefore, it wasn’t going to feel – that a caveatted report would not prove to conclude anything.
Mr Beer: They wouldn’t be inappropriately assisting on caveats?
Roderick Ismay: It wouldn’t be inappropriate, no.
Mr Beer: They would be inserting appropriate caveats, wouldn’t they?
Roderick Ismay: That would be totally appropriate caveats for an auditor to put into something but an audience reading something which has caveats always thinks, “Well, what is that caveat in there and what does that mean about the value of a report when it’s caveatted?”
Mr Beer: You’re giving us, as a reason for not commissioning an independent review, that the public might misinterpret a caveat? Is that what it amounts to?
Roderick Ismay: I think that’s what it does amount to, but I’d also say that what’s in here has come from me speaking to quite a lot of people across the organisation to collate this, so these aren’t specifically – this is not me saying “This is it”, this is a collective view coming out of all the conversations that I’ve had there.
Mr Beer: Did you speak to your internal auditors to understand what external, independent auditors would in assist on by way of caveats?
Roderick Ismay: I don’t think I spoke to internal auditors in this, except that in the addressee audience the – whatever the scope of the Post Office internal audit team at that point was reported through to the Head of Compliance and, therefore, the audience of this does include a team which includes the Post Office internal audit function.
Mr Beer: What were the caveats, the appropriate caveats, that Ernst & Young or Deloittes would insist on if they were to conduct a system audit?
Roderick Ismay: I don’t – I can’t remember what caveats they would have said they would put on it but –
Mr Beer: What were the possibilities?
Roderick Ismay: What were the possibilities for the caveats one might put on would be auditors will sometimes be commissioned to do pieces of work where the scope of the work will say we will be asking questions but not testing, or there will be a scope of work where people are doing testing, and the scope of work may involve sample testing, it may involve other forms of testing, and there would be different scenarios where a scope of work would have those different parameters going on within it and an auditor would caveat their report to clarify the extent to which they had or had not tested something or had or that not documented processes or had or that not spoken to whatever range of functions within an organisation.
Mr Beer: So all entirely appropriate things?
Roderick Ismay: Oh, yes, yes. Those would be quite appropriate things to put in, yeah.
Mr Beer: So Ernst & Young and Deloitte doing the appropriate thing is a reason not to commission them?
Roderick Ismay: No, I think the view here was that those would be appropriate caveats to be putting in, however somebody else reading such a report would inherently think, “Oh, it’s caveatted”, and whilst we are both professionals and the people in this room are professionals who have got an understanding of caveats that go into some of these legal documentation reports and opinions, not everyone would and some people would soundbite items out of it to say that a narrowing of scope was for inappropriate reasons.
Mr Beer: What were the limits on their ability to stand in court?
Roderick Ismay: I don’t know.
Mr Beer: You wrote it. Please help us.
Roderick Ismay: Yes, I’ve written that based on conversations with many people and would expect that a comment about limitations on ability to stand in court is not something that I have got the experience or qualification to comment on and, certainly, wouldn’t randomly write something. That must have been from a conversation with someone from a legal background who has indicated that, and I don’t know who that was.
Mr Beer: So a lawyer has told you this?
Roderick Ismay: Well, in the addressee audience for the thing, you can see I’ve got some teams there who would include some lawyers, yes. So somebody has said that and I have included that in the narrative that’s in this report, yes.
Mr Beer: That’s not included from your knowledge as an auditor at Ernst & Young?
Roderick Ismay: No, from – no, from my recollection of doing audits at Ernst & Young, I haven’t got something in my mind that says what’s going to limit my ability to stand in court there, no.
Mr Beer: Did you pursue what that could possibly mean, “If we commission Ernst & Young or Deloittes there would be limitations on their ability to stand in court”. What does earth does that mean?
Roderick Ismay: Right well, as I sit here I don’t know. I don’t know whether I asked at the time. But, in the time window that I did have to collate this report, I did put a huge amount of time in within that window to collate this, and there would have been lots of things that I didn’t have time to do and whether I failed to even think of asking the question or didn’t have time, or had an answer and forgot what it is, I don’t know.
Mr Beer: Did it cross your mind that it might be dripping in irony to say “We can’t commission an independent review because the person that writes it has limitations on their ability to stand in court, to speak to the investigation of our IT system. We’re using that IT system to prosecute people and send them to prison”?
Roderick Ismay: No, I don’t think so. I think, possibly from a point of view of our external auditors, who were Ernst & Young there, they would have conflicts of interest rules of what things they could be involved in. They were clearly signing off an audit report on the financial accounts of the company. I don’t know whether to be asked to perform a piece of work like this would have had a conflict of interest in it that would have prevented them doing that.
Mr Beer: That’s a reason that you don’t give, ironically enough, is it?
Roderick Ismay: Well, I know – well, I’m talking from my knowledge here and you’re prompting a number of things that haven’t come into my head, either at all or for many years. So I appreciate I may be saying something that wasn’t in this report and wasn’t in my witness statement but the nature of what you’re doing is prompting my memory or thoughts on some things in a way that I hadn’t had before, and that’s what the purpose of this Inquiry is.
Mr Beer: Even if that was a material consideration, operative on your mind at the time, “We can’t ask EY to do it because they would feel conflicted, given their role as standing auditors to us”.
Roderick Ismay: Well, I –
Mr Beer: The answer to that would be “Well, let’s ask one of the other Big 5, wouldn’t it?”
Roderick Ismay: Well, maybe we did, I don’t know.
Mr Beer: Did you ask any of the other Big 5?
Roderick Ismay: I don’t know.
Mr Beer: No, did you?
Roderick Ismay: No.
Mr Beer: Are you aware of anyone asking?
Roderick Ismay: I think there was consideration of other firms.
Mr Beer: By who?
Roderick Ismay: I think the Finance Director.
Mr Beer: Right. When did the Finance Director give consideration to involving any of the Big 5, as I’ve called them, in conducting an independent audit or review of the Horizon IT System?
Roderick Ismay: I think in the other document that we’ve got in here, when we get on to Deloittes have done a report at some point, there was consideration of who could do that report and, clearly, Deloittes were appointed to do that –
Mr Beer: Yes, but I’m talking about now, by August 2010?
Roderick Ismay: I don’t know.
Mr Beer: Are you aware, by August 2010, of anyone giving consideration to bringing in any of the Big 5?
Roderick Ismay: Right, so in that time frame, I don’t know. No.
Mr Beer: You deploy as another argument for not seeking an independent report that it would “only have merit as at the date of creation”. Yes?
Roderick Ismay: Yes, yes.
Mr Beer: You would agree that that applies to every audit report?
Roderick Ismay: Yes, yes.
Mr Beer: Would you agree, therefore, that the logic of what you’re saying is that there are never grounds for seeking an independent investigation into an issue or a system because the report is only as good as the day it is written?
