CONFIDENTIAL
Version History
SCHEDULE D5
AUDIT
FUJ00234931
FUJ00234931
1.0 ‘I 31/08/06 "I Agreed version as at date of signature of CCN
1200
1.2 11/10/06 Minor corrections by FS
2.0 25/01/07 Baseline copy of 1.2
6.0 16/06/09 Moving all schedules to V6.0 as agreed with
Fujitsu
6.1 31/03/10 Applying changes as per CCN1276a
7.0 10/05/10 Moving schedules to V7.0 as agreed with Fujitsu.
8.0 21/02/12 Moving all schedules to V8.0 in accordance with
CCN1294d
9.0 13/01/14 Applying changes as per CCN1349 and
CCN1322b
10.0 10/09/15 Moving all Schedules to v10.0 in accordance with
CCN1506
11.0 31/03/16 Moving all schedules to V11.0 in accordance with
CCN1604
12.0 03/07/17 Moving all schedules to V12.0
13.0 Moving all Schedules to V13.0
14.0 20/12/2021 Applying changes as per CCN1672a and moving
all schedules to V14.0
15.0 11/04/2024 Moving all Schedules to V15.0
Schedule D5 Version 15.0
Page 1 of 5
FUJ00234931
FUJ00234931
CONFIDENTIAL
SCHEDULE D5
AUDIT
1. SCOPE
11 This Schedule identifies:
1.1.1 in paragraphs 2 to 6 (inclusive) the audit requirements with which Fujitsu
Services and its sub-contractors shall comply in connection with Post Office's
rights set out in Clause 25 to audit Fujitsu Services’ compliance with this
Agreement; and
1.1.2 in paragraph 7, provisions of this Agreement dealing with the audit trail of
Transactions.
2. POST OFFICE'S AGENTS.
21 For the purpose of this Schedule, Post Office's Agents shall mean:
2.1.1 Post Office;
2.1.2 _ internal auditors of Post Office or of the Royal Mail Group;
2.1.3 statutory or regulatory auditors of Post Office;
2.1.4 external auditors appointed by Post Office; and
2.1.5 authorised agents or successors of the persons listed in paragraphs 2.1.1 to
2.1.4 (inclusive) above.
provided that, for Payment and Banking Service, Post Office's Agent does not provide
services similar to the Services in competition with Fujitsu Services Subcontractor
Ingenico
3. RECORD KEEPING
3.41 Fujitsu Services shall maintain or shall cause to be maintained an audit trail of all
Transactions and Events in strict conformance to the relevant standards contained in
the documents referred to in paragraph 4.1.4 of Schedule A4.
3.2 Paragraph 3.1 shall not apply in respect of the Superstock Solution or the Salesforce
Support Service Hosting.
3.3 The audit trail of Records to which Post Office's Agents may have access in accordance
with Clause 25 and paragraph 4 is referred to as the commercial audit trail in the CCD
entitled “Audit Trail Functional Specification” (CR/FSP/006).
Schedule D5 Version 15.0
Page 2 of 5
CONFIDENTIAL
3.4
4.1
4.2
4.3
4.4
The exclusion in the CCD entitled “Audit Trail Functional Specification” (CR/FSP/006) of
any items from the Records shall not prevent Post Office from receiving those items (or
information relating to the same) where Post Office is entitled to such items or
information in accordance with the provisions of Schedule D4. To the extent that Post
Office duly requests and receives Open Book information from Fujitsu Services in
accordance with the provisions of Schedule D4 then, notwithstanding any such
exclusions in the CCD entitled “Audit Trail Functional Specification” (CR/FSP/006), Post
Office Agents shall have access to that Open Book information as part of the Records,
but shall not be entitled to any additional material pursuant to paragraph 4 as a result of
that Open Book information being part of the Records.
ACCESS
Fujitsu Services shall provide Post Office's Agents with access to such additional
material as may be reasonably required to support the Records. Such access shall
include access to:
4.1.1 premises;
4.1.2 facilities;
4.1.3 services;
4.1.4 documentation;
4.1.5 information (magnetic or otherwise);
4.1.6 — staff;
4.1.7 procedures; and
4.1.8 timesheets and other data used directly as a basis for charging,
4.1.9 belonging to Fujitsu Services, which relate to the provision of the Services.
Fujitsu Services shall provide reasonable assistance at all times during the currency of
this Agreement for the purposes of allowing Post Office to obtain such information as is
necessary to fulfil Post Office's obligations to supply information for parliamentary,
judicial, regulatory or administrative purposes.
