POL00189206
POL00189206
Confidential and legally privileged
Response to Second Sight Interim Report
STATUS: DRAFT
THIS PAGE TO BE DELETED BEFORE SUBMISSION
FINAL SUBMISSION TO BE IN PDF FORMAT TO ENSURE ALL META-DATA ABOUT PREVIOUS
DRAFTS IS REMOVED.
4A 27053113_1 1
POL00189206
POL00189206
Confidential and legally privileged
Second Sight Interim Report
Response of Post Office Limited
Overview of the Inquiry process
As part of the Inquiry process, Second Sight has submitted 10 scenarios relating to Horizon to
Post Office for its comments (the Spot Reviews). In light of its investigations to date and Post
Office's responses to these Spot Reviews, Second Sight is now preparing an Interim Report.
In accordance with the Inquiry process set out under the "Raising Concerns with Horizon"
agreement:
- Second Sight will prepare its report bearing in mind the primary need to ensure that
the report is reasoned and evidence based.
- The report and any recommendations will be the expert and reasoned opinion of
Second Sight in light of the evidence seen during the Inquiry.
- Second Sight will consult with JFSA, Post Office and/or any other party as it considers
necessary before producing any report.
- Post Office may provide Second Sight with its own comments on any or all concerns,
and on Horizon generallys
- Second Sight.will consider and take into’account any comments received from JFSA,
Post Office and/or any other consulted party.
Post Office's activity
Post Office has provided continuous support to Second Sight and has responded to all 10 Spot
Reviews. [This statement assumes that the 2 outstanding (SRs 5 and 22) will be submitted
before this document is released].
In supporting Second Sight, Post Office has:
- Worked closely with Second Sight to ensure that it is addressing all issues raised.
- Thoroughly investigated each Spot Review through the leadership of senior
management.
- Consulted senior personnel inside Post Office on the issues raised in each Spot
Review.
- Liaised closely with Fujitsu so that its expertise on Horizon supports every response.
4A_27053113_1
POL00189206
POL00189206
Confidential and legally privileged
- Collated and interrogated Horizon transaction records where Second Sight has
referenced particular identifiable transactions.
- Addressed any follow-up questions raised by Second Sight or Subpostmasters.
- Promptly submitted all responses to Second Sight in accordance with agreed
timeframes.
Overview of Post Office's responses
Post Office remains confident that Horizon is a robust system that accurately records the
activities of Subpostmasters.
All 10 Spot Reviews have been fully addressed by Post Office and none of them have identified
any error in Horizon.
In fact, the Spot Reviews have demonstrated that Post Office's organisational processes and
the Horizon system are designed to:
- Consistently track user and transaction activity in a transparent manner.
- Provide complete audit trails that allow Subpostmasters to fully investigate their
transaction histories.
- Strictly control access to Horizon data,
- Mitigate the riskof user generated errors resulting in financial losses.
- Prevent fraud against Subpostmasters and Post Office.
- Withstand problems outside Post Office's and Subpostmasters' control such as power
outages.
- Put integrity, fairness and subpostmasters' welfare ahead of Post Office's own
interests.
It is expected that Second Sight's Interim Report will address Spot Reviews 1, 5, 21 and 22 in
detail. Below is a summary of Post Office's position on each of those Spot Reviews.
Spot Review 1 — Risks associated with power or communications failures
This Spot Review principally asks whether Horizon robustly manages the risks created when it is
unable to connect to Post Office's central servers due to a power or communications failure
which is beyond a Subpostmasters' or Post Office's control.
4A_27053113_1 3
POL00189206
POL00189206
Confidential and legally privileged
Post Office's response to this Spot Review shows that the in-branch Horizon terminal has a
robust back-up and recovery system that prevents there being an discrepancies or errors in the
event of a communications or power failure.
In the particular case raised in the Spot Review, the root cause of the difficulties suffered by the
Subpostmaster was his failure to follow the on-screen and printed instructions given by
Horizon.
Acomprehensive, line-by-line review of all the Horizon transactions for the period covered by
this Spot Review was undertaken by Horizon experts at Fujitsu. In light of this analysis, Post
Office Limited is confident that the SPMR knew that the back-up and recovery process had
actively managed the communications failure at the branch in question because:
- When the transactions in question first failed to be processed, Horizon asked the
SPMR whether he wished to cancel or retry the transactions. The SPMR opted to
retry the transactions.
- When the transactions failed again, the SPMR opted to cancel the transactions.
- Horizon then automatically disconnected and.printed a,"disconnect" receipt that
showed the transactions that had been automatically reversed.
- A standard customer receipt was’hot produced — this would tell the SPMR that the
full transaction had not proceeded.
- Following the disconnect, the SPMR was required to log back on to Horizon and duly
did so.
- Following the log on, and as part of the standard recovery process, Horizon printed a
"recovery" receipt which again showed the transactions that had been reversed and
those that had been recovered.
The transaction logs evidencing the above conclusions have been provided to Second Sight.
