POL00053937 - Witness Statement of Gareth Idris Jenkins (signed) - comments on 2nd Interim Technical expert’s report (Seema Misra case study)
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss
5A(3)(a)
and 5B, MC Rules 1981, r 70)
Statement of GARETH IDRIS JENKINS
Age if under 18 Over 18 (If over 18 insert ‘over 18')
This statement (consisting of 14 pages each signed by me) is true to the best of my knowledge
and belief and I make it knowing that, if it is tendered in evidence, I shall be liable to
prosecution if I have wilfully stated in it anything which I know to be false or do not believe true.
Datedthe 2 day of February 2010
Signature I G RO i
I have been employed by Fujitsu Services, working on the Post Office Account, formally ICL
Pathway Ltd, since 1996 as a Customer Solutions architect, involved in many aspects of design
and implementation of the computer system known as Horizon. This is a computerised
accounting system used by Post Office Ltd.
I have been asked to make comments on the 2” Interim Technical expert’s report to the
Court prepared by Charles Alastair McLachlan, a Director of Amsphere Consulting Ltd.
I have listed below the statement contained within the above mentioned report in italics and
recorded my comment beneath in bold. For ease I have retained the original number
reference.
2.1.3.3
There are consistently discrepancies arising from the use of debit cards or post office cash
account cards.
Not sure I understand what is meant by a “discrepancy” in this context. My
understanding is a discrepancy is where the system derived value.for.an item differs
C8011 (Side A)
Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
from that physically in the Stock unit and so this only applies to Cash or Stock. The
Value of Debit (and Credit) Cards and POCA Cards is handled as a “Payment” and
should balance with the corresponding “Receipt” recorded for the goods or Service that
they are used for.
2.1.3.5
If an “Account Payable” or counter credit is entered the Horizon system assumes that there isa
corresponding receipt (either physical cash, debit card transaction, Post Office Cash Account
card transaction or cleared cheque).
True, and this is checked during the Settlement process. Note also that unlike a normal
retail environment there may be “outpay” items (eg a cashed giro) that need to be taken
into account. However the basic principle of the sum total of all transactions within a
Customer session adding up to zero is maintained.
2.1.3.6
The post mistress used to receive discrepancy reports generated by the Post Office identifying
when there was a mismatch between the counter credit recorded at the counter and the cleared
cheque or debit card amounts reported to them by their correspondent banks or card merchant
provider. She no longer receives these and concludes that the Post Office function that
provided this service is non-operational or insufficiently staffed to properly reconcile all of the
discrepancies. These discrepancies, if left unresolved, could create a liability for the sub
posimistress.
This question is for Post Office Ltd to answer. I am aware of a function known as
Transaction Corrections which is available for Post Office Ltd central functions to
resolve any issues that are found.
2.1.3.7
If stock is sold, the Horizon system assumes that there is a corresponding receipt (either
physical cash, debit card transaction, Post Office Cash Account card transaction).
Signature’ G RO Signature witnessed by
CSO1IA
Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, 89; MC Act 1980, ss 5A(3)(a) and 58, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
If at the end of the monthly period there is a discrepancy between the cash on hand and the
credit balance expected by the Horizon system then the only way to close the period and start a
new period is to “make good” the cash discrepancy and declare that the cash on hand has been
brought up to the expected credit balance. There is no mechanism to record the discrepancy in
a suspense account for subsequent investigation and resolution. The system imposes a
declaration as part of the operating procedure that the cash is on hand. If the actual reason for
the discrepancy is due to a problem with a non-cash credit (e.g. incorrectly processed card
payment, incorrectly recorded cheque payment) then there is no opportunity for the sub post
mistress to note her concerns on the system.
This was the requirement made by Post Office Ltd of the system. There Ne
Ltd need to address this comment. troahonie
2.1.3.9 +
Aires
The sub post mistress demonstrated the following transactions in which the .
ts
could result in a discrepancy in the cash account (physical + debit card/POC
SOpAM
sub post office: cept.
Cash and Plastic (ie Credit / Debit Cards) and Banking (eg POCA) are handled separately
in the accounts.
2.1.3.10
Account Payable using a Debit Card / POCA card: the customer is seeking to make a bill
payment of council tax using a debit card. The card is apparently authorised at the PIN
terminal for the required amount. The card receipt is apparently credited to the sub post office
account. The council tax payment is debited from the sub post office account. However, during
the end to end electronic fund transfer process the fund transfer fails. The central Post Office
account never receives the expected electronic funds. It is supposed that the end of day
process identifies that there is no credit corresponding to the bill payment and therefore there
must be a cash discrepancy.
