POL00021774
Cartwright King
SOLICITORS
Offices Nationwide
www.cartwrightking.co.uk
Fax: 0808 1681500
DX: 10032
POST OFFICE LTD
NOTE:
DELOITTE REPORT - QUESTIONS FOR POL
1. In this Note references to the ‘Deloitte Report’ are references to Draft 16 of the
report “Horizon: Desktop Review of Assurance Sources and Key Control Features —
Draft for Discussion” dated 23rd May 2014 and provided to us on the 26th
February 2015. We have noted, and in settling this Note are mindful of, the
status of the Deloitte Report as being that of “....a work in progress which may
contain preliminary results or conclusions, incomplete information or information
which is subject to change....” (Deloitte letter, 16 January 2015 and headed “Project Zebra
consolidated report......”).
2. Page 31, paragraph ‘g.’ of the Deloitte Report identifies a method of posting of
‘Balancing Transactions’, that is, the posting of “....additional transactions
centrally without the requirement for these transactions to be accepted by the
Sub-postmasters....” The paragraph goes on to indicate that, “Whilst an audit trail is
asserted to be in place over these functions, evidence of testing of these features is not
available...”
3. Later extracts from this paragraph are also of concern:
- “For Balancing Transactions....... we did not identify controls to routinely
monitor all centrally initiated transactions to verify that they are all
initiated and actioned through known and governed processes, or controls
to reconcile and check data sources which underpin current period
transactional reporting for Sub-postmasters to the audit store record of
such activity...”
- “Controls that would detect when a person with authorised privilege access
used such access to send a fake basket into the digital signing process could
not be evidenced to exist.”
4. This material is potentially disclosable in cases where a convicted defendant
had raised, as a part of his defence (either expressly or by implication), the
suggestion that:
- POL or some other third-party had manipulated, interfered with or
otherwise compromised Horizon; or
- Horizon had created or was the victim of a system generated but
inexplicable loss/entry/transaction(s); or
- The defendant simply had no idea how the relevant loss arose.
5. That is not to say that the material is presently to be disclosed, only that we
cannot determine that issue without further information. It may be that, once
we have seen all of the available information, we conclude that the duty to
disclose does not bite in relation to this material.
6. In a telephone conference with Rodric Williams of POL and Andrew Parsons
of Messrs Bond Dickinson we were informed that the Deloitte Report was
correct where it identifies a method of posting of ‘Balancing Transactions’. We
were instructed that it was possible to ‘inject’ a transaction unilaterally into a
branch’s accounting records without the consent, approval or indeed
knowledge of the SPMR; an ‘injected’ transaction could be a negative-value
transaction; it is not clear as to whether or not that ‘injected’ transaction would
be visible to the SPMR or a defence expert witness; there is one recorded
occasion upon which Fujitsu has used the procedure. We were further
instructed that there was no facility or capability to ‘edit’ any existing
transaction.
7. We have seen a report dated 2nd March 2010 concerning the use of a Balancing
Transaction. We are told that this is the single occasion upon which the
process has been used since the 1st January 2010. It cannot be ascertained
whether or not the Balancing Transaction process had been used prior to that
date because of (entirely proper) retention policies.
8. In order to advise properly on this topic, we seek the answers to the following
questions:
i. Is or would the use of the Balancing Transaction function, or any effect
thereby achieved, be visible:
a) to an affected SPMR either:
i. upon the immediate occasion of its use; or
ii. at some point after use, e.g. by notification, appearance on
Horizon, in branch accounts etc.
b) an auditor when conducting a branch audit?
c) when data is provided to or obtained by a prosecution expert
witness?
d) when data is disclosed to a defence expert, for any purpose?
e) in the final audit trail?
ii. How and in what circumstances may the Balancing Transaction
function be utilised?
iii. Who may use the Balancing Transaction function, in terms of authority,
access, etc.?
iv. What measures, controls or processes are in place to routinely monitor
centrally initiated Balancing Transactions, and to check and reconcile
data sources?
v. Similarly, what measures, controls or processes are in place to prevent
any unauthorised use of the Balancing Transaction function? Here we
note the reference in the Deloitte Report to ‘fake’ transactions;
vi. What records are maintained of any use of the Balancing Transaction
function?
vii. Is POL/Fujitsu sure that the Balancing Transaction function has only
been used on a single occasion since 1st January 2010? And if not, why
not?
Simon Clarke 27th March 2015
Cartwright King Solicitors