POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
Re: Seema Misra
2" Interim Technical expert’s report to the Court prepared by
Charles Alastair McLachlan, a Director of Amsphere Consulting
Ltd.
This report contains 30 pages
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
Contents
1 INTRODUCTION.
2 PRELIMINARY REPORT OF FINDINGS DURING VISITS TO A SUB
POST OFFICE IN THE MIDLANDS AND WEST BYFLEET............:0:0ee+000 11
3 WHAT HYPOTHESES COULD SUPPORT THE DEFENDANT’S CLAIM
THAT THE HORIZON SYSTEM WAS THE SOURCE OF THE
ACCOUNTING DISCREPANCIES ?..........s:sssssessssssssesssesesessessasesenensaeseaseenneen 21
4 WHAT EVIDENCE NEEDS TO BE PROVIDED IN ORDER TO
DETERMINE THE MERITS OF THE DEFENDANT’S CLAIM?............:0:000 25
5 MY DUTIES TO THE COURT..........sssssssssssesessessseeeeeesessnsseesenssenenecesees 30
Charles McLachlan
1
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1 Introduction
1.1 Instructions
1.1.1 Tam Charles Alastair McLachlan, a Director of Amsphere Consulting Limited,
London, England specialising in information technology consulting. I have
been instructed in this matter by Coomber Rich Solicitors, on behalf of their
client, Seema Misra, (“the Defendant”) to assist the court in this matter of
alleged fraudulent accounting in providing expert evidence on the questions
posed at 1.1.3 hereunder.
1.1.2. The allegations arose from the discrepancy between the transactions as
recorded in the Horizon system provided by Post Office Counters Ltd through
a service agreement with Fujitsu and the cash on hand at the defendant’s Post
Office branch.
1.1.3. I was instructed to visit a sub post office in the Midlands and the sub post
office at West Byfleet to review the operational procedures and IT systems
implemented at the two sites in order to:
a. Understand the basis upon which standard operational procedures would
provide evidence to identify and resolve discrepancies arising from the use
of the Horizon system.
b. Understand the elements of the end-to-end IT architecture which could be
the source of discrepancies as a result of defects in the operation of the
software, hardware, network or integration with 3" party components.
1.2. Qualifications
Charles McLachlan
1
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.2.1 Thave been working in the software industry since my first job at the age of 17
writing software analysing the results from a particle accelerator for the UK
Atomic Energy Authority
1.2.2 I obtained an M.A in Computer Science from Cambridge University
matriculating in 1979
1.2.3 I developed software for environmental control systems for a company on the
Cambridge Science Park while at university.
1.2.4 I was retained by Cambridge University to do undergraduate teaching for
three years.
1.2.5 After University, I worked for the company of the Emeritus Professor of
Computer Science at Imperial College (and founder of IBM UK Hursley
Laboratories), developing PC multi-tasking office automation software. As
the company transitioned to IT consulting, I advised HP on their Unix
Strategy and looked at the potential for hosting Inmos parallel processors in
PC environments. I also built an extensive financial performance analysis
system for the Building Society industry.
1.2.6 In 1987, I became the founding partner of CMJP Associates which delivered
software development services to a wide range of clients using PC and Client-
Server technologies.
Charles McLachlan
2
POL00167137
POL00167137
Amsphere Confidential and Privileged
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
A number of these projects included the development of accounting modules
and work for the Financial Services industry including SG Warburg, GNI (of
the London International Financial Futures Exchange LIFFE).
In 1991 I established a partnership for CMJP Associates to provide expert
advice to the Client Server Centre of Excellence.
In July 1993 I became the founding Technical Director of Infonet Stystems.
Infonet Systems focused on building leading edge object oriented Client-
Server solutions. Its first success was the delivery of a complete front office
trading platform of financial derivatives (repos and bonds) in four weeks. This
was the first NT based client server trading desk in the City of London. While
at Infonet, I developed the Object Oriented Just In Time software
development methodology.
In December 1996, I was recruited by the European headquarters of emerging
internet service provider UUNet (shortly to become part of MCI Worldcom),
to advise on IP billing and customer provisioning systems. A key element of
the assignment was to undertake a critical review of the implementation and
customisation of the GEAC Smartstream ERP solution by Arthur Andersen
Business Consulting.
In August 1997 I was recruited by Arthur Andersen Business Consulting to
provide technology leadership for the new Advanced Technology division.
Over the next five years, I became the international thought leader in the
building of software related services that underpinned the development of
Andersen’s New Media and eBusiness practice. This was recognised by
election to partnership in 2000.
Charles McLachlan
3
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.2.12 Early identification of the crucial role for Java technologies and ‘just in time’
business and technology development methods, positioned the emerging
Business Consulting (BC) division for rapid growth on the Internet wave to
become 9th globally by Quarter 3 2001. Achievements during this period
cover:
1.2.13 Major systems delivery projects The software development related service
revenues were the fastest growing area of the fastest growing global
consulting organization between 1997 and 2002. My team delivered marquee
projects for key clients including: launch of Sky.com, TimeOut.com,
myTravel.com, Cendant’s Move.co.uk, pan-European systems for Budget-
Rent-a-Car. I was also engaged as a technical delivery expert for major new
systems types including on-line trading exchanges, high throughput customer
services systems, on-line transaction processing systems and content
management systems.