This observation needs to be explained more carefully. What exactly was observed to
happen here? The back end settlement between the Merchant Acquirer. (MA) and Post
‘GRO
Signature witnessed by
Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
If at the end of the monthly period there is a discrepancy between the cash on hand and the
credit balance expected by the Horizon system then the only way to close the period and start a
new period is to ‘make good” the cash discrepancy and declare that the cash on hand has been
brought up to the expected credit balance. There is no mechanism to record the discrepancy in
a suspense account for subsequent investigation and resolution. The system imposes a
declaration as part of the operating procedure that the cash is on hand. If the actual reason for
the discrepancy is due to a problem with a non-cash credit (e.g. incorrectly processed card
payment, incorrectly recorded cheque payment) then there is no opportunity for the sub post
mistress to note her concerns on the system.
This was the requirement made by Post Office Ltd of the system. Therefore Post Office
Ltd need to address this comment.
2.1.3.9
The sub post mistress demonstrated the following transactions in which the use of a debit card
could result in a discrepancy in the cash account (physical + debit card/POCA amounts) at the
sub post office:
Cash and Plastic (ie Credit / Debit Cards) and Banking (eg POCA) are handled separately
in the accounts.
2.1.3.10
Account Payable using a Debit Card / POCA card: the customer is seeking to make a bill
payment of council tax using a debit card. The card is apparently authorised at the PIN
terminal for the required amount. The card receipt is apparently credited to the sub post office
account. The council tax payment is debited from the sub post office account. However, during
the end to end electronic fund transfer process the fund transfer fails. The central Post Office
account never receives the expected electronic funds. It is supposed that the end of day
process identifies that there is no credit corresponding to the bill payment and therefore there
must be a cash discrepancy.
This observation needs to be explained more carefully. What exactly was observed to
happen here? The back end settlement between the Merchan#-AccusirorMA) and Post
GRO
CSO11A ™ . Version 3.0 11/02
Signature} Signature witnessed by
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
Office Ltd is totally separate from the accounting done in the Local Branch. Provided
the Debit Card transaction is Authorised by the MA, then the Branch Accounts will
record the Debit Card payment as the Method of Payment (MoP). However if the MA
doesn’t authorise the transaction then an alternative MoP is required. What action is
taken should the MA fail to honour the authorised payment and whether that results in a
Transaction Correction (TC) being sent to the branch to reclaim the funds is a separate
issue outside my knowledge, but Post Office Ltd should be able to clarify that. Note that
lity of the clerk to ensure that the Debit Card
payment was successfully authorised by the MA and to check the response received.
such rejections are rare. It is the responsi
Should they not do so and assume it was processed and touch “Fast Cash” to clear the
basket without looking at the screen, then indeed the system might record a Cash
transaction.
In summary, if the Debit Card payment says that it works at the time, then it is recorded
as such in the branch accounts. There is no automatic feedback into the branch
accounts from any subsequent MA rejections.
2.1.3.11
Debit Card/POCA withdrawal: the customer is seeking to receive an over the counter payment
of cash from their debit card or POCA facility. As above [2.1.3.10] the card is apparently
authorised but in fact the fund transfer fails at some point and the sub post office account is
debited with the cash at the counter terminal but this is not recorded centrally against a debit
card fund transfer. There is therefore an apparent cash shortfall in the till. The Horizon system
only prints a receipt for the customer; there is no debit voucher for the counter staff to place in
their till, At the end of the day or the end of the week it is not possible to physically reconcile
the cash payments with debit vouchers.
There are clear messages to the clerk indicating whether or not any Banking or Debit
Card transactions was authorised. As above there is no subsequent automatic
correction due to any subsequent failures. I accept that there is no Branch Receipt
produced for paper reconciliation purposes. We were specifically requested not to
produce one by Post Office Ltd.
Signature Signature witnessed 6
GRO
sorta Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS.
2.1.3.12
In either of the two cases above [2.1.3.10], [2.1.3.11] the electronic funds transfer mechanism
duplicates the fund transfer. This could result in the expected credit balance at the sub post
office being higher than it actually is. The sub post mistress will be expected to make good this
discrepancy with cash.
Sorry, but I don’t understand the point being made.
