POL00116802
POL00116802
Deloitte.
Project Zebra
Supporting Your Assurance Needs
7 June 2012
POL00116802
POL00116802
Simon Baker, ;
Post Office Ltd. Deloitte LLP
148 Old Street , 2 New Street Square
London, London
EC1V 9HQ. EC4A 3BZ
United Kingdom
www.deloitte.co.uk
Dear Simon,
June 2012
Project Zebra — Supporting your Assurance Needs
As per our recent conversations, I am delighted to provide some further information summarising the three possible options which we see as available to Post Office Ltd
(POL) which would provide you with differing “levels” and “types” of comfort over the integrity of processing within your Horizon system.
Based on our conversations to date, my personal view is that Option B appears to best suit POL’s needs. Whilst a number of comparisons are outlined in this document,
my primary reason for suggesting this is that such an approach is more flexible in its delivery form and outputs. Such an approach has less reporting constraints (eg:
agreed upon procedures only enables us to report factual findings, not conclusions) and fewer formal reporting protocols (eg: in a positive assurance approach, based on
ISAE3000, we would be required to adhere to a prescribed reporting format and prescriptive wording around our conclusions, as dictated by the standard). For a review
such as this, avoiding such reporting constraints and protocols enables us to scope our forensic testing work in more pragmatic, risk focussed and time considerate way
and enables us to shape our end deliverable more proactively with you, to ensure our findings and conclusions are most suitably reported. I strongly believe that this,
combined with your current level of understanding of detailed system data flows, architectural matters and activities to manage key processing risks, will see POL
achieving best value from our work through this approach.
I would be very comfortable delivering such work to you under legal privilege, should you require this. From our team bios and credentials previously shared, we have
demonstrated that our team has the right experience and capabilities to give you confidence that Deloitte can deliver such a high profile and complex piece of assurance
work for you, what-ever form this may take. I am also confident that our background of working with POL over the past 4 years in both IT and Financial areas (with your
teams in Chesterfield) will help improve our effectiveness through all stages of the review and raise higher quality improvement suggestions with you.
My team and I are genuinely excited by the opportunity of working with POL in this area, so please don't hesitate to call me on my mobile number below with any further
queries should these be raised in your discussions with Paula, Alice, Susan or Lesley.
Yours sincerely,
Gareth James
Partner
@012 Deloitte LLP. Private and confidential
POL00116802
POL001168
Three Potential Options
There are three key approaches that could be adopted by P OL to provide varying degrees of assurance around the proce ssing integrity of your Horizon
system. These approaches have different characteristics, which r evolve around complexity, flexibility and cost.
Our recommendation, based on our conversations to date, i s that option B would most likely best suit POLs current ne eds. This offers the greatest degree of
flexibility to define the scope to meet your requirement s and has a much less “prescriptive” reporting output.
Option A
Option B
Agreed Upon Procedures (AUP)
Option C
Conclusions & Recommendations
Positive Assurance
@012 Deloitte LLP. Private and confidential
POL00116802
POL00116802
Key Features and Estimated Costs
Option A Option B Option C
Agreed Upon Procedures Conclusion and Recommendation Positive Assurance
Ww
<
Ee
a
c=
STAGE 2
Perform & Report
+
BG
io}
Le}
Estimated
* Estimated costs for Stage 2 work under each Option are based on a number of assumptions which, through our experience of the various delivery models, we have suggested likely fee
outcomes to POL for consideration. Our actual costs would be charged on a time and materials basis, in line with the Advisory rate card within our framework agreement with POL, and
would depend on exact scoping requirements of the performance and reporting phase. All fees exclude VAT and out of pocket expenses, which would be charged as incurred
@012 Deloitte LLP. Private and confidential
Important notice
This document has been prepared by Deloitte LLP (as defined below) for the sole purpose of providing aproposal to the parties to whom it is addressed in order that
they may evaluate the capabilities of Deloitte LLPto supply the proposed services.
The information contained in this document has been compiled by Deloitte LLP and includes material whch may have been obtained from information provided by
various sources and discussions with management buthas not been verified or audited. This document abo contains confidential material proprietary to Ddoitte LLP.
Except in the general context of evaluating our abilities, no reliance may be placed for any purposes whatsoever on the contents of this document or on its
completeness. No representation or warranty, express or implied, is given and no responsibility or lability is or will be accepted by or on behalf of Deloitte LLP or by any
of its partners, members, employees, agents or any other person as to the accuracy, completeness or corectness of the information contained in this document or any
other oral information made available and any suchliability is expressly disclaimed.
This document and its contents are confidential and may not be reproduced, redistributed or passed on, directly or indirectly, to any other person in whde or in part
without our prior written consent.
This document is not an offer and is not intended be contractually binding. Should this proposal beacceptable to you, and following the conclusion of our internal
acceptance procedures, we would be pleased to disciss terms and conditions with you prior to our appohtment.
In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kirgdom member firm of Deloitte Touche Tohmatsu Limitel (‘DTTL"), a
UK private company limited by guarantee, whose memter firms are legally separate and independent entites. Please see www.deloitte.co.uk/about for a detdled
description of the legal structure of DTTL and itsmember firms.
@012 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership regstered in England and Wales with registered number 0C303675 and its registered office at 2 New Street Square, London
EC4A 3BZ, United Kingdom.
Member of Deloitte Touche Tohmatsu Limited
POL00116802
POL00116802
@012 Deloitte LLP. Private and confidential