Roderick Ismay: Yes and no. So the reason I say no is that a lot of audit reports are issued on the financial statements up to a particular point in time, and it’s quite appropriate that one still issues an audit opinion on 31 March accounts, even if you do it in September, because it’s an audit report on 31 March accounts.
This, however, was considering a system. It wasn’t a particular date in time for the system. It was a system, so I think it’s a different context for different types of audit report.
Mr Beer: Isn’t it the case that the three reasons that you give here don’t add up to a row of beans and the real reason you didn’t want to commission an independent audit report is that you were worried about what it might show?
Roderick Ismay: No, no. The reasons – whilst the reasons may not look very good in there, those were the reasons.
Mr Beer: Why don’t they look very good?
Roderick Ismay: Well, you’re clearly challenging me on the quality of these things that don’t add up to a row of beans.
Mr Beer: My opinion is neither here nor there. I’m asking you: were these the true reasons –
Roderick Ismay: Yes, I –
Mr Beer: – why you didn’t go and get an external report?
Roderick Ismay: Yeah, yeah.
Mr Beer: Wasn’t it that you were worried that it might be disclosable in criminal proceedings?
Roderick Ismay: No.
Mr Beer: That was not a consideration at all?
Roderick Ismay: That was – no, no.
Mr Beer: Can we look, please –
In fact, before we come to that, can we look at the bottom of the page. You say:
“The external audit that E&Y perform does include tests of POL’s IT and finance control environment but the audit scope and materiality mean that E&Y would not give a specific opinion on the systems from this.”
Roderick Ismay: Yes.
Mr Beer: So you’re making clear, there that, as at August 2010, Ernst & Young weren’t themselves in a position to offer any opinion on the reliability or integrity of Horizon by reason of the standing audit functions they performed?
Roderick Ismay: Yes, I think I’m saying that they were – from the nature of the work that they’d done, they were able to give an opinion on the financial statements of the company, and that was the scope of what they were doing. They weren’t in a position to comment on anything other than the engagement letter of what they were appointed to do and what their work had been conducted for, for the financial statements.
Mr Beer: So the Post Office knew by this time that Ernst & Young’s audit could not be used as a justification of the integrity of the system; correct?
Roderick Ismay: Yes, their statutory audits for the years couldn’t – yeah.
Mr Beer: Equally, you would presume that Ernst & Young would know the converse of that: that they hadn’t been conducting a statutory audit that would itself examine the integrity of the Horizon System?
Roderick Ismay: Yes, yes.
Mr Beer: Can we look, please, at POL0002082. POL00002082. Thank you very much.
This is a briefing pack raised in preparation for a meeting with Lord James Arbuthnot, as he became, and Oliver Letwin MP that was scheduled for 17 May 2010, yes?
Roderick Ismay: Yes.
Mr Beer: You recall that you were part of the POL team –
Roderick Ismay: I do.
Mr Beer: – for that meeting?
Roderick Ismay: I was sat in reception at Old Street when the meeting happened.
Mr Beer: I’m sorry, I missed that?
Roderick Ismay: Yes, I was in London when the meeting happened. I wasn’t in the meeting but I was in London when it happened.
Mr Beer: Ah, you didn’t attend the meeting?
Roderick Ismay: No.
Mr Beer: Can we just look at page 2, please. You see under “Case Review” you’re listed. Did that mean you got sight of these documents?
Roderick Ismay: I think so. I can’t remember the document itself but I think, yeah, I think I would have had sight of it, yeah.
Mr Beer: Thank you. If we go forward to page 3, please, the section of the document headed “Key Messages”, and then if we continue on, there are lots of key messages, to page 6, please, which is one of the key messages to get across to James Arbuthnot and Oliver Letwin.
You see that it was proposed that Alice, that’s Alice Perkins, should speak to this and one of the key messages to get over was:
“We are considering commissioning an independent audit as an assurance measure, but in light [of the fact that] there is no evidence that there is a problem we need to determine if this is a good use of public money.”
Was money a factor in deciding not to commission an independent audit in 2010?
Roderick Ismay: I don’t remember money being a topic of discussion.
Mr Beer: The points you’ve listed were threefold: caveats; the auditors couldn’t stand in court or their ability to stand in court would be limited; and an audit is only good for the day it is written?
Roderick Ismay: Yes.
Mr Beer: You don’t mention this, money, as being one of them?
Roderick Ismay: No.
Mr Beer: Was it ever discussed with you for the purposes of writing your August 2010 review?
Roderick Ismay: I don’t remember it being discussed, no.
Mr Beer: Thank you. Can we go, please, to POL00106867, please. Can we go to page 3. If we scroll down to the email from Mr Haywood, we can see a date of email of 26 February 2010. I think we can see, amongst the distribution list, second is you?
Roderick Ismay: Yes, yes.
Mr Beer: The subject is “Challenges to Horizon”. We can see who this is from. If we just scroll down. From Andy Hayward, a Senior Fraud Risk Programme Manager within the Security team. Do you remember Mr Hayward?
Roderick Ismay: Yes.
Mr Beer: Was he somebody who reported to you?
Roderick Ismay: No, but I think in my first role for those first three years, I think Andy was part of one of those teams back then, not a direct report to me, though.
Mr Beer: By 2010 he wasn’t because you’d moved on to P&BA; is that right?
Roderick Ismay: That’s right, yes, that’s correct.
Mr Beer: So looking back at the top of the email, then, now we’ve seen who it’s written from, it reads:
“All,
“Following our conference call of today [presumably 26 February], below is a brief summary of the agreed key activities to progress the next steps in relation to the above piece of work:
“1) AH …”
Who would that be, himself?
Roderick Ismay: Yes, I think so. Yeah.
Mr Beer: “… and MT”, is that Mandy Talbot?
Roderick Ismay: I think so.
Mr Beer: “… to provide”, Sue Lowther –
Roderick Ismay: Yes.
Mr Beer: – and Dave King?
Roderick Ismay: Yeah.
Mr Beer: “… with information on past and present cases with reference to the Horizon Challenges (criminal and civil cases).
“(Note: I have asked the fraud team to approximately the past two or three years’ case files although these challenges are of a more recent nature).
“2) Information Security [Sue Lowther and Dave King] to conduct initial investigations and provide Terms of Reference outlining the remit and requirements to carry out a full investigation (including resource, timescales and any associated ancillary costs).
“(NB agreement by all that with [Dave King] and our ‘banking consultant’ (Paul Hallidan), we have far more expertise and knowledge than anyone is likely to produce for this initial piece of work).
“3) Subject to agreement of 2 above, conduct full investigations into integrity issues, with conclusions/report provided. Once investigated and conclusions drawn, gain external verification to give a level ‘external gravitas’ to the response to these challenges (Recommend Ernst & Young as most suitable partner to complete this … [to be advised]).”