1.2.14 Solution Development: 1 provided technology leadership for the development
of key global solutions for BC including: eStrategy, eBusiness, Content
Management, Experience Design, Component Based Development, Business
Architecture, Enterprise Integration, Datawarehouse, Technical Architecture,
Active Intelligence™, Anti-Money Laundering, Telco Fraud Protection.
1.2.15 I was the recognized methodology and risk management expert for software
related technology solutions across Andersen
1.2.16 I worked closely with the Computer Risk Management practice in the
Andersen Audit practice to perform technical due diligence, project risk
reviews and advise on project recovery.
Charles McLachlan
4
POL00167137
POL00167137
Amsphere Confidential and Privileged
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
Capability Development One of my key strengths was the recruitment,
training, development and motivation of deeply technical teams to perform
successfully in a ‘Big 4’ consulting environment
Operating first as the founding director of Andersen’s Global Software
Engineering Centre of Excellence and then as a member of the Global
Advanced Technology Advisory Team, I became one of a small number of
newly appointed partners building the technology integration skills at the
heart of BC’s growth strategy.
I provided technical leadership for the development of the core component
based rapid implementation methodology and acted as the expert for
methodologies built on this foundation including eBusiness, eMarketplace,
Content Management, Datawarehouse, Business Architecture, Enterprise
Integration and Customer Management.
Other achievements include implementation of the first successful Knowledge
Management Capability Maturity Model for the UK practice; establishing a
global virtual community of 2,000 software developers; developing alliance
relationships with BEA, Microsoft, Sun and a variety of specialist technology
providers; sponsorship of Computing for Business MSc at Imperial College,
development of four technology training courses for global roll-out; delivery
of a technology competency model for all practitioners globally.
Tam currently working as an IT and Technology Risk consultant as a Director
of Amsphere Consulting Limited.
Charles McLachlan
5
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.2.22 Recent assignments include:
e Advisor to board of advisor to board of interactive satellite broadband
start-up
e Recovery of failing project at Big ‘4’ consulting firm
e Associate editor Butler Group, the IT strategy consulting information
service company.
e Design and implementation of delivery risk management system for an off-
shore software development company
e Project delivery for an applications management business
e Report on XML related integration and data quality risk for JP Morgan-
Chase
e Expert witness including cross examination in an ICC Arbitration between
3 national banks and an international provider of banking accounting
software
e Expert witness in a High Court action relating to the quality of software
testing between an international mobile telephone operator and an
established mobile telephony systems integrator.
e Expert advisor in action between Geographical Information Systems
provider and off-shore software development services provider.
1.2.23 I am a former Director of UCL Consultants (founded by University College
London) which is responsible for providing professional consulting services
from members of UCL.
Charles McLachlan
6
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.2.24 Tam a Partner of the Transformation Development Partnership LLP.
1.2.25 I was appointed Visiting Professor of Software Enterprise at University
College London in 2005.
1.2.26 I have worked with IT organisations of all scales from small businesses to
international global organisations.
1.2.27 I mentor small businesses owners through the Academy for Chief Executives.
1.3. Confidentiality
1.3.1 This report is strictly private and confidential and has been prepared at the
request of Coomber Rich Solicitors on behalf of their client, for the Court.
1.4 Legal and factual issues
1.4.1 This report should not be read as expressing any opinion on factual matters
which depend on disputed testimony of the witnesses of fact, or legal issues.
It, however, inevitably reflects my understanding of the position.
1.5 Sources of information
1.5.1 In preparing my report, I have read and considered the following documents:
Charles McLachlan
7
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
a. Summary of facts prepared in accordance with Rule 21.3(1)(b) of the
Criminal Procedure Rules 2005;
b. The Indictment — The Queen v Seema Misra;
c. Witness statement of Keith Noverre 8" January 2009;
d. Witness statement of Elaine Ridge 9" January 2009;
e. Witness statement of Lisa Jane Allen 12" January 2009;
f Witness statement of Adrian Morris 6" January 2009;
g. Witness statement of Jon Longman 29" May 2009;
h. Witness statement of Javed Salim Bidiwala 13" April 2006
i. The statement under Section 9 of the Criminal Justice Act 1967 of John
Kidd
j. The Audit of Post Office ® West Byfleet branch, FAD 126023 — Action
Plan Appendix A
k. The Witness statement of Andrew Paul Dunks 24" June 2009
1 The exhibits provided running from pages 1-35 insofar as the copies
provided are legible.
m. The systems architecture for the end to end process from Point of Sale
terminal to Electronic Funds Transfer for a leading UK retailer
1.6 The scope of my work
Charles McLachlan
8
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.6.1 [report as an expert witness, not as a witness of fact.
1.6.1.1 [have reviewed the documentation provided to me.
1.6.1.2 I have not undertaken an operational review of the software solution
Horizon system.
1.6.1.3 I have not had access to any documentation or test data relating to the
Horizon system
1.6.1.4 I have attended a sub post office in the Midlands reporting regular cash
discrepancies, interviewed the sub postmistress, reviewed the operating
procedures in the sub post office and reviewed the capabilities of the
Horizon system.
