POL00030217
Post Office Limited
Management letter for the year ended
27 March 2011
ERNST & YOUNG
Quality In Everything We Do
Private and confidential
Sarah Hall XX August 2011
Post Office Ltd
148 Old Street
LONDON
EC1V 9HQ
Dear Sarah
Internal control matters arising from the 2011 audit
I am pleased to present our management letter for the year ended 27 March 2011.
Our review of the company’s systems of internal control is carried out to help us
express an opinion on the accounts of the company as a whole. This work is not
primarily directed towards the discovery of weaknesses, the detection of fraud or
other irregularities (other than those which would influence us in forming that
opinion) and should not, therefore, be relied upon to show that no other weaknesses
exist or areas require attention. Accordingly, the comments in this letter refer only to
those matters that have come to our attention during the course of our normal audit
work and do not attempt to indicate all possible improvements that a special review
might develop. We would be happy to discuss any of the points contained within this
letter in more detail with you.
We would like to take this opportunity to thank management for their input into the
management letter process and to thank you and your staff for assistance during the
course of our audit.
Yours sincerely
Angus Grant
Partner, on behalf of Ernst & Young LLP
Enc
The contents of this report are subject to the terms and conditions of our appointment as set out in our
engagement letter.
This report is made solely to the Board of Directors and management of Post Office Limited in
accordance with the terms of our engagement letter. Our work has been undertaken so that we might
report to the Board of Directors and management of Post Office Limited those matters that we are
required to and for no other purpose. To the fullest extent permitted by law we do not accept or assume
responsibility to anyone other than the Board of Directors and management of Post Office Limited for
this report or for the opinions we have formed. It should not be provided to any third party without our
prior written consent.
Executive summary
The finance leadership team at Post Office Limited (POL) has implemented process improvements throughout the organisation during the past financial year.

In particular, focussed management action has addressed many of the issues raised in our prior year management letter and led to significant improvement in the overall payroll control environment. The recommendations we have made in this report should be seen as refinements rather than fundamental control deficiencies in comparison.

The main area we would encourage management to focus on in the current year is improving the IT governance and control environment.

Within the IT environment our audit work has again identified weaknesses mainly relating to the control environment operated by POL's third party IT suppliers. Our key recommendations can be summarised into the following four areas:

» Improve governance of outsourced application management
» Improve segregation of duties within the manage change process
» Strengthen the change management process
» Strengthen the review of privileged access

We also encourage management to continue to enhance the Legal & Compliance review framework to manage risks in relation to regulatory compliance associated with financial services activities.
2. Prior Year Comments — Update
Issue: Liability (POSS)
Location: POL - Chesterfield
Background: The liability for Post Office Savings Stamps is £25.6m. A further £11.6m (£9.5m 2009) liability for losses has been recognised due to stamp redemption losses (predominantly fraud). The liability for redemption losses is highly judgmental and has been calculated by updating the prior year liability for an estimate of losses incurred in the current year from the results of sample checks of pouches received. Approximately 50% of returned pouches are checked. The product is due to be curtailed during 2010/11 and as a result it is expected that the majority of the liability will be run down by year end 2011.
Recommendation:
» Based on the level of losses estimated in the year (£2.1m), we recommend that a higher proportion of returned pouches are checked while the product is run off.
» At year end 2011 the remaining liability should be calculated on a whole portfolio basis rather than as an adjustment to the brought forward liability as this will improve the accuracy of the remaining unknown liability.
Management Comment: We accept the recommendation and had already explained during the course of the audit that we would increase our coverage during the period of the withdrawal of savings stamps. The % of pouches checked has increased from 25% at the beginning of 2009/10 to 50% now, with focus continuing to be on those pouches which we expect to be most at risk of errors. The Savings Stamps product has been withdrawn on 25th May but will continue to be accepted as a method of payment in Post Office branches until 28th August, 2010. The current value and volume of redemptions has increased by 10% and 14% respectively, but we are anticipating that by August the redemptions will drop off significantly. We anticipate that we will start to reduce the work in this area during August and the value and volume of redemptions will drop off further after this date. We will closely monitor the redemption profiles and arrange the checking work in line with these. We will also review the aggregate liability on saving stamps and bring to bear the facts of customer migration as the budget card replacement is rolled out.