Spot Review 5 — Access to live Horizon data
This Spot Review principally focusses on an assertion by Mr Michael Rudkin that during a visit
to Fujitsu's site at Bracknell on Tuesday 19th August 2008, he observed an individual based in
the basement of the building who demonstrated the ability to access ‘live’ branch data and
directly adjust transactions on the Horizon system.
Given the amount of time that has passed, neither POL nor Fujitsu have any record of Mr
Rudkin attending the Bracknell site.
Post Office and Fujitsu have attempted to establish the Bracknell visitor logs for the day in
question to verify Mr Rudkin’s attendance and his contact on the day, however these records
are not retained for as far back as 2008.
4A_27053113_1 4
POL00189206
POL00189206
Confidential and legally privileged
Fujitsu have additionally made the effort to go through all email, documents and archived
information to hand but do not have any information for Tuesday 19th August 2008 that would
suggest they had visitors to the site.
Further investigation into Post Office work logs indicates that there were just three POL test
managers present on site in Bracknell on the 19 August 2008. None of them have any calendar
records relating to a visit by Mr Rudkin.
It has however been determined that in August 2008 the basement of Fujistu's building
contained a Horizon test environment that would look very similar to a live Horizon
environment. This environment was not physically or technologically connected to the live
Horizon environment. It was therefore impossible for anyone in this room to have adjusted any
live transaction records, though Mr Rudkin may have witnessed some form of adjustment to
the test environment.
This separation of test and live environments is designed to guarantee the integrity of Horizon
data.
Spot Review 21 - transparency of stock adjustments
This Spot Review principally asks whether Horizon automatically makes stock adjustments and,
if so, whether this could cause a subpostmaster to suffer.a loss.
In summary, Horizon doesnot generate automatic stock adjustments. This function does not
exist within Horizon.
Each member of staff at Post Office branches should have and use their own unique ID. Each
subpostmaster, as a result, has aunique user ID, This requirement is detailed in the Standard
Subpostmaster's Contract for Services. Section 1, clauses 5, 14 and 15 of this Contract for
Services and the Horizon Online Help operational manual provide that passwords and login
details for Horizon are personal and are not to be shared between branch staff. This is
important to enable traceability of transactions for audit and investigation purposes.
On review of the Horizon transaction logs, every stock adjustment transaction inputted on 4
November 2009 at the Great Staughton branch (being the date and branch under consideration
in this Spot Review) was a manual transaction logged against the subpostmaster user ID
(JOD001).
Even if there were erroneous stock adjustments, these adjustments could not cause a
subpostmaster to suffer a loss due to the "double entry" balancing process inherent in Horizon.
Each manual instruction inputted by a subpostmaster creates a double entry (i.e. if the
subpostmaster adjusts the stock level down, the cash level on Horizon will be increased by the
same value as the stock). This has a balancing effect on the overall cash and stock position
even if an error is made by the subpostmaster. For example, if the branch position begins in
4A_27053113_1 5
POL00189206
POL00189206
Confidential and legally privileged
balance, an inaccurate increase to the stock level of stamps will create a shortage of stamps
but it will also cause a reciprocal decrease in the cash position thereby creating a balancing
surplus of cash. This shortage of stamps and surplus of cash balance out meaning the
subpostmaster will not have an overall shortfall.
This double entry system is designed to mitigate the risk of user errors by automatically
balancing out those errors to the Subpostmaster's benefit.
Spot Review 22 — Recording scratch card stock levels
This Spot Review principally asks whether Horizon accurately records REMMED-in scratch
cards.
In summary, Post Office cannot find any evidence that thereis a problem with the Horizon
system with regard to REMMED-in scratch cards.
National Lottery scratch cards are provided and controlled by Camelot, the National Lottery
provider. In order to sell scratch cards, a Subpostmaster must (1) activate a pack of scratch
cards on the in-branch Lottery terminal and (2) REM-im-the scratch card stock on Horizon.
"REMMING-in" a scratch card is the process whereby new packs of scratch cards are recorded
on Horizon as in branch stock.
During the period being examined in this Spot Review, if subpostmasters correctly REM-in
scratch cards to the Horizon system,the finabfigures recorded in the Horizon system at the end
of each day will match the-final figures in the Camelot system at the end of each day for the
activation of scratch cards.
On 17 February 2010 at the Hightown branch (being the date and branch under consideration
in this Spot Review) there were two remittance sessions relating to scratch cards in regard to
which two receipts would have been automatically produced by Horizon.
The Spot Review suggests that the Subpostmaster's printed records on this day do not match
Post Office's records. However, the alleged discrepancy in the figures resulted from the
subpostmaster presenting for the purposes of this Spot Review only one of the two receipts
produced on this day . The transaction history in Horizon reflects the figures advanced by Post
Office.
In any event, the manual REMMING-in of scratch cards by Subpostmasters has now been
replaced with an automated process so the risk of a discrepancy occurring (such as the one in
the Hightown branch on 17 February 2010) has been largely mitigated.
4A_27053113_1