1.6.1.5 I have attended the sub post office at West Byfleet named in these
proceedings, interviewed one of the attending investigating officers,
reviewed the operating procedures in the sub post office and reviewed the
capabilities of the Horizon system.
1.7 Independence
Charles McLachlan
9
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
1.7.1 Lhave prepared an independent and objective report addressed to the Court. I
have had no previous involvement with the Defendant. I have no previous
involvement with Coomber Rich Solicitors
1.7.2. Amsphere’s fees in this case are not dependent on the result of the
proceedings in this matter.
1.8 The structure of my report is as follows:
1.1.1 At Section 2, I report my preliminary findings following the visits to the two
sub post offices.
1.1.2 At Section 3, I reconsider “What hypotheses could support the Defendant’s
claim that the Horizon system was the source of the accounting
discrepancies?”
1.1.3. At Section 4 I reconsider “What evidence needs to be provided in order to
determine the merits of the Defendant’s claim?”
1.1.4 At section 5 my expert’s declaration is recorded
Charles McLachlan
10
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
2 Preliminary report of findings during visits to a sub post
office in the Midlands and West Byfleet
2.1 Findings during visit to sub post office in the Midlands
2.1.1
2.1.11
2.1.1.2
2.1.1.3
2.1.1.4
2.1.1.5
Background of sub postmistress
The sub postmistress responsible for the sub post office we visited in the
Midlands asked that she retain her anonymity at this stage in the process
because she is very fearful of being suspended. However there are some
relevant details that she was ready to have appear in the report:
She has a previous career in banking with a major retail bank and had
previous bank teller experience before moving to export/import credit
products.
She is familiar with handling detailed and complex documentation from her
experience at the bank.
She has been a sub post mistress for more than 10 years and only took on the
sub post office in order to be able to have her elderly disabled mother live
where she worked and in order to be close to her children as they grew up.
She has been recognised by the Post Office for her bravery in her response to
being shot at by armed robbers on more than one occasion and she
commented to us “why would I steal money from my own business when I
have already demonstrated that I will put my life at risk to protect it?”
Charles McLachlan
1
POL00167137
POL00167137
Amsphere Confidential and Privileged
2.1.1.6
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
Her husband and her children are all qualified graduates.
2.1.2 Background to issues at the sub post office
2.1.2.1
2.1.2.2
2.1.2.3
The sub post office is operated by a husband and wife team together with
their son.
The sub post office has 3 counter terminals which are operated on a shared
stock basis
The premises housing the sub post office include a small shop selling a
limited range of envelopes, gift card and other post related accessories. The
lottery terminal is on the shop counter. We were advised that sales in the
shop are between £200-£300 per week compared to a monthly transaction
volume at the post office counter of between £200,000 and £300,000 per
month.
2.1.3. Pattern of discrepancies
2.1.3.1
2.1.3.2
The sub post mistress explained that her experience is that there are almost
no discrepancies that she has to record against the stock.
There are also almost no discrepancies that she has to record against the
physical cash held in the shop.
Charles McLachlan
12
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
2.1.3.3. There are consistently discrepancies arising from the use of debit cards or
post office cash account cards. Not sure I understand what is meant by a
“discrepancy” in this context. My understanding is a discrepancy is where
the system derived value for an item differs from that physically in the Stock
unit and so this only applies to Cash or Stock. The Value of Debit (and
Credit) Cards and POCA Cards is handled as a “Payment” and should
balance with the corresponding “Receipt” recorded for the goods or Service
that they are used for. There is a later statement which appears to contradict
this as it indicates there are insufficient records of debit card transactions to
allow such a statement to be made. It is not clear what is actually meant
here.
2.1.3.4 The value of discrepancies has increased as the proportionate value of card
use has increased. Which discrepancies are we taking about here? I assume
these are discrepancies between the amount of cash on hand and the Horizon
generated figure?
2.1.3.5 If an “Account Payable” or counter credit is entered the Horizon system
assumes that there is a corresponding receipt (either physical cash, debit card
transaction, Post Office Cash Account card transaction or cleared cheque).
True, and this is ascertained during the Settlement process. The system does
not assume it until the clerk settles the transaction either through entering
the amount (via a cash/cheque/debit card transaction) or “fast cash/cheque”.
If a transaction is not settled it must be put into suspend in order to move on
to another transaction.
Charles McLachlan
13
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
2.1.3.6 The post mistress used to receive discrepancy reports generated by the Post
2.1.3.7
2.1.3.8
Office identifying when there was a mismatch between the counter credit
recorded at the counter and the cleared cheque or debit card amounts
reported to them by their correspondent banks or card merchant provider.
She no longer receives these and concludes that the Post Office function that
provided this service is non-operational or insufficiently staffed to properly
reconcile all of the discrepancies. These discrepancies, if left unresolved,
could create a liability for the sub postmistress. POL to answer. (Wouldn’t
there be Transaction Corrections now for any such discreancies?) Any
discrepancies arising from returned cheques or other accounting issues
would still arise from the reconciliation process and this would need to be
attested to by P&BA. Fewer returned payments are being seen because the
majority are authorised online and chip & PIN payments are protected
against reversals. It is possible that a transaction settled through a “swipe
and sign” could be returned, but there would be a signed voucher on hand to
support this.