Current Year Update: The support for the calculation provided in the current year addressed the recommendation from prior year. The calculation factored in the basis of estimation and showed both the higher and lower end of the range of potential outcomes. As anticipated, the withdrawal of this product has made the tracking of the liability and forecasting of redemptions easier to manage and review.
Issue: Variance Report for Agents
Location: Payroll - Bolton
Background: A 300 page report is produced every month showing a detailed weekly variance analysis for agents. Payroll management inform us that a review of significant variances identified within this report is intended to be a key control. The front summary sheet for each report is now signed off. However, the level of detail of the review performed varies month on month and the parameters for selecting variances are not clear. It is also not clear why some selected variances for review are adjusted for and others not. The report is intended to be a significant control to detect any issues within the agent or employee payroll. Failure to complete the review increases the risk of an issue in the agent pay not being detected on a timely basis or at all. This could cause cash loss for the business or increased administrative time to correct the error.
Recommendation: We repeat our recommendation from prior year that the reports are shortened to focus on the key variance analyses for the main risks. We further recommend that there is a second signatory of the report at manager level to ensure the review is happening, with a short bullet point summary of any significant variances and action taken to follow up and resolve them.
Management Comment: The report was kept in place in the same level of detail following the internal audit visit at half year where, although time consuming, it was felt to be of value. The report has been reviewed and subsequently revised and is now run for key variances, the output of which is a 70 page report rather than 300 pages. This has been in place since Period 11. In addition we have revised the front facing sheet to include one off payments and identification of weeks in each period both of which will highlight known variances. The facing sheet is signed and dated by both the person preparing the report and the manager reviewing the work performed.
Current Year Update: We noted that the length of the report has decreased significantly, with more meaningful explanations for variances being noted on actual variance reports from SAP, and a higher level of detail noted on the front summary sheet summarising actions taken. This is also now being signed off at a manager level. We did however note that a number of variances that were noted on variance reports were not brought forward to the summary sheet, and have suggested that appropriate parameters be put in place for those variances which require management review.
Issue: Review of Employee Change Request (Contractual Changes)
Location: Payroll - Bolton
Background: Payroll management's process requires that all employee change requests that lead to new contracts should be reviewed. A checklist for individual change requests is completed and signed off and these are tracked on an overall log for all change requests received. Based on our review of the log we identified that:
• Evidence of completed reviews in respect of contractual change requests were not recorded in the log
• The log was updated based on inaccurate provisional information and not subsequently amended.
It may not be possible for payroll management to monitor that the controls are operating effectively and to check that the appropriate request forms are being reviewed.
Recommendation: We repeat our recommendation from prior year that the log is maintained and updated accurately. This will give an oversight as to the effectiveness of the control. The log should clearly identify those changes that require a new contract.
Management Comment: The data capture spreadsheet has been re-aligned and now encompasses all of the recommendations. In addition we have made further enhancements to the data capture spreadsheet eg. introduced new numbering system to identify when the change was processed, split out processing months by unique tab, have a clear indication of 10% checks for each tab, added a further column to identify incorrect source information and also added a short facing sheet for every change which will sit with personal papers. All of the above has been in place since Period 1.
Current Year Update: We noted during our review that it is now possible to see where the log has been updated for changes between contractual to non-contractual changes, however this is not always clear when reviewing, and as such have raised this as a current year point. For our sample selected in the current year, we noted that where the change was contractual, the full buddy check is being carried out. We also noted that in one month, the 10% check was not fully carried out, although this can be seen as being completed in all other months in the year.
