FUJ00172076
KPMG LLP Tel
15 Canada Square Mobi
London £14 GL chtis. Stare
United Kingdom
Private & Confidential
Mike Deaton
Fujitsu Services Limited
22 Baker Street Our ref ej/FujitsuHorizon/2012
London
W1U 3BW Contact Ervin Jocson
GRO
22 February 2012
Dear Mike.
HNG-X Data Integrity Assessment
We are writing to confirm the terms of the engagement by Fujitsu Services Limited (“Fujitsu”
or “you”) of KPMG LLP (“KPMG”) to provide you with an independent review of the
adequacy of controls operating over the completeness, accuracy and integrity of the in-built
‘audit trail’ function in the HNG-X environment.
Background
Subsequent to our detailed proposal and the various joint workshops we have conducted with
your team in 2011, we now provide you with a letter of engagement to deliver your requirement
of an independent review of the controls operating in the HNG-X environment currently being
delivered by Fujitsu to Post Office Ltd. The purpose of this review is to demonstrate whether
the system as designed, implemented and operated has sufficient controls in place to address
any risks that the ‘audit trail’ transactional data may not be complete, accurate and stored in
such a way as to maintain its integrity. You have identified six specific assertions that you wish
us to consider in carrying out this review. These are as follows:
* That all of the baskets in a transaction (a basket is defined as any number of items for
one customer) received from the Post Office branch counter balance to zero against the
customer payment.
* That the basket received at the data centre corresponds to what the counter staff sees on
the HNGX screen.
* The full basket goes into the audit trail.
* All baskets get into the audit trail.
* No extra baskets get into the audit trail (i.e. nothing is added that the counter staff has
not seen on the HNGX screen).
* That there is no evidence that the audit trail has been corrupted.
KPMG LLP
HNG-X Data Integrity Assessment
22 February 2012
Scope of the Services
We have based this engagement on the information contained in the Fujitsu document “Horizon
Online Data Integrity” ref ARC/GEN/REP/1229 dated 25 November 2011 and subsequent
clarification dialogue between KPMG and Fujitsu.
Excluded from scope are the integrity of the Oracle Real Application Clusters and any issues
relating to service reliability and stress testing of all or part of the Horizon Online system. Also
excluded from scope are the testing of IT infrastructure controls such as general controls
reviews, and security assessments. Fujitsu assert that these have been covered in separate
reviews and audits, and that we may review and refer to the work of those reviews where
necessary for the purpose of our testing and reporting.
The deliverable reports from this engagement are not, and will not be treated as, expert witness
reports or opinions. As agreed with Fujitsu’s legal counsel, third parties should not rely on the
deliverable reports as constituting a formal audit or as having reviewed or proved anything not
expressly set out in the reports. Fujitsu have drafted commercial terms governing the potential
requirement to distribute the reports externally. This will be agreed with KPMG and included in
the final deliverable reports as a condition of its release to Fujitsu’s third parties.
Specifically, KPMG will provide the following services:
Stage 0 - Documentation readiness review:
* An initial review of system documentation including liaison with your system architects
to ensure that the documentation is at a suitable level in terms of scope and detail to
enable the processing to be understood and the controls to be identified and agreed for
inclusion in the formal review and assessment in Stage 1 & 2.
* This will include a series of joint workshops to map our review approach against the
documentation, existing audit and review reports, and data-flow artefacts of the HNG-X
system. The objective will be to ascertain the quality and availability of data and
information required to keep the scope and review as efficient as possible by leveraging
past audit reports and documentation to reduce and eliminate scope and re-work. At the
conclusion of Stage 0, we will work with you to finalise a quote for Stage 1 & 2. At this
Fujitsu can give KPMG notice in writing that it does not wish to continue this
engagement (provided that Stage 0 milestone payment has been made)
* Stage 0 Deliverables
  - A report which identifies the control points
Stage 1 - Documentation detailed review:
* We would review the system documentation to identify the specific controls that address
the six control objective assertions that Fujitsu have identified and which are listed
below.
* We would prepare a detailed schedule of specific controls that supported each of the six
assertions and which thus require testing. Fujitsu assertions to be validated:
1. That all of the baskets in a transaction (a basket is defined as any number of items
for one customer) received from the Post Office branch counter balance to zero
against the customer payment.
2. That the basket received at the data centre corresponds to what the counter staff
sees on the HNGX screen.