2.1.4.3
She also demonstrated the weaknesses of the system in relation to the use of the debit
card/POCA terminal:
¢ the lack of counter vouchers,
This was a specific Post Office Ltd request
¢ the requirement to record some debit terminal transactions as cash receipts,
This may need to be explored further. I’m not aware of any such requirement other
that in the area of Refunds.
« the delays in the system at busy periods,
Again I’m not sure what the relevance of this is. My understanding is that the
response time for online transactions is very good
¢ the lack of certainty as to whether a transaction completes when there is a break in
network connectivity
There should be clear messages in all cases as to whether the clerk should assume
the transaction was successful or not. In the case of a comms failure the
assumptions should always be that the transaction has failed. Recovery processes
will allow this to be confirmed afterwards.
2.1.5.3
Signature i
cso1tA, Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
All of the facilities of Horizon are available in off-line mode except debit/POCA transactions and
access to information from the DVLC required to issue vehicle licences.
There are other exceptions now.
2.1.5.4
The Horizon system sells postal services, provides foreign exchange, supports receipts of cash,
cheque and debit card/POCA for Accounts Payable services and supports payment of cash
from debit card/POCA accounts.
Also other banking online services for A&L and via Link
2.2.1.2
It was clear that there is no standard operating procedure to reconcile counter credits with the
actual amounts recorded. This could give rise to a range of discrepancies which the sub post
mistress would rely on the Post Office to identify and reconcile. If the Post Office failed to do so
then overstated amounts could give rise to a deficit at the sub post office which the sub post
mistress would be required to make good with cash.
Again I’m not sure what is meant here. Post Office Ltd should comment on their
processes.
2.2.2.1
The West Byfleet sub post office is set up to operate with each counter having a separate
stock. Although this assists with stock control and ensures that stock discrepancies can be
localised, it does not provide any assistance in management of discrepancies in debit/POCA
receipts (no vouchers are automatically printed) or Accounts Payable and counter credit
discrepancies (standard operating procedures do not reconcile these on a daily basis).
Again for Post Office Ltd to respond.
2.2.3.3.
Signature!
cSO11A Version 3.0 11/02
G RO Signature ws G RO I
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
He agreed that the Horizon system provided no paper record of debit/POCA vouchers and
therefore that a sub postmaster/mistress would not be able to produce any evidence that a
customer had received a receipt for a debit/POCA transaction.
This information is available in the Audit data which could be supplied as evidence
2.2.3.4
He accepted that the Horizon system, as supplied, which the sub post master/mistress was
required to use under contract, did not provide the facility for the sub post master/mistress to
reconcile discrepancies that might arise in the operation of the system.
This is down to Post Office Ltd requirements.
3.1.1
Accounting systems are usually designed around a ‘double entry’ booking keeping principle.
The double entry book keeping principle means that for every entry into the system there is an
equal and opposite entry that should maintain the ‘balance’ between the accounts.
Horizon follows this principle.
3.1.2.
So, for example, if somebody at the till sells a stamp for £1 paid in cash then the stock account
would be reduced by £1 value of stock and the cash on hand account would be increased by £1
— overall the balance between the accounts would be unchanged.
Horizon does this.
3.1.3
As part of the process of financial control, it would be normal for the value of stamps to be
physically counted and recorded (stock value) and the value of cash on hand physically
counted and recorded (cash value) and these two values compared (‘reconciled’) to what is
recorded in the accounting system.
This is required as part of the Stock Unit Balancing process which should happen at
least once per month and can be done as often as required. In particular Cash should be
Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, 9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
Declared (and variances checked) daily.
3.2.1
The User Interface gives rise to incorrect data entry: poor user experience design and
inadequately user experience testing can give rise to poor data entry quality. In cases that
users are working under pressure, insufficiently trained or are using a system presented in a
language different from their first language the problems of data entry can be exacerbated.
I’m not sure what is meant by “The User Interface gives rise to incorrect data entry”.
Training matters are down to Post Office Ltd.
3.2.2
The Horizon system fails to properly process transactions: accounting systems are usually
carefully designed to ensure that accounts balance after each “double entry” transaction. In
particular, a database technology referred to as ‘two-phase’ commit is used to ensure that
either both entries or neither entry is recorded on the system.
Horizon does properly process transactions and does ensure that double entries are
always both committed atomically. There is no need for a 2 phase commit as such in the
branch accounts, but the design of the interfaces to both the MA and POCA ensure that
the view of the transaction as recorded in the Branch is the “correct” view and other
systems are adjusted (if necessary) to match this view through various reconciliation
processes,
3.3.1
There are opportunities for incorrect data entry (e.g. entry of £2,000 for a cash credit rather
than £200) to give rise to discrepancies in cash recorded on Horizon versus cash held at the til.