Then I don’t think there’s anything else.
Then can we look at the response to this, please, and go back to page 1.
I should say that email chain is forwarded on to Rob Wilson, the Head of Criminal Law, and this is his reply. We can see that he has cut you from the distribution list, along with others. Can you see you’ve disappeared?
Roderick Ismay: I can. I can see Rebekah’s name is there in half, so I don’t know whether there’s distribution list in the email but missing from – sometimes the Window doesn’t show all the addressees. So I don’t know whether my name is or isn’t, but it’s a bit odd that Rebekah’s name is only half there.
Mr Beer: I see. I understand. He says “Dave”, that’s Dave Posnett. What role did Dave Posnett perform?
Roderick Ismay: He’d got a role in the security team. Not sure exactly what role it was, looking back, but I don’t know if he was kind of a manager of the investigators or commercial security.
Mr Beer: In an email signature block, he’s called the Fraud Risk Manager.
Roderick Ismay: Right.
Mr Beer: In any event, Mr Wilson, Head of Criminal Law, says:
“If it is thought there is a difficulty with Horizon then clearly the actions set out in your memo is not only needed but is imperative.”
I think we’d all agree with that:
“The consequence however will be that to commence or continue to proceed with any criminal proceedings will be inappropriate. My understanding is that the integrity of Horizon data is sound and it is as a result of this that persistent challenges that have been made in court have always failed. These challenges are not new and have been with us since the inception of Horizon, as it has always been the only way that Defendants are left to challenge our evidence when they have stolen money or [when] they need to show that our figures are not correct.
“What is being suggested is that an internal investigation is conducted. Such an investigation will be disclosable as undermining evidence on the defence in the cases proceeding through the criminal courts. Inevitably the defence will argue that if we are carrying out an investigation we clearly do not have confidence in Horizon and therefore to continue to prosecute will be an abuse of the criminal process. Alternatively, we could be asked to stay the proceedings pending the outcome of the investigation. If this were to be adopted, the resultant adverse publicity could lead to massive difficulties for POL, as it would be seen by the press and media to vindicate the current challenges. The potential impact is however much wider for POL, in that every office in the country will be seen to be an operating a compromised system with untold damage to the business. Our only real alternative to avoid adverse publicity will be to offer no evidence on each of our criminal cases. This should mitigate some adverse publicity but it is not a total guarantee.
“To continue prosecuting alleged offenders knowing that there is an ongoing investigation to determine the veracity of Horizon could also be detrimental to the reputation of my team. If we were to secure convictions in the knowledge that there was an investigation, where the investigation established a difficulty with the system, we would be open to criticism and appeal to the Court of Appeal. The Court of Appeal will inevitably be highly critical of any prosecutor’s decision to proceed against the Defendant’s in the knowledge that there could be an issue with the evidence.
“What we really need to do is impress upon Fujitsu the importance of fully cooperating in the provision of technical expertise and witness statements to support the criminal and civil litigation now and in the future.
“Given the nature of the discussions that took place on 26 February, I am staggered I was not invited to take part in the conference.”
Can we go to page 9 of this email chain, please, remembering that the original conference call was on 26 February. The Head of Criminal Law’s intervention was on 3 March. If we scroll down, please, we can now see an email chain of 8 March, in which you’re included.
Roderick Ismay: Yes.
Mr Beer: It says:
“As was discussed on the conference call and taking into account Rob’s comments, to confirm that what we are looking at is a ‘general’ due diligence exercise on the integrity of Horizon, to confirm our belief in the robustness of the system and thus rebut any challenges.”
So it seems as if there was a further conference call –
Roderick Ismay: Looks like it, yeah.
Mr Beer: – in the light of what Mr Wilson had said.
Roderick Ismay: Yeah, that’s what it says, yeah.
Mr Beer: The position had changed. You were now looking to conduct a general due diligence exercise, which would “confirm our belief in the robustness of the system”. That’s what you did, wasn’t it?
Roderick Ismay: Yeah, I guess that was listing those things for Dave was – listing out reasons for belief in the robustness of the system, yeah.
Mr Beer: So now there’s going to be no full examination of Horizon integrity issues, is there?
Roderick Ismay: No, looks like it, yeah.
Mr Beer: There’s going to be no third-party involvement, is there?
Roderick Ismay: No.
Mr Beer: Instead, the exercise has as its object the confirmation of the robustness of the system in order to rebut any challenges, doesn’t it?
Roderick Ismay: Yeah.
Mr Beer: These are essentially your terms of reference, aren’t they?
Roderick Ismay: I suppose it does look like that, yeah.
Mr Beer: And they’re loaded, aren’t they?
Roderick Ismay: Um …
Mr Beer: They tell you what your conclusion should be.
Roderick Ismay: I’m not sure what my conclusion should be from that.
Mr Beer: “Write a report that confirms our belief in the robustness of the system in order that we might rebut any challenges to it.”
Roderick Ismay: Well, that was the essence of what Dave’s request was. Dave was hearing a lot of allegations against the system, “I haven’t seen a list of issues on the other side, so please can you gather all those issues too, so I can get a balanced picture of it”.
Dave hasn’t – and I don’t think Dave used the words “rebut any challenges”, so I agree the report that I compiled was about confirming the belief in the robustness of the system.
Mr Beer: This is essentially an early genesis of your task, isn’t it?
Roderick Ismay: Well, I think you can see some phrases in there that have fed through to my report, yeah. So, in my report, I’ve used phrases about “staying”, for example, which are phrases that could only have come from somebody with a legal background because I don’t know about staying prosecutions. So there’s a consistency of narrative that’s coming through there but whether that was a separate conversation in September, December, whenever – when was it, August, that that report was written, I don’t know whether that was a separate conversation or at the time this same thing informing it.
Mr Beer: What I’m suggesting to you is that this is essentially your commission?
Roderick Ismay: Well, that’s not a commission to me to do the review that Dave asked me to do.
Mr Beer: You’d agree that the first paragraph is the polar opposite of an independent and objective analysis, the conclusions of which are driven by the evidence?
Roderick Ismay: Yes, that first paragraph ending with “to rebut any challenges” is not a balanced – yes, I agree, yeah.
Mr Beer: The conclusion that you were to reach in your report is written there in the first paragraph, isn’t it? And you duly deliver on it, didn’t you?
Roderick Ismay: I think that was common language that was used for a long time about the integrity of Horizon, so yes, I’ve issued a report that’s got that phraseology in it but the phraseology about reasons for assurance about the Horizon System and the integrity of the Horizon, I think were phrases that were used quite a lot over number of years.
Mr Beer: Was that a common mindset within senior managers at the Post Office at this time, “When we conduct an investigation, or a review, or a due diligence exercise, we should do so with a preconceived and fixed belief in the outcome, and we should gather evidence to support that preconceived fixed belief”?