3. The full basket goes into the audit trail.
4. All baskets get into the audit trail.
5. No extra baskets get into the audit trail (i.e. nothing is added that the counter staff
has not seen on the HNGX screen).
6. That there is no evidence that the audit trail has been corrupted.
At the conclusion of our review we would present and discuss our findings to provide
you with the opportunity to comment and agree on the controls identified in support of
the assertions. We will identify only the key controls as candidates for testing as opposed
to an excessive amount of controls which not all may be directly relevant.
The deliverable at the end of this stage would be a report listing the specific controls
which support the control objective assertions above, together with our opinion on
whether the listed controls would, if operated adequately, achieve those objectives.
We would also provide a finalised quotation for the Stage 2 resource required to test
those controls and provide a report on whether each control operated effectively and
whether each of the six control objective assertions were achieved.
* Stage 1 Deliverables
  - A report detailing possible considerations and recommendations for Fujitsu
    to meet the above objectives, specifically:
    - Missing controls (i.e. required control objectives where there is
      no control);
    - Possible controls where Fujitsu management decide that a
      particular control
      adequate to achieve the control objective.
Stage 2 - Controls review and testing:
Carry out detailed testing of design, implementation and operation of each of the key
controls agreed to be in scope as defined in Stage 1.
Carry out data analytical work on the audit trail to determine whether the assertion that
all baskets total to zero is correct.
Report on the operation of each control tested, whether each of the six assertions are met
and underpinned by effectively operated controls and whether in our opinion, excluding
those controls identified as not in scope in stage 0, we believe the audit trail to have
integrity.
* Stage 2 Deliverables
  - A detailed test report
  - A data analysis report
  - An assertion audit report
Timetable
The project duration will vary depending on the number of controls that require testing. The
project is expected to commence on 23rd February 2012 and expected to conclude by 31 July
2012 or earlier. The timing of our work and its performance will be dependent on all relevant
information and documentation and access to personnel being made available to us promptly as
and when required by us. In order to ensure that Fujitsu is aware of documents and resources
required our weekly report will detail all requirements for the next week. We shall use all
reasonable endeavours to meet any agreed timetable.
KPMG resources
KPMG will provide the following resources to support Fujitsu during this engagement.
Advisory Director: Ervin Jocson
Ervin will function in this role as the engagement director having overall responsibility for the
quality of the advisory services delivered within this engagement to Fujitsu by KPMG.
Engagement Lead: Chris Starnes
Chris will carry out the role of engagement lead and will be responsible for day to day
operations of the overall engagement and supporting resources. He will be supported by a team
of subject matter experts and experienced auditors for the tasks outlined in this letter.
Fujitsu responsibilities
We will require the following support of Fujitsu in order to achieve timely completion of the
project.
* System documentation to be readily available.
* Controls documentation to be available.
* Fujitsu staff to have time available to meet with us and to turn around requests
for information and documentation in a timely manner.
* Access to a test system and data that is representative of the live system.
Our fees
Our fees for this engagement are set out below. Our fees are fixed apart from the number of
agreed control points to be tested which will determine the final fee. If there are any material
changes to the scope and nature of the engagement or if there are significant delays (which
KPMG will detail in their weekly report) in making information, documentation or personnel
available to us, we will agree with you in advance of any additional effort and costs being
incurred by KPMG. We will keep you informed of project status on a fortnightly basis.
The following fees reflect tiered options for your budgetary purposes; however each option will
have a provision for a revised fee estimate for Stages 1 & 2 at the conclusion of Stage 0. Stage 2
in all options assumes 2.9 days effort to test each control per our methodology. Any variation to
the fees reflected below will need to be agreed by you in writing.
Based on 10 key controls to be tested
Stage                                              Number of Days   £Total
Stage 0 - Documentation readiness review           5                13,000
Stage 1 - Documentation detailed review            31               62,474
Stage 2 - Controls testing (based on 10 controls)  29               50,000
Stage 2 - Data analysis                            15               30,000
Total                                                               155,474*
Based on 20 key controls to be tested
Stage                                              Number of Days   £Total
Stage 0 - Documentation readiness review           5                13,000
Stage 1 - Documentation detailed review            31               62,474
Stage 2 - Controls testing (based on 20 controls)  58               100,000
Stage 2 - Data analysis                            15               30,000
Total                                              109*             205,474*
Based on 30 key controls to be tested
Stage                                              Number of Days   £Total
Stage 0 - Documentation readiness review           5                13,000
Stage 1 - Documentation detailed review            31               62,474
Stage 2 - Controls testing (based on 30 controls)                   150,000
Stage 2 - Data analysis                                             30,000
We shall charge in addition outlays and VAT. Outlays will only include directly incurred ‘out
of pocket’ expenses (any claims to be supported by receipts), billed at cost.
