POL00142948
This document contains confidential information relating to Post Office Limited. It is intended for
the named recipients only and should not be disseminated further.
Review of Key System Controls in Horizon
Post Office Limited
Legally Privileged & Strictly Confidential
Assurance Review
March 2012
Internal Audit & Risk Management
Confidential
POL-BSFF-0002113
The Post Office Limited (POL) network of approximately 11,000 branches processes client and business transactions in excess of £100 billion annually. The
majority of transactions are conducted on behalf of third parties, for example, receiving payment for domestic utility bills and paying out from National Savings
accounts.
Customer transactions are captured on the Horizon (HNGX) electronic point of sale system in branches and transmitted to central systems (utility payment,
external banking and POL finance systems) throughout the day. Overnight, daily summaries are transferred into the central accounting system, POL SAP. The
translation process between the two systems is enabled by the Reference Data System (RDS). An overview of the component parts of the HNGX system is
provided at Appendix A.
The overall objective of the review was to provide assurance that appropriate IT management disciplines provide a stable IT platform, and that suitable internal
controls operate over HNGX transactions and the extraction of these for central systems. In the area of management disciplines the review assessed controls
over: access to software; change management; capacity monitoring; and system resilience and disaster recovery. With regard to internal controls over
transactions the review covered: master data controls; transaction data; SAP Middleware; and batch updates.
The review also assessed the degree to which actions to address the issues raised in the 2011 Ernst & Young (E&Y) Management Letter regarding the HNGX
control environment have been progressed by management.
Key Findings and Conclusion
IT Management Disciplines and HNGX Transaction Controls
The following control weaknesses were identified:
1. System access: Access to HNGX in branches is by means of individual user accounts and passwords. However, particularly in sub-post offices, the same user
accounts and passwords are often shared between branch staff. The use of individual user accounts is not always practical, e.g. in the case of single
terminal branches where time would be lost continually switching between user accounts, and the number and geographical spread of sub-post offices
makes it difficult for POL management to ensure access controls are enforced.
Implication: The ability to identify an individual user responsible for inputting a transaction may potentially be compromised.
2. Resilience and Disaster Recovery: Fail-over from the live data centre to the back-up has not been tested since June 2009, although disaster recovery
arrangements were tested during the migration to the new system in October 2009. Testing of the business continuity plan has been scheduled for the 24th
and 25th of March 2012.
Implication: The period of any inability to trade as a result of a major system outage may be greater than anticipated.
3. Master data: No audit trail exists for change requests received by Fujitsu from the Network Business Support Centre (NBSC). Not all 'approved' requesters
are documented or referred to on receipt of a change request. The membership of the Lotus Notes email groups, which are used to authorise the Master
Data Teams to make changes to standing data, is not known and has not been subject to recent review. One of a sample of 10 change requests was found
to have been handled via the "Fast track" process when it should have come through the normal process, resulting in reduced oversight of the change.
Implication: It is difficult to detect and prevent inappropriate changes being made to master data.
4. Transaction data: One of a sample of 5 monthly reconciliations between HNGX generated client transaction summaries and those created by the clients
themselves was found not to have a second level review signature. Period-end Senior Management review is not formally signed-off, although it appears to
be undertaken.
Implication: Transaction discrepancies may not be identified, resulting in third party clients being undercharged or overcharged for transactions.
Conclusion: IT disciplines around functional changes and capacity monitoring were found to be appropriately designed and also operating effectively. However,
access to the system in branches, particularly sub-post offices, can be by means of shared accounts. In addition, fail-over from the live data centre to the back-up
centre has not been tested since June 2009. This requirement is of particular importance, as highlighted by an outage in the system in December 2011. Testing
of the business continuity plan has been scheduled for March 2012. Controls designed to maintain the completeness, accuracy and integrity of transactional data
flows within HNGX were effective, with minor weaknesses noted around manual processes for the validation of master data and transaction data. No evidence
was found of material discrepancies arising from these issues.
Control Environment: Some improvement required.
E&Y Management Letter 2011
The 2011 E&Y Management Letter identified a number of areas for improving HNGX and other POL IT system controls. This current Internal Audit & Risk
Management (IA&RM) review assessed the degree to which management action plans have progressed to address the issues which related to HNGX. Progress
has been made in completing the actions arising from the E&Y Management Letter. The E&Y recommendations that require most additional work relate to:
inappropriate access to software change management duties (incomplete segregation between software development and migration roles); the process for the
identification and resolution of incidents; and the recommendations that POL undertakes an architectural review, configures passwords in line with policy and performs
a periodic scan of passwords as part of a penetration testing schedule. The penetration testing originally planned for January 2012 has been postponed to March
2012 as the business had to prioritise a test to meet Payment Card Industry (PCI) compliance during January.
The findings, summarised in Appendix B on page 9, have been shared with E&Y and reflect our assessment as at the end of January 2012.
We agree with this report and its findings, and will act to progress the action plan within the agreed timescales - Lesley J Sewell
Summary Findings

What was done: Walked through and sample tested access arrangements for branch, POL and Fujitsu technical support staff.
What was found: HNGX access in branches, particularly sub-post offices, is often via shared accounts. Access security controls over the "back end" HNGX environment (including Credence / TI) were found to be effective, as were physical security controls.