The sub post office relies on the consistent, accurate and timely resolution of these
discrepancies by the Post Office and the operators of the Horizon system. The sub post
master/mistress has no standard operating procedure or local record that protects them from
Signature witnessed bi G RO i
: I Version 3.0 11/02
cso11A
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
discrepancies. Perversely, the Post Office and the operators of the Horizon system have no
incentive to resolve discrepancies that appear as cash losses at the post office counter
because the sub post office contract makes the sub post master/mistress personally liable.
I agree that the system just records what the user enters, but there is little that can be
done to resolve that. However when cash is deposited messages are displayed
requiring the Clerk to check the amount deposited which should minimise such errors.
3.3.2
The Horizon system does not appear to be a single monolithic mainframe based system with
computer terminals with no independent processing capability. Rather the architecture relies on
a number of inter dependent units: the individuals nodes (counter terminals) at the sub post
office each with its own processing unit with an attached keyboard, touch screen, barcode
scanner, debit card authorisation PIN terminal and printer and a network router to the wider
Horizon system. Each of these components could give rise to faults that result in
discrepancies: either due to problems within the components or due to problems from
interaction between the components.
I accept that currently Horizon does depend on data recorded and held on the local
system which is then replicated to other counters and the central system. However I am
unclear why this is considered to be a fault.
3.3.3
Within the central Horizon system that is not directly visible to the counter operators I would
expect there to be a set of inter-operating components that could give rise to malfunctions and
discrepancies. In particular, the end to end dialogue between the counter terminal, the card
authorisation terminal, the network, the core Horizon system, the electronic funds transfer
component, the authorising merchant service and the central post office branch accounting
system is a long running transaction with multiple points of possible failure.
Agreed that this is complex. However the key point is that the end result as seen at the
counter is what is displayed to the clerk and what goes into the accounts. Any
hypothetical corruption (and I’m not aware of any issues in that way) in other systems
Signature witnesse¢ H
Signature:
csot1a
9
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
should not result in any discrepancies at the Branch. In particular should no response
be received, then the clerk will be advised of this and that it must be assumed that the
transaction failed.
3.3.4
Complex systems of this nature rarely have sufficient capability built in to deal with all possible
failure points and discrepancies are very likely to arise which require manual intervention based
on the reconciliation of paper and electronic logs at different points in the system. When the
end to end system does not provide the counter staff with access to paper or electronic logs at
the point of use then it is impossible for them to identify whether there is a system fault or
operator problem.
There are full logs, but I agree that they are not all made directly available to the end
user. I suspect that this is true in any complex system. There are mechanisms by which
details of individual transactions can be printed off from the system if there is some
uncertainty via the “Transaction Log” Reports.
4.1.1
The first problem with the provision of evidence is that the Horizon system does not
automatically provide a paper voucher for retention at the post office counter when funds are
withdrawn using a debit card or Post Office Cash Account card. Therefore the sub post office
has no mechanism for reconciling the result of downstream processing by the Horizon system
and the Post Office with what occurred at the sub post office counter either at the time or when
discrepancies are identified at the end of the weekly trading period. In effect, the Horizon
system makes it impossible for the sub post office to demonstrate an error occurred in the
downstream processing.
This is for Post Office Ltd comment.
4.1.2
The second problem with the provision of evidence is that the Horizon system does not
automatically provide a paper voucher for retention at the post office counter when funds are
Signature} GRO I Signature witnesse¢ I
10
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, 59; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
credited to the sub post office account as part of a bill payment (Accounts Payable) as a result
of a withdrawal using a debit card or Post Office Cash Account card. Therefore the sub post
office has no mechanism for reconciling the result of downstream processing by the Horizon
system and the Post Office with what occurred at the sub post office counter either at the time
or when discrepancies are identified at the end of the weekly trading period. In effect, the
Horizon system makes it impossible for the sub post office to demonstrate an error occurred in
the downstream processing.
Again this is for Post Office Ltd comment.
4.1.3
The third problem with the provision of evidence is that the standard operating procedure for
post office counter clerks does not include the reconciliation of bill payment or counter credit
slips with the individual amounts recorded by the counter clerk onto Horizon. In effect, this
standard operation procedure makes it impossible for the sub post office to identify any failures
by the Post Office or the Horizon system in identifying or dealing with discrepancies arising from
incorrect data entry.