Issue: Review of Employee Change (General Review)
Location: Payroll - Bolton
Background: Payroll management's process requires that 10% of all change request forms will be reviewed each month. This review was not being evidenced on the log until January 2010. Based on our review we noted that less than 10% had been evidenced as checked (33 out of 500 in January, 24 out of 656 in February). Payroll management is not effectively monitoring that the controls to check that the appropriate request forms are being reviewed are operating effectively.
Recommendation: We repeat our recommendation from prior year that the log is maintained and updated accurately. Additionally, we recommend that the review of 10% of all changes is evidenced as reviewed. This will give an oversight as to the effectiveness of the control.
Management Comment: This is linked to Recommendation 2 as both changes and contracts are captured on a single spreadsheet. In place from Period 1 as per Action 2 (on the same spreadsheet).
Current Year Update: See point 3 above. We have noted that in one month, fewer than 10% of changes were subject to review and we recommend that the 10% threshold is met for all months.
Issue: Human Asset Check
Location: Payroll - Bolton
Background: Other divisions in Royal Mail are sent a list every 6 months from the payroll department listing all the employees who should be in their area. They review that list and highlight if anyone is on the payroll that should not be. This was only performed at the start of the period by POL. Payroll management inform us that they do not feel that the control is appropriate given the nature of the business and plan to implement an alternative procedure. If this control objective is not achieved there is an increased risk of either 'ghost' employees or that employees who have left the business incorrectly remain on the payroll.
Recommendation: We repeat our recommendation from prior year that this control is implemented in line with Royal Mail Group policy on a 6 month basis or an effective alternative control be designed and implemented.
Management Comment: Solution for employees is via 'My Template' and this is being rolled out from Period 2. My Template allows real time access for Line Managers to review their structure including their people at any given time. In simplistic terms we will get periodic sign off (all captured twice per year) from each Line Manager via e-mail. The solution proposed is for Employees only. A suite of options are being developed to close the gap for Agents. Current development areas being looked at include matching SAP data to sales reports, agent check on contact with Advice Centre, check on audit visit, utilisation of area sales managers for top 2.5k offices.
Current Year Update: We noted that this control is not operating in the current year. See current year comment noted below.
Issue: Complaints Log
Location: Payroll - Bolton
Background: The complaints process was transferred over from Sheffield to Bolton in January 2010, however no log is being completed in Bolton to track the complaints received and the follow up actions being performed in order to close the complaint. Without maintaining the complaints log it may not be possible for payroll management to identify what actions were taken to resolve complaints.
Recommendation: We recommend that a log of complaints is introduced similar to the one that is performed by the other Royal Mail Group subsidiaries.
Management Comment: The complaints process is in place and working from Period 2 which will capture all complaints including those via our Advice Centre. Complaints are also a standard scorecard item for monthly management performance meetings which will also capture specific actions and improvement activity. In addition we are working with HR Sheffield to identify any areas of best practice that can be incorporated in our complaints log.
Current Year Update: We noted that a complaints log is now being maintained in Bolton with evidence of resolution and signoff as completion being made in the log.
Issue: Agent Payroll Joiner and Leaver Review
Location: Payroll - Bolton
Background: Based on our review of the secondary check-sheets used in the agent joiners and leavers processes, we identified a number of instances where there was no evidence of review of details being entered/removed correctly. Without adequate review, agents may be input twice, at the wrong pay amount and / or not removed resulting in overpayment.
Recommendation: We recommend that the secondary check-sheets are maintained to evidence review of agent joiners and leavers amendment checks.
Management Comment: Revised process introduced from Period 1. All joiners and leavers source documentation will be cross checked on an individual basis to SAP reports and filed in monthly order. Document retention has also been extended to 15 months from 12 months. Facing sheet will also accompany reports which will be checked and signed off by team leader each period.
Current Year Update: We noted that for our sample selected, we were able to evidence that a 10% review was being carried out with secondary check sheets for agent joiners, but noted an issue with regards to employee leavers whereby the 10% checks were not being carried out in full when the actual check sheets were obtained. See management letter comment below.