What was done: Inspected testing and release management processes, walked through and sample tested completed changes.
What was found: Functional changes are initiated and progressed via agreed processes and appropriately approved and tested prior to migration to the live environment.

What was done: Reviewed and sample tested arrangements for monitoring processing capacity.
What was found: Transaction processing capacity, including processor utilisation, disk space etc., is proactively managed and monitored by Fujitsu, including forecasting of future requirements.

Resilience and Disaster Recovery:
What was done: Inspected, walked through and sample tested arrangements for ensuring resilience and disaster recovery.
What was found: System design resilience is high, with frequent failure testing of individual components and sub-systems. "Warm" fail-over arrangements exist between the two data centres, although these have not been tested since June 2009.
Note: For details of systems and data flows, see "HNGX System Overview" at Appendix A.
Summary Findings: Internal Controls Over Transactions

What was done: Inspected master data input process and data validation routines and tested via walkthroughs and sample testing of changes.
What was found: Minor weaknesses were found around: helpdesk-initiated change requests; documentation and verification of "approved" requesters; and use of "fast-track" requests. Data validation routines have been designed and implemented effectively.

Transaction Data:
What was done: Reviewed and sample tested arrangements for the reconciliation and validation of transaction data.
What was found: Client account reconciliations are reviewed by team leaders and balances >£400k are reviewed by second line management. However, no formal senior manager sign-off exists for month-end probity reviews.

SAP Middleware:
What was done: Inspected data validation controls and tested the reconciliation of inputs to and outputs from Middleware (which translates HNGX data to POL SAP-readable format).
What was found: A detailed functional specification has been defined and agreed with Fujitsu, covering controls to validate the completeness / accuracy of the interface to POL SAP. Controls relating to data transfer between SAP Middleware and POL SAP appear to be designed and operated effectively.

Batch Updates:
What was done: Verified data flows across key interfaces to assess whether batch updates are completed accurately and on time by means of walkthroughs and sample testing.
What was found: Effective batch processing / interface monitoring controls are in place, automated and managed via Tivoli Workflow Scheduler (TWS). Automated error alerts are raised by TWS to the Service Management team, who escalate to either the Logica Application Management team or Fujitsu for resolution.
1. Complete an analysis of the potential misuse of individual Horizon user accounts and passwords in branches. Communicate to branch staff the requirement
that accounts and passwords must only be used in accordance with Post Office policy. Priority 2 (Dave M King - May 12)
2. Agree with Fujitsu a date for full fail-over testing. Priority 2 (Lesley Sewell - Completed)
addresses are included. Priority 2 (Lesley Sewell - May 12)
Susan Crichton, Legal and Compliance Director
Christopher Day, Finance Director
Kevin Gilliland, Network and Sales Director
Andy J Jones, Quality and Standards Manager
Dave M King, Senior Security Programme Manager
Nel Lecky-Thompson, Head of Programmes and Planning
John M Scott, Head of Security
Lesley Sewell, Head of IT and Change
Paula Vennells, Managing Director
Mike Young, Chief Operating Officer
Alice Perkins, Chairman
Derek Foster, Internal Audit & Risk Management Director
Moya Greene, Chief Executive
Matthew Lester, Chief Financial Officer
Emily Pang, Chief of Staff
Peter Tansley, Head of Risk & Assurance
Ernst & Young
Appendix A - HNGX System Overview (diagram; not reproduced in this text)
Appendix B - Update on Actions Arising from the E&Y Management Letter 2011

Columns: finding number, E&Y rating, finding summary, status.

1. High. Governance of outsourcing arrangement with Fujitsu: POL is responsible for the governance and risk and control frameworks and should have visibility and assurance over their design and operating effectiveness. Status: Substantial progress made.
2. High. Segregation of change management duties: Inappropriate access should be revoked and roles for development and migration to live environment should be segregated. Status: Further work required.
3. High. Change management process: All changes should be appropriately authorised, tested and approved prior to deployment to live environment. Status: Substantial progress made.
4. High. Privileged access: Privileged access to IT functions should be reviewed to determine whether it is appropriate. Status: Substantial progress made.
5. Med. Periodic POL-owned review of user accounts: To assist in the identification of inappropriate access and potential segregation of duties conflicts. Status: Substantial progress made.
6. Med. User administration: Review the current user access policy and strengthen the existing user administration process within POL and third party service providers. Status: Substantial progress made.
7. Low. Infrastructure logical security settings: Undertake architectural review and periodic scan of passwords as part of a penetration testing schedule. Status: Further work required.
8. Low. Password parameters: Review and update the Information Security policy and configure all applications in line with policy requirements. Status: Further work required.
9. Med. Access to generic privileged accounts: Review across all applications. Consider replacing with individual accounts and implement monitoring controls. Status: Substantial progress made.
10. Low. Incident identification and resolution: Regular review of the problem and incident management process to ensure incidents are identified, classified and resolved on a timely basis. Status: Further work required.

The findings above reflect our assessment as at the end of January 2012.