If stock is sold, the Horizon system assumes that there is a corresponding
receipt (either physical cash, debit card transaction, Post Office Cash
Account card transaction). And it requests the User to specify how it is
settled for and accounts for it accordingly. Agreed, as for 2.1.3.5, it requires
the clerk to enter something to settle the transaction.
If at the end of the monthly period there is a discrepancy between the cash
on hand and the credit balance expected by the Horizon system then the only
way to close the period and start a new period is to “make good” the cash
discrepancy and declare that the cash on hand has been brought up to the
expected credit balance. There is no mechanism to record the discrepancy in
Charles McLachlan
14
POL00167137
POL00167137
Amsphere Confidential and Privileged
2.1.3.9
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
a suspense account for subsequent investigation and resolution. The system
imposes a declaration as part of the operating procedure that the cash is on
hand. If the actual reason for the discrepancy is due to a problem with a non-
cash credit (e.g. incorrectly processed card payment, incorrectly recorded
cheque payment) then there is no opportunity for the sub post mistress to
note her concerns on the system. This was the requirement made by POL of
the system. This is in the nature of the contract with the Agent and has
always been thus, even before the advent of Horizon. There are mechanisms
for Agents to raise concerns through P&BA and their local Manager.
The sub post mistress demonstrated the following transactions in which the
use of a debit card could result in a discrepancy in the cash account (physical
+ debit card/POCA amounts) at the sub post office: Cash and Plastic are
handled separately in the accounts.
2.1.3.10 Account Payable using a Debit Card / POCA card: the customer is seeking
to make a bill payment of council tax using a debit card. The card is
apparently authorised at the PIN terminal for the required amount. The card
receipt is apparently credited to the sub post office account. The council tax
payment is debited from the sub post office account. However, during the
end to end electronic fund transfer process the fund transfer fails. The
central Post Office account never receives the expected electronic funds. It
is supposed that the end of day process identifies that there is no credit
corresponding to the bill payment and therefore there must be a cash
discrepancy. This needs to be explained more carefully. What exactly was
observed to happen here? The back end settlement between the Merchant
Acquirer and Post Office Ltd is totally separate from the accounting done in
the Local Branch. Provided the Debit Card transaction is Authorised by the
Charles McLachlan
15
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
MA, then the Branch Accounts will record the Debit Card payment as the
MoP. However if the MA doesn’t authorise the transaction then an
alternative MoP is required. What action is taken should the MA fail to
honour the authorised payment and whether that results in a TC being sent
to the branch to reclaim the funds is a separate issue outside my knowledge,
but POL should be able to clarify that. Note that such rejections are rare. It
is the responsibility of the clerk to ensure that the Debit Card payment was
successfully authorised by the MA and to check the response received.
Should they not do so and assume it was processed and touch “Fast Cash”
to clear the basket without looking at the screen, then indeed the system
might record a Cash transaction.
In summary, if the Debit Card payment says that it works at the time, then it
is recorded as such in the branch accounts. There is no automatic feedback
into the branch accounts from any subsequent MA rejections.
A good summary. If a transaction doesn’t complete at the counter then an
error message is presented and it is not possible to settle the transaction with
the debit/credit card. The only way a discrepancy could be generated would
be if the transaction was subject to a charge-back and resulted in a notice
from P&BA which would have to be entered into the system by the Agent.
Probably need to get a statement from P&BA on this.
2.1.3.11 Debit Card/POCA withdrawal: the customer is seeking to receive an over
the counter payment of cash from their debit card or POCA facility. As
above [2.1.3.10] the card is apparently authorised but in fact the fund
transfer fails at some point and the sub post office account is debited with
the cash at the counter terminal but this is not recorded centrally against a
debit card fund transfer. There is therefore an apparent cash shortfall in the
Charles McLachlan
16
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
till. The Horizon system only prints a receipt for the customer; there is no
debit voucher for the counter staff to place in their till. At the end of the day
or the end of the week it is not possible to physically reconcile the cash
payments with debit vouchers. There are clear messages to the clerk
indicating whether or not any Banking or Debit Card transactions was
authorised. As above there is no subsequent automatic correction due to any
subsequent failures. I accept that there is no Branch Receipt produced for
paper reconciliation purposes. We were specifically requested not to
produce one by POL. Same as above, a clerk would need to ignore the
system messages and not follow the settlement process for this to happen.
Whilst there is no physical voucher, the system does retain logs of all
transactions and these can be printed off as a paper report by the Agent if
required. Probably need to get a statement from the system owner (or
someone in Network) in support of this.
2.1.3.12 In either of the two cases above [2.1.3.10], [2.1.3.11] the electronic funds
transfer mechanism duplicates the fund transfer. This could result in the
expected credit balance at the sub post office being higher than it actually is.
The sub post mistress will be expected to make good this discrepancy with
cash. Sorry, but I don’t understand the point being made. I don’t
understand this either, but this would appear to require an error in both the
initial authorisation and reconciliation files.
