POL00028062 - Report: Horizon Desktop Review of Assurance Sources and Key Control Features - draft for discussion, Deloitte

Deloitte STRICTLY PRIVATE AND CONFIDENTIAL

Horizon: Desktop Review of Assurance
Sources and Key Control Features

Draft for discussion

23 May 2014

This report and the work connected therewith are subject to the Terms and Conditions of the engagement letter dated 09
April 2014 between Post Office Limited and Deloitte LLP. The report is produced for the General Counsel of Post Office Ltd,
solely for the use of Post Office Limited for the purpose of assessing assurance sources and the design of certain controls
relating to the Horizon system. Its contents should not be quoted or referred to in whole or in part without our prior written
consent, except as required by law. Deloitte LLP will accept no responsibility to any third party, as the report has not been
prepared, and is not intended for any other purpose.

DRAFT: Version 16
SUBJECT TO LEGAL PRIVILEGE

POL-0023065

Contents

1 Executive Summary 3

2 Introduction 7

3 Approach 9

4 Understanding the Horizon Processing Environment 19

5 Assessment of Assurance Sources 25

6 Matters for Consideration 29
Appendix 1: IT Provision Assurance Source Mapping and Gap Analysis 35
Appendix 2: Assurance Schedule over Horizon Features 38
Appendix 3: Inventory of Documentation Reviewed 56
Appendix 4: Engagement Letter 61
Appendix 5: Change Order 01 70

DRAFT FINDINGS SUBJECT TO CHANGE WITHOUT PRIOR NOTIFICATION.

STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.


1 Executive Summary

Context

As outlined to us by the Post Office Limited (“POL”) litigation team, “POL is responding to allegations from Sub-
postmasters that the “Horizon” IT system used to record transactions in POL branches is defective and that the
processes associated with it are inadequate (e.g. that it may be the source and/or cause of branch losses). POL is
committed to ensuring and demonstrating that the current Horizon system is robust and operates with integrity,
within an appropriate control framework.”

POL is confident that Horizon and its associated control activities deliver a robust processing environment through
three mechanisms: POL have designed features directly into Horizon to exert control; POL operates IT
management over Horizon; and POL have implemented controls into and around the business processes making
use of Horizon. Collectively these three approaches of inherent systems design, ongoing systems management
and business process control are designed to deliver a Horizon processing environment which operates with
integrity.

Since its implementation in branches, POL has commissioned or has received a number of pieces of work relating
to the Horizon processing environment, to provide comfort over its integrity. This work, referred to in our report as
the “Assurance Work”, provides documented assertions relating to aspects of the design and operation of the
Horizon processing environment. The Assurance Work includes IT project documents; operational policies and
procedures; internal and external investigations and reviews; independent audits; and emails confirming otherwise
verbal assertions.

Deloitte has been appointed to:
• consider whether this Assurance Work appropriately covers key risks relating to the integrity of the
processing environment;
• extract from the Assurance Work an initial schedule of the Horizon Features*; and
• raise suggestions for potential improvements in the assurance provision.

* “Horizon Features” is a term we have introduced to represent those features of the Horizon processing environment, including IT management
and business use controls, which provide that:
  - movements in Branch ledgers have the full ownership and visibility of sub-postmasters; and
  - audit trails kept by the system are complete and accurate.

Summary of Approach

[Diagram: Key assertions requiring assurance, to underpin confidence in processing integrity]

We have structured our work around the key control assertions shown in the diagram, which has been agreed
with POL. We consider these to be key matters that POL should control in order to gain comfort over the integrity of
processing.

We have considered POL’s three design approaches when evaluating the Assurance Work.


A key element of the approach was to identify the Horizon Features. POL did not have an existing document that
could be described as representing the Horizon Features in a demonstrably complete way, therefore we have
drawn out an initial view of the Horizon Features from the underlying documentation and considered Assurance
Work relating to them (Appendix 2) for the purposes of this review.

As communicated to us by management, we have also considered the following 5 key control objectives during our
activities to identify Horizon Features:

1. Horizon only allows complete baskets of transactions to be processed;

2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;

3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;

4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and

5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.

These key control objectives are an important subset of the overall set of key control assertions highlighted in the
diagram above.

We have grouped the Assurance Work provided to us into three areas, corresponding to POL’s three mechanisms
of exerting control over the processing environment, as follows:

• System Baseline Assurance Work: This aims to provide comfort that the original Horizon implementation
and other changes performed under formal projects were well governed (compared to Deloitte project
management methodologies) and that detailed testing was performed against agreed business
requirements. Such activity would verify that the system was, at that point in time, fit for purpose and
implemented as intended. This assessment considers the point when the system and processes are
created.

• IT Provision Assurance Work: This aims to provide comfort that the IT management activities required to
run the Horizon system with integrity are designed and operating effectively. Such activity verifies that key
day-to-day IT management activities (e.g. security, IT operations and system changes) are appropriately
governed and controlled.

• System Usage Assurance Work: This assurance aims to provide comfort that the controls in and around
the business processes which make use of the Horizon system are appropriately designed, in place and
operating as intended.

Our work has been performed as a desktop review of documentation made available. It has neither tested the
quality, completeness or accuracy of the Assurance Work provided to us nor tested any controls relating to the
Horizon processing environment.

Summary of Observations

Substantial Horizon-related system documentation exists, comparable to that typically seen in organisations of a
similar scale where IT activities are outsourced and formal assurance activities are not mandated. Some
organisations are externally mandated to have a greater level of end-to-end, risk orientated documentation and
testing, e.g. in financial services. POL is not so mandated.

Based on our review of the available documentation, our key observations are:

• The extensive Horizon system documentation is structured from a technical rather than a risk and controls
perspective and provides an understanding of the Horizon Features. POL should conduct a formal
assessment to identify a complete set of Horizon Features that respond to POL’s control objectives.

• The integrity of the Audit Store is designed to be preserved by a system of “digital seals” and “digital
signatures”. This feature underpins the ability to confirm the completeness and accuracy of data kept in the
Audit Store, and that of subsequent reports generated from the Audit Store. These digital seals and digital
signatures are key components of the Horizon Features, and both are validated during the extraction
process from the Audit Store.

• POL is relying on the Horizon Features being implemented and operating as described. Whilst our review
focussed on the design of the Horizon Features, the Assurance Work we have assessed does not
completely test these features for implementation and operating effectiveness. Only those Horizon
Features relating to IT Provision have been validated and tested by independent third parties. In addition,
during the course of our engagement, one of the Horizon Features has been discovered by POL to not be
implemented as expected.

• Business use (process) documentation is not complete or up to date, by some years in cases. As part of
completing or updating the documentation of Horizon Features, all relevant business uses should be
identified and evaluated from a control objectives perspective to identify potential additional matters being
relied upon.

• Pre 2010 Baseline Assurance Work could not be provided by POL. This Assurance Work is required to
evaluate the comfort that the system was originally built and tested to specific business requirements. The
implementation in 2010 of HNG-X is asserted by POL to have not significantly impacted the design of the
Horizon Features.

• Governing controls over key, day-to-day IT management activities have been independently tested and
opined upon by Ernst & Young (since 2012) to a recognised assurance standard (ISAE3402).

• A number of third party systems are used by Horizon on a day-to-day operational basis. Documentation
asserts that these interactions do not impact on the Horizon Features.
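Control objectives 3 and 4 above (baskets are digitally sealed; the Audit Store holds and reports from a complete and unchanged record of sealed baskets) and the observation on seals and signatures being validated at extraction describe a tamper-evident store. The Python below is an added illustration of that control pattern; it is not Horizon's, Fujitsu's or Deloitte's code, and the sealing key, basket layout, HMAC-SHA256 seal and hash chain are constructed assumptions standing in for whatever Horizon actually uses. It shows what an extraction-time check can and cannot detect: an altered basket, a basket removed from the middle, a chain truncated at the end, and (the case behind the key-compromise assumption listed under Scope Limitations) a holder of the sealing key altering a basket and re-sealing the chain, which only a separately held head seal reveals.

```python
# Added illustration of a tamper-evident store of sealed baskets.
# Not Horizon's implementation: the key, record layout, HMAC-SHA256 seal
# and hash chain below are constructed for this example only.
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64
DEMO_KEY = b"constructed demo sealing key - not a Horizon key"  # assumption


def canonical(obj) -> bytes:
    """Serialise deterministically so identical content always seals identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def compute_seal(basket: dict, prev_seal: str, key: bytes) -> str:
    """Seal = HMAC-SHA256 over the basket plus the previous seal (the chain link)."""
    msg = canonical({"basket": basket, "prev": prev_seal})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_chain(baskets: List[dict], key: bytes = DEMO_KEY) -> List[dict]:
    """Seal each basket in order, linking it to the seal of the one before it."""
    records, prev = [], GENESIS
    for basket in baskets:
        seal = compute_seal(basket, prev, key)
        records.append({"basket": basket, "prev": prev, "seal": seal})
        prev = seal
    return records


def verify_extract(records: List[dict], key: bytes = DEMO_KEY,
                   expected_head: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Re-validate every seal and chain link at extraction time; list what failed."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(records):
        if not hmac.compare_digest(compute_seal(rec["basket"], rec["prev"], key), rec["seal"]):
            problems.append(f"record {i}: seal mismatch (contents altered)")
        if rec["prev"] != prev:
            problems.append(f"record {i}: chain break (basket missing or reordered)")
        prev = rec["seal"]
    # A separately held head seal is the only way to notice records dropped from the end.
    if expected_head is not None and prev != expected_head:
        problems.append("head seal mismatch (records dropped from the end)")
    return (not problems, problems)


# Constructed sample baskets; not real branch data.
SAMPLE_BASKETS = [
    {"branch": "B001", "seq": 1, "lines": [{"product": "stamps", "amount": 6.00}]},
    {"branch": "B001", "seq": 2, "lines": [{"product": "cash_withdrawal", "amount": -50.00}]},
    {"branch": "B001", "seq": 3, "lines": [{"product": "bill_payment", "amount": 120.00}]},
]


def scenario_tamper_amount() -> Tuple[bool, List[str]]:
    """Alter one stored basket after sealing: its own seal no longer matches."""
    records = seal_chain(copy.deepcopy(SAMPLE_BASKETS))
    records[1]["basket"]["lines"][0]["amount"] = -500.00
    return verify_extract(records)


def scenario_drop_middle() -> Tuple[bool, List[str]]:
    """Remove a basket from the middle: the next record's link points at a missing seal."""
    records = seal_chain(copy.deepcopy(SAMPLE_BASKETS))
    del records[1]
    return verify_extract(records)


def scenario_drop_last() -> Tuple[bool, bool]:
    """Truncate the chain: per-record checks pass; only the head seal reveals it."""
    records = seal_chain(copy.deepcopy(SAMPLE_BASKETS))
    head = records[-1]["seal"]
    del records[-1]
    return (verify_extract(records)[0], verify_extract(records, expected_head=head)[0])


def scenario_key_compromise() -> Tuple[bool, bool]:
    """Whoever holds the sealing key can alter a basket and re-seal the whole chain;
    every seal then verifies, so the seals alone cannot rule this out (hence the
    key-compromise assumption). An independently held head seal still differs."""
    honest_head = seal_chain(copy.deepcopy(SAMPLE_BASKETS))[-1]["seal"]
    altered = copy.deepcopy(SAMPLE_BASKETS)
    altered[1]["lines"][0]["amount"] = -500.00
    resealed = seal_chain(altered)
    return (verify_extract(resealed)[0], verify_extract(resealed, expected_head=honest_head)[0])


if __name__ == "__main__":
    print("clean:", verify_extract(seal_chain(SAMPLE_BASKETS)))
    print("tamper:", scenario_tamper_amount())
    print("drop middle:", scenario_drop_middle())
    print("drop last (no head, with head):", scenario_drop_last())
    print("key compromise (no head, with head):", scenario_key_compromise())
```

The point for an assurance reviewer is the last two scenarios: a seal proves only that the data has not changed since whoever held the key sealed it, so the assumptions that the keys have not been compromised and that key issuance is authenticated are load-bearing, and completeness of the record needs something the store itself cannot supply, such as a head value or count kept outside the reach of the same administrators.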

Scope Limitations
Our work has been subject to the following exclusions:

• Only matters relating to the Horizon Features within the Horizon processing environment have been
considered during our review;

• We have not provided a legal or any other opinion as to the completeness and accuracy of processing of
Horizon at any point throughout the work;

• We have not had direct contact with any third parties other than named contacts that you have provided to
us (Appendix 3);

• We have not verified or tested any information provided directly by you, or directly or indirectly by third
parties (the schedule of information received is in Appendix 3);

• We have not reviewed any contractual provisions in place between you and third parties;

• Our work was limited by significant gaps in the information available, relating to both the granularity
of information and the existence of the Horizon Features over the entire timeline of operation of Horizon.
The effect is that there are gaps in what we are able to comment upon over this timeline. Our findings
below are written in the context of the information available, which relates to the current system;

• An event occurred in 2010 which required the use of the exceptional Balancing Transaction process in
Horizon to correct a Sub-postmaster’s position following a technical issue. Information has not been provided on
the circumstances that led to this system issue and how the issue was identified. It is assumed that verbal
assertions received from Fujitsu that this was the only time this process has been used hold true;

• We have not tested any of the Horizon Features; and

• We have not validated or commented on the quality of the Assurance Work supplied to us.

Our work was also based on the following assumptions:

• The documents provided are a complete and accurate representation of the Horizon design. We therefore
cannot comment as to whether the Horizon Features described below are complete nor whether other
processes or mechanisms exist which would need consideration in the context of the Matters.

• All changes made after the initial implementation have been properly approved, tested and validated as not
undermining the Horizon Features, i.e. that the system’s controls have retained their integrity throughout
and thus the controls identified within the documentation have been consistent over the system’s lifetime.

• The assertions received relating to the major upgrade of Horizon in 2010 not materially changing the
design of the Horizon Features hold true.

• The cryptographic keys underpinning the digital signatures in Horizon have not been compromised.

• The mechanism for issuing cryptographic keys for signing baskets is secure and authenticates requests to
prevent unauthorised provision of keys.

• Fraud or collusion to undermine or work around the Horizon Features has not occurred, in particular within
database administrator and security teams in Fujitsu.

• Assertions made by POL and Fujitsu staff have been accepted as accurate without corroboration or
verification.

2 Introduction

Introduction

The Horizon system has been used by POL since 1995. During this time it has processed many millions of
transactions across thousands of branches. Horizon is accredited to the Payment Card Industry Data Security
Standard (PCI DSS) and ISO27001. It is currently used by more than 68,000 users across 11,500 POL branches
and is administered by Fujitsu as part of a managed service agreement. It is a key operational system for POL and
integrity of processing on the system is crucial to the day-to-day operations of the business.

POL is responding to allegations that the Horizon processing environment, used to record transactions in POL
branches, is defective and/or that the processes associated with it are inadequate.

In order to respond better to the allegations (which have been, and will in all likelihood continue to be, advanced in
the Courts), POL management want to demonstrate that the Horizon processing environment is robust and
operates with integrity, within an appropriate control framework.

In particular, management at POL has highlighted two key statements they would like to assess their comfort over
in response to the allegations, being:

1. That Sub-postmasters have full ownership and visibility of all records in their Branch ledger; and
2. That the Branch ledger records are kept by the system with integrity and a full audit trail.

These statements have then been further sub-divided into the following statements:

1. Horizon only allows complete baskets of transactions to be processed;

2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;

3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;

4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and

5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.

POL management have previously either been provided with or commissioned work (including independent
assurance reviews) into matters relating to Horizon’s operating environment and processing integrity. Documents
outlined in Appendix 3 have been provided to us and considered as part of the planning and delivery of our review.

Objectives and Activities Undertaken

The purpose of this report is to provide, based upon the information made available to us by you, an independently
produced summary of the Assurance Work undertaken over your current day Horizon processing environment and
make recommendations on further work that could be done to enhance these assurance sources.

The work we have performed to produce this report has included:

• Obtaining an understanding of the Allegations; POL’s key risks in and internal controls over the Horizon
processing environment relevant to the integrity of processing; the measures in place to record and
preserve the integrity of system audit trails; and other background matters that we may deem necessary to
complete our review;

• Obtaining an understanding of the key differences between the current Horizon processing environment
and the system which this replaced (hereafter referred to as the “Legacy System”);

• Reviewing, understanding and consolidating the Assurance Work (e.g. investigations, assurance activities
and remediation actions) which POL or third parties have undertaken;

• Holding discussions with relevant members of POL staff and other key stakeholders;

• Reviewing project documentation relating to the 2010 implementation of Horizon, in order to compare the
nature and extent of project governance and documentation with Deloitte’s good practice project
management methodology;

• Preparing an initial schedule of Horizon Features and assessing the level of comfort over these provided
by POL’s Assurance Work (including the use of a specialist to assess the design of the Audit Store’s
tamper proof mechanisms); and

• Recommending further activities that management could undertake to improve the assurance provision.

Scope limitations and assumptions are outlined in the Executive Summary above.

Understanding of Historical Issues and Concerns

As an initial step in building the requisite understanding of the historical context leading to this review, we
have reviewed the documentation provided by POL in order to understand the history of issues and concerns which
have been raised in relation to the system.

From the documents provided, we have identified the following matters which have helped to provide us with a high
level understanding of the nature and extent of the potential concerns with the Horizon processing environment,
and thus focus our work in certain higher risk areas:

Branch 14 Issue - Involved a processing error where historic accounting entries in the 2010/11 financial year were
replicated in accounts for 2011/12 and 2012/13.

Branch 62 Issue - Involved a Receipts and Payments mismatch in Horizon when discrepancies were moved into
the local suspense account (this is an account which aggregates all discrepancies into a single gain or loss for a
branch trading period).

Falkirk Issue - The Falkirk Anomaly occurred when cash or stock was transferred between stock units.

Spot Review Bible — This outlines a sequence of matters raised during the work performed by Second Sight over
the allegations raised over the Horizon system, and summary commentary on 10 issues within.

Lepton Detailed Spot Review Information (included within Spot Check Bible) — Detailed documentation has
also been provided in relation to Spot Review 1. The issue raised was that a Sub-postmaster will not be notified
about automatic reversals of transactions when not connected to the data centre.

Reflecting on the nature and substance of these issues, and documentation relating to their follow-up and
resolution, we have understood the importance of the audit trail to provide evidence relating to disparities between
Sub-postmaster accounts of events and subsequent investigations, based on audit trail evidence, by POL/Fujitsu.

As a result of the above understanding, our work relating to IT Provision and System Usage Assurance Work paid
particular (but not exclusive) focus on Information System Operations (IT environment processing), and business
processes controlling relevant key data flows (the key data flow for our assessment being that of the complete and
accurate transmission of data from the Counter system at the Branch to the Branch Database and subsequently
into the Audit Store).


3 Approach

In the absence of POL's own holistic risk assessment relating to the Horizon processing environment, key to our
assessment of sources of assurance has been the formulation of an initial “risk universe”, against which coverage
of the associated risks by the relevant sources of assurance can be assessed (“mapped”).

We have considered this risk universe across three key areas:

1. Control objectives and risks relating to the ‘System Baseline’.
2. Control objectives and risks relating to ‘IT Provision’.
3. Control objectives and risks relating to ‘System Usage’.

Risks relating to the System Baseline — these are risks that the original implementation project and other
changes performed under formal projects were not conducted in line with good project management practices, and
that detailed testing was not performed against agreed business requirements. These risks are governed and
controlled outside of day-to-day system operating procedures. Controls which mitigate these risks are often
referred to as “Project Controls” and “Inherent System Controls” (those designed and built into the IT system).

Risks relating to IT Provision — these are risks that the underlying IT activities, necessary to provide a system
that can run and be used with integrity, are not designed and operating effectively. Such risks relate to key day-to-
day IT management activities, relating to security, IT operations and system changes. Controls which mitigate
these risks are often referred to as “General Computer Controls”. Our work focussed on assurance provided over
Fujitsu's activities in these areas.

Risks over System Usage - these are risks that key features of Horizon and corresponding business use
activities (processes), aiming to prevent or detect matters that would impact the integrity of processing, are not
designed, in place or operating as intended. These are the more detailed risks in relation to particular aspects of
capturing and processing transactions across the Horizon processing environment. Controls which mitigate these
risks are often referred to as “End User Controls”, “Application Embedded Controls” and “Process Controls”. Our
work focussed on the internal dataflows within Horizon (Counter to Branch Database to Audit Store for example)
and we also considered the relevance of interfaces with other systems such as the DVLA.

In the context of these three areas of risk we have performed knowledge gathering activities in order to understand
the Horizon processing environment in sufficient detail to identify specific risk areas and those Horizon Features
identified to exert control over these risks.

1. Approach to Understanding of System Baseline Risks
In considering Baseline risks we have considered past iterations and changes to the Horizon IT system, including:

• Any that led to changes to the Audit Store;

• The Horizon Implementation Programme in 2010-2011;

• The Data Strategy Foundation project in 2012 and 2013 (which updated the dataflows into Horizon from
certain third party transactional systems, including ‘Post and Go’ and ‘Paystation +’); and

• The original Horizon platform delivered in 1995.

2. Approach to Understanding of IT Provision Risks

Our understanding of IT Provision risks has been formulated through our understanding of the system via
documentation review and verbal discussion with supporting POL and Fujitsu SMEs. Due to the nature of the
System Provisioning risk areas, the formulation of this understanding has been mainly through interview with
Fujitsu and POL security team members.

3. Approach to Understanding of System Usage Risks

Our understanding of System Usage risks has again been formulated through documentation review and verbal
discussion with supporting SMEs to identify additional support areas. Due to the nature of the System Usage risk
areas, the formulation of this understanding has been mainly through interview with Fujitsu, POL Finance Shared
Services and POL Security team members.

4. Approach to Consideration of the Horizon Features

In the formulation of our risk universes across the three areas highlighted in 1 - 3 above we have considered the 5
key matters relevant to the Horizon Features as instructed by management:

1. Horizon only allows complete baskets of transactions to be processed;

2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;

3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;

4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and

5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.

5. Combining the Above

Following our assessment across these four areas, the diagram below (see overleaf) describes the key risks
identified within the Horizon processing environment. We have number-coded the risks in the diagram, with (1)
corresponding to Baseline Risks, (2) corresponding to IT Provision Risks, and (3) corresponding to System Usage
Risks.

This diagram thus represents the framework of key risks that need to be controlled by Horizon Features and
appropriately assured in order to provide the comfort required by POL management.
[Diagram: Key assertions requiring assurance, to underpin confidence in processing integrity. Assertions
recoverable from the figure: that the system was fit for purpose and worked as intended when first implemented
(pre 2010); that major changes since implementation have not impacted the design features adversely; that
assertions on this diagram are ...; that supporting IT ...; that transactions from the Counter are recorded
completely, accurately and on a timely basis; that the Audit Store is a complete and accurate record of Branch
Ledger transactions; that directly posted transactions ... and approved; that data posted from other systems and
teams is visible to and accepted by sub-postmasters; that ad hoc ... processes are well controlled; that
information reported from the Audit Store retains original integrity; and that DBAs or others granted DBA access
have not modified Branch Database nor Audit Store data. Components shown include Overnight ..., Centera Audit
Server and Central POL Teams.]

LEGALLY PRIVILEGED AND CONFIDENTIAL

© Deloitte LLP 2014

It can be observed that the majority of the risks identified are System Usage risks, which is expected based on the
complexity of the IT processing landscape and the diversity and volume of transactions being handled.

Sources of Assurance Work relating to the Horizon Processing Environment

The diagram below summarises key examples of the Assurance Work reviewed and referred to as part of our
assessment.

[Diagram: END TO END Horizon PROCESSING ENVIRONMENT, mapping key examples of Assurance Work to the
risk areas. System Baseline Risks (Implementation); IT Provisioning Risks, “Responsible for ‘Processing with
integrity’: provision of a reliable system processing environment”; and System Usage, “Responsible for ‘Usage with
integrity’: appropriate use and delivery of processes using the Horizon IT system”, including Non-Branch
Processing (e.g. FSC). Assurance sources shown: Wipro Test Strategy, Gap Analysis and Gartner Report,
ISAE3402, PCI DSS, Technical Documentation and Internal Audit Reporting.]

When considering the sources of assurance over IT Provision Risks, System Usage Risks and System Baseline
Risks, a number of parties have been (and continue to be), involved in performing work over the Horizon
processing environment which contributes to the overall assurance management has over the correct operation of
the system.

Assurance Work from the following organisations, in addition to information provided from POL, have been
identified and considered in our work:

• Fujitsu, who designed, built and now operate Horizon;

• Bureau Veritas, who perform ISO27001 certification over Fujitsu’s networks, including that of Horizon;

• Information Risk Management (IRM), who accredit Horizon to PCI DSS;


• Ernst & Young, who produce an ISAE3402 service auditor report over the Horizon processing environment;
and

• Internal audit, who perform risk based reviews within POL.

In considering the Assurance Work provided to us by management during the course of this engagement we have
considered whether it constitutes assurance provided under an assurance engagement, as defined by IFAC, or
is a source of information that provides comfort in other ways. For the purposes of clarifying the Assurance Work,
we have assigned each document received to one of two classifications, defined as follows:

“Assurance” – The Assurance Work has been provided under an assurance engagement by an independent third
party, suitably qualified in the subject matter constituting the focus of the engagement to provide a valid opinion.
Sources of such assurance include:

• Internal Audit functions;

• External Audit; and

• Other third party reviews, not involved in the original design nor day-to-day operation of the system,
containing (a) a formal opinion, such as those performed in line with recognised standards such as
ISAE3402, or (b) no formal opinion (i.e. a report based on evidence and facts without interpretation).

“Other Sources of Comfort” – The Assurance Work is either not produced by an independent party or not produced by an
individual who is suitably qualified in assurance engagements, or both. Other sources of comfort include:

• IT Project Documentation;

• Operational Documentation, such as policies, procedures and process / system information produced by
functional teams;

• Reviews or investigations performed by outsourcers (e.g. deep dives, diagnostics, spot reviews);

• Business peer group review teams and functions; and

• ‘Second line’ compliance teams.

In Appendix 3 we have documented all the Assurance Work we received and added our classification of those
sources by these two categories.

Summary of Work Performed

Based upon the concepts outlined above we have performed the desktop based work below (further detail of which
is outlined in our Engagement Letter shown in Appendix 4). We have not performed any testing to validate the
information provided to us as part of our work.

Step 1: Analysis and Review

• Activity 1. Documentation Review - We have reviewed a number of documents produced by several
different organisations in order to understand key matters relating to the Horizon system and the
Assurance Work available.

• Activity 2. Risk Universe Formulation - We have then, in the absence of a holistic risk assessment being
performed by POL and thus for the purposes of our assessment, created a risk universe based on our
experience of information processing systems encompassing the three primary risk areas previously
identified: IT Provision, System Usage and Baseline Risks. The five key matters for consideration outlined
by management were also considered during this process.

• Activity 3. Review of Assurance Work - The available documentation was reviewed in order to
understand the Assurance Work available to POL, against each of the three identified risk areas.

Step 2: Gap Analysis and Assessment
Based on the analysis in Step 1 we have produced:

• Activity 4. System Provisioning Assurance Assessments and Gap Analysis - Considering key
potential gaps or areas of ambiguity in the available assurance sources when considering the System
Provisioning risk universe.

• Activity 5. System Usage and Baseline Assurance Assessments and Gap Analysis — Assessing the
documentation relating to System Usage Risks and then performing deep dives into the following areas of
specific risk:

  • Horizon interfaces (including DVLA);
  • Branch Database;
  • Audit Store;
  • Horizon Implementation Project;
  • Audit Store Changes; and
  • Data Strategy Foundation project.

• Activity 6. Peer Comparison to Assurance Available to Similar Organisations — We have assessed
the Assurance Work available to similar organisations over System Provisioning Risks (the area of risk
where a benchmark is most valid due to the level of information available from POL) and therefore
assessed whether POL has comparable levels of assurance.

Step 3: Reporting
The analysis and interpretation in Step 2 has allowed us to formulate:

• Activity 7. Produce an Assurance Schedule over Horizon Features, and Recommendations —
Mapping control assertions, Horizon Features and Assurance Work and reporting on the level of comfort
that we have assessed in each of these areas. Identification of the key considerations for management
arising from our analysis and a plan of action to respond to these recommendations.

A more detailed description of the activities performed follows.

Activity 1: Documentation Review

All of the documentation reviewed during the course of our review has been documented within Appendix 3. This
documentation can be divided into the following classifications:

• Technical documentation on the Operation of the Horizon System — Reviewed in order to gain a deeper
understanding of how the Horizon system works, how complex it is, and where we should be focusing
further efforts and analysis;

• Independent Third Party Assurance documentation — This documentation has been reviewed in order to
understand the existing assurance sources relevant to the environment;

• Documentation of Historical Issues and Allegations in relation to the Horizon System — This documentation
has been reviewed in order to understand the background context and better position the IT Provision,
System Usage and Baseline System risk work performed over the environment; and

• Service Provider Analysis and Response to Issues — This documentation has been reviewed to gain an
understanding of the work performed by Fujitsu in investigating the issues raised, and how these will be
responded to.

A number of individuals from POL have been interviewed during the course of formulating this report to supplement
our understanding from the provided documentation.

Activity 2: Risk Universe Formulation

System Baseline Risk Universe

The original implementation of Horizon in 1995, together with subsequent changes (whether routine via change
management processes, or large complex change programmes such as the Horizon system implementation in
2010-11), represent events affecting Baseline System Risk.

To assess these risks we have understood the history of the Horizon system and selected three areas for more
detailed investigation, including:

• Horizon Implementation;

• Data Strategy Foundation project; and

• A sample of changes to the Audit Store (subsequent to determining that this key risk area for the system
had been left largely untouched by the key implementation events highlighted in the previous two bullets).

For each of these change areas we have assessed the Assurance Work from a governance and control
perspective, and POL's ability to take comfort that the Horizon system was fit for purpose at the time of the change
and operated in line with management intentions (through business requirements definitions and project testing
against these).

IT Provision Risk Universe

This risk universe was formulated from our prior experience of auditing and assuring information systems and
involved the identification of high level risks across three core areas:

• Information Security;
• Information System Operations; and
• Change Management.

Once the IT Provisioning risk universe had been formulated a mapping of control objectives within the Assurance
Work was performed in order to assess coverage.

The three sources of assurance included within this mapping were:

• ISAE3402 report on the Horizon managed service;
• PCI DSS compliance report on Horizon; and
• ISO27001 Statement of Applicability.

System Usage Risk Universe

As POL has not conducted a holistic assessment of risk in this area, a full understanding and assessment of
assurance over the System Usage risk environment was not available for our review.

Instead we focussed our assessment on two key areas of risk: those relating to the completeness and accuracy of
the Audit Store, the Branch Database and key system interfaces with a significant third party, such as the DVLA.
We sought to understand the Assurance Work that has been done against each of these areas.

This involved:

• Enquiry with relevant SMEs;
• Review of documentation;
• Formulation of a risk universe in these specific areas; and
• Understanding of existing assurance work over controls which mitigate these risks.

Horizon Features

Across each of the three risk universes we identified features within the processing environment that exert control
and provide that:

1. Horizon only allows complete baskets of transactions to be processed;

2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;

3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;

4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and

5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.

We refer to these identified features as the “Horizon Features” and identification of these features in response to
the matters for consideration listed above was a core component of our work.

Activity 3: Review of Assurance Work

With the background context of the three risk universes outlined within the previous section, we reviewed the
available Assurance Work in order to assess the coverage and nature of the comfort provided by the work.

The documentation reviewed during this stage has been listed within Appendix 3, as are the names of individuals
consulted in relation to our work.

Activity 4: System Provision Assurance Assessments and Gap Analysis

Once the System Provisioning risk universes had been formulated a mapping of control objectives within each of
the main assurance sources was performed in order to assess coverage. The three sources of assurance included
within this mapping were:

• ISAE3402 report on the Horizon managed service;
• PCI DSS compliance report on Horizon; and
• ISO27001 Statement of Applicability.

The results of this mapping exercise are summarised within Section 5 and reproduced, in detail, within Appendix 1.

In parallel to this assurance exercise we have also summarised key matters relating to each assurance source.
This involved considering the context and focus of the relevant Assurance Work and comparing these to the
context and focus that would be required for coverage of the key risks (this was in recognition of the risk that some
of the documents could be used or applied out of context from their original purpose).

Activity 5: System Usage and Baseline Assurance Assessments and Gap Analysis

Following our understanding of the system and historical issues the following areas were singled out as relevant for
deeper analysis, and this approach was agreed with POL management:

1. Audit Store - The audit store has been used frequently in investigations by POL / Fujitsu and is used as
supporting evidence during legal proceedings. Therefore its integrity is paramount to responding to these
issues. However the audit store cannot be relied on in isolation, as its integrity is dependent upon the
correct processing of transactions by the wider Horizon system (upstream events if processed incorrectly
will be recorded incorrectly by the audit store).

2. Horizon interfaces (including DVLA) — Horizon is reliant on a significant number of batch processes and
online services (including interfaces with third party systems) in order to function correctly. These routines
need to be functioning correctly and accurately for the transactions processed by the system and ultimately
recorded in the audit trail to be reflective of the underlying commercial realities and business transactions
they purport to represent.

3. Branch Database - The Branch Database is a key ‘staging post’ for data being transacted on counters
within individual branches prior to transmission onwards to the Audit Store. As data from branches is held
within the messaging journal table on this system for up to a day before being processed into the audit
store, the security controls and processes protecting this data whilst in temporary storage here are
paramount.

4. Horizon Implementation Project — This change represented the largest single change to the Horizon
system since implementation, and also the change implemented prior to adoption of the current major
release of the system, and so was considered of particular relevance to our overall understanding of
Baseline System risk.

5. Audit Store Changes — Our understanding of the HNG-X Implementation Project quickly highlighted that
this project had very little impact on the Audit Store itself. As a result we performed procedures to
understand some of the changes which had been made to the Audit Store following its original
implementation.

6. Data Strategy Foundation Project — We determined during the course of our work that this was another
key implementation project in the recent history of the Horizon system of particular relevance to a sub-
group of the system interfaces on Horizon. This project was therefore also deemed key for our
understanding of system Baseline risk.

For each of the areas outlined in 1 - 6 above an assessment was made of the coverage and nature of the
Assurance Work provided.

For areas 1 - 3 (System Usage Risks) the functionality of the particular area was further understood and key
controls over the corresponding risks then sought.

For areas 4 - 6 (System Baseline Risks) we adopted a different approach, whereby the typical good practice
documentation requirements and project governance methods as stipulated by ‘Prince 2’ (amongst others) were
utilised as a baseline, and the approach to each of the sampled change initiatives was assessed from the available
documentation. This work was conducted through a mixture of verbal discussion and the receipt of supporting
evidence where applicable.

Activity 6: Peer Comparison to Assurance Available to Similar Organisations

As part of our analysis we have also assessed whether the IT Provision assurance POL has obtained is
proportionate to that provided to similar organisations.

We have also considered the best practice approach outlined by the COSO framework, as published by The
Committee of Sponsoring Organisations of the Treadway Commission, in formulating suggestions for potential
areas of improvement in the risk, control and assurance activities of POL.

[Figure: The COSO Cube, showing the components Monitoring; Information and Communication; Control Activities; Risk Assessment; and Control Environment.]

The COSO Cube: Presents a framework for best practice
approaches to risk, controls and assurance activities.

Activity 7: Produce an Assurance Schedule over Horizon Features and raise
Recommendations and Plan of Action

We have written up our assurance schedule, which maps the Assurance Work to specific controls relating the
Horizon Processing Environment, and commented on the level of comfort that the Assurance Work provides in
each area.

Our report also contains recommendations for management together with a suggested plan of action for
management consideration.

4 Understanding the Horizon Processing
Environment

Overview of the Processing Environment

The Horizon IT system was designed specifically for POL, and therefore an understanding of its operations,
processing environment and configuration was required in order to fully quantify the risks applicable to the IT
components of the processing environment.

Horizon has been the main operational system of POL since 1995 and:
• Has a user base of 68,000 users;
• Has terminals within 11,500 branches;
• Processes an average of 6 million transactions a day; and
• Interfaces with over 20 third party systems.

As highlighted in our ‘Approach’ section above, we have categorised the risks posed on the system into three
distinct areas (System Baseline Risk, IT Provision Risk and System Usage Risk), and the remainder of this section
outlines our understanding of the IT system that underpins these.

System Baseline Risk
Horizon (HNG-X) Project

The change to the HNG-X system in 2010 was governed using Royal Mail's “Harmony” project methodology (the
governing project standard at the time). The project saw the phased implementation over 18 months of the HNG-X
solution (also known as “Horizon On-Line”). Individual POL Branches were migrated from the Legacy System to the
new HNG-X system, one by one.

No historical data was migrated, although six months of data was maintained within the Legacy System. Our review
of Assurance Work shows that a number of key controls were operated over the project, which was managed by
Fujitsu on behalf of POL. These included:

• POL signing off acceptance criteria;

• A phased migration including a model office pilot; and

• Branch by branch reconciliation between opening balances on the new system and closing balances on the
legacy system.

Wipro, an independent third party, were commissioned to provide a report on the performance testing strategy
including gap analysis and recommendations, and Gartner provided an assessment of the overall system design
and strategy.

The benefits from the migration included the removal of transactional data being held at local branches levels and
this data instead being stored centrally within the data centres.

Data Strategy Foundation Project

The project focused on moving the Accounts Payable file feed, which was initially received into Credence via
Transaction Integrator, to processing via Fujitsu Horizon systems (i.e. not the Counter). The goal of the project was
to provide a longer term system solution which would provide complete reconciliation, resilience and disaster
recovery capabilities, as well as reduce the risk of client withdrawal.

The POL strategic requirements to expand its offerings to other platforms beyond Horizon introduced the
requirement for a data integrator function. Originally POL approached Fujitsu Services to supply this service as
plans to incorporate an integrator service within the Horizon architecture were considered to represent a clean
solution. However, Fujitsu Services were unable to respond within the desired timescales as it would have diverted
their resources from key Horizon on-line delivery milestones.

POL therefore investigated alternative options, finally selecting the use of IBM datastage as the Transaction
Integrator. This was delivered as part of the POLMI project. Fujitsu Services then submitted a high level design
proposal for the provision of a service for processing client transaction files which would provide end-to-end data
validation / reconciliation, with resilience and DR (the incumbent IBM datastage solution did not provide resilience,
DR or end to end reconciliation, presenting a threat to relationships and future contracts).

Assurance Work provided included:

• Project overview document;
• Business Case;
• Weekly Project Meeting Committee Presentation;
• Business Requirements;
• Test Strategy;
• Test Sign off; and
• Test Report.

Audit Store Changes

In assessing change risks in relation to the Audit Store, documentation has asserted that the recent significant
changes above did not result in significant changes to the operation of the day-to-day Counter transaction flows or
the operation of the Audit Store.

To assess Baseline risk for the Audit Store the original implementation documentation for the Audit Store was
requested. Due to the data retention policy this documentation could not be provided and so a review of Fujitsu
provided documentation over subsequent changes over a large period of the Audit Store's history was performed.

In producing the diagram on page 9, we have considered the key System Baseline Risks in the context of two
control assertions below, which became the overall focus of our work in this System Baseline area:

• The Horizon Features were fit for purpose and worked as intended when first implemented; and
• Major changes since implementation have not significantly impacted the Horizon Features.

IT Provision Risk

As part of our work, through review of documentation and discussions with subject matter experts in POL, we
familiarised ourselves with the topology and operations of the Horizon IT system.

The systems documentation and understanding obtained (shown in summary in diagrams below) highlights the
complexity of the Horizon IT system and the level of data being transacted via batch and real-time data flow. This
volume and level of complexity in the data flows, including interactions with other systems, highlights the
importance of effective IT Provisioning controls to the integrity of the processing environment.

[Diagram: Horizon system topology, showing external systems and web services (including MoneyGram), the Service Hub and Training Web Service, the Branch Access Layer (authentication and service routing), Routing & Load Balancing (via CSM network), and the Branch Estate counters. Diagram provided by Post Office Limited.]

The Horizon IT system is built in line with key principles that all data is held centrally within the data centre with the
exception of some standing data which is held locally within the branch. This centralisation principle applies to all
‘completed’ transactional data (known as “baskets”) and to the Audit Store.

To support this principle the network architecture of Horizon is formulated on:
• Data centre;
• WAN Services (connecting datacentres, POL central sites, and Fujitsu sites); and
• Branch Network.

The diagram below provided by Fujitsu shows the high level IT system infrastructure:

[Diagram: high level IT system infrastructure, showing Client Systems, Post Office Systems and Fujitsu Support Sites; Primary and Secondary Data Centres with DMZs and intercampus links; the Branch DMZ; and branch connectivity for mobile and small branches via broadband, VSAT (earth station) and EDGE / GPRS / 3G backup routers.]

The IT system is hosted on Bladeform technology with systems software being provided by:

• Windows 2003 Server (Enterprise and Standard, 32Bit and 64Bit);
• Red Hat Enterprise Linux (Release 4, 32Bit and 64Bit);
• Solaris 10 (Discrete platforms only); and
• Windows XP, Windows 2000 and Microsoft NT operating systems for some legacy services.

A number of internal and external interfaces are necessary for the reliable day-to-day processing of the IT systems,
and hence for the integrity of the Horizon Features which control these activities and interfaces, which is key to the
effective operation of the overall system.

External interfaces include (not an exhaustive list):

• DVLA;
• Lottery; and
• Bank Payment Channels (Vocalink, e-pay, Streamline).

Internal Interfaces include (not an exhaustive list):

• Paystation;
• POL SAP;
• Pay and Go; and
• ATMs.

A number of batch processes also run in facilitating the successful processing by the system.

Managing the processing of the real-time and batch processing environment is Tivoli Workflow Scheduler (TWS)
which is used to execute, monitor and handle exceptions within the processing environment. TWS is managed and
monitored by Fujitsu as part of the managed service contract between the two parties.

In producing the diagram on page 9, we have considered the IT Provisioning risks in the context of the following
assertion:

• Supporting IT management processes are well controlled.

System Usage Risk

Responsibility for the administration of the system rests with Fujitsu who provide change control, security
management, system operations, and end-user support.

Responsibility for the effective usage of the system, including compliant and effective business processes, remains
with POL.

The user base of Horizon can be subdivided into two core areas:

• Central Users — including Finance, and users at the Network Business Support Centre.
• Branch Users — Sub-postmasters and their staff who are processing shop floor transactions.

Outside of the POL user base, Fujitsu provide administration services, and hold service and super user account
privileges within the system.

Horizon supports the processing of a multitude of different transactions including:
• Purchases of goods;
• Purchases of services (for example Lottery tickets or tax discs);
• Payments to discharge customer debts (payment of mobile phone bills for example);
• Refunds; and
• Transaction corrections.

Several transaction mediums are accepted, for example:
• Cash;
• Credit and debit cards; and
• Cheques.

A number of controls are in place to support the integrity of transactional processing including:

• The Audit Store, a secure area of Horizon which purports to store all transactional information in
sequentially numbered records, along with key system events;

• Monitoring controls facilitated by Tivoli Workflow Scheduler and associated exception handling processes;

• Handshakes and call offs between systems, which include various controls around the integrity of transmitted
data (such as digital signatures); and

• Backup communication routes between branches and the central data centre (mobile technology).
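The integrity properties the report attributes to the Audit Store (sequentially numbered, ‘digitally sealed’ records that make tampering evident) and to the Horizon Features (only complete baskets are processed) can be illustrated with a small model. The following is an added example written for this review, not Horizon’s own mechanism, which the report does not describe; the seal construction (an HMAC chained to the previous record’s seal), the demonstration key and the rule that a ‘complete’ basket balances to zero are all assumptions.

```python
import hashlib
import hmac
import json


class SealedAuditStore:
    """Illustrative model (an assumption, not Horizon's design): an append-only
    store of baskets. Each basket sits in a sequentially numbered record and is
    'sealed' with an HMAC that also covers the previous record's seal, so that
    editing, removing or reordering any record is detectable on verification."""

    GENESIS = "0" * 64  # placeholder 'previous seal' for the first record

    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self.records = []

    @staticmethod
    def is_complete(basket):
        """A basket is accepted only if it is complete: at least one line, and
        the lines balance to zero (assumed double-entry convention, in pence)."""
        lines = basket.get("lines", [])
        return bool(lines) and sum(line["amount"] for line in lines) == 0

    def _seal(self, seq, prev_seal, basket):
        # Canonical encoding so the same content always seals identically.
        payload = json.dumps({"seq": seq, "prev": prev_seal, "basket": basket},
                             sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, basket):
        """Only complete baskets are recorded; each record is sealed on entry."""
        if not self.is_complete(basket):
            raise ValueError("incomplete basket rejected")
        seq = len(self.records) + 1
        prev = self.records[-1]["seal"] if self.records else self.GENESIS
        self.records.append({"seq": seq, "prev": prev, "basket": basket,
                             "seal": self._seal(seq, prev, basket)})
        return seq

    def verify(self):
        """Re-derive every seal and check numbering and chaining.
        Returns a list of problems; an empty list means the store is intact."""
        problems = []
        prev = self.GENESIS
        for expected, rec in enumerate(self.records, start=1):
            if rec["seq"] != expected:
                problems.append(f"record {expected}: sequence gap (found seq {rec['seq']})")
            if rec["prev"] != prev:
                problems.append(f"record {rec['seq']}: chain broken")
            recomputed = self._seal(rec["seq"], rec["prev"], rec["basket"])
            if not hmac.compare_digest(rec["seal"], recomputed):
                problems.append(f"record {rec['seq']}: seal mismatch")
            prev = rec["seal"]
        return problems


def demo():
    """Walk through: intact store, rejected incomplete basket, detected edit,
    detected removal. All baskets and the key are constructed sample data."""
    store = SealedAuditStore(b"constructed-demo-key")  # a real key would live in a key store
    store.append({"branch": "000001", "lines": [
        {"product": "stamps", "amount": 1250}, {"tender": "cash", "amount": -1250}]})
    store.append({"branch": "000001", "lines": [
        {"product": "bill payment", "amount": 4000}, {"tender": "card", "amount": -4000}]})
    intact = store.verify()

    # An unbalanced (incomplete) basket never reaches the store.
    try:
        store.append({"branch": "000001", "lines": [{"product": "stamps", "amount": 500}]})
        rejected = False
    except ValueError:
        rejected = True

    # Direct modification of a recorded amount breaks that record's seal.
    store.records[0]["basket"]["lines"][0]["amount"] = 1200
    after_edit = store.verify()
    store.records[0]["basket"]["lines"][0]["amount"] = 1250

    # Removing a record leaves a numbering gap and a broken chain.
    removed = store.records.pop(0)
    after_removal = store.verify()
    store.records.insert(0, removed)

    return {"intact": intact, "rejected": rejected,
            "after_edit": after_edit, "after_removal": after_removal}


if __name__ == "__main__":
    print(demo())
```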

Reconciliations are performed regularly both in branch and centrally. Key reconciliation processes carried out
include:

• Daily branch cash declaration and reconciliation to Horizon balances;

• Weekly balance of cash and stock and reconciliation to Horizon balances;

• Monthly trading period roll over (including resolution of any suspense account issues rolling over from
weekly or daily reconciliations); and

• Central finance processes to reconcile central records to cash remitted to POL, cheques remitted to POL
etc.

In response to discrepancies as a result of these reconciliation processes investigations may be conducted by the
Finance Service Centre, and if required transactional corrections processed. These corrections are subject to
significant investigation and are subject to approval by Sub-postmasters in the first instance.

Workarounds are not usually required, the main workaround being in relation to mobile connections from branch to
data centre in the event that the main connection to the central data centre cannot be utilised.

In producing the diagram on page 9, we have considered the primary System Usage risks in the context of the
questions posed within the scope of our work, and refined these risks into the following control assertions:

• Transactions from the Counter are recorded completely, accurately and on a timely basis centrally;
• Transactions processed to Branch Ledgers are recorded completely and accurately in the Audit Store;
• Directly posted "Balancing Transactions" are visible and approved;
• Information reported from the Audit Store retains its original integrity;
• Data posted from other systems and teams is visible to and accepted by sub post-masters; and
• Database Administrators (DBAs) or others granted DBA access do not modify data directly.

5 Assessment of Assurance Sources

IT Provision Risk Assurance Sources / Gap Analysis

For the IT Provision risks the existing assurance sources appear to provide a good level of coverage over the risk
universe associated with this area of the Horizon processing environment.

Our high-level analysis of this coverage against the three core risk areas is as follows:

[Table: coverage of each assurance source (ISO27001 Statement of Applicability; ISAE3402 Report; PCI DSS Report) against the three core risk areas (Information Security; Information System Operations; Change Management). The coverage indicators are not reproduced.]

Detailed analysis at an objective level is included within Appendix 1.

In considering this assessment, POL management should be cognisant of the inherent limitations of each report,
given the purpose for which it was written:

Report | Limitations / Factors to Consider whilst Utilising

ISO27001 Statement of Applicability
  This document has been produced by Fujitsu, limiting its value from an independence perspective. It should be
  noted, however, that it is supported by an independent assessment of ISO27001 compliance by Bureau Veritas, an
  accredited certification provider.
  The main focus of ISO27001 is on security, although it does also focus (to a lesser degree) on the other core IT
  Provision risk areas, Change Management and Information System Operations.

ISAE3402 Report
  This document has been produced by an independent third party, Ernst and Young. It has good coverage of all three
  IT Provision risk areas, and is produced according to testing standards stipulated within the ISAE3402 standard.
  In relying on this report management has considered ‘Section 6 Complementary User Entity Controls’, which
  stipulates the controls that POL should be operating in addition to the controls at Fujitsu in order to complete the
  control environment over Horizon.

PCI DSS Report
  The scope of the PCI DSS report is the narrowest of the three assurance reports. It is focused exclusively on the
  security of cardholder data, and does not span the other two IT Provisioning risk areas to the degree of the other
  assurance sources. In particular, it provides minimal coverage of the Information Systems Operations System
  Provisioning risk.

Of note when considering coverage of IT Provision assurance sources is that the majority of the focus is over
Information Security, whereas based upon the historical issues and allegations being levelled at the system,
Information System Operations and Change Management would appear to be higher risk areas in the context of
this particular piece of work.

Peer Comparison of IT Provision Assurance Available to Similar Organisations

Our comparison to peer organisations yielded the following results:

Organisation | Sources of Assurance | Regulatory Focus
Print Media | External Audit; Ad-hoc Risk Consultancy | N/A
Retail | External Audit; Internal Audit | FCA (CCA)
Retail | External Audit; Internal Audit; PCI DSS | FCA (CCA); Loan Loss Provisioning Reporting
Retail and payments processing | External Audit; Internal Audit | FCA
Government | External Audit; Internal Audit; PCI DSS | Data Protection Risk

This highlights that the level of IT Provision Assurance Work that POL has performed is comparable to that in other
similar organisations which are not subject to risk and control regulatory requirements.

This should however also be interpreted in the context of the allegations being made against the Horizon
processing environment which may suggest that a higher level of assurance is warranted compared to these
similar organisational benchmarks.

Baseline Risk Assurance Sources / Gap Analysis

Our assessment of Baseline Risk was based upon three core scope areas:

• Horizon Project;
• Data Strategy Foundation Project; and
• Audit Store Changes.

For each of these scope areas we queried relevant POL and Fujitsu personnel in order to understand the project
and change governance documentation available, and form an assessment as to the project controls applied to
these change events, compared to Deloitte's Project Management methodology.

Our findings are as follows:

Baseline Risk Area: Audit Store
Assurance Work and Information Provided: Changes to Horizon, such as the migration to HNG-X in 2010, involved minimal changes to the operation of the Audit Store. As a result these large scale projects are of minimal interest with regards to establishing a Baseline Risk position in relation to the design and functioning of Horizon Features relating to the Audit Store.
Some small changes have been made to the Audit Store in more recent years. Samples of documentation correlating to changes throughout the years the Audit Store has been in place were requested in order to understand whether these changes to the system had been managed to good practice standards.
Further, at the point of implementation of the Audit Store, verbal representation was provided that a 'Security Report' was produced which purported to demonstrate that the functionality of the system was as designed. This would be a key piece of Assurance Work, demonstrating the correct functionality of the Audit Store at that point in time, but could not be located by POL and thus could not be reviewed as part of our work.

Baseline Risk Area: HNG-X Implementation (2010)
Assurance Work and Information Provided: Detailed business and technical design documents have been verbally represented to have been created during the delivery of the project life cycle.
Detailed test plans, MI, Defect Management and other key testing artefacts were produced during the course of the project. Several acceptance criteria related to the closure of testing defects. Examples of testing documentation have been provided to our review team during the course of our work.
Migration checklists and instructions have been provided. These illustrate that site visits would be conducted during the migration to support the Sub-postmaster with the migration and support the resolution of any queries.
We have been provided with verbal representation that detailed project acceptance criteria were agreed between Fujitsu and POL, and then signed off during the lifecycle of the project. An example of such acceptance criteria in relation to Non-Functional Requirements has been provided to us to support this verbal representation.

Baseline Risk Area: Data Strategy Foundation Project
Assurance Work and Information Provided: Detailed business and technical design documents have been verbally represented to have been created during the delivery of the project life cycle.
Assurance Work was provided to demonstrate business scoping and approval of changes to be applied (including a benefits realisation and costings map), a requirements tracker document, testing strategy plan, testing report plan and migration summary documents. We were also provided with an example of the weekly reporting process at project close which demonstrated the level of governance and oversight the project had from senior stakeholders.


Summarising the work we have performed against Baseline Risk, we conclude that for each sampled change,
Assurance Work has been produced in accordance with defined change management or project methodologies.
We have not, however, been furnished with all key items of documentation we would have liked to review, due to the
availability of such documentation to POL, and much of the Assurance Work provided to us consisted of confirmations of
verbal representations made during our work.

Further work will be required to perform a 'deep dive' review of project and change documentation on particular
high risk areas (for example the original implementation of the Audit Store, and acceptance criteria sign off for the
Branch Database commissioning as part of the Horizon HNG-X Implementation project), in order to provide
assurance that the system baseline position was appropriately implemented and tested (the timeframe of such a
position varying depending on the component of the system under investigation).

Assessment of Assurance against System Usage Risk Areas

Our assessment in each of these areas is based upon information contained within system documentation from
Fujitsu and operational policy and procedure documentation from the finance service centre, as well as emails
confirming verbal assertions we received during the course of our work.

No testing or independent sources of assurance were identified over these System Usage risk areas.

Our understanding of the design of Horizon Features responding to key risks is a core output of our work and is
outlined within Appendix 2 where we have provided a documentary listing of all of the Horizon features.


6 Matters for Consideration

In this section we set out our key matters for management consideration, further to the work we have performed
above.

We have structured this section as follows:
- Key Matters for Consideration, by Risk Area reviewed;
- Factors to Consider in Formulating an Action Plan; and
- Proposed Action Plan.

Key Matters for Consideration

(1) General
Nature of Assurance Work: N/A

a. Risk Appetite: During our work, only occasional linkage of work to the risk appetite of POL
was noted. Whilst not unusual in the consumer business sector, such articulation and
embedding of risk appetite assists with the delivery of better optimised and prioritised key
controls and assurance activities.

b. Holistic Risk and Assurance Framework: A holistic, risk intelligent assessment relating to
the identification and mitigation of key risks to the integrity of processing should be
considered in order to validate the completeness of the Horizon Features referred to in our
work and thus provide a complete schedule of key controls that require assurance. Whilst
Assurance Work has been provided demonstrating the use of key forums for tracking the
risk environment surrounding Horizon (such as the Information Security Management Forum
and Fujitsu Services Security Reports), these are not set up to specifically consider the
holistic risk and assurance framework necessary to enable an overall comment on the
design, implementation and operating effectiveness of the Horizon Features.

(2) System Baseline
Nature of Assurance Work: Verbal representations; limited documentation

a. Project Governance: Governance procedures described to us (verbally) suggest that the
expected levels of business involvement in pre-go live system and user acceptance testing
are performed as part of system implementation projects over the Horizon IT system, and that
business users would be appropriately involved in signing off system requirements and
readiness to go-live (full system reconciliations). To supplement these verbal assurances,
management has provided us with samples of documentation from the three sampled
change areas (Horizon Implementation, Data Strategy Foundation, and Audit Store
changes). Despite these sources of evidence, management should consider whether further
investigations into sources of assurance from the original Horizon implementation would be
worthwhile, given the importance of establishing a well-founded baseline position over the
Horizon Features.

b. Audit Store Baseline: The implementation of Horizon HNG-X in 2010-11 was asserted to
not have had a significant impact on the Horizon Features. In particular no changes were
made to the Audit Store as a result of the implementation. Therefore the 'baseline' position
for the Audit Store was established as being at the original implementation of the Horizon IT
system. Key documentation around the baseline position for the Audit Store could not be
provided to us during the course of our work. We note that a security report was
verbally represented to us to have been commissioned during the original implementation of
the Audit Store, although this report could not be located and provided to us.

(3) IT Provision
Nature of Assurance Work: Extensive documentation; independent testing

a. End User Entity Control Considerations: The ISAE3402 report requires interpretation in
the context of these controls at POL. They are outlined in section 6 of the ISAE3402 report.
Without such analysis, the assurance provided by the ISAE3402 is weakened. We are
aware that POL has nearly completed work in order to address such considerations.

b. Assurance Clarifications: In the context of detailed testing and assurance procedures,
there are areas of the ISAE3402 report which would benefit from further clarification, in order
to remove the risk of ambiguity from its interpretation, and overlaps with other sources of
assurance that may be performed. For example:

- the report does not state from where populations of data tested in samples were
obtained and thus how exposed conclusions may be to internal fraud or deliberate
override of control (e.g. for change management testing, were samples picked from the
population in the secure Audit Store, or from another source?);

- the report does not draw out certain key features in the control design, which we would
assume are present; for example, control objective 4.8.11 (relating to access to the
system being restricted to appropriate users) does not explicitly state and test that users
must have and use their own unique username, thus underpinning audit trail integrity;
and controls relating to the management of administrator access could be more specific
as to the extent and nature of the design of controls and testing performed;

- the report is not explicit in the sample sizes used for testing; and

- the report contains tests which could be strengthened; for example, control test 6.5 in
section 7 appears to test through discussion with personnel only, without clarifying if
anything was done to corroborate such verbal assertions.

c. Internal Audit Work: Internal audit work conducted highlights progress in responding to
and closing down issues in relation to internal audit risks, but a number of issues remain
outstanding. Internal audit have also not done any specific assurance work over the
allegations being raised on the Horizon system and POL's response to the issues raised.

(4) System Usage
Nature of Assurance Work: Partial documentation

a. Risk Driven Considerations: The current documentation over System Usage Risks has
been largely written in response to key incidents or events, by non-independent parties and
from operational perspectives. Whilst detailed, it is also not written from a risk and
assurance perspective and is rarely evidential in its content.

b. Risk and Control Framework: There are areas where an understanding of the design and
nature of operations relating to System Usage Risks is available, but the design,
implementation and operating effectiveness of key controls has not been aggregated into a
risk driven framework nor formally assured through evidence based testing. Further, the
ability of documentation to fully support information relating to the detailed design of controls
relating to System Usage Risks is unclear (e.g. whilst JSNs are sequential, is there a
systems operations control which checks the completeness of this sequence proactively?).
The Schedule of Assurance over Horizon Features we have formulated as part of our work
(and documented in Appendix 2) provides a basis for such a risk and control framework, as
well as targeted testing over key controls. Management should consider enhancing their
assurance provision by verifying the completeness of this schedule, and conducting
implementation and operating effectiveness testing of the key controls therein.

c. Interfaces - DVLA: Whilst environmental risk relating to system operations is largely
assured in the ISAE3402, we note that no evidence of specific or detailed testing or
assurance work has been carried out over System Usage Risks relating to the DVLA
interface (both IT and business in nature). We note that many interfaces observed do not
relate directly to the Horizon Features in scope for this review, but we recommend that
such activities be considered for inclusion in the overall risk and control framework relating
to the Horizon processing environment.

d. Audit Store: We observed the following:

- It is not clear from the documentation we have been provided whether POL has agreed
that the current capturing of certain key system events is complete and appropriate for
potential governance and investigation needs;

- We have not identified controls which formally report, review and consider the impact
and resolution of any exceptions identified during the Audit Store extraction process, nor
reconcile the data from other reporting systems in the business to those data sets
contained within the Audit Store;

- Investigatory work on the Audit Store has all been performed by Fujitsu who, whilst
technically qualified, do not constitute an independent or risk experienced party for
assurance driven purposes. POL could consider doing more independent analysis of
Audit Store historic data to verify that it is recorded in line with expected characteristics;
and

- From the documentation we have reviewed, controls to assess that the digital signature
is valid and verify that there is a complete sequence of JSNs are retrospective. No
proactive checks were documented which describe the performance of such verifications
prior to the copying of data to the Audit Store.

e. Proactive monitoring of key System Usage Risks: The current assurance environment
appears to be "reactive" in nature, with exceptions in processing triggering diagnostic and
remediation activity only when reported. It would appear that no use is being made of the
Audit Store for proactive monitoring of unusual or exceptional system events potentially
worthy of further investigation and action.

f. Hardware controls over the Audit Store: The Centera EMC devices used to host Audit
Store data have not been configured in the most secure EC+ configuration. As a result
system administrators on these boxes may be able to process changes to the data stored
within the Audit Store, if other alternative software controls around digital seals and key
management are not adequately segregated from Centera box administration staff.
Privileged access to the cryptographic solution around digital signatures, and publicly
available formulas for MD5 hashed digital seals, would potentially allow privileged users at
Fujitsu to delete a legitimate sealed file and replace it with a 'fake' file in an undetectable
manner.

g. Branch Database: We observed the following in relation to the Branch Database:

- A method for posting 'Balancing Transactions' was observed from technical
documentation which allows for posting of additional transactions centrally without the
requirement for these transactions to be accepted by Sub-postmasters (as 'Transaction
Acknowledgements' and 'Transaction Corrections' require). Whilst an audit trail is
asserted to be in place over these functions, evidence of testing of these features is not
available;

- Processes around Transaction Acknowledgements and Transaction Corrections are
subject to out of date documentation, or in the case of Transaction Acknowledgements,
no documentation at all. Such documentation should be produced or brought up to date;

- For 'Balancing Transactions', 'Transaction Acknowledgements', and 'Transaction
Corrections' we did not identify controls to routinely monitor all centrally initiated
transactions to verify that they are all initiated and actioned through known and
governed processes, or controls to reconcile and check data sources which underpin
current period transactional reporting for Sub-postmasters to the Audit Store record of
such activity;

- Security on the Branch Database around the 'Messaging Journal table' is a key area of
risk due to branch transactional data being held on this table for up to a day before being
written to the Audit Store. It was unclear from the documentation reviewed whether
specific assurance work had been carried out in this area; and

- Controls that would detect when a person with authorised privileged access used such
access to send a 'fake' basket into the digital signing process could not be evidenced to
exist.
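The following Python script is an added example written for this page; it is not code from the report, from POL or from Fujitsu. It illustrates the proactive check that item (4)d above found undocumented: verifying each record's seal and the contiguity of JSNs per branch before a batch is copied to the Audit Store, rather than retrospectively. It also shows the point made in (4)f: a seal that is only an unkeyed hash (MD5 in the report) can be recomputed by whoever writes the file, so it detects nothing unless the signing key is held separately from storage administration. The record layout, field names, the HMAC-SHA256 seal, the placeholder key and the sample batch are all constructed assumptions for the example.

```python
"""Added example: pre-copy integrity check for audit-store records.

Assumptions (not from the report): a record is a dict with a branch id, an
integer journal sequence number (JSN) that must be contiguous per branch, an
amount, and a "seal". The seal is HMAC-SHA256 over the canonical record under
a key that the storage administrators do not hold.
"""
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder key for the example


def canonical(record):
    """Canonical bytes of a record with the seal field excluded."""
    body = {k: v for k, v in record.items() if k != "seal"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def keyed_seal(record, key=SEAL_KEY):
    """Keyed seal: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def unkeyed_md5_seal(record):
    """Unkeyed hash of the record: anyone able to write the file can recompute it."""
    return hashlib.md5(canonical(record)).hexdigest()


def make_record(branch, jsn, amount, key=SEAL_KEY):
    """Build a sealed record as the writer would."""
    record = {"branch": branch, "jsn": jsn, "amount": amount}
    record["seal"] = keyed_seal(record, key)
    return record


def verify_batch(records, check=keyed_seal):
    """Proactive check to run before a batch is copied to the Audit Store.

    Returns (ok, findings). ok is True only if every seal verifies under `check`
    and, within each branch, the JSNs form a contiguous run with no gaps or
    duplicates. findings is a list of (kind, branch, jsn) tuples.
    """
    findings = []
    jsns_by_branch = {}
    for record in records:
        if not hmac.compare_digest(record.get("seal", ""), check(record)):
            findings.append(("invalid_seal", record["branch"], record["jsn"]))
        jsns_by_branch.setdefault(record["branch"], []).append(record["jsn"])
    for branch, jsns in jsns_by_branch.items():
        ordered = sorted(jsns)
        for prev, nxt in zip(ordered, ordered[1:]):
            if nxt == prev:
                findings.append(("duplicate_jsn", branch, prev))
            else:
                for missing in range(prev + 1, nxt):
                    findings.append(("gap", branch, missing))
    return (not findings), findings


# Constructed sample batch: JSN 103 never arrived, so the run 100..104 has a gap.
SAMPLE = [make_record("B001", jsn, amount)
          for jsn, amount in ((100, 12.50), (101, -3.00), (102, 40.00), (104, 7.25))]

# Same batch with one amount altered after sealing: the keyed seal no longer verifies.
TAMPERED = [dict(r) for r in SAMPLE]
TAMPERED[2]["amount"] = 4000.00


def unkeyed_hash_does_not_detect_alteration():
    """Why an unkeyed MD5 seal is not a control against a writer who can re-hash:
    the altered record is re-sealed and a hash-only check passes, whereas the
    keyed check rejects it."""
    record = {"branch": "B002", "jsn": 1, "amount": 10.00}
    record["seal"] = unkeyed_md5_seal(record)
    altered = dict(record, amount=9999.00)
    altered["seal"] = unkeyed_md5_seal(altered)
    ok_hash_only, _ = verify_batch([altered], check=unkeyed_md5_seal)
    ok_keyed, _ = verify_batch([altered])
    return ok_hash_only and not ok_keyed


if __name__ == "__main__":
    for name, batch in (("sample", SAMPLE), ("tampered", TAMPERED)):
        ok, findings = verify_batch(batch)
        print(name, "ok to copy" if ok else "hold for review", findings)
    print("unkeyed hash passes after alteration:", unkeyed_hash_does_not_detect_alteration())
```

Run as a script, the sample batch is held because of the missing JSN 103, the tampered batch is held for both the invalid seal on JSN 102 and the gap, and the final line shows that a hash-only check is blind to the alteration. The design choice that matters is the separation of the seal key from the people who administer the storage; without it, any seal degrades to the unkeyed case.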


Recommendations

We have identified three areas where POL should consider further actions to strengthen the quality and nature of
assurance in place over the Horizon system.

These are actions that may:
- Further support Project Sparrow;
- Integrate knowledge obtained from this work into the Future System Requirements project; and
- Help POL to move towards a more holistic Programme of Assurance.

We have aligned each of the actions we would recommend to POL management to one of these areas, and we
present these below.

Actions that may further support Project Sparrow

A1 Investigation of Balancing Transactions use
Perform a detailed review of Balancing Transaction use: Instruct a suitably qualified party (independent of Fujitsu) to carry out a review of the circumstances leading up to the need to use the Balancing Transaction functionality in Horizon, including an assessment of the communications with the relevant Sub-Postmaster prior to any adjustment being made to their ledgers. This work should include a more detailed walkthrough of the current day "Balancing Transaction" policies, procedures and key controls, making recommendations for improvement.

A2 Verification work that Horizon Features are implemented as described
Perform implementation testing of Horizon Features: Instruct a suitably qualified party (independent of Fujitsu) to carry out implementation testing of the Horizon Features (or a selection of key Horizon Features) identified in this report. The work should aim to provide POL with comfort that the Horizon Features extracted from documentation are actually designed and implemented exactly as described in that documentation.

A3 Testing of Historic Transactions
Analytical Testing of Historic Transactions: Audit Store documentation asserts that the system contains seven years of Branch transactions, and a number of system event activities. In addition, a number of assertions relating to data integrity, record / field structure and key control features (such as sequencing of JSN) are made in documentation, but have never been validated by parties outside of Fujitsu. With modern day technologies, the analytic profiling and testing of such Big Data sets is likely to be feasible, thus POL should consider instructing a party independent of Fujitsu to perform independent risk analytics on an extract of all Audit Store data to verify that (a) key characteristics are seen in the data as expected and (b) what other matters / exceptions / insights can potentially be derived. This exercise would also provide valuable insight into those Horizon Features that could be automatically monitored as part of the optimised risk and control environment described below.

A5 Documentation of all Horizon adjustment and reporting processes in the FSC
Update / Create documentation formalising all key adjustment and reporting processes in operation over Horizon in the FSC: Identify and document all key activities in the FSC relating to both adjustment processing to Sub-Postmaster ledgers and to the control activities that ensure that transactional data visible to Sub-Postmasters is fully reconciled to the Audit Store's 'high integrity' copy of Branch Ledger transactions. Use this exercise to verify the completeness and appropriateness of Horizon Features so far identified from verbal assertions, and then perform implementation testing (per A2 above) of such controls.


Actions that will integrate knowledge obtained from this work into the Future System Requirements project

B1 Produce requirements for future system
Produce Future System Requirements Document: Produce a schedule of key system requirements that any future Horizon replacement platform should deliver against, as an underpinning baseline for the integrity of processing. This schedule would outline key control objectives, with current day control activities / Horizon Features and/or other examples cited to show how such control objectives could be addressed in any future system. The schedule should include matters that will support the delivery of such design confidence in efficient ways, providing foundations for preventative, detective and monitoring control activities. It could also highlight key questions for POL to consider, such as the longevity of data held in the Audit Store and the type of cryptographic mechanisms applied to the system.

Actions that may help POL move towards a more holistic programme of Assurance

This area is the more significant piece of work recommended in a broad context for POL to consider as a result of
our assessment.

The development of such a holistic assurance programme should be seen as a ‘strategic’ response to the issues
raised. If delivered successfully it will bring assurance benefits beyond the confines of assuring the integrity of
processing within Horizon.

Whilst not raised specifically below, such an exercise would first require the appointment of a role in POL who
would be responsible for the coordination of assurance across the whole organisation and the reporting of key
areas where assurance provision could be improved (a “Head of Assurance”). This would ensure that POL
Management and the Board have the ability to map, coordinate and assess assurance sources (and their quality)
on an ongoing basis for the organisation.

C1 Risk Workshop (see Note 1)
Risk Workshop: Conduct an exercise with key stakeholders in POL, including those in charge of Governance, to create a baseline understanding of risk and risk management concepts; share examples of how similar organisations manage, define and control key risks; and obtain suggestions and consensus as to if, where and how POL could become a more "Risk Intelligent" organisation and how reporting of risk and assurance matters could be improved.

C2 Construct Risk and Control Framework
Construct Risk and Control Framework: Extend and confirm the completeness of the Horizon Features which are designed to exert control over the Horizon processing environment. The framework can be used to prioritise key areas for improvement (including clarifications / the removal of ambiguity in existing sources) and embed agreed changes in current assurance sources. A key component for the construction of this risk and control framework is the initial information produced as part of our analysis and reproduced in Appendix 2. This Framework could be extended to cover POL's overall risk and control framework, not just those areas relevant to Horizon processing.

C3 Test Controls
Test Controls: Once the framework is verified as complete, key controls can be identified and evidence based testing performed to validate that they are operating effectively. Such operating effectiveness work could be performed on a sustained basis and could be delivered by an independent party in line with a recognised assurance standard. In addition, this exercise can be used to feed back on the design of the control environment so that it can be optimised (i.e. maximise coverage of key risks, with minimal duplication).

C4 Sustain Assurance Delivery and Implement More Proactive Monitoring (see Note 2)
Sustain Assurance Delivery and Implement More Proactive Monitoring: The longer term assurance map can be designed to sustain assurance delivery for POL over key risks. This may include a transition to a more proactively monitored control environment ('continuous controls monitoring'), where automated alerts are generated if certain key behaviours in the system are identified.


Notes:

1. Risk Workshop: Risk appetite statements may be considered as part of this exercise, but are typically found by
key stakeholders to be a different area to understand. Such statements are effectively matters which help an
organisation to avoid imprecise or open statements relating to risk, which do not assist with the effective
management of responses to such risks. Statements are mechanisms that also help management to define
parameters relating to risk, against which key decisions and escalation activities can be performed.

'Key risk indicators' are often a tool used by management, and those in charge of Governance, in these areas.
Whilst POL needs to consider its own risk statements and indicators, some examples of those that may be
worthy of consideration in relation to the integrity of processing in Horizon could include:

- The number of allegations or concerns raised by Sub-postmasters during a defined period;
- The number and value of adjustment postings being performed by FSC;
- The use of balancing transactions;
- The number of security incidents on the Horizon system during a defined period;
- The value of unreconciled differences between systems / ledgers;
- The number and nature of errors or exceptions in processing; and
- Key controls found not to be operating effectively in a period.

The above are not exhaustive and key risk indicators need to be considered thoroughly in response to the
particular risks and controls which are required in response to the risk universes formulated over the Horizon
processing environment.
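As an added example written for this page (not code from the report, from POL or from Fujitsu), the Python below shows one concrete form the monitoring and reconciliation controls missing from item (4)g of the Key Matters could take, and derives several of the key risk indicators listed above from the same data: it reconciles a branch's current-period ledger view against the Audit Store record for the same period, flags centrally initiated postings that carry no governed process reference, and computes the adjustment count and value, balancing transaction count and unreconciled value against simple escalation thresholds. The record fields, the origin labels, the process reference field, the thresholds and the sample data are constructed assumptions.

```python
"""Added example: reconciliation and key risk indicators over branch transactions.

Assumptions (not from the report): each transaction is a dict with an id, a
Decimal amount, an "origin" describing how it was initiated, and, for centrally
initiated postings, a "process_ref" tying it to a governed process.
"""
from decimal import Decimal

# Origins that are initiated centrally rather than at the branch counter.
CENTRAL_ORIGINS = {"balancing_transaction", "transaction_correction",
                   "transaction_acknowledgement"}

# Constructed sample: the branch's own current-period view of its ledger ...
BRANCH_VIEW = [
    {"tx": "T1", "amount": Decimal("25.00"), "origin": "counter"},
    {"tx": "T2", "amount": Decimal("-10.00"), "origin": "counter"},
    {"tx": "T3", "amount": Decimal("100.00"), "origin": "transaction_correction",
     "process_ref": "TC-0001"},
]
# ... and the Audit Store record for the same period, which carries one extra
# centrally posted balancing transaction with no process reference.
AUDIT_STORE = BRANCH_VIEW + [
    {"tx": "T4", "amount": Decimal("-500.00"), "origin": "balancing_transaction"},
]


def reconcile(branch_view, audit_store):
    """Return (tx, reason, amount) for transactions that differ between the sources."""
    bv = {r["tx"]: r for r in branch_view}
    au = {r["tx"]: r for r in audit_store}
    issues = []
    for tx in sorted(bv.keys() | au.keys()):
        if tx not in au:
            issues.append((tx, "missing_from_audit_store", bv[tx]["amount"]))
        elif tx not in bv:
            issues.append((tx, "missing_from_branch_view", au[tx]["amount"]))
        elif bv[tx]["amount"] != au[tx]["amount"]:
            issues.append((tx, "amount_differs", au[tx]["amount"] - bv[tx]["amount"]))
    return issues


def ungoverned_central_postings(records):
    """Centrally initiated postings lacking a governed process reference."""
    return [r["tx"] for r in records
            if r["origin"] in CENTRAL_ORIGINS and not r.get("process_ref")]


def key_risk_indicators(branch_view, audit_store):
    """Derive period indicators from the Audit Store record and the reconciliation."""
    central = [r for r in audit_store if r["origin"] in CENTRAL_ORIGINS]
    issues = reconcile(branch_view, audit_store)
    return {
        "adjustment_count": len(central),
        "adjustment_value": sum((abs(r["amount"]) for r in central), Decimal("0")),
        "balancing_transactions": sum(1 for r in central
                                      if r["origin"] == "balancing_transaction"),
        "unreconciled_value": sum((abs(amount) for _, _, amount in issues), Decimal("0")),
        "ungoverned_central_postings": len(ungoverned_central_postings(audit_store)),
    }


# Illustrative thresholds: any balancing transaction, any unreconciled value and
# any ungoverned central posting is escalated for review.
DEFAULT_THRESHOLDS = {
    "balancing_transactions": 0,
    "unreconciled_value": Decimal("0"),
    "ungoverned_central_postings": 0,
}


def breaches(indicators, thresholds=DEFAULT_THRESHOLDS):
    """Indicator names whose value exceeds the configured threshold, sorted."""
    return sorted(name for name, value in indicators.items()
                  if name in thresholds and value > thresholds[name])


if __name__ == "__main__":
    kris = key_risk_indicators(BRANCH_VIEW, AUDIT_STORE)
    for name, value in kris.items():
        print(f"{name}: {value}")
    print("escalate:", breaches(kris))
```

On the constructed data the reconciliation surfaces the one posting the branch never saw, the same posting is reported as ungoverned because it carries no process reference, and three indicators breach their thresholds. Running the same functions over each period's extract is the "continuous controls monitoring" step of recommendation C4; the thresholds are where POL's own risk appetite would be expressed.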

2. Sustain Assurance Delivery and Implement more Proactive Monitoring: Benefits of these activities could
include:

- Minimising duplication in the control framework, and the assurance activities thereon;
- Supporting targeted assurance provision in the context of existing or potential future allegations;
- Providing more measurable benchmarks of performance against other organisations;
- Underpinning further efficiencies in the assurance provision, for example the automation of existing manual
controls;
- Incentivising ongoing improvement in both the processes and the assurance provision, by highlighting
deficiencies on a timely basis and reporting these directly back to those business or outsourced
owners who need to take a remediation or corrective action; and
- Supporting the maintenance of the completeness of documentation over the Horizon Features.


Appendix 1: IT Provision Assurance Source Mapping and Gap Analysis

The mapping below outlines the more detailed IT Provision assurance mapping against IT Provision risks, as summarised in Section 4:

(The Coverage Rating columns against each assurance source are graphical in the source document and are not reproduced here.)

Area: Change Management
Environmental Risk: Data converted from legacy systems or previous versions introduces data errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCI DSS: Requirement 6: Develop and maintain secure systems and applications.

Area: Change Management
Environmental Risk: Inappropriate changes are made to system software (e.g., operating system, network, change-management software, access-control software).
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCI DSS: Requirement 6: Develop and maintain secure systems and applications.

Area: Change Management
Environmental Risk: Inappropriate changes are made to the database structure and relationships between the data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCI DSS: Requirement 6: Develop and maintain secure systems and applications.

Area: Operations
Environmental Risk: Financial data cannot be recovered or accessed in a timely manner when there is a loss of data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.14 Business Continuity Management
ISAE3402 Section: 4.8.2 Backup; 4.8.5 Incident Management; 4.8.6 Major Incident Process; 4.8.7 Security Incident Process
PCI DSS: Information System Operations not within scope for PCI DSS review.

Area: Operations
Environmental Risk: Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management
ISAE3402 Section: 4.8.3 Job Scheduling; 4.8.4 Availability and ... (intervening entries illegible in the source); 4.8.7 Security Incident Process
PCI DSS: Information System Operations not within scope for PCI DSS review.

Area: Security
Environmental Risk: Inappropriate changes are made directly to financial data through means other than application transactions.
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: Access to databases, data files, and programs (section number illegible in the source)
PCI DSS: Requirement 3: Protect stored cardholder data. Requirement 6: Develop and maintain secure systems and applications.

Area: Security
Environmental Risk: Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e., configurable settings, automated algorithms, automated calculations, and automated data extraction) and/or report logic.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCI DSS: Requirement 6: Develop and maintain secure systems and applications.

Area: Security
Environmental Risk: Individuals gain inappropriate access to equipment in the data centre and exploit such access to circumvent logical access controls and gain inappropriate access to systems.
ISO27001 Statement of Applicability: A.8 Human Resources Security; A.9 Physical & Environmental Security
ISAE3402 Section: 4.8.1 Physical and Environmental Controls
PCI DSS: Requirement 9: Restrict physical access to cardholder data.

Area: Security
Environmental Risk: Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: 4.8.10 Change Management
PCI DSS: Requirement 6: Develop and maintain secure systems and applications.

Area: Security
Environmental Risk: The network does not adequately prevent unauthorized users from gaining inappropriate access to information systems.
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: 4.8.9 Networks; 4.8.10 Change Management; 4.8.11 Security
PCI DSS: Requirement 6: Develop and maintain secure systems and applications. Requirement 11: Regularly test security systems and processes.

Area: Security
Environmental Risk: Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
ISO27001 Statement of Applicability: A.8 Human Resources Security; A.11 Access Control
ISAE3402 Section: 4.8.11 Security; 4.8.12 Access to databases, data files, and programs
PCI DSS: Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Appendix 2: Assurance Schedule over Horizon Features

We present below a schedule of the Assurance Work and sources we have identified which relate to certain groups of Horizon Features.
We have structured these in line with our three areas of assessment (System Baseline, IT Provision and System Usage), as defined in our report.
We have also recorded our assessment of the level of comfort that POL has over that Horizon Feature, defined as:

- “Significant” means we have seen Assurance Work that delivers comfort through evidence based testing by independent parties.
- “Partial” means we have seen Assurance Work in the form of descriptions in formal documentation, but no testing of implementation or operating effectiveness.
- “Limited” means we have seen Assurance Work that documents verbal assertions we received during our work.
- “None” means that Assurance Work has not yet been provided to us.

System Baseline

Columns: Area | Key Assertion re. Processing Integrity | Description of feature | Assurance Work Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual) | Level of Comfort

Baseline | The system was fit for purpose and worked as intended when first put in?
  Description of feature: The design of key elements of the Horizon system relevant to the integrity of auditing and capturing transactions was formally agreed and signed off prior to systems deployment.
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | The system was fit for purpose and worked as intended when first put in?
  Description of feature: Traceability Matrices have been documented, implemented and periodically reviewed to ensure that business requirement documents have been regularly reviewed against project progress.
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | The system was fit for purpose and worked as intended when first put in?
  Description of feature: During the initial implementation of the software, Key Project Governance mechanisms were put in place. Examples of such mechanisms include:
  - Working Group
  - Steering Group/Project board
  - Requirements Review Group
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Traceability Matrices have been documented, implemented and periodically reviewed to ensure that business requirement documents have been regularly reviewed against project progress.
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Key Project Governance mechanisms have been enacted and operated over significant changes to the system since implementation. Examples of such mechanisms include:
  - Working Group
  - Steering Group/Project board
  - Requirements Review Group
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | The system was fit for purpose and worked as intended when first put in.
  Description of feature: Prior to implementation into the live environment (and in some cases post) acceptance criteria in relation to key system elements important for auditing and capturing transactions were formally agreed and signed off.
  Assurance Work Source:
  - For Audit Store Baseline: Example acceptance criteria document entitled Acceptance Report 20070917BL01.13WIP (note no sign off of acceptance criteria is included within this document).
  - For 2011 Horizon Implementation (BRDB Baseline): Testing plans were provided in the document 'Copy of IT Health Check 23-07-2009.xls', a Risk Assessment of the project has been provided in 'Security All Risk Extract 090928 v2.xls' and Migration instructions have also been provided in the document 'Migration_Instructions.pdf'. Also a report by third party consultancy firm Wipro has been provided to demonstrate the project was delivered as planned in the document 'Horizon : Performance Test Audit Post Office Limited (POL)'.
  - For 2012 Data Strategy Foundation (External Feeds Baseline): Example acceptance criteria document entitled CFD New Requirements v1.11.xls (note no sign off of acceptance criteria is included within this document). Additionally, an example of a designed and reviewed Migration Strategy, titled 'Migration Strategy CFD v0.4', was provided, in addition to a Test Report, 'POLTSTREPOO10 - CFD E2E Test Report vO 1'.
  Control Type: Preventative
  Control Method: Manual

Baseline | The system was fit for purpose and worked as intended when first put in?
  Description of feature: The testing of key elements of the system important for the auditing and capturing of transactions was formally agreed and signed off and then delivered against.
  Assurance Work Source:
  - For 2011 HNG-X Implementation:
  - For 2012 Data Strategy Foundation: Test Strategy Document entitled 'Acceptance Testing Strategy' - authorised version dated 10/11/2011; Test Exit Report entitled 'Client File Delivery Report E2E - Exit Test Report', draft version 0.1 dated 06/01/2012.
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Sign off for design of significant change is formalised and documented.
  Assurance Work Source: 2005 Design Proposal ASDPRO27.doc; 2005 Audit Centera API Implementation DELLDO26.doc; 2002 Change Proposal CP3240.rtf; 2004 Change Proposal CP4021.rtf
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Acceptance criteria related to key areas such as the branch database and audit store.
  Assurance Work Source: 2002 Acceptance Test Specification IAACSO02.doc
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Test Strategy and Execution have been documented and signed off, and provide an adequate audit trail for the testing of key system features such as the Audit Store and Branch Database.
  Assurance Work Source: 2003 Acceptance Test Report IAACROO3.doc
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Independent Assurance over design of HNG-X system by Gartner.
  Assurance Work Source: No information provided.
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Programmes and projects affecting the Horizon system are controlled and governed using an established change methodology.
  Assurance Work Source: Harmony Delivery Lifecycle document
  Control Type: Preventative
  Control Method: Manual

Baseline | Major changes since implementation have not impacted the system.
  Description of feature: Independent Assurance report over testing procedures has been obtained.
  Assurance Work Source: Wipro performance testing report.
  Control Type: Preventative
  Control Method: Manual

IT Provision Assurance

Columns: Area | Key Assertion re. Processing Integrity | Description | Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual) | Level of Comfort

Provision | IT supporting processes are well controlled.
  Description: Management have established forums to oversee the performance of third party IT providers.
  Source: ISMF Minutes; FJS Security Report
  Control Type: Preventative

Provision | IT supporting processes are well controlled.
  Description: POL has documented end user control considerations to supplement third party service provider controls assurance reports.
  Source: POL End User Considerations Document
  Control Type: Preventative
  Control Method: Manual

Provision | IT supporting processes are well controlled.
  Description: Third party assurance reports are in place to ensure the overall control of the IT environment, including: ISAE 3402 reports, PCIDSS compliance report and ISO27001 certified accreditation.
  Source: ISAE3402 Report; PCIDSS Report
  Control Type: Preventative
  Control Method: Manual

Usage Assurance

Columns: Area | Key Assertion re. Processing Integrity | Description | Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual) | Level of Comfort

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Only baskets that balance to £0 can be accepted by the central database (double entry concept exists).
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Digital Signature is applied to each transaction basket at the point of counter inception to prevent downstream tampering.
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Transactional Acknowledgement and manual review process.
  Source: Verbal confirmation from Rod Ismay and Jane Smith in Finance Shared Services.
  Control Type: Detective
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Sequential numbering is applied to each counter basket prior to digital signature application to provide a 'baked in' sequence check.
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Oracle commit and roll-back process is atomic (i.e. either a complete transaction is posted or nothing is posted).
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: A fall back mobile link is in place to ensure that transactions are still processed in a timely manner.
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: A private cryptographic key is securely established for each transmitted basket.
  Source: Horizon Online Data Integrity_POL document.
  Control Type: Preventative
  Control Method: Automated

Usage | Directly posted transactions, such as "Balancing Transactions", are visible and approved.
  Description: Formalised change control approval and monitoring process over the usage of Balancing Transactions.
  Source: Email communication from John Simpkins dated 15/05/2014, articulating control design around this process.
  Control Type: Preventative
  Control Method: Manual

Usage | Directly posted transactions, such as "Balancing Transactions", are visible and approved.
  Description: An audit trail log is in place to monitor the use of balance transactions. The log is monitored by an independent department that does not have access to the function.
  Source: Email communication from John Simpkins dated 15/05/2014, articulating control design around this process.
  Control Type: Detective
  Control Method: Manual

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: JSNs are processed into the audit store and reviewed when users access audit store information. The Audit Store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate.
  Source: Technical Design Document for Audit Extract Process - DESAPPHLDO029.
  Control Type: Preventative
  Control Method: IT Dependent Manual

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Digital seals are in place to ensure that files are not amended following load to the Audit Store.
  Source: Technical Design Document for Audit Extract Process - DESAPPHLD0029
  Control Type: Preventative
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: The digital seal applied to the batched digital signatures ensures that any amendments to data leave a traceable audit trail.
  Source: Security Architecture Document; Network Architecture Document; Cryptography Architecture Document
  Control Type: Preventative
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: JSNs are processed into the audit store and reviewed when users access audit store information. The Audit Store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate.
  Source: BRDB Technical Design Document; Audit Technical Design Document
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Formalised change control approval and monitoring process over the usage of Balancing Transactions.
  Source: Email communication from John Simpkins dated 15/05/2014, articulating control design around this process.
  Control Type: Preventative
  Control Method: Manual

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Audit trail monitoring the usage of balance transactions.
  Source: Email communication from John Simpkins dated 15/05/2014
  Control Type: Preventative
  Control Method: Manual

Usage | Information from the Audit Store retains original integrity.
  Description: Logical access controls in place over user management to ensure that only appropriate staff have access to extract information from the audit store.
  Source: Audit Store Procedures
  Control Type: Preventative
  Control Method: Automated

Usage | Information from the Audit Store retains original integrity.
  Description: Hardware controls are in place to prevent the modification of data in the Audit Store.
  Source: Audit Store Procedures
  Control Type: Preventative
  Control Method: Automated

Usage | Information from the Audit Store retains original integrity.
  Description: JSNs are processed into the audit store and reviewed when users access audit store information. Audit store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate.
  Source: Audit Store Procedures
  Control Type: Detective
  Control Method: Automated

Usage | Information from the Audit Store retains original integrity.
  Description: The digital seal applied to the batch on data transfer is checked back to the initial seal to ensure that the hash value has not been altered.
  Source: Audit Store Procedures
  Control Type: Detective
  Control Method: Automated

Usage | Information from the Audit Store retains original integrity.
  Description: The integrity of the digital signature is checked for all baskets used in the extracts.
  Source: Audit Store Procedures
  Control Type: Detective
  Control Method: Automated

Usage | Information from the Audit Store retains original integrity.
  Description: Exceptions identified in integrity checks on digital seals or signatures or in the sequence check are formally raised and handled as part of day-to-day IT operational processes within the Tivoli Monitoring tool.
  Source: Audit Store Procedures
  Control Type: Detective
  Control Method: Automated

Usage | The system used by the Finance teams for control contains all records.
  Description: 3 way match between Branch Database, Transaction file and POLSAP load file.
  Source: Data Flow Diagram provided by Finance (Jane Smith)
  Control Method: IT Dependent Manual

Usage | Data posted from other systems and teams is visible to and accepted by sub post-masters.
  Description: Amendments posted centrally via transactional corrections must be approved by sub-Post Masters before they can be applied to the Branch Database.
  Source: Transactional Corrections Procedural Evidence
  Control Type: Preventative
  Control Method: Automated

Usage | Data posted from other systems and teams is visible to and accepted by sub post-masters.
  Description: Amendments posted centrally via transactional acknowledgements must be approved by sub-Post Masters before they can be applied to the Branch Database.
  Source: Branch Database Procedures
  Control Type: Preventative
  Control Method: Automated

Usage | Data posted from other systems and teams is visible to and accepted by sub post-masters.
  Description: For any outstanding (non-accepted) Transaction Acknowledgement or Transaction Corrections at month end, a formal resolution process exists which enables non-accepted items to be identified, held in suspense and actively investigated to the point of resolution with the Sub-postmaster. Business as usual resolution activities can be taken to conclude outstanding items and have them cleared down.
  Source: Rod Ismay
  Control Type: Preventative

Usage | Data posted from other systems and teams is visible to and accepted by sub post-masters.
  Description: Sub-postmasters have access to view all transactional records underpinning their current accounting period's ledgers. This information is used to support their daily branch cash declarations and reconciliation, their weekly balance of cash and stock reconciliation, and their monthly trading period roll over activities.
  Source: Branch Database Procedures
  Control Type: Preventative
  Control Method: IT Dependent Manual

Usage | Data posted from other systems and teams is visible to and accepted by sub post-masters.
  Description: All processes create an identifiable transaction in Horizon, with an audit trail to the originator in the Finance Services team. This transaction ID is protected by the JSN, digital signature and digital seal features.
  Source: Branch Database Procedures
  Control Type: Preventative
  Control Method: IT Dependent Manual

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Sub post-master must functionally approve the Transactional Acknowledgement file produced by the POLSAP system before items can be processed through to the branch database.
  Source: Branch Database Procedures
  Control Type: Preventative
  Control Method: IT Dependent Manual

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Formalised change control approval and monitoring process over the usage of Balancing Transactions.
  Source: Email communication from John Simpkins dated 15/05/2014, articulating control design around this process.
  Control Type: Preventative
  Control Method: Manual

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Audit trail monitoring the usage of balance transactions.
  Source: Email communication from John Simpkins dated 15/05/2014
  Control Type: Preventative
  Control Method: Manual

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Hardware controls are in place to prevent the modification of data in the audit store.
  Source: Audit Store Procedures
  Control Type: Preventative
  Control Method: Automated

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Database access privileges that would enable a person to delete a digitally signed basket are restricted to authorised administrators at Fujitsu.
  Source: ISAE3402
  Control Type: Preventative
  Control Method: Automated

Usage | DBAs or others granted DBA access have not modified Branch Database data.
  Description: Database access privileges that would enable a person to create or amend a basket and re-sign it with a 'fake' key, detectable if appropriately checked, are restricted to authorised administrators at Fujitsu.
  Source: ISAE3402
  Control Type: Preventative
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally?
  Description: TWS scheduler and monitoring processes are defined and formalised. Any issues or errors are reported and responded to by Fujitsu as part of day-to-day IT Operational activities.
  Source: ISAE3402
  Control Type: Detective
  Control Method: Automated

Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally.
  Description: Logical security access controls in place to minimise the risk of inappropriate access to the counter software within branch.
  Source: Security Architecture Document reference - ARCSECARCO003 section 6.2 and ISAE3402, PCIDSS and ISO27001 reports as well.
  Control Type: Preventative
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Logical security access controls are in place in relation to the Branch Database and audit store to ensure that only appropriate staff members have access. Key transactions and tables are monitored and activity is verified by an independent third party.
  Source: ISAE3402 report.
  Control Type: Preventative
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Database access privileges that would enable a person to delete Audit Store data are restricted to authorised administrators at Fujitsu.
  Source: ISAE3402
  Control Type: Preventative
  Control Method: Automated

Usage | Branch Ledger transactions are recorded accurately in the Audit Store.
  Description: Database access privileges that would enable a person to create new entries, re-sealing them with a valid (publicly available) 'hash', are restricted to authorised administrators at Fujitsu.
  Source: ISAE3402
  Control Type: Preventative
  Control Method: Automated

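The Usage rows above describe a chain of integrity controls: baskets must balance to £0, a sequential JSN is applied before the basket is signed so the sequence check is 'baked in', the audit store seal and each basket signature are re-checked on extract, and sequence gaps are raised as exceptions for investigation. The following is an added illustration written for this review, not Fujitsu or POL code; it assumes HMAC-SHA256 with a constructed key as a stand-in for the signature and seal algorithms (which the report does not specify) and uses constructed sample baskets.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the per-basket signing key described in the report.
# The real scheme (asymmetric digital signature, then a digital seal over the
# batch) is not specified on the page, so HMAC-SHA256 is used for illustration.
DEMO_KEY = b"constructed-demo-key"


def canonical(counter, jsn, lines):
    """Deterministic byte encoding of the signed fields: counter id, JSN and lines.
    Because the JSN is inside the signed data, it cannot be renumbered later
    without invalidating the signature (the 'baked in' sequence check)."""
    return json.dumps({"counter": counter, "jsn": jsn, "lines": lines},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_basket(counter, jsn, lines, key=DEMO_KEY):
    """Counter side: number the basket, then sign it. Amounts are pence; a
    basket holds the positive and negative legs of each transaction."""
    lines = [list(line) for line in lines]
    tag = hmac.new(key, canonical(counter, jsn, lines), hashlib.sha256).hexdigest()
    return {"counter": counter, "jsn": jsn, "lines": lines, "sig": tag}


def signature_valid(basket, key=DEMO_KEY):
    """Recompute the tag over the stored fields and compare in constant time."""
    expected = hmac.new(key, canonical(basket["counter"], basket["jsn"], basket["lines"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, basket["sig"])


def balances_to_zero(basket):
    """Double-entry check: the central database accepts only baskets whose legs sum to £0."""
    return sum(amount for _, amount in basket["lines"]) == 0


def accept_baskets(baskets, key=DEMO_KEY):
    """Central acceptance. Returns (accepted, exceptions).
    Signature and balance failures reject the basket (preventative); a JSN gap is
    still accepted but raised as an exception for investigation (detective)."""
    high_water = {}
    accepted, exceptions = [], []
    for b in baskets:
        ident = (b["counter"], b["jsn"])
        if not signature_valid(b, key):
            exceptions.append(ident + ("signature invalid",))
            continue
        if not balances_to_zero(b):
            exceptions.append(ident + ("basket does not balance",))
            continue
        expected = high_water.get(b["counter"], 0) + 1
        if b["jsn"] != expected:
            exceptions.append(ident + (f"non-sequential JSN, expected {expected}",))
        high_water[b["counter"]] = max(high_water.get(b["counter"], 0), b["jsn"])
        accepted.append(b)
    return accepted, exceptions


def seal_batch(baskets):
    """Audit-store seal over a batch: one hash chained over every basket signature."""
    h = hashlib.sha256()
    for b in baskets:
        h.update(bytes.fromhex(b["sig"]))
    return h.hexdigest()


def verify_extract(baskets, seal, key=DEMO_KEY):
    """On extract, re-derive the seal and re-check every basket's signature, so an
    amended record is caught whether or not its stored signature was touched."""
    return seal_batch(baskets) == seal and all(signature_valid(b, key) for b in baskets)


def demo():
    """Constructed sample run with one instance of each failure mode."""
    good1 = sign_basket("C001", 1, [("cash", 1000), ("stamps sale", -1000)])
    good2 = sign_basket("C001", 2, [("cash", 250), ("postage", -250)])
    gap = sign_basket("C001", 4, [("cash", 500), ("bill payment", -500)])  # JSN 3 missing
    unbalanced = sign_basket("C002", 1, [("cash", 999), ("stamps sale", -1000)])
    tampered = sign_basket("C003", 1, [("cash", 100), ("postage", -100)])
    tampered["lines"][0][1] = 10000  # amount altered after signing
    accepted, exceptions = accept_baskets([good1, good2, gap, unbalanced, tampered])
    seal = seal_batch(accepted)
    altered = [dict(b) for b in accepted]
    altered[0] = dict(altered[0], jsn=9)  # stored record amended after sealing
    return {
        "accepted_jsns": [(b["counter"], b["jsn"]) for b in accepted],
        "exceptions": exceptions,
        "extract_ok": verify_extract(accepted, seal),
        "altered_extract_ok": verify_extract(altered, seal),
    }
```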
Appendix 3: Inventory of Documentation Reviewed

The following documentation was reviewed during the course of our review:

Document Number / Document / Document Type

1 Horizon Core Audit Process (Powerpoint) Other sources of comfort
2 Fact file (updated with SS comments) Other sources of comfort
3 ISAE3402 Report over Fujitsu managed service on Horizon Assurance

4 Centrally Generated Transactions document Other sources of comfort
5 POL Summary of Horizon Anomalies Referred to in Second Sight Report Assurance

6 Report on Local Suspense (14 Branch) Issue Other sources of comfort
7 Report on Receipts Payments (62 Branch) Issue Other sources of comfort
8 Spot Review Bible Other sources of comfort
9 Horizon Data Integrity Document Other sources of comfort
10 Horizon Data Integrity Document Other sources of comfort
11 Fujitsu ISO27001 Certificate Assurance
12 ISO27001 Statement of Applicability produced by Fujitsu Assurance

13 PCI DSS Attestation of Compliance Assurance

14 PCI DSS Report by Bureau Veritas Assurance

15 ISMF Minutes for three months Other sources of comfort
16 Fujitsu Security Reports for three months. Other sources of comfort
17 Fujitsu Information Security Management System (ISMS) Scope Other sources of comfort
18 Horizon Solution Architecture Outline Other sources of comfort
19 Post Office to Driving & Vehicle Licensing Agency Automated Payments Client File Interface document Other sources of comfort
20 DVLA Internal Web Service High Level Design document Other sources of comfort
21 Security All Risk Extract Other sources of comfort
22 Migration Overview Document for Horizon system Other sources of comfort
23 Horizon Technical Security Architecture Other sources of comfort

24 Solution Architecture Document Other sources of comfort
25 Batch Processing Overview Document Other sources of comfort
26 EMC Centera Acceptance Test Report - IAACROO3 Other sources of comfort
27 Centera Accepting Testing Specification - IAACSO02 Other sources of comfort
28 Application Interface Design - DELLD026 Other sources of comfort
29 Audit Server Specification Design -TDDESO71 Other sources of comfort
30 Configuration Design - TDMANO06. Other sources of comfort
31 Configuration Design - TDMANO09 Other sources of comfort
32 Centera star OS upgrade to version 2.4 design proposal Other sources of comfort
33 Centera star OS upgrade to version 2.4 design proposal Amendment -CP4021 Other sources of comfort
34 Centera star OS upgrade to version 2.4 design proposal Amendment -CP3241 Other sources of comfort
35 Exception and Event Guide - TDMANO07 Other sources of comfort
36 Functional Separation - CRFSPOO6 Other sources of comfort
37 High Level Design - SDHLDO001 Other sources of comfort
38 Audit Data Retrieval - SDHLD002 Other sources of comfort
39 Centera Migration HLD - TDIONO39 Other sources of comfort
40 Centera - High Level Test Plans - VIHTP014 Other sources of comfort
41 Horizon System Audit Manual - IAMANOOS Other sources of comfort
42 Low Level Design Document Other sources of comfort
43 Centera Operational Procedures - TPMANO08 Other sources of comfort
44 Centera - Performance Test Specification - TDLLTOO8 Other sources of comfort
45 Centera Support Guide - TDMANO17 Other sources of comfort
46 Centera Support Guide - TDMANO18 Other sources of comfort
47 Centera Test Report - VITRPO29 Other sources of comfort
48 Centera User Guide - TDMANO05 Other sources of comfort
49 Data Strategy Foundation - 04 - G149 Data Strategy Foundation - Client File Transfer - PODG Closure v2 0 Other sources of comfort
50 Data Strategy Foundation - CFD New Requirements v1.11 Other sources of comfort
51 Data Strategy Foundation - Data Strategy Foundation Test Strategy V10 Other sources of comfort
52 Data Strategy Foundation - Migration Strategy CFD v0.4 Other sources of comfort
53 Data Strategy Foundation - POLTSTREPOO10 - CFD E2E Test Report vO 1 Other sources of comfort

54 Data Strategy Foundation - Revised business case CFD 24 11 10 Other sources of comfort
55 Horizon Technical Network Architecture - ARCNETARCOO01 Other sources of comfort
56 Horizon Crypto Services High Level Design -DESSECHLD0002 Other sources of comfort
57 E2E data flows Other sources of comfort
58 idocs involving settlement Other sources of comfort
59 Process Management Systems Diagram (Version 14 - 24.10.2011) Other sources of comfort
60 AR11.005 - Horizon controls Other sources of comfort
61 AR12.050 - Horizon follow up Other sources of comfort
62 AR12.050a -Follow-up Horizon May2013 Other sources of comfort
63 Horizon Counter Application High Level Design - DESAPPHLD0047 Other sources of comfort
64 COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL Other sources of comfort
65 Horizon Operational and Support Services Requirements Other sources of comfort
66 ACCEPTANCE REPORT FOR DESIGN WALKTHROUGH EVENT DW03 - SECURITY. Other sources of comfort
67 Draft Deloitte Phase 2 Instructions (RDW 07 05 14)2 Other sources of comfort
68 Phase 2 - Areas of Focus diagram (DRAFT v1) Other sources of comfort
69 Project Zebra - Phase 2 Potential Next Steps v3 Other sources of comfort
70 REQAPPAIS1392v3.2.PayStation.ETL Other sources of comfort
71 REQAPPAIS1391v2.1.PoGo.ETL. Other sources of comfort
72 Acceptance Report 20070917BL01.13WIP. Other sources of comfort
73 All Streams Plan vsn 0.98 Other sources of comfort
74 BC PLA 001 v 0.3 Other sources of comfort
75 BC020 HNG PD Potential Risks and Issues Register v1.0 Other sources of comfort
76 Change Management Assessment Template Other sources of comfort
77 DES SEC HLD 0010 v 1.0 Other sources of comfort
78 Engagement Meeting Log Notes v1.2 Other sources of comfort
79 Gartner Report Findings 1.1 with Appendix Assurance

80 HARMONY Full Guide 1.1a Other sources of comfort
81 HARMONY Full Guide 1.1a Other sources of comfort
82 HNG Benefits Tracking in confidence May 08 final Other sources of comfort
83 HNG Board Report 080408 Other sources of comfort
84 HNG PID v1.3 Other sources of comfort
85 HNG Reqts Team Meeting 050606 Other sources of comfort
86 HNG Risk and Issues 070424LY Other sources of comfort
87 Horizon Testing Strategy - HXTSROO1 Other sources of comfort
88 In Touch report for HNG 080418a Other sources of comfort
89 In Touch Report for HNG 081205 Other sources of comfort
90 POL HNG IMP 002 v 1.0 Other sources of comfort
91 POL HNG REQ.014 Other sources of comfort
92 QRHO31 HNG Reats PID v0.1f Other sources of comfort
93 ACCEPTANCE REPORT FOR Horizon ACCEPTANCE GATEWAY 1 & 2 - REQ GEN ACS 0001 v0.2 Other sources of comfort
94 Horizon GENERIC ACCEPTANCE PROCESS -REQGENPROO735 Other sources of comfort
95 Stakeholder Engagement Log_091218 Other sources of comfort
96 Test Report for the Integrity Testing of Horizon Data-centre Disaster Recovery - Week Commencing 1st September 2008 - SVMSDMREPOO0S Other sources of comfort
97 Wipro - Horizon : Performance Test Audit Post Office Limited ( POL) Assurance
98 DVLA Internal Web Service High Level Design - DESAPPHLD0012 Other sources of comfort
99 Audit Data Retrieval High Level Design - DESAPPHLD0029 Other sources of comfort
100 Audit Data Collection & Storage High Level Design - DESAPPHLD0030 Other sources of comfort
101 Horizon Counter Application High Level Design - DESAPPHLD0047 Other sources of comfort
102 COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL -DEV

CNT CTP 0068 v 2.1 Other sources of comfort
103 DVLA AP Client File AIS Other sources of comfort
104 Product Branch Accounting - Issuing Process for Transaction corrections v0.1 Other sources of comfort
105 Audit Data Collection and Storage High Level Design Other sources of comfort
106 Data Flow - Transaction Processing for client file delivery Other sources of comfort
107 Other sources of comfort

Data Flow - NBSC Miskey Process - Network Banking

With the prior permission of POL, the following individuals were interviewed or consulted during the course of our review:

Contact Name      Job Title / Role                                          Organisation
Dave King         Senior Technical Security Assurance Manager               POL
Julie George      Head of Information Security and Assurance Group          POL
Rod Williams      Litigation Lawyer                                         POL
James Davidson    Fujitsu Primary Point of Contact                          Fujitsu
Pete Newsome      Quality responsibility                                    Fujitsu
Will Russell      Regional Network Manager NT - South                       POL
Phil Norton       Horizon Requirements responsibility                       Atos
James Brett       Senior Test Manager — Post Office Account                 Atos
Bill Membery      Requirements/Testing responsibility on Horizon            Fujitsu
Gareth Jenkins    Distinguished Engineer                                    Fujitsu
Neil Crowther     Senior Business Analyst                                   POL
Matthew Lenton    Document Management responsibility                        Fujitsu
Rod Ismay         Head of Finance Service Centre                            POL
Jane Smith        AP Enquiry Team Leader, Finance Service Centre            POL
Dave King         Senior Technical Security Assurance Manager               POL

Appendix 4: Engagement Letter
Deloitte.

[illegible] subject to legal professional privilege.

Nathaniel Beatle

[illegible] 9 April 2014

You have advised us that all correspondence and all preparatory papers for any report we might make [illegible].

In order to respond better to the Allegations, You require services from us, as outlined in paragraph 2 [illegible]. [illegible] will establish direct working relationships with the appropriate people working on the Client Team. So that we are able to assist You effectively, please ensure that You have considered fully all of the [illegible].

[illegible] would need to agree a separate engagement letter for [illegible].

In order to respond better to the Allegations (which have been, and will in all likelihood continue to be [illegible].

For the [purposes] of this [Contract], we are advised that the client POL will consist of [illegible].

We understand that the input provided by Deloitte will inform Your decisions relating to potential [illegible] of additional work that You may choose to commission to respond better to the Allegations, and (b) Services [illegible] Change Order or separate Engagement. Part 1 of our Services will provide the following:

[illegible] matters that we may deem necessary to complete our Deliverable.
• Obtain an understanding of the key differences between the current Horizon HNG-X processing environment, and the system which this replaced (hereto referred to as the "legacy Horizon system");

• Review, and [illegible] the investigations, assurance and remediation actions which You or third parties have undertaken (see Appendix 1 for the "Sources of Information" known to be within scope at this stage), focussing on three primary areas:

  o Work that has been performed to assure the design and operation of key control activities that created and preserve the integrity of processing across the Horizon HNG-X environment (the Audit Store);

  o [illegible] with the DVLA third [party] [illegible] that created and preserve [illegible] [party] system and the Horizon HNG-X [illegible];

  o Investigations and actions that have been taken in response to the thematic findings of Second Sight, as outlined in Your supplied document "POL Summary of Second Sight anomalies" (see Appendix 1).

• Hold discussions with relevant members of Your staff and other key stakeholders as pre-agreed with You, to deliver the work outlined above;

• Prepare the Deliverable outlined in section 2(d) below;

• Attend twice weekly meetings or conference calls with Your Client Team, to explain our approach, status of work and the commentary within our Deliverable; and

• Carry out any other work required by You which is reasonably incidental to the above.

[illegible] opine on its adequacy, sufficiency or conclusions, or the integrity of the Horizon HNG-X processing environment (nor the legacy Horizon system).

As engagement requirements are discussed, clarified and agreed further, we will outline the additional scope and timeline for such work via the Change Order process as set out in Appendix 2. Any Part 2 work You require us to perform will be agreed under these Change Order processes. This may include, but will not be limited to:

• Testing on data held within the system audit trail, to assess (for example) conclusions previously drawn by Fujitsu into the extent of known deficiencies;

• Assessment and profiling of system audit trails, to look for characteristics of and trends in unusual behaviours in the system transactional core;

• Enquiry into and testing of the nature and extent of unit, system and user acceptance testing of the Horizon HNG-X processing environment, during its implementation;

• More detailed consideration as to any aspects of the internal control environment which operate over the current Horizon HNG-X processing environment which were not in place or operating over the legacy Horizon system;

• Understand the nature and extent of interfaces with other third party systems and test the operating integrity of dataflow to and from certain of these systems; and

• Testing of responses to thematic concerns raised by other independent reviews.

The scope of our [engagement] will be limited solely to the [illegible] and Deliverable[s] [illegible]. We will [illegible] and will not cover any other aspect.

Our work will be performed through a combination of desk based inspection of documentation, corroborative enquiry and through third party provided evidence or contact, as agreed between You and us.

(c) Our responsibilities

In performing the Services, we will be responsible for:

• [illegible] to produce our [Deliverable]; and

• confirming the factual accuracy of our report with You.

You [accept] that, other than as [set out] in the Services section above, we will not [illegible] or [illegible] verify the information given to us in the course of the Services. In particular, unless otherwise instructed by You to do so, we will not perform or [illegible] any [illegible] work that [tests] the design and operational effect[iveness] of any [controls] over the Horizon processing environment.

Our work will be limited by the time and the information available. Whilst we will report our findings in accordance with the agreed scope of work having considered the information provided to us in the course of carrying out the [Services], additional information that You may regard as [relevant] may exist that is not provided to (and therefore not [considered] by) us. [Accordingly], our Deliverable[s] and our work should not be relied upon as being comprehensive in such [respects]. We accept no responsibility for matters not covered by or omitted from our Deliverable(s) due to the specific nature of our work [or] instructions from You.

In particular, we note that, in certain respects, we will be reliant on the integrity of those people whom we interview, and that our ability to corroborate and test what we have been told may be limited by the available information.

We shall discuss with You any difficulties we encounter with completing our work should any problems arise.

You [acknowledge] that You are [responsible] for [establishing] and maintaining an effective internal control [system] [illegible]. Nothing in our work [illegible].

The scope of our Services and our responsibilities will not involve us in performing the work [illegible] for the [purpose] of providing [illegible], nor shall we provide any [illegible] on the [illegible], proper compilation or clerical accuracy of any plan, budget, projection or forecast ("prospective [financial information]") nor the [illegible] of the underlying [illegible]. Since any [prospective] financial information relates to the future, it may be affected by unforeseen events. Actual results are likely to be different from those projected because events and circumstances frequently do not occur as expected, and those differences may be material.


(d) Format and use of the Deloitte Deliverables

The format and timing of the reports (the "Deliverables") issued by us will be agreed with You. The content of such Deliverables is expected to be an executive summary and a written report, as follows:

Executive Summary:

• A summary of our objectives, approach, work performed and observations, suitable for Board [presentation] and [discussion] at its meeting on [illegible] April 2014 (noting [illegible] of Your responsibilities, below).

Written Report:

• [Introduction] - [outlining] the context of our [work] and the scope of work;

• Our Approach — outlining the procedures we have adopted in the delivery of our work, those [illegible] and the [illegible] we have [illegible];

• [Understanding] the HNG-X [processing environment] - based on the [illegible] overview:

  o Relating to the Technical processing environment — envisaged to be a description of technical matters of the Horizon HNG-X system, consisting of, where information is provided to us:

    - key statistics relating to the processing environment and its range of functions (as stipulated by Fujitsu) including the design and operation of the data integrity protocols (the Audit Store);

    - [illegible] software components, hardware components, [illegible];

    - [illegible] including the timing of its implementation, the [illegible] security management, system operations (including error handling procedures, follow-up and resolution), [illegible] support and system recovery, and assurance responsibilities over these key controls.

  o Relating to the User environment - envisaged to be a description of the usage environment of the Horizon HNG-X system, consisting of, where information is provided to us:

    - a description of the types of users in the system and the physical environments in which Horizon HNG-X is accessible;

    - the types of transactions processed by the system and, at a reasonable level, how [illegible] preserved;

    - how [illegible] daily, weekly, monthly, quarterly and annual reconciliation [illegible];

    - the [illegible] of key [illegible] and other ad hoc [illegible] that are [illegible];

  o [Summary] of the categories of the logged deficiencies in Horizon HNG-X;

• An Assurance Map - showing those sources of Your assurance which You have shared with us and the areas of key risk relating to the integrity of processing that these were designed to assure;

• Matters for Consideration - an assessment of Your Assurance Map in the context of Your objectives and significant matters we have observed during our work that we recommend You consider further.

Any Deliverable should not be copied, referred to or quoted to any other party, except in the context of Your defence of the Allegations, or be used for any other purpose. We draw Your attention to clause 5 of the enclosed Terms of Business that sets out the conditions under which the Deliverables will be provided to You.

In the event that You wish to share our Deliverable with third parties, we may consent to such a course subject to us receiving "hold harmless" undertakings (or their equivalent). These procedures notify them that:

• the disclosure to them will not create any duty, liability or responsibility whatsoever to them in relation to our Deliverable or any of its contents;

• the Deliverable was not prepared for their use or with their needs or interests in mind; and

• they should keep our Deliverable confidential and not copy or circulate our Deliverable, or any extracts of them, to any third party without our express written permission.

We understand that You are unlikely to make any public announcements which would refer to our work. If this situation changes however, You agree that You will not make any such public announcement(s) on this matter referring to Deloitte or our work in any way without providing prior notification of the wording of any public announcement to us and without our prior written consent to such wording, such consent will not be withheld unreasonably.

3 Client Responsibilities and Assumptions

(a) Client Responsibilities

In connection with the provision of the Services, we refer You to clause 3 of the enclosed Terms of [Business]. These [set out] Your [responsibilities] for the [provision of information] and [illegible] in [connection] with the [Services] we are to provide. In addition, our delivery of the Services is [dependent] upon Your completion of the following:

• You [acknowledge] and agree that our [performance] of the Services is [dependent] on the timely and effective completion of Your own activities and responsibilities in connection with this engagement, as well as timely decisions and approvals by You;

• You agree to making available to us all information You deem relevant to this review;

• You agree to providing timely access to relevant personnel in order for us to obtain sufficient information to inform our understanding and report;

• Unless we are otherwise instructed, You agree to carrying out all contact with third parties;

• You agree to providing a nominated point of contact for us throughout the work;

• You agree to provide a room for our team and secure storage facilities for paperwork, if required, at 148 Old Street, London; and

• You agree to assess the Deliverable we provide to You, to determine the most appropriate courses of action for You.

The responsibilities set out above and those contained in clause 3 of the Terms of Business are together referred to in this Contract as the "Client Responsibilities".

(b) Assumptions

The Services, Charges (as set out in Section 4 below) and timetable are based upon the following assumptions, [illegible] by You [illegible]:

• Horizon HNG-X is also known as Horizon Online in Your organisation. We will refer to the processing environment as Horizon HNG-X throughout our work. The system which Horizon HNG-X replaced will be referred to as "the legacy Horizon system";

• Only matters relating to the Horizon HNG-X processing environment will be considered in our review. We will not consider any information relating to the legacy Horizon system, with the [exception] of that necessary for us to obtain an understanding of key enhancements that the Horizon HNG-X delivered when it was implemented;

• Deloitte will not provide a legal or any other opinion at any point throughout the work;

• That sufficient information is available on a timely basis regarding the scope of Services and Deliverables for us to be able to carry out our work;

• That all pertinent information relating to the nature of the Allegations against You has been provided to us such that we are fully aware of the detail of the Allegations;

• Unless otherwise instructed, that Deloitte staff will have no direct contact with any third parties other than named Fujitsu contacts that You provide to us;

• The individuals we may need to interview will be available to us for sufficient time for us to perform our work during the period of our assessment and third parties can be contacted on a timely basis by You to request further information should this be required;

• Deloitte will not verify or test any information provided directly by You, or indirectly by third parties via You;

• Deloitte will adopt a time limited approach to our work, operating to key milestone dates dependent on the accuracy of our assumptions and the fulfilment of Your responsibilities, above; and

• Deloitte will not review any contractual provisions in place between You and third parties.

(c) Client contacts

We understand that Rodric Williams, Litigation Lawyer, will be Your nominated point of contact and that requests for information and documentation should be copied to Belinda Crowe.

4 Our Charges

We will base our charges upon the actual time and materials incurred, plus out-of-pocket expenses and applicable value added tax. The billing rates we will apply match those of previous specialist advisory work which we have performed for You in 2013.

We estimate that the Part 1 work will take 15 days of senior time. [illegible] over our fees, we will cap our total fee for Part 1 work [illegible] (plus VAT and out of pocket expenses). Charges for work done under a Change Order will be based on the rate card below (in addition to this fee cap for the Part 1 work), unless otherwise agreed.

[Rate card illegible in scan]

If during the course of our work, or Change Order there-under, a need for ancillary specialist [illegible] not specified [in] this Contract is [identified], agreement [as to] the [illegible] and [related] charges will be obtained before any expenditure is incurred.

5 Terms of Business and Liability Provisions

The enclosed Terms of Business form an integral part of the Contract between us and Your attention is drawn to them. You agree that for the purpose of clause 6 of these Terms of Business, our aggregate liability arising from or in any way in connection with the Services shall not exceed £750,000.

6 Variations

If You [illegible] wish to propose or request any addition, modification or other change to the Services required under this Contract, we each agree to follow the change control procedures described in Appendix 2.

Acknowledgement and acceptance

We appreciate the opportunity to be of service to You and look forward to working with You on this assignment. You can be assured that it will receive our close attention.

If, having considered the provisions of this Contract You conclude that they are reasonable in the context of all the factors relating to our proposed appointment and You wish to engage us on these terms, please let us have Your written agreement to these arrangements by signing and returning to us the enclosed copy of this letter.

Yours faithfully

GRO

[illegible] POL [agrees to] the [appointment] of Deloitte LLP on and subject to [the terms of] the Contract set out in this Engagement Letter and its [enclosures].

Appendix 1 - Sources of Information
Appendix 2 - Change Control Procedures
Appendix 3 - Template Change Order
Appendix 4 - Deloitte LLP Terms of Business, Consulting and Advisory Services


APPENDIX 1
ENGAGEMENT LETTER DATED 9 APRIL 2014
SOURCES OF INFORMATION

For Part 1 work, we will use the following sources of information which have been provided by You:

1. "Horizon Core Audit Process" which outlines how Horizon HNG-X has been designed to operate;

2. "Draft Factfile" which deals with how POL uses Horizon HNG-X in the branch network;

3. "Description of Fujitsu's System of IT Infrastructure Services supporting Post Office Limited's POLSAP and HNG-X applications" which outlines the environment in which Horizon [illegible];

4. "Table of the deficiency themes" which outlines areas that underlie some of the allegations that Horizon HNG-X is defective;

5. "POL Summary of Second Sight anomalies" which is an internal POL summary of the anomalies within Horizon HNG-X referring to paras 6.4 to 6.10 of Second Sight's July 2013 Report;

6. Fujitsu's response on the "Local Suspense" / 14 Branch anomaly;

7. Fujitsu's response on the "Receipts Payments" / 62 Branch anomaly;

8. The "Spot Review Bible", which contains the ten "Spot Reviews" sent to POL and POL's responses (cf para 2.7 of Second Sight's July 2013 Report);

9. Fujitsu's "Horizon Data Integrity" document, which provides a technical description of the measures built into Horizon HNG-X to ensure data integrity, including a description of several failure scenarios, and descriptions as to how those measures apply in each case;

10. Fujitsu's "Horizon Online Data Integrity for Post Office Ltd" document, which provides a [illegible] of the [illegible] that are built into HNG-X to ensure data [integrity];

13. The Post Office Horizon PCI DSS [illegible];

16. The last 3 published Post Office ISM minutes with Fujitsu; and

17. The last 3 Fujitsu Security Ops Reports.

Additional documents may be provided by You as part of our engagement. The full list of information sources will be disclosed in our Deliverable.

APPENDIX 2
ENGAGEMENT LETTER DATED 9 APRIL 2014
CHANGE CONTROL PROCEDURES

1. If at any time either party wishes to request or recommend any addition, modification or other change to the Services or performance required under the Contract (a "Change"), the party proposing the Change will submit a written request for the Change (a "Change Request") to the other party.

2. All Change Requests will require the authorisation in writing by the named person who has signed the Engagement Letter for and on behalf of the Client, in the case of Change Requests initiated by the Client, or the Deloitte client service partner as specified in the Engagement Letter in the case of Change Requests initiated by Deloitte.

3. Deloitte will investigate the implications for the Contract of implementing each Change Request, and prepare and submit to the Client a proposed Change Order, in the form attached as Appendix 3, in respect of such Change Request. If in a party's judgement, the time to evaluate and respond to one or more Change Requests, because of their magnitude, complexity or frequency, may result in a delay in the Services, that party will notify the other party. The parties will then need to agree an appropriate course of action.

4. The Client will notify Deloitte in writing of its decision as to whether or not it wishes to implement the proposed Change as soon as reasonably practicable but in any event [no] later than 5 days (or such other period agreed by the parties) after receipt of the Change Order submitted by Deloitte. Should the parties wish to proceed with the proposed Change, the Change Order shall be signed by the named person who has signed the Engagement Letter for and on behalf of the Client and the client service partner, or other authorised representatives (such signed document being referred to as a "Change Order").

5. Neither party is obliged to proceed with any proposed Change (and the related changes) and no Change (and related changes) will be effective and enforceable against a party, unless and until a Change Order for that Change is signed on behalf of both parties. Until the Change Order for any proposed Change is signed, Deloitte will continue to perform and be paid for the Services as if the Change had not been proposed.

6. Deloitte shall be [entitled] to charge for all costs and [illegible] in investigating the implications of a Change Request, whether or not a Change Order is signed in respect of such Change Request.

APPENDIX 3
ENGAGEMENT LETTER DATED 9 APRIL 2014

CHANGE ORDER NUMBER [ ]

This Change Order (including any appendices, schedules, and/or attachments), records agreed changes to the [Contract] [illegible] and may only be amended in writing signed by authorised representatives of [both parties].

The section(s) of the Engagement Letter set forth below and any prior Change Order(s) or amendments thereto is/are hereby [amended], effective as of [ ], by the following text:

Scope and objectives

Our Services and responsibilities

Client Responsibilities and Assumptions

Our Charges

Consequential changes to the Contract

Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged. Please indicate Your agreement to the terms of this Change Order by signing and returning to Deloitte the enclosed copy of this Change Order.

Yours faithfully,
Deloitte LLP

Agreed by Post Office Ltd:

For and on behalf of Post Office Ltd

Printed Name:
APPENDIX 4
ENGAGEMENT LETTER DATED 9 APRIL 2014
DELOITTE LLP TERMS OF BUSINESS, CONSULTING AND ADVISORY SERVICES

[Terms of Business text illegible in scan]

Appendix 5: Change Order 01

Deloitte.

ENGAGEMENT LETTER DATED 09 APRIL 2014
CHANGE ORDER NUMBER 01 (VERSION 2)

06 May 2014

Dear [illegible]

This Change Order (including any appendices, schedules, and/or attachments), records agreed changes to the Contract between Deloitte LLP ("Deloitte" or "we") and Post Office Ltd ("POL" or "You") dated 09 April, 2014, as amended by prior agreed Change Orders or amendments thereto. This Change Order constitutes the entire understanding and agreement between the Client and Deloitte with respect to the changes set out in this document, supersedes all prior oral and written communications with respect to such changes (including, but not limited to Change Requests), and may only be amended in writing, signed by authorised representatives of both parties.

The section(s) of the Engagement Letter set forth below are hereby amended, effective as of 6 May 2014, by the following text:

1 Project scope and objectives

Your project scope and objectives remain as previously described within our engagement letter dated 09 April 2014.

2 Our Services and responsibilities

Our services within 2(b) of our contract dated 09 April 2014 will be amended to include the two following extension areas:

Extension Area 1:

Deloitte will continue to review further supplied documentation relating to the 2010 implementation of HNG-X and other key project documentation supplied by POL, in order to compare the [nature] and extent of project governance and documentation with the Deloitte methodology. The assessment will include a review of documents that outline if and how transactional branch dataflows and Audit Store features of the system were impacted by the implementation.

In addition Deloitte will assess documentation relating to sign-off of business requirements as well as the project's testing strategies and testing assurance provision.

Deloitte will integrate a description of our approach, findings and recommendations from this work into our deliverable.


Extension Area 2:

Deloitte will review further documentation relating to the specific design features of the processing environment which are asserted to be in place to underpin two key objectives:

1. That sub-post masters have full ownership and visibility of all records in their Branch ledger;

2. That the Branch ledger records are kept by the system with integrity and full audit trail.

Deloitte will produce a schedule of these specific design features, identified only through desktop review of documentation provided by Post Office, and use this to assess whether the existence of the specific design feature has been tested and/or assured. Deloitte will comment on the 2 points above in this context.

Deloitte will not [comment] on the quality of [illegible] and will not perform any [illegible] or operating effectiveness testing.

Deloitte's work, still based on desktop review procedures, will also include:

• Corroboration with an appropriate Deloitte [illegible] [illegible] the Audit Store's [illegible];

• [illegible] the control design features;

• Highlighting the design features where further implementation or operating effectiveness testing should be considered by POL to provide further assurance to the Board.

Deloitte will integrate a description of our approach, findings and recommendations from this work into our deliverable.

In addition to the above areas of additional service, Deloitte will support the delivery of ongoing project update meetings with POL stakeholders [and] prepare a Board Update document (marked as Draft) at close of our work on the Tuesday 13th May 2014 and Friday 16th May 2014.

4 Our Charges

Our time charges for this additional work will be charged on a time and materials basis, in line with the rate card shown in our original Engagement Letter.

5 Consequential changes to the Contract

Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged.

Please indicate your agreement to the terms of this Change Order by signing and returning to Deloitte the enclosed copy of this Change Order.

Yours faithfully,
Deloitte LLP

Agreed by Post Office Limited:

GRO

For and on behalf of Post Office Limited

Printed Name: [illegible]
Position: General Counsel
Date: [illegible]

© Deloitte LLP
Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our work and are not necessarily a comprehensive statement of all the weaknesses that may exist or all improvements that might be made. Any recommendations made for improvements should be assessed by you for their full impact before they are implemented.

Deloitte LLP

London
May 2014

In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom
member firm of Deloitte Touche Tohmatsu Limited ("DTTL”), a UK private company limited by guarantee, whose
member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed
description of the legal structure of DTTL and its member firms.

© 2014 Deloitte LLP. Alll rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom

Metadata

Filename: 6.12 Project Zebra Consolidated Report Draft Subject to Change 21_08_2014 18_ (1).pdf