Roderick Ismay: I don’t think that was the mindset but inevitably there’s a danger that that is how it manifests itself.
Mr Beer: Can we go back to your report, please.
Sir Wyn Williams: Before we do, Mr Beer, can I just ask a detail?
This email was sent to “David X Smith”.
Roderick Ismay: Yes.
Sir Wyn Williams: Are there two David Smiths? I don’t want to confuse myself over who’s who.
Roderick Ismay: Yes, there are.
Sir Wyn Williams: So which David Smith is this then, please.
Roderick Ismay: This is David Smith, Head of IT.
Sir Wyn Williams: Right, so it’s not the David Smith who commissioned you?
Roderick Ismay: No, this isn’t the Managing Director.
Sir Wyn Williams: All right I just want to be clear that I’m not losing track of which Smith is Smith.
Roderick Ismay: No, it’s a good point.
Mr Beer: Can we go back to your report, that’s POL000256572, thank you, and look at page 19, please, where we were, and go to the foot of the page. We’ve just read the paragraph at the bottom about Ernst & Young, yes?
Roderick Ismay: Yes.
Mr Beer: Yes. Then go over the page to page 20, please. You say – I think this is what you were referencing a moment ago:
“It is also important to be crystal clear about any review if one were commissioned – any investigation would need to be disclosed in court. Although we would be doing the review to comfort others, any perception that POL doubts its own systems would mean that all criminal prosecutions would have to be stayed. It would also beg a question for the Court of Appeal over past prosecutions and imprisonments.”
From whom did you get that information?
Roderick Ismay: That narrative would have come from speaking to somebody in the Criminal Law team, and it’s consistent phraseology with what was in that email that you’ve just showed, so I imagine it probably came from a conversation with Rob.
Mr Beer: Ie Mr Wilson?
Roderick Ismay: Most likely.
Mr Beer: So did he make it crystal clear to you that any independent review would need to be disclosed in court?
Roderick Ismay: Yes, and I think that’s what he was saying in that other thing that you’ve – that other email that you’ve showed a few minutes ago.
Mr Beer: Did you know why all prosecutions would need to be stayed, because an independent review was being carried out?
Roderick Ismay: I didn’t know the legalities of why that would mean that other prosecutions should be stayed, no. I was taking a message from the legal team that that was their description of what would happen. But I guess, as a layman, the concept of, if there was an issue, then I can understand why this is the outcome view of it but this was – this will be a message coming from a lawyer. I’m not qualified and wouldn’t have written something like that without it having come from somebody who was qualified to say that.
Mr Beer: Did you understand why the mere fact of carrying out an independent review, irrespective of the conclusions that it reached, call into question all past prosecutions and imprisonments?
Roderick Ismay: I’m not sure that I did understand the reason why. I understood that was the outcome that was being explained but, again, a layman’s perspective, I’m not sure why commissioning a review would do that but this was a clear legal message that I was receiving and that I’ve included in here.
Mr Beer: Why did you understand that it was permissible to keep your report secret but it wouldn’t be for an independent one?
Roderick Ismay: I’m not sure I did understand that it was permissible to keep my report secret.
Mr Beer: So you thought that your report would be disclosed in ongoing criminal proceedings, did you?
Roderick Ismay: I don’t think that even went through my mind.
Mr Beer: You didn’t think, again, “To whom might this report be disclosed? Therefore I need to write it in a way with the possible audience in mind”?
Roderick Ismay: No, and that may have been a failure in how I’ve gone about collating this thing but I don’t think I thought through that, and I think I worked on a priority basis of having received a request from the managing director to compile a list of these reasons, which I did, and what you’ve suggested would be a perfectly reasonable challenge to have had in mind at the start of it, but I don’t think I did have that in mind. I think I was working on: the managing director has asked for this, and that is what I’m going to do.
Mr Beer: Was it only Mr Wilson’s advice that you acted on, that an independent review would lead to prosecutions being stayed and a question mark being raised over past prosecutions and imprisonments or was any other lawyer involved?
Roderick Ismay: I don’t know whether any other lawyer was involved in there, but I think that would have – it wouldn’t have come from me because, as I say, that’s the kind of legal narrative that I wouldn’t have the knowledge to have been able to have written. Exactly who in Legal it did come from there, I don’t know, but the addressee that I’ve got on there as the prime contact was Rob, so it would either have been him or one of his team that I would have had that conversation with.
Mr Beer: Did you think if a review, an interpreter review, comes back saying the Horizon System is sound, that the data it produces enjoys full integrity, that that would lead to prosecutions being stayed and question marks being raised over past prosecutions?
Roderick Ismay: I don’t know. But as I sit here and think if you’re asking if we had a report that said the system works, would that lead to staying things? Well, I wouldn’t think that if a report came back and said things were fine, I’m not sure why that would cause things to be stayed.
Mr Beer: Or was instead the decision not to obtain an independent review motivated by a belief that it might be unfavourable?
Roderick Ismay: No, I think – I’ve got the three reasons that I thought at the time that I’ve put into this document, and that was the reasons.
Mr Beer: You and the people that you have had listed thought that it was better not to enquire, better not to find out and, instead, potentially to secure more convictions and more imprisonments?
Roderick Ismay: No, although the thought process in hindsight looks like it was the wrong process to have gone through, I think me and the recipients of this report and the contributors of the report all, rightly or wrongly, thought Horizon was reliable.
Mr Beer: Do you agree that this paragraph is a warning to the Post Office that if it was to take certain action, ie to commission a review, then the Post Office may be heading in a direction which may lead to the discovery that innocent people may have been wrongly convicted?
Roderick Ismay: Well, yes, this statement clearly is a warning and, indeed, the outcome of why we’re here today has kind of referenced this in Justice Fraser’s judgment, I believe.
Mr Beer: If the Post Office had nothing to fear, surely there’s nothing to lose in securing the seal of approval on that view from an independent body, is there?
Roderick Ismay: Well, I would agree with you that it would feel like there would be no reason not to secure an independent seal of approval. However, I’ve received advice from a legal team here that says it would mean that these are – this is what could arise.
Mr Beer: Was your own view, having such a high level of confidence in Horizon, dependent, at least in part, on the assessment by Fujitsu of its own product?
Roderick Ismay: Yes, in part. Yes.
Mr Beer: Did you realise the fallibility of asking the very organisation that may have been responsible for the provision of a faulty product whether it assessed that its own product was faulty?
Roderick Ismay: No.
Mr Beer: Allowing Fujitsu to mark its own homework?
Roderick Ismay: No. I see what you mean but, no, that didn’t and I don’t think that crossed a number of people’s minds.