2.1.4 Operating procedures
2.1.4.1 We discussed the operating procedures implemented at the sub post office in
the Midlands in great detail with the sub postmistress. In my opinion, she
Charles McLachlan
17
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
demonstrated the trained eye for detail and procedure that I would expect
from somebody with her professional experience.
2.1.4.2. She demonstrated a range of features of the Horizon system that showed
how stock and cash were tightly connected across the system and how the
system had built-in mechanisms to link stock sales with cash receipt.
2.1.4.3. She also demonstrated the weaknesses of the system in relation to the use of
the debit card/POCA terminal:
e the lack of counter vouchers, This was a specific POL request The
details are all recorded in the system log and available through
printed reports
¢ the requirement to record some debit terminal transactions as cash
receipts, This may need to be explored further. I’m not aware of
any such requirement other that in the area of Refunds. I am only
aware of some very specific refund transaction. I suspect this gives
an indication of what has been happening here (if indeed there are
errors) that transactions are being settled to cash, or dealt with as
cash withdrawls, because you can’t make a debit card payment
without a transaction to settle.
e the delays in the system at busy periods, Again I’m not sure what
the relevance of this is. My understanding is that the response time
for online trasanctions is very good. The system meets the banking
requirements which is, I understand, an 8 second response time.
Charles McLachlan
18
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
e the lack of certainty as to whether a transaction completes when
there is a break in network connectivity There should be clear
messages in all cases as to whether the clerk should assume the
transaction was succeful or not. In the case of a comms failure the
assumptions should always be that the transaction has failed.
Recovery processes will allow this to be confirmed afterwards.
The recovery process is clear on this.
2.1.5 Capabilities of Horizon
2.1.5.1
2.1.5.2
2.1.5.3
2.1.5.4
Horizon terminals are capable of working in on-line and off-line mode.
The terminals are required to be left on overnight in order to permit two way
data transmission and software updates.
All of the facilities of Horizon are available in off-line mode except
debit/POCA transactions and access to information from the DVLC required
to issue vehicle licences. There are other exceptions now. There are so
many now that it is obvious at an early stage that the system is off-line.
The Horizon system sells postal services, provides foreign exchange,
supports receipts of cash, cheque and debit card/POCA for Accounts
Payable services and supports payment of cash from debit card/POCA
accounts. Also other banking online services for A&L and via Link True
2.2 Findings during visit to sub post office at West Byfleet
Charles McLachlan
19
POL00167137
POL00167137
Amsphere Confidential and Privileged
2.2.1
2.2.1.1
2.2.1.2
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
Operating procedures
I was able to confirm my understanding of the operating procedures from my
visit to the sub post office in the Midlands.
It was clear that there is no standard operating procedure to reconcile
counter credits with the actual amounts recorded. This could give rise to a
range of discrepancies which the sub post mistress would rely on the Post
Office to identify and reconcile. If the Post Office failed to do so then
overstated amounts could give rise to a deficit at the sub post office which
the sub post mistress would be required to make good with cash. Again I’m
not sure what is meant here. POL should comment on their processes. I
suspect this is something you would need to go to P&BA about. The Agent
has a complete record at the office of the transactions undertaken, it is only
where they have failed to do something, such as record Lottery transactions,
that there would normally be a discrepancy of this type.
2.2.2 Capabilities of Horizon
2.2.2.1
The West Byfleet sub post office is set up to operate with each counter
having a separate stock. Although this assists with stock control and ensures
that stock discrepancies can be localised, it does not provide any assistance
in management of discrepancies in debit/POCA receipts (no vouchers are
automatically printed) or Accounts Payable and counter credit discrepancies
(standard operating procedures do not reconcile these on a daily basis).
Again for POL to respond. Each stock unit has their own transactions
recorded against it, so I’m not sure what is being got at here?
Charles McLachlan
20
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
2.2.3. Approach of investigating officers to system issues
2.2.3.1
2.2.3.2
2.2.3.3
On our visit to West Byfleet, we had an opportunity to raise some questions
with one of the investigating officers that attended on the day of the audit
that gave rise to these proceedings.
He made it clear that it was Post Office policy that investigating officers
should never consider systems problems as relevant to their enquiries.
He agreed that the Horizon system provided no paper record of debit/POCA
vouchers and therefore that a sub postmaster/mistress would not be able to
produce any evidence that a customer had received a receipt for a
debit/POCA transaction. This info is available in the Audit data which can
be supplied as evidence I would have expected the audit logs to have been
obtained which not only have records of all transaction, but also of system
events and failures. Do these indicate an undue number of failed debit/credit
card transactions or being settled to cash?
He accepted that the Horizon system, as supplied, which the sub post
master/mistress was required to use under contract, did not provide the
facility for the sub post master/mistress to reconcile discrepancies that might
arise in the operation of the system. This is down to POI requirements.
What has been said here, it provides a suitable system for recording
transactions and logs of transactions undertaken, so what more is required?
He accepted that there was no Post Office requirement that he should
understand the operation of the Horizon system in order to properly conduct
Charles McLachlan
21
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
his investigations. Operation at what level? I would assume anyone
investigating a suspected fraud would need to know what the system does
and how transactions are recorded. I wouldn’t expect intimate knowledge of
the back-end, but that doesn’t appear to be relevant here?