We will invoice you in arrears on a milestone basis for the fees, linked to completion of the
following milestones and payment will be dependent on Fujitsu receiving all deliverables:
* Stage 0 - Completion of high level documentation review
* Stage 1 - Completion of detailed documentation review
* Stage 2 - Completion of controls testing
* Stage 2 - Completion of data analysis
Invoices will be payable in arrears 30 days from the invoice date. The agreed fees described
above are based on the scope of work outlined above.
If the parties agree there is any material change to the scope and nature of the assignment, or
there are significant delays in making information, documentation or personnel available,
KPMG will agree with you in advance any changes to the basis for calculating their fees.
Further it is agreed that if at any stage during the engagement, Fujitsu wishes KPMG to cease
work, then it will provide notice in writing, and we agree to stop all work and to incur no further
fees until further notice from Fujitsu. Fujitsu will pay all fees incurred up to the date of
cessation.
Terms of Business
We accept this engagement on the basis that our General Terms of Business, as set out in
Appendix 1 (as amended below), will apply to this work and govern our relationship with you.
This letter is the “Engagement Letter” mentioned in our General Terms of Business. Please
read these Terms carefully. There are various exclusions and limitations on our liability and
associated obligations imposed on you. Through our contract with you we aim to clarify your
and our obligations and responsibilities and we seek to protect ourselves, other members of the
KPMG organisation and our people. We draw your attention in particular to the following
clauses of our General Terms:
Clause 4: We set out here the obligations imposed on us in respect of your Confidential
Information. For our marketing or publicity purposes we are permitted to make general
references to our relationship with you and to work performed for you, but this clause is deemed
modified so that we must obtain your prior written consent before doing so.
Clause 7: We confirm here that our work is performed for you alone and we set out various
restrictions on the extent to which you may share with others the product of our work or refer to
our name.
Clauses 18 to 24: These set out our position where your interests may conflict with our other
clients’ interests and clarify our responsibilities in relation to Confidential Information (as
defined in clause 4) in the circumstances identified.
Clauses 31 to 35: We set out here the principal exclusions and limitations on our liability to you.
Our liability to you in connection with this engagement for losses shall be limited, on the basis
set out in our General Terms, to a maximum aggregate of £800,000. If you wish to bring a
claim against us, you must do so within 4 years (subject to the amendment to clause 35.2
below).
Clause 44: This clause will not apply to you as our mainstream work will not include “regulated
activities” under the Financial Services and Markets Act 2000. Any “regulated activities” that
may be performed will be incidental to our mainstream work and the detailed rules and
regulations under the Act applicable to “regulated activities” carried out as part of our
mainstream services will not apply.
For the purposes of this engagement only, the following amendments shall be made to our
General Terms of Business:
Clause 4: the reference to “ICAEW” is the Institute of Chartered Accountants in England and
Wales
Clause 4: in the second paragraph insert “, provided we obtain your prior written consent,
in which event
Clause 10: the fourth sentence is deleted and replaced with “Outlays will comprise directly
incurred costs only.”
Clause 15: (i) in the first sentence insert “reasonably” after “you shall supply” and (ii) in the
second sentence replace “best” with “reasonable” and (iii) in the third sentence insert “, in your
reasonable opinion,” after “and which”
Clause 35.2: in the first bullet point delete “four years” and replace with “six years”
Clause 36: insert at the end of the clause: “Your liability to compensate and reimburse us under
clause 36 shall be limited to £800,000.”
Confirmation
If you are in agreement with the terms of our appointment, as set out in this Engagement Letter
and the attachments, we should be grateful if you would sign the enclosed copy letter and return
it to us. If not, or if you require further information or clarification, please do not hesitate to
contact me on GRO
We very much look forward to working with you and your team on this project.
Yours sincerely,
Ervin Jocson
Director, KPMG LLP
Attachments:
Appendix 1: General Terms of Business
and accept thet
Signed:
Name:
Position:
Date: Lik Mao 2ovE
Duly authorised, for and on behalf of Fujitsu Services Limited.