Mr Beer: If we look at appendix 3, please, page 31. Was this the extent of the Fujitsu assessment of its own product that was communicated to you for the purposes of your review?
Roderick Ismay: Yes, I think so.
Mr Beer: Did you think at the time “This document has got limitations to it”?
Roderick Ismay: I don’t think I did, and that may have been a failing that – in how I went about it but, no, I don’t think I did think about limitations on it, no.
Mr Beer: To start with, it was written “without prejudice”, can you see that at the top?
Roderick Ismay: Yes.
Mr Beer: Did you stop to think why it was being written without prejudice?
Roderick Ismay: No, I don’t think so.
Mr Beer: Secondly, nowhere in Mr Jenkins’ document does it say, “This is the position of the company”, does it?
Roderick Ismay: I don’t know but I agree with you if it doesn’t.
Mr Beer: No. The document isn’t the company speaking, “This is our formal position of Fujitsu Services Limited, having taken a broad spectrum of reviews and considered the position carefully”; this is simply a document that Mr Jenkins has written?
Roderick Ismay: Well, it may have been but I would have expected that a letter going from one organisation to another like this would not have been a sole voice, and speaking in isolation. I would expect that this would have been a view that he was satisfied was a representative view of his organisation.
Mr Beer: Did you think this document had been provided for the purposes of your review, knowing the use to which it would be put?
Roderick Ismay: I don’t know how the – this document – so this document is dated 2009, which is a year before the report that I collated.
Mr Beer: Which is why I’m asking you these questions.
Roderick Ismay: Right. So I don’t know what the genesis was of how this thing was – well, I don’t know how it was that this was – that Gareth decided or was commissioned to write this. I don’t know.
Mr Beer: Did you think, “I’m relying on a document, the purpose of which I do not know, which is headed ‘Without prejudice’”, which it says in paragraph 1, again it’s submitted without prejudice, “and therefore it may be a shaky basis on which to reach conclusions”?
Roderick Ismay: Well, rightly or wrongly, you’ve shared this with me in the briefing pack, and I have looked at this document a few times as part of my papers. Rightly or wrongly, I’ve never even noticed that wording at the top. It obviously is at the top of the page, but where it says, “Commercial in confidence”, my eyes looking at this document have always gone straight into “Oh, it’s Gareth Jenkins, let’s read “Purpose” and go down”. I know that might sound stupid but I have not even – until you’ve said to me it says, “Without prejudice” on it, I haven’t noticed it says “without prejudice” on it.
Mr Beer: Did you notice that, from the second paragraph under “1 Purpose”, the purpose of the document is described as being, “a technical description of the measures that are built into Horizon to ensure data integrity, including a description of several failure scenarios and descriptions as to how these measures apply in each case”, rather than an assessment of the integrity of data that Horizon produces?
It’s a technical description of measures designed to ensure data integrity. It doesn’t speak to whether or not such data integrity had in fact been achieved, does it?
Roderick Ismay: No. So I can see that doesn’t say, “This is an audit of the system”, for example. I can see it doesn’t say that. Whether I saw that at the time when I looked at it, I don’t know, but I probably would have seen that this just says it’s a technical description. But, in seeking assurance from different parties, and me asking IT, who must have provided this to me when I asked IT, all I could do was ask different parts of the organisation to explain to me the reasons why they’ve got assurance on it, and in many areas that – and typically that would mean that a team would come up with a description of the processes and controls in their environment or a technical description of their area.
I don’t think anybody would have got something that would come forward with – unless there’d recently been an internal audit review of that particular process, I don’t think anybody would have got something which would have met the standard that you’re describing of presenting something that says, “And this has just been tested”, for example. I think most things that get shown to somebody are a description of it and then there’s a judgement about “Right, are we going to test this or not?”
Mr Beer: When you read this document, did you think this doesn’t address any of the bugs, errors and defects that we know about?
Roderick Ismay: Well, I’d narrated earlier in this report the four or five things that I was aware of, like barcode sticking. I can see this doesn’t reference to those but I don’t think I thought, you know –
Mr Beer: You were aware by this time about the Callendar Square bug, weren’t you?
Roderick Ismay: I don’t know. I don’t know if I was of that. I was aware of whatever the five things were that I’ve listed out earlier in that report.
Mr Beer: You’re referring to page 15, I think.
Roderick Ismay: Will somebody bring that document up?
Mr Beer: Yeah, if we go to page 15, please:
“Known IT issues and their non-applicability to the allegations made”?
Roderick Ismay: Yes, I –
Mr Beer: (a), then (B) barcode sticking, bottom of the page, non-polling, over the page, file delivery failures, and number 5, Horizon/POL-FS differences?
Roderick Ismay: Yes.
Mr Beer: By this time, there were ten bugs that were known about. I want to understand whether you knew about them: a bug called the receipts and payments mismatch bug?
Roderick Ismay: That’s a bug that I was aware of but I think that is later than this document.
Mr Beer: I’m sorry, I think it’s?
Roderick Ismay: I think that’s at a later date.
Mr Beer: No, I think by August 2010 it was known about. Was it known about by you by August 2010?
Roderick Ismay: I think it was later than that.
Mr Beer: What about the remming in bug?
Roderick Ismay: I don’t know. What was that?
Mr Beer: I’m asking you whether you remember?
Roderick Ismay: No, I don’t, no.
Mr Beer: The reversals bug?
Roderick Ismay: No.
Mr Beer: The data tree build failure bug?
Roderick Ismay: No.
Mr Beer: You hadn’t heard of any of those?
Roderick Ismay: No. Well, I don’t know if I – I can’t remember them.
Mr Beer: You say, just before the break, if we can examine this in your witness statement, please, at paragraph 40, which is on page 11 – sorry, bottom of page 11:
“The report suggested that Post Office was justified to assume the losses at audit were due to theft. This statement was based on the understanding that POL management still did not have serious concerns about the integrity of Horizon and so their view regarding the past cases would not have changed. It was also made in the light of the range of controls and mitigations noted throughout the document. At that time, the belief was that the overwhelming evidence pointed to human error with respect to shortfalls, that there was no independent expert evidence suggesting a serious problem with Horizon and that POL had invested considerably in mitigations including training and support.”
What was the overwhelming evidence that problems were the result of human error?
Roderick Ismay: The overwhelming evidence was the outcome of the branch audits and the confidence in the system itself. Clearly, this Inquiry and the allegations made challenge that presumption, and the allegations here clearly have challenged the basis to the branch audits but I think the outcome of those audits, including where people were understood to have made confessions at the start of an audit, even before cash was counted – and I know that’s not in every case – but those sort of things were the matters that were deemed to be overwhelming evidence, even though now one may say “Well, perhaps they weren’t right”.
