POL00029726
Deloitte. STRICTLY PRIVATE AND CONFIDENTIAL
As at 16/5/14, subject to completion of work
Deloitte Ref: Board Summary 160514 v2
SUBJECT TO LEGAL PRIVILEGE
Board Update at 16/5/14
Our findings below are subject to the content of our final report, which will be issued on Friday 23rd May. Our final
report will contain further details on our approach, the matters we have identified and those actions we recommend
management consider which could provide further, evidence-based assurance to the Board, if required.
Summary
From our desktop-based review of the documentation noted below, supplemented by verbal assertions, nothing
has come to our attention that suggests there are significant deficiencies in the identified design features of the
Horizon processing environment that underpin sub-postmaster ownership and visibility of their Branch ledgers
and the integrity of audit trails kept by the system.
Overall, a significant volume of documentation exists relating to the Horizon processing environment. The extent
and nature of this documentation is comparable to that typically seen in similar organisations, where IT activities
are outsourced and formal risk-orientated work is not mandated. In organisations with mandated approaches
to risk and control, we typically observe a greater level of end-to-end, risk-orientated documentation and testing.
Day-to-day IT activities performed by POL's IT outsourcing partner are governed by a formalised risk and control
framework, with supporting documentation and procedures, and these have been independently tested
against a recognised assurance standard.
In other areas necessary to the integrity of the processing environment, Post Office is reliant on the fully effective
implementation and operation of the design features described verbally or in documentation. In many of
these areas, further assurance could therefore be obtained by updating documentation and
performing more evidence-based testing.
/
Key Findings
1. Assurance over the system baseline
The implementation of HNG-X in 2010 was based on Royal Mail's "Harmony" project governance methodology.
Project documentation exists which shows that governing activities over the project occurred, such as Project
Board minutes, risk logs and test plans. In addition, Wipro provided independent assurance that this Project's
approach to performance testing was effective. These Project Governance activities are comparable to what we
would expect to see in similarly regulated organisations.
Provision and examination 0. _<umentation from other Projects has not identified sources of comfort for the Board
which assure the baseline design and operation of system features that support processing integrity. We note that
Fujitsu were planning independent work in this area in July 2012, but did not progress the review following POL's
appointment of Second Sight.
2. Assurance over the system provision
The assurance relating to the current-day activities of IT and Fujitsu's system provision adopts and delivers good
practice. As noted above, a formal IT risk assessment has been performed and an IT control framework produced
and independently assured, under a recognised assurance standard (ISAE 3402).
A number of third party systems are referenced by the Horizon processing environment, on a day to day
operational basis. Documentation indicates that such data flows do not significantly impact the design features that
underpin the integrity of the transactional system and the underlying Audit Store.
BOARD UPDATE AT 16/5/14 — Subject to completion of work and our final deliverable on 23/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
The Audit Store's integrity is reported to be underpinned by the use of specialist technology, which fundamentally
protects data within that environment from alteration, once it has been written. Documentation to support this has
been requested. Design features are also documented which underpin the completeness and accuracy of data kept
in the Audit Store, and that of subsequent reports generated from the Audit Store.
3. Assurance over system usage
Detailed documentation relating to the system has been produced, largely by technically competent professionals,
familiar with the detailed design of Horizon. Based on the documents we have seen, this work is extensive and
contains information relating to the key design features of the system. In order to provide greater comfort over the
completeness of these design features, certain specific areas could be assessed and documented through a risk,
rather than operational, lens.
Relating to wider business use activities, verbal confirmation has been received that processes are designed to
ensure that sub-postmaster ownership and visibility of their Branch ledgers is maintained. Typical of organisations
of similar regulatory regime and size to POL, these wider business use activities which relate to the integrity of
processing are not always documented or maintained in an up-to-date form.
We noted that both the verbally described and the documented features of the system have not been independently
validated or tested, so this is an area where further assurance could be provided to the Board. The framework of
'high priority' key design features that will be contained in our final report could be considered as a basis for such
further assurance activity.