Charles McLachlan
22
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
3 What hypotheses could support the Defendant’s claim
that the Horizon system was the source of the
accounting discrepancies?
3.1
Background
Accounting systems are usually designed around a ‘double entry’ booking
keeping principle. The double entry book keeping principle means that for
every entry into the system there is an equal and opposite entry that should
maintain the ‘balance’ between the accounts. Horizon follows this principle.
Yes
So, for example, if somebody at the till sells a stamp for £1 paid in cash then
the stock account would be reduced by £1 value of stock and the cash on hand
account would be increased by £1 — overall the balance between the accounts
would be unchanged. Horizon does this. Yes
As part of the process of financial control, it would be normal for the value of
stamps to be physically counted and recorded (stock value) and the value of
cash on hand physically counted and recorded (cash value) and these two
values compared (‘reconciled’) to what is recorded in the accounting system.
This is required as part of the Stock Unit Balancing process which should
happen at least once per month and can be done as often as required. In
particular Cash should be Declared (and variances checked) daily. It is a
requirement to count the cash undertake a cash declaration daily and the stock
on a less frequent basis, but discrepancies would be seen when a balance was
undertaken at the end of the accounting period.
Charles McLachlan
23
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
3.2 Hypothetical issues with the Horizon system
3.2.1
3.2.2
The User Interface gives rise to incorrect data entry: poor user experience
design and inadequately user experience testing can give rise to poor data
entry quality. In cases that users are working under pressure, insufficiently
trained or are using a system presented in a language different from their first
language the problems of data entry can be exacerbated. I’m not sure what is
meant by UI gives rise to oor data entry. Training matters are down to POL.
It is the responsibility of the Agent to ensure all their staff are adequately
trained and able to use the system. Training material is provided covering the
correct operation of the system. The User Interface is clear at the point of
data entry.
The Horizon system fails to properly process transactions: accounting systems
are usually carefully designed to ensure that accounts balance after each
“double entry” transaction. In particular, a database technology referred to as
‘two-phase’ commit is used to ensure that either both entries or neither entry
is recorded on the system. Horizon does properly process transactions and
does ensure that double entries are always both committed atomically. There
is no need for a 2 phase commit as such in the branch accounts, but the design
of the interfaces to both the MA and POCA ensure that the view of the
transaction as recorded in the Branch is the “correct” view and other systems
are adjusted (if necessary) to match this view through various reconciliation
processes. This is not a database system and the transactions recorded in
Horizon are taken as the correct view. The transactions are designed in such a
way that each has a “double-entry” and that the system stays in balance.
3.3. Comments on Hypothetical issues following site visits
Charles McLachlan
24
POL00167137
POL00167137
Amsphere Confidential and Privileged
3.3.1
3.3.2
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
There are opportunities for incorrect data entry (e.g. entry of £2,000 for a
cash credit rather than £200) to give rise to discrepancies in cash recorded on
Horizon versus cash held at the till. The sub post office relies on the
consistent, accurate and timely resolution of these discrepancies by the Post
Office and the operators of the Horizon system. The sub post master/mistress
has no standard operating procedure or local record that protects them from
the failure of the Post Office or the operators of the Horizon system to deal
with the discrepancies. Perversely, the Post Office and the operators of the
Horizon system have no incentive to resolve discrepancies that appear as cash
losses at the post office counter because the sub post office contract makes
the sub post master/mistress personally liable. I agree that the system just
records what the user enters, but there is little that can be done to resolve that.
However when cash is deposited messages are displayed requiring the Clerk
to check the amount deposited which should minimise such errors. Equally
the user could give out £2000 instead of £200 if they didn’t look at the screen
or the notes they were using.
The Horizon system does not appear to be a single monolithic mainframe
based system with computer terminals with no independent processing
capability. Rather the architecture relies on a number of inter dependent units:
the individuals nodes (counter terminals) at the sub post office each with its
own processing unit with an attached keyboard, touch screen, barcode
scanner, debit card authorisation PIN terminal and printer and a network
router to the wider Horizon system. Each of these components could give rise
to faults that result in discrepancies: either due to problems within the
components or due to problems from interaction between the components. I
accept that currently Horizon does depend on data recorded and held on the
local system which is then replicated to other counters and the central system.
Charles McLachlan
25
POL00167137
POL00167137
Amsphere Confidential and Privileged
3.3.3
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
However I am unclear why this is considered to be a fault. Even a monolithic
mainframe is actually composed of different systems even if they are all
running on the same box and would have similar external interfaces, so I’m
not sure what the problem is.
Within the central Horizon system that is not directly visible to the counter
operators I would expect there to be a set of inter-operating components that
could give rise to malfunctions and discrepancies. In particular, the end to end
dialogue between the counter terminal, the card authorisation terminal, the
network, the core Horizon system, the electronic funds transfer component,
the authorising merchant service and the central post office branch accounting
system is a long running transaction with multiple points of possible failure.
Agreed that this is complex. However the key point is that the end result as
seen at the counter is what is displayed to the clerk and what goes into the
accounts. Any hypothetical corruption (and I’m not aware of any issues in
that way) in other systems should not result in any discrepancies at the
Branch. In particular should no response be received, then the clerk will be
advised of this and it must be assumed that the transaction failed. If
components further down the line failed, this would result in a reconciliation
error, which would only impact the branch if it was raised by P&BA and input
by the Agent.