Mr Beer: You give as a reason for Post Office being justified to assume that losses were due to theft, that there wasn’t any independent expert evidence suggesting a serious problem with Horizon. You had been party to a decision not to seek such independent evidence, hadn’t you?
Roderick Ismay: Well, yes, for the reasons that were quoted in that earlier response.
Mr Beer: Can we go finally on this topic, then, to your conclusions as expressed in the report. That’s back to POL00026572, foot of the page, under “Executive Summary”. You say in the second line of the “Executive Summary”:
“We remain satisfied that this money was missing due to theft in branch. We do not believe the account balances against which the audits concerned were corrupt.”
Then in the paragraph underneath that, in the third sentence:
“Horizon Online builds on this and brings benefits to running costs and change management. It [that must mean the introduction of Horizon Online] is not being done because of any doubt about the integrity of Horizon.”
So not only were you satisfied, is this right, that any discrepancies shown at audit were not down to Horizon, you were satisfied that the money had been stolen, rather than being missing through error or mistake; is that right?
Roderick Ismay: Yes.
Mr Beer: On what basis did you remain satisfied that all money that was missing had been stolen?
Roderick Ismay: On the basis that a provable reason as to why it hadn’t wasn’t identified. So my understanding would be that, during looking at a particular incident at a branch, there would be an opportunity to go back through the transaction logs and query “Well, if there’s a transaction in here that’s not appropriate, which one was it?” And certainly, in one case, I’m not sure which the office was, but I asked to see the transaction logs for a particular office and there were, what I understand were provable cash deliveries of £10,000 and £15,000, £20,000 to a branch. The transactions in the branch were low volume and low value and, therefore, the cash deliveries to the branch were totally disproportionate to what the level of transactional activity was in the branch and when the auditors went to the branch the amount of money that the Horizon System said should be there wasn’t there.
My understanding was that the records of cash deliveries to the branch were reliable and, therefore, if the system was wrong, there’d need to be a significant outpayment to question in there or a significant inpayment, and there wasn’t one in the logs there, the double entry accounting balanced for it, and that was an example where I asked – the one that I asked to show me that – there was probably an ARQ log for it, and that was kind of the sort of thing that was giving me assurance, having looked at a set of records for a branch.
Mr Beer: You say in the second paragraph:
“Horizon is robust …”
Then reading on:
“[Horizon Online] is not being done because of any doubt about the integrity of Horizon.”
Roderick Ismay: Yeah.
Mr Beer: Do those paragraphs reflect a belief of certainty, or close to it in your mind, that you had no doubt whatsoever about the integrity of Horizon?
Roderick Ismay: Yes. The first one does and the second one, I felt, was a totally separate thing, that the world was moving to Cloud-based, hosted functions. Post Office had been dependent on overnight drops of software to branches and there was a risk that you’d have data connectivity failures or other things that would – and I think it was more time consuming and problematic to drop software out to a branch, so the idea of setting up on an online data store which branches connected to was the way that many of us were working on Cloud technology now, and that was the –
I don’t know whether Cloud was quite the right word to use but the movement from whatever the old system of Horizon was to the new system was just in line with what many, many organisations all across the world are doing to go to an online process. So I didn’t perceive or understand the deployment of Horizon Online to be anything other than that’s the way that all companies are going with the way that their software is hosted.
Mr Beer: Just standing back for a moment from the detail, please, Mr Ismay. You now know that the Horizon System was significantly compromised by a series of bugs, errors and defects that had been the effect of causing accounting discrepancies that were wrongly attributed to the criminal actions of subpostmasters that led, in some cases, to their conviction and imprisonment.
With the benefit of reflection, do you agree that the decision not to commission a fully independent investigation and audit of the Horizon System in 2010 and, instead, for you to prepare a report that had as its object to demonstrate the robustness and reliability of Horizon, was a crass mistake?
Roderick Ismay: I think, given where we are, we should have been – that probably should have been considered, yeah.
Mr Beer: Considered or done, because it was considered –
Roderick Ismay: Yeah.
Mr Beer: – and it was rejected, for some reasons that we see spread across the documents we’ve looked at.
Roderick Ismay: Yeah.
Mr Beer: I’m suggesting to you, in the light of what we know now, with the benefit of looking back –
Roderick Ismay: In the light of what we know now, yes. Yes.
Mr Beer: It was an opportunity missed to discover a decade earlier than we did the flaws of this system and the consequences for your subpostmasters, wasn’t it?
Roderick Ismay: Yes, it was. Yes.
Mr Beer: Sir, can we take a break, please?
Sir Wyn Williams: Yes.
Mr Beer: Can we say 3.30, please. Thank you.
(3.12 pm)
(A short break)
(3.30 pm)
Mr Beer: Just before we proceed with my questions of Mr Ismay, can we just look on the screen, please, at POL00002082. I showed Mr Ismay this document and you’ll see it’s dated on this one, 17 May 2010.
Sir Wyn Williams: Yes.
Mr Beer: Ms Leek has pointed out to me that I made the same mistake that I made last time I displayed this document, which she also corrected and I then corrected myself, that this document should be dated or should identify that the meeting was scheduled for 17 May 2012, not 2010.
Sir Wyn Williams: Right.
Mr Beer: There are other iterations of the document that show it was 2012 not 2010.
Sir Wyn Williams: Well, it’ll be on – now that you’ve said what you’ve said, it’ll be on the official transcript. So I don’t have to try to find my precise note to correct it.
Mr Beer: Thank you, sir. Thank you, once again to Ms Leek. I’ll try to make a while before I make it a hat-trick.
Can we look, please, Mr Ismay, at POL00091384. Can you see this is an email chain in which you’re not involved but as, we’ll notice in a moment, you’re mentioned in it. If we start with the foot of the page, please. You’ll see that it’s an email dated 3 December from Lynn Hobbs. Can you recall who Lynn Hobbs was?
Roderick Ismay: She was the general manager in the Post Office Network.
Mr Beer: To John Breeden, we can see who he was from his signature block at the top of the page there. She’s forwarding something, the “Follow up to BIS meeting on JFSA”, and she says:
“John
“This is the last exchange I had with Mike Granville about the BIS meeting. The attached documents were not Mike was proposing sending to BIS and I commented as below. I haven’t seen anything further but I did have a conversation with Mike about the whole ‘remote access to Horizon’ issue. This was being looked into by Andy McLean and Mark Burley. The view being expressed was that whilst this may be possible it’s not something we have asked Fujitsu to provide. I don’t know what the final outcome was.
“I am also forwarding two further emails.
“One from Rod I see which is the final report he produced as a request from Dave Smith, MD, to review the whole issue of Horizon integrity.”
In fact you weren’t issued to review the whole issue of Horizon hectare, were you?
Roderick Ismay: No, but I think the description of the report that I did is described differently in many places and, as you say, that is not, as in people today refer to it being something much wider.