Context
Post Office Limited ("POL") is responding to allegations that the Horizon system used to record transactions in
Post Office branches is defective and that the processes around it are inadequate (e.g. that it may be the
source and/or cause of branch losses). POL is committed to demonstrating that the current Horizon
system is robust and operates with integrity within an appropriate control framework.
Since its implementation in branches, POL has received an increasing number of pieces of
work relating to Horizon to provide assurance. Deloitte has been appointed to consider whether this
assurance work appropriately covers matters relating to the integrity of the processing environment and to raise
suggestions for potential improvements in assurance provision.
Our work was performed by reference to the activities we see in other, similar organisations, as well as guidance
offered by recognised good practice control frameworks. Our work has been performed as a desktop review and
thus has not tested the accuracy of any of the assertions made in documentation provided to us.
Further to the extension of our work, we will issue a consolidated final deliverable on Friday 23rd May 2014.
Approach — Review of Sources of Assurance
Our work considered three main areas where we would expect assurance sources to be available for the Board in
order to fulfil your objective of being provided with comfort that the Horizon system is fit for purpose and operating
with integrity:
1. Assurance over the system “Baseline” — this provides comfort that the original implementation project
and other changes performed under formal projects were conducted in line with good project management
practices, and that detailed testing was performed against agreed business requirements. Such activity
verifies that the system was, at that point in time, fit for purpose and implemented as intended.
2. Assurance over the system “Provision” — this provides comfort that the underlying IT activities,
necessary to providing a system that can run and be used with integrity, are designed and operating
effectively. Such activity verifies that key day to day IT management activities, for example, relating to
security, IT operations and system changes are appropriately governed and controlled.
3. Assurance over system “Usage” — this provides comfort that key features in the system, designed to
prevent or detect matters that would impact the integrity of processing, are in place and operating as
intended. This area of assurance often requires detailed underlying work hence is typically conducted
under a prioritised (“risk intelligent”) approach.
This initial work identified a number of high priority areas where further review and assessment was required. POL
therefore extended our work to perform a desktop review of those detailed features of Horizon which:
- ensure that the sub-postmaster has full ownership and visibility of all records in their Branch ledger; and
- ensure that these Branch ledger records are kept by the system with integrity and a full audit trail.
Our extension included a technical validation of the Audit Store's tamper-proofing mechanisms and consideration,
based on supplied documentation, of where key events in the past could have impacted these features.
We structured our work around the key questions shown in the diagram below, focusing on the relevant high priority
features of Horizon and assessing the extent to which they had been evidenced.
Horizon: Key Questions Underpinning Confidence in Integrity
[Diagram: Horizon processing components, including the Centera Audit Server and ad hoc interfaces, annotated with the following key questions]
- How do you know the system was fit for purpose and worked as intended when first put in?
- How do you know if major changes since then have impacted the system?
- How do you know that supporting IT processes are well controlled?
- How do you know that everything at the Counter is recorded completely, accurately and on a timely basis centrally?
- How do you know that everything processed to Branch Ledgers is recorded accurately in the Audit Store?
- How do you know that information reported from the Audit Store retains its original integrity?
- How do you know that DBAs or others granted DBA access have not modified Branch Database data?
- How do you know that the system used by your Finance teams for control contains all records?
- How do you know that all data posted from other systems and teams is visible to and accepted by the sub-postmaster?
LEGALLY PRIVILEGED AND CONFIDENTIAL © Deloitte LLP 2014
Further detailed information, including our final findings and recommendations for management, will be issued in
our report on Friday 23rd May 2014.
Other than as stated below, this document is confidential and prepared solely for your information and that of other
beneficiaries of our advice listed in our engagement letter. Therefore you should not refer to or use our name or
this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make
them available or communicate them to any other party. In any event, no other party is entitled to rely on our
document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains
access to this document.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see
www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.