On notification of an audit as specified in paragraph 5 Fujitsu Services shall provide
Post Office's Agents with reasonable access to the audit trail referred to in paragraph
3.1 and the facility to interrogate that audit trail using reasonably selected criteria.
Post Office shall require Post Office's Agents to comply with Fujitsu Services’
reasonable security requirements whilst on the Fujitsu Services’ premises, the scope of
which Fujitsu Services shall notify to Post Office's Agents directly on notification of audit.
Schedule D5 Version 15.0
Page 3 of 5
FUJ00234931
FUJ00234931
CONFIDENTIAL
5. NOTIFICATION OF AUDIT
5.1 Subject to Clause 25.3 (Audit), Fujitsu Services and Post Office shall from time to time
5.2
6.1
6.2
agree arrangements (such agreement not to be unreasonably withheld or delayed),
including timescales, for audits required by Post Office. Such audits shall take place no
more than once per year during normal business hours for Payment and Banking
Service and shall be subject to a minimum of fifteen (15) Business Days’ notice, save
that, the limitations and notice requirements in this Paragraph shall not apply where
Post Office reasonably suspects (i) fraud, material accounting mistakes or suspected
criminal activity; or (ii) non-compliance with security requirements applicable to the
Payment and Banking Service, provided that in such cases Post Office shall (where
possible and permitted by applicable law) still provide to Fujitsu Services as much
notice as is reasonably possible.
With respect to Clause 25.3 (Audit), where the investigations find no evidence of
fraudulent activity or other impropriety by Fujitsu Services or Fujitsu Services' agents,
then at the discretion of Post Office, Fujitsu Services may be paid reasonable additional
charges for its assistance.
RESPONSE TO AUDITS
General
6.1.1. Post Office's Agents may produce reports to Post Office indicating areas of
non-compliance with the Agreement or any other reports they deem
appropriate. Post Office's Agents may also make recommendations.
6.1.2 Following each audit Post Office shall provide, to Fujitsu Services, a report
approved by Post Office's Agents indicating:
6.1.2.1 any areas of non-compliance with this Agreement which Fujitsu
Services is required to rectify; and
6.1.2.2 any audit recommendation with which Post Office requests Fujitsu
Services to comply.
6.1.3. Post Office shall give Fujitsu Services a minimum of 30 days to review the
factual issues relevant to Fujitsu Services which are raised by the audit reports
and to comment upon the recommendations.
6.1.4 In the event that Fujitsu Services disputes the findings of any audit then the
Dispute Resolution Procedure shall be invoked.
Action on agreed Non-Compliance
Any agreed non-compliance shall constitute a Default and Fujitsu Services shall at
Fujitsu Services’ own expense, implement any changes necessary to remedy areas of
non-compliance with the terms of the Agreement as identified by Post Office's Agents.
Schedule D5 Version 15.0
Page 4 of 5
FUJ00234931
FUJ00234931
CONFIDENTIAL
6.3
6.4
7A
7.2
7.3
8.1
8.2
Action on Recommendations
Post Office may request Fujitsu Services to implement audit recommendations in
accordance with the provisions of the Change Control Procedure.
Evidence
Fujitsu Services shall provide, in accordance with the timescales agreed in the
implementation plan for any change arising from an audit, evidence, either documentary
or demonstrative, of changes required by Post Office in accordance with paragraphs 6.2
and 6.3 above, and shall, if required, provide access to the representatives of Post
Office, to permit Post Office's Agents to monitor and confirm the implementation of such
changes.
AUDIT TRAIL OF TRANSACTIONS.
The Business Capabilities and Support Facilities provided by Fujitsu Services relating to
the audit trail of Transactions undertaken in Branches are provided for in Schedule B3.2
and the provisions dealing with the operational audit trail set out in the CCD entitled
“Audit Trail Functional Specification” (CR/FSP/006).
Fujitsu Services shall ensure that Post Office's Agents can gain access in each Branch
to the Post Office Data in respect of that Branch held by Fujitsu Services to enable
internal Post Office audit requirements to be met.
Paragraph 7.2 shall not apply in respect of the Superstock Solution or the Salesforce
Support Service Hosting.
ASSOCIATED DOCUMENTS
The following CCDs are associated with this Schedule D5:
FUJ00234931
FUJ00234931
Document Reference Document Title
1 CR/FSP/006 Audit Trail Functional Specification
The following CRDs are associated with this Schedule D5:
Document Reference Document Title
NO CRDs APPLICABLE
Schedule D5 Version 15.0
Page 5 of 5