Again for Post Office Ltd comment.
4.2.1
There are two elements to this possible cause
* The sub post office staff and, in particular, the sub post master/mistress is not trained in
the proper operating procedures to deal with maintaining an auditable contemporaneous
record that would protect their reputations in the event that faults in the Horizon system
or operator error resulted in discrepancies between the actual cash position and the
centrally recorded cash position.
Horizon does maintain a full audit of what is recorded which can be made available to
Post Office Ltd. I am also aware of at least one case where this information has been
made available directly to a Defence Accountant.
* The sub post office staff are not properly trained in the use of the Horizon system.
Signatur! GRO I Signature witnesse:
esoua
Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
This is for Post Office Ltd comment.
4.2.2
In order to understand to what extent sub post office staff are trained in the necessary
operating procedures, it would be necessary to review the course material provided for counter
staff and sub post masters/mistresses and to review the training and assessment processes
implemented by the Post Office. Finally, it would be necessary to review to what extent the
necessary operating procedures could feasibly be adopted and were in fact adopted in general
operating practice and in the case of Seema Misra in particular.
For Post Office Ltd to respond.
4.2.3
In order to identify whether Horizon system training is a possible cause, it would be necessary
in the first instance to sit alongside a user operating in normal Post Office conditions that had
only recently completed the standard systems training and who represented the kind of user
engaged by the Defendant.
For Post Office Ltd to respond.
4.2.4
If there is a pattern of incorrect data entry then it would be necessary to conduct a detailed
examination of the kinds of incorrect data entry that occur and the implications for failure of
accounting.
I'm not sure exactly what is meant here. I’m aware of work within Post Office Ltd to
explore errors in data entry and to come up with ways to reduce them.
4.2.5
There are two available technologies that could assist in examining cases of incorrect data
entry:
¢ Screen capture technology installed on the user terminal that keeps a record of every
key press/screen press and the associated screen shot.
This is not practical. However the Audit trail that H
Signatut G R :
sonia kL. Version 3.0 11/02
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS.
fairly comprehensive record of what has happened.
* Digital camera recording equipment positioned to have a clear view of the screen
continuously recording the screen as it responds to operator entry
This is clearly possible. A similar technique has also been used to benchmark
system response times.
4.3.2
Further, if there is prima facie evidence of incorrect transaction processing, it would be
necessary to review the technical documentation of the Horizon system and interview key
individuals responsible for the system within the Fujitsu team in order to understand the
potential source of the incorrect transaction processing. From my understanding of comparable
retail systems architectures there are a large number of potential points of failure which could
give rise to the kind of discrepancies reported by Seema Misra and the sub post mistress in the
Midlands. In particular, I have reviewed the architecture for a national retailer and identified a
series of possible failure points which are currently addressed by testing, review of error logs
and reconciliation of discrepancy reports. See Exhibit “Point of Sale — Electronic Funds
Transfer architecture”.
1 don’t see the relevance of this diagram. It is nothing like what Horizon does. We could
if necessary provide some documentation and information on Horizon. However I am
confident that there is not a system problem and the issues are due to incorrect actions
(whether deliberately or accidentally) by the user.
4.3.3
Based on the review of the technical documentation, it should be possible to identify and
examine the various electronic log files maintained by different components of the systems
architecture that are required by the Electronic Mastercard Visa (EMV) standard or for Payment
Card Industry (PCI) compliance.
These are probably available. (I’m not sure how long they are held and they will
probably have had details of Cards Obfuscated for Security reasons as required by PCI.)
Signaturé GRO /
csoa ib
Signature witnesst H
I G RO H Version 3.0 11/02
13
POL00053937
POL00053937
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Continuation of statement of GARETH IDRIS JENKINS
4.3.4
If the potential source of the incorrect transaction processing can be identified then it would be
helpful to be able to reproduce the problems under controlled test conditions in a consistent and
reproducible manner. This would require the assistance of Fujitsu in providing access to the
test environments maintained in support of the Horizon system.
Again this is technically possible.
There is no reason to believe that the information in this statement is inaccurate because of the
I improper use of the computer. To the best of my knowledge and belief at all material times the
computer was operating properly, or if not, any respect in which it was not operating properly, or
was out of operation was not such as to effect the information held on it. I hold a responsible
position in relation to the working of the comput i
Signature witnessed bi i
: Mersion 3.0 11/02
14
som GRO
cso11A