Mr Beer: Then, if we go over the page, please. We can see that she cuts into her email an email to Mike and to you. The way she’s cut it in doesn’t show its date. She says:
“I’m happy with the report and have just one observation.
“I found out this week that Fujitsu can actually put an entry into a branch account remotely. It came up when we were exploring solutions around a problem generated by the system following migration to HNG-X. This issue was quickly identified and a fix put in place but it impacted around 60 branches and meant a loss/gain incurred in a particular week in effect disappeared from the system. One solution, quickly discounted because of the implications around integrity, was for Fujitsu to … enter a value into a branch account to reintroduce the missing loss/gain. So POL can’t do this Fujitsu can.”
The line “I found out this week that Fujitsu can actually put an entry into a branch account remotely”, can you recall when you were told that by her?
Roderick Ismay: I can’t, but it’s clearly a really important statement but, no, I can’t.
Mr Beer: Why is it clearly a really important statement?
Roderick Ismay: Because it’s saying that something can be put into the branch system which is something that I’d said from my understanding and asking people couldn’t happen.
Mr Beer: Can you recall whether she told you this really important statement before or after you had finalised your report? You see she says, “I’m happy with the report”?
Roderick Ismay: So I can’t – there’s lots and lots of correspondence and there’s various things I can’t remember and I can’t remember this one, certainly whether it was before or after that report, but I can’t remember the email.
Mr Beer: If it was before the report, you would have wanted to take it into account, wouldn’t you?
Roderick Ismay: Yes, I would have, yeah.
Mr Beer: If it was after the report, you would want to change what you’d written, wouldn’t you?
Roderick Ismay: Yes, yes.
Mr Beer: Can we go to your report, please. POL00026572, at the foot of the page, you say:
“The integrity of Horizon is founded on its tamper proof locks, its realtime backups and the absence of ‘backdoors’, so all data entry or acceptance is at branch level and is tagged against the log on ID of the user. This means that ownership of the accounting is truly at branch level.”
The email that Lynn sent you undermines the last of those statements, doesn’t it?
Roderick Ismay: Yes. It does.
Mr Beer: Why is that statement in there or why wasn’t it changed?
Roderick Ismay: On my understanding, when I compiled this report, from the messages I was getting from IT, is that what I’d written here was the business understanding when I did this report. I can’t remember getting that email that you’ve shared, that came from Lynn, but if I had got it I would like to think that I would have then said that there was a whole different situation now that overruled what was in my report that had been issued in 2010.
Mr Beer: Can you help us, then. If the email from Lynn Hobbs had been received before you wrote this entry within the report, why would you not have brought into account what she said or at least investigated it further?
Roderick Ismay: Because I would presume it was after it but I can’t remember getting it anyway.
Mr Beer: If it was after you had written your report you ought to have amended it, shouldn’t you – revisited the August review, shouldn’t you?
Roderick Ismay: Yes, yeah.
Mr Beer: Because it was in part founded on a false assertion, wasn’t it?
Roderick Ismay: Yes, yeah.
Mr Beer: In the light of what Lynn Hobbs said, you would have thought “I need to undertake a chapter and verse understanding here or obtain a chapter and verse understanding here of what Fujitsu is doing with this power that I didn’t know that it had”, wouldn’t you?
Roderick Ismay: Yes, I agree, yes.
Mr Beer: If you received the email after you wrote your report, would you have thought, “We’ve got a duty to tell subpostmasters who have been prosecuted on the basis of supposedly tamper-proof branch accounts, where ownership of the accounting is truly at branch level, in fact, Fujitsu had a power to insert transactions into branch accounts. We need to tell them this”?
Roderick Ismay: Yes, if I did indeed receive that email I would like to think that I would have spoken to probably Rob Wilson and said “Here’s a change in circumstances here”, and then I’d have expected the Criminal Law team to do whatever was necessary as a consequence of that, which most likely would be the path that you’ve just described.
Mr Beer: Can you recall whether Angela van den Bogerd spoke to you in December 2010 after she received the email from Lynn Hobbs, and was your report saying one thing and Lynn Hobbs’s email saying another?
Roderick Ismay: No, I can’t remember, no.
Mr Beer: If we go over the page of this document, in the third paragraph, you say:
“When POL takes a subpostmaster to court we have strong processes for the compilation of evidence, compassionate factors are borne in mind and we have a high success rate. This does depend on ensuring that the courts focus on the facts of transaction logs and not on speculation about the ‘what ifs’.”
What were the strong processes for the compilation of evidence for court proceedings, please?
Roderick Ismay: I believe that the strong processes were the way in which the audit files were compiled, the way in which the investigations team collated things to provide to the Criminal Law team to take into court. I don’t know what all the specifics of that were but I believe there were strong processes within there for compiling those case files and evidence that would have been taken into court.
Mr Beer: Were those processes that you say were strong written down, ie “We’re thinking of mounting a prosecution, this is the process that must be gone through in order to obtain relevant evidence to analyse it, to ensure that it has integrity and to make a fair charging decision”?
Roderick Ismay: I can’t remember what there was there but I would expect that there would have been a sort of a control sheet that would be a template for, if I’m compiling a case, there’d need to be A, B, C and D that are included within that. So I would have expected that there would have been a sort of standard structure for compiling a binder, or whatever the bundle of information is, however that is presented into court. I’d expect there’d be a template for how that is compiled.
Mr Beer: Would you agree that strong processes for taking a subpostmaster to court ought to include rigorous and objective investigations that are aimed at uncovering the truth?
Roderick Ismay: Yes. I would.
Mr Beer: That they ought to include independent decision making over deciding whether to proceed with a case or not?
Roderick Ismay: Yeah.
Mr Beer: They ought to include systems that ensure that all relevant material, whether it assists a subpostmaster or seeks to prove the allegation against the subpostmaster, is obtained, secured, and then disclosed to a subpostmaster?
Roderick Ismay: Yes, I believe so. Yes.
Mr Beer: What did you do to discover whether those three pillars of a fair investigation and prosecution process, in fact, existed?
Roderick Ismay: I didn’t. I didn’t conduct an audit or test the assertions that were put in here.
Mr Beer: Does it amount to somebody told you “We have strong processes for the compilation of evidence”, and therefore you wrote “We have strong processes for the compilation of evidence”?
Roderick Ismay: Yes, I do. And in hindsight, I should possibly have put – rather than having an adjective in front of it, I should possibly have said “There are well-documented processes”, or something about processes but not strong, because that implies – that does imply that me, as the writer of this, I’m describing something strong, that was the message that was coming to me from the teams I was talking to, but I don’t have a sample of tests to validate that they were indeed strong.
Mr Beer: On the face of it, it looks like you’re applying your value judgement to the processes, doesn’t it?
Roderick Ismay: The collective group of people whose comments I gathered were, yes, and I was part of that group.