Complex systems of this nature rarely have sufficient capability built in to deal
with all possible failure points and discrepancies are very likely to arise which
require manual intervention based on the reconciliation of paper and electronic
logs at different points in the system. When the end to end system does not
provide the counter staff with access to paper or electronic logs at the point of
use then it is impossible for them to identify whether there is a system fault or
Charles McLachlan
26
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
operator problem. There are full logs, but I agree that they are not all made
directly available to the end user. I suspect that this is trune in any complex
system. There are mechanism by which details of individual transactions can
be printed off from the system if there is some uncertainty via the “Transaction
Log” Reports. There are logs available to the user which cover the normal
day to day transactions and balancing activities, what is not available is the full
system log, which one wouldn’t expect to be, nor for a user to be able to
interpret it.
Charles McLachlan
27
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
4 What evidence needs to be provided in order to
determine the merits of the Defendant’s claim?
4.1 Errors in operator data entry are not properly reconciled by the Post Office
finance function or by the Horizon system.
4.1.1 The first problem with the provision of evidence is that the Horizon system
does not automatically provide a paper voucher for retention at the post office
counter when funds are withdrawn using a debit card or Post Office Cash
Account card. Therefore the sub post office has no mechanism for reconciling
the result of downstream processing by the Horizon system and the Post
Office with what occurred at the sub post office counter either at the time or
when discrepancies are identified at the end of the weekly trading period. In
effect, the Horizon system makes it impossible for the sub post office to
demonstrate an error occurred in the downstream processing. This is down to
Post Office Ltd. The counter holds logs which the Agent has access to that
effectively replace the office voucher. Unless a discrepancy is the result of an
error notice from P&BA, then it should be identified when the office cash
declaration or balance is conducted, at which point the transaction logs can be
examined.
4.1.2 The second problem with the provision of evidence is that the Horizon system
does not automatically provide a paper voucher for retention at the post office
counter when funds are credited to the sub post office account as part of a bill
payment (Accounts Payable) as a result of a withdrawal using a debit card or
Post Office Cash Account card. Therefore the sub post office has no
mechanism for reconciling the result of downstream processing by the
Horizon system and the Post Office with what occurred at the sub post office
Charles McLachlan
28
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
counter either at the time or when discrepancies are identified at the end of the
weekly trading period. In effect, the Horizon system makes it impossible for
the sub post office to demonstrate an error occurred in the downstream
processing. Again this is down to POL. Downstream processing reflects
what happens at the counter and there is a record at the counter of all
transactions undertaken there.
The third problem with the provision of evidence is that the standard operating
procedure for post office counter clerks does not include the reconciliation of
bill payment or counter credit slips with the individual amounts recorded by
the counter clerk onto Horizon. In effect, this standard operation procedure
makes it impossible for the sub post office to identify any failures by the Post
Office or the Horizon system in identifying or dealing with discrepancies
arising from incorrect data entry. Again down to POL Processes. The reports
have a record of all the transactions and for certain transactions documents are
retained.
The investigations identified below will assist in determining whether such
evidence is available.
4.2 The Operation of the System gives rise to incorrect data entry
42.1
There are two elements to this possible cause
The sub post office staff and, in particular, the sub post master/mistress is not
trained in the proper operating procedures to deal with maintaining an
auditable contemporaneous record that would protect their reputations in the
event that faults in the Horizon system or operator error resulted in
Charles McLachlan
29
POL00167137
POL00167137
Amsphere Confidential and Privileged
4.2.2
4.2.3
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
discrepancies between the actual cash position and the centrally recorded cash
position. Horizon does maintain a full audit of what is recorded which can be
made available to POL. I am also aware of at least one case where this
information has been made available directly to a Defence Accountant.
Though we would have asked for this already. The cash position is recorded
on the local terminal and replicated to the centre.
The sub post office staff are not properly trained in the use of the Horizon
system. This is down to POL. There should be records of training available,
but it is the responsibility of the Agent to ensure anyone working for them is
properly trained and competent.
In order to understand to what extent sub post office staff are trained in the
necessary operating procedures, it would be necessary to review the course
material provided for counter staff and sub post masters/mistresses and to
review the training and assessment processes implemented by the Post Office.
Finally, it would be necessary to review to what extent the necessary operating
procedures could feasibly be adopted and were in fact adopted in general
operating practice and in the case of Seema Misra in particular. For POL to
respond. This should be available, as should the Counter Operations Manual.
In order to identify whether Horizon system training is a possible cause, it
would be necessary in the first instance to sit alongside a user operating in
normal Post Office conditions that had only recently completed the standard
systems training and who represented the kind of user engaged by the
Defendant. For POL to respond. It is the responsibility of the Agent to
ensure staff are competent, and I am not sure how this would help as it does
not deal with the office environment, or support from the Agent in question.