Mr Beer: Do you know whether Gareth Jenkins or any other witness called by the Post Office within civil cases or criminal prosecutions was given any guidance or training by POL as to what was expected from them in terms of providing data and documentation to support prosecutions?
Roderick Ismay: No, I don’t. I would expect that the legal team would have got processes and guidance. Whether it would be appropriate for the Post Office Legal team to have talked to a witness from a third-party organisation, I don’t know whether that – I genuinely don’t know whether that’s appropriate practice or not, so I don’t know.
Mr Beer: What were the “compassionate factors” that were borne in mind?
Roderick Ismay: In hindsight, I wouldn’t have used that word. The “compassionate factors”, I’m not sure what they all were but conversations I think with the Network colleagues, who I talked to in producing this, were that we were compassionate but I can’t give you elements that would substantiate and, frankly, I wish I hadn’t used the word in there.
Mr Beer: Why did you use it?
Roderick Ismay: Because, at the time, that was the sense that I was getting from the people I was talking to collating this report.
Mr Beer: What did they tell you about the compassion that existed in this prosecutor?
Roderick Ismay: I don’t know because I’ve not documented, and it’s so long ago.
Mr Beer: What do you think it could be?
Roderick Ismay: I would have thought it would have been about the way in which the audit relationship was during the audit. I would have thought it was about the relationship with the area manager or contract manager for that area. Clearly, you’ve articulated earlier that subpostmasters have said that wasn’t the case of their experience of it. And that’s just not – that’s bad that that was the experience. But my understanding from speaking to colleagues who were doing those jobs was that they felt things were being done in a compassionate manner. And, clearly, there’s a lot of comment that that’s not the case, and that’s bad that that’s the case.
Mr Beer: Were there any industry standards that you were aware of against which the efficacy and integrity of the Horizon System could be measured?
Roderick Ismay: Probably were. I’m not – industry – so PCI standards. I’m aware that there’s the card industry, Mastercard, Visa, Europay, there are PCI standards around the confidentiality and integrity of data in order to ensure the holders of credit cards and debit cards about the protection of their information. So the Horizon System, as a system that’s connected to a card processing terminal and connected to the Link network, the Post Office were subject to PCI DSS reviews, and so those are industry standards to which there was, I believe, independent assessment of that for accreditation purposes.
Mr Beer: Before you prepared this report, was there any discussion amongst you or research undertaken within POL to consider whether the level of bugs, errors and defects that had been experienced was within expected norms or outside expected norms compared to other integrated network systems?
Roderick Ismay: I don’t think so. I don’t know. I don’t think so.
Mr Beer: Can we turn to a different topic – thank you that can come down – something that was going on at the same time, which was the prosecution of Seema Misra. Can we look, please, at POL00055100. This is an email exchange between Andrew Winn, who was I think of your department of P&DA –
Roderick Ismay: That’s correct.
Mr Beer: – and Jon Longman, we’ll see that just slightly further down the page, of 27 July about the Seema Misra case.
Can we start, please, on page 2 of the document. Just scroll down, please. You’ll see this is an email from Issy Hogg, she’s a defence solicitor, to Jarnail Singh, who was a senior officer within POL’s Criminal Law division, yes?
Roderick Ismay: Yes.
Mr Beer: Ms Hogg says:
“Jarnail,
“As a result of the meeting that took place between Charles McLachlan [that’s a defence expert] and Gareth Jenkins as directed by the judge, we now need to have:
“access to the system in the Midlands where it appears there are live, reproducible errors.
“access to the operations at Chesterfield to understand how reconciliation and transaction corrections are dealt with.
“access to the system change requests, Known Error Logs, and new release documentation to understand what problems have had to be fixed.
“Please … contact me …”
If we look up the page, we see, I think, a forwarding:
“Can you please advise on the three points raised below …”
Then go over the page back to page 1. Jarnail Singh, I think that email at the foot of the page is just an irrelevant forwarding. Then in the middle of the page, a reply to Andrew Winn:
“Jon
“Rod Ismay, the head of P&BA is not happy at the prospect of an open-ended invite. He has asked me the question of what are the legal parameters we are working within. Simplistically if we refuse or impose conditions do we lose the case? I think we need more guidance on how something like this might reasonably operate.”
We’ve heard in the Inquiry from Mr Winn already. He told the Chair that he understood your reply – his boss and as head of P&BA – was to seek to disclose down the disclosure request as much as possible. Was that your intention?
Roderick Ismay: No, and I’ll explain why. So there were two things in here. I would expect the Post Office Criminal Law team to be overseeing the compilation of the – whatever was needed to be submitted and not for there to be a side conversation between me, as part of the organisation with the defence lawyer. I felt that a request should be coming to me from the Criminal Law team.
So first, I’d got a concern about whilst this email chain clearly has Jarnail in the email chain, Jarnail wasn’t asking me and telling me what was required to be submitted. I was being presented by somebody else with a request from a defence solicitor, where I didn’t know whether the Post Office Criminal Law team agreed that this was something that needed doing and, therefore, I wasn’t going to independently start a discussion about something where I’m sure everybody would agree you need a single point of contact who is leading for an organisation in a court case, not for different individuals to separately, randomly start having a conversation with the defence.
Mr Beer: Just stopping there on that answer, if we scroll to the bottom of the page, we can see that, presumably, she’s an administrative assistant or similar, she forwards on behalf of Jarnail Singh the email exchange we saw from Issy Hogg, and he, Jarnail Singh, says:
“I enclose a copy of an email received from Issy Hogg. Contents of which is self-explanatory. Can you please be kind enough to let me have your urgent instructions as to the access and information she is requesting …”
Just pause there.
Sir, I’m told that we have a technical issue in that we’re not able to broadcast at the moment and the request was for a five-minute break which would have taken us to 4.00, which was the time, I think, we were going to rise today, in any event.
Sir Wyn Williams: Yes. Well, I am prepared to carry on when we haven’t got a live transcript but a live broadcast is a bit different, since we’re relying on it for the public at large to have access to these proceedings if they want access to these proceedings.
So what’s the time now?
Mr Beer: Five to four, or 3.55, as I would call it.
Sir Wyn Williams: Well, you may or may not be glad to hear, everyone, that I’m proposing to adjourn until tomorrow and not to have a five-minute break to see if this can be fixed but I’m doing that on the basis, Mr Beer, that there will be ample time tomorrow to finish the witness within reasonable time.
Mr Beer: Which there will.
Sir Wyn Williams: Fine. Right. So we will adjourn now until tomorrow.
I’d ask you not to talk about your evidence overnight and, hopefully, we will be open to public view at 10.00 tomorrow morning.
Mr Beer: Thank you very much, sir.
(3.55 pm)
(The hearing adjourned until 10.00 am the following day)