Charles McLachlan
30
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
4.2.4 If there is a pattern of incorrect data entry then it would be necessary to
conduct a detailed examination of the kinds of incorrect data entry that occur
and the implications for failure of accounting. Not sure exactly what is meant
here. I’m aware of work within POL to explore errors in data entry and to
come up with ways to reduce them. If there was an amount of incorrect data
entry, then I would expect to see some reconciliation issues where incorrect
amounts had been credited to client accounts, or where incorrect amounts had
been withdrawn from POCA accounts, for instance.
4.2.5 There are two available technologies that could assist in examining cases of
incorrect data entry:
e Screen capture technology installed on the user terminal that keeps a
record of every key press/screen press and the associated screen shot. This
is not practical. However the Audit trail that Horizon maintains does
provide a fairly comprehensive record of what has happened. Not too ken
on the use of Trojans in the EPOS environment, nor how far this would
take us.
e Digital camera recording equipment positioned to have a clear view of the
screen continuously recording the screen as it responds to operator entry
This is clearly possible. A similar technique has also been used to
benchmark system response times. Possible, through not practical for a
wide-scale deployment.
4.3. The Horizon system fails to properly process transactions
Charles McLachlan
31
POL00167137
POL00167137
Amsphere Confidential and Privileged
43.1
43.2
43.3
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
In order to identify whether this is a possible cause, it would be necessary in
the first instance to examine the operations in normal Post Office conditions
where there is an experience by the branch manager of what they believe to be
incorrect transaction processing.
Further, if there is prima facie evidence of incorrect transaction processing, it
would be necessary to review the technical documentation of the Horizon
system and interview key individuals responsible for the system within the
Fujitsu team in order to understand the potential source of the incorrect
transaction processing. From my understanding of comparable retail systems
architectures there are a large number of potential points of failure which
could give rise to the kind of discrepancies reported by Seema Misra and the
sub post mistress in the Midlands. In particular, I have reviewed the
architecture for a national retailer and identified a series of possible failure
points which are currently addressed by testing, review of error logs and
reconciliation of discrepancy reports. See Exhibit “Point of Sale — Electronic
Funds Transfer architecture”. I don’t see the relevance of this diagram. It is
nothing like what Horizon does. We could if necessary provide some
documentation and information on Horizon. However I am confident that
there is not a system problem and the issues are due to incorrect actions
(whether deliberately or accidentally) by the user. It does not appear that the
technicalities of the back-end systems are relevant to this case, but I am sure
we could provide the relevant architectural diagrams.
Based on the review of the technical documentation, it should be possible to
identify and examine the various electronic log files maintained by different
components of the systems architecture that are required by the Electronic
Mastercard Visa (EMV) standard or for Payment Card Industry (PCI)
Charles McLachlan
32
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
compliance. These are probably available. (I’m not sure how long they are
held and they will probably have had details of Cards Obfuscated for Security
reasons as required by PCI.) Card details will be obfuscated, but all
information should be available via the audit log.
4.1.4 If the potential source of the incorrect transaction processing can be identified
then it would be helpful to be able to reproduce the problems under controlled
test conditions in a consistent and reproducible manner. This would require
the assistance of Fujitsu in providing access to the test environments
maintained in support of the Horizon system. Again this is possible. Could
probably use model office, but would have to be sure about what is being
proposed and have it scripted and evaluated first in case it could result in
system damage or require a rebuild.
Charles McLachlan
33
POL00167137
POL00167137
Amsphere Confidential and Privileged
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
5 My duties to the Court
S.A
5.2
5.3
5.7
I understand that my overriding duty is to the Court, both in preparing reports
and in giving oral evidence. I have complied and will continue to comply with
that duty.
T have set out in my report what I understand from those instructing me to be
the questions in respect of which my opinions as an expert are required.
I have done my best, in preparing this report, to be accurate and complete. I
have mentioned all matters that I regard as relevant to the opinions I have
expressed. All of the matters on which I have expressed an opinion lie within
my field of expertise.
I have drawn to the attention of the Court to all matters, of which I am aware,
which might adversely affect my opinion.
Wherever I have no personal knowledge, I have indicated the source of factual
information.
I have not included anything in this report that has been suggested to me by
anyone, including the lawyers instructing me, without forming my own
independent view of the matter.
Where in my view, there is a range of reasonable opinion, I have indicated the
extent of that range in the report.
Charles McLachlan
34
POL00167137
POL00167137
Amsphere Confidential and Privileged
5.8
5.9
5.10
On instruction of Coomber Rich Solicitors
Yard House, Basingstoke, RG21 7NX
At the time of signing the report I consider it to be complete and accurate. I will
notify those instructing me if, for any reason, I subsequently consider that the
report requires any correction or qualification.
I understand that this report will be the evidence that I will give under oath,
subject to any correction or qualification I may make before swearing to its
veracity.
I have included in this report a statement setting out the substance of all facts
and instructions given to me, which are material to the opinions expressed in
this report or upon which those opinions are based.
I confirm that insofar as the facts stated in my report are within my own
knowledge I have made clear which they are, and I believe them to be true, and
the opinions that I have expressed represent my true and complete professional
opinion.
Charles McLachlan
Amsphere Consulting Ltd
Staple Hall
87-90 Houndsditch
London, EC3A 3AD
England
Thursday, 19 November 2009
Charles McLachlan
35