Issue: Budgetary Analysis
Location: Payroll & Head Office
Background: No detailed review of payroll payments to agents and employees against the budget is documented. A high level review of staff costs against budget is performed by the finance team but this is insufficiently detailed to identify payroll anomalies. Payroll anomalies may not be detected resulting in over payment or under payment going undetected.
Recommendation: In order for the review process to act as an effective control we recommend that a detailed review of payments to agents and employees against the budget is performed and documented.
Management Comment: The high level review performed is not sufficient to identify payroll anomalies however, the detailed cost centre reports are reviewed on a monthly basis by the Finance Business Partner teams comparing actual costs to budgets and reviewing the employee lists. Attention is paid to leavers and joiners and queries are followed up. Agents' pay is reviewed by pay type against budget and queries followed up. Anomalies are likely to be found through these reviews. The importance of this review will be re-emphasised within the Finance team.
Current Year Update: Based on the procedures performed in current year, it was concluded that this process has been improved and the control is now operating effectively.
Issue: Employees Joiner Control
Location: Payroll - Sheffield
Background: Payroll management's process is that once an employee joiner is added to the system a secondary review is performed and an audit checklist completed to evidence this review. Based on our review, we identified a number of instances where there was no evidence of review of details being entered/removed correctly. Without adequate review agents may be input twice, at the wrong pay amount and / or not removed resulting in overpayment.
Recommendation: We recommend that the secondary check-sheets are maintained to evidence review of agent joiners and leavers.
Management Comment: This is actioned at Sheffield. Gaps will be closed by end of May and Period 1 picked up retrospectively. The Service Centre team were on site in Sheffield on 26th May to confirm audit findings and to look at improvement opportunities which will mirror those from the Service Centre. Currently reviewing our SLA with Sheffield which will be re-worked to incorporate a number of areas around controls.
Current Year Update: Based on our sample selected, we noted that we were able to obtain secondary check-sheets for our sample selected, and therefore concluded the control to be operating effectively.
Issue: Multiple Agents in a Location
Location: Payroll - Bolton
Background: In prior year, management agreed with the recommendation to re-introduce the control and maintain evidence of the review of branches which have more than one agent payment in a month, being performed. From our review this year, there is limited evidence of the review being performed for the months selected for testing. The risk of more than one salary being paid for each location is higher if this control is not in place. This then increases the risk of fraud or cash payments being made to individuals that need to be reclaimed, with the added administrative expense required.
Recommendation: We recommend the evidence of the review is strengthened in order to support the control.
Management Comment: This was in place from Period 12. The front facing sheet has been enhanced to include greater detail of work performed and any actions and resolution of issues. This is signed by the compiler and manager following a review of the work performed.
Current Year Update: We noted that for the sample selected, we saw evidence of explanations, follow up and review being carried out on reports produced and clear evidence of sign off.
Issue: Overall Payroll Control Environment
Location: Payroll - Bolton
Background: Whilst there have been some limited improvements in the control environment during the current financial year, we were again unable to rely on a number of key payroll controls to reduce our substantive work for the year-end audit. Further, during the course of our work we identified areas where controls were not operating as payroll management believed them to operate and where actions included in management's responses to our management letter last year had not been taken or were ineffective in addressing the deficiency identified. We believe this indicates a weakness in the overall control monitoring process. Weaknesses in the control environment may lead to errors in financial reporting or actual losses to the business.
Recommendation: We recommend a stronger focus on the payroll control environment in terms of senior management oversight, including obtaining a better understanding of the operating effectiveness of the existing controls, encouraging a stronger control culture and more intensive control monitoring going forward.
Management Comment: In overall terms it is agreed that there needs to be a greater profile around the whole area of controls. A number of actions have now been agreed by the management team and are in place for Period 1 including random independent checks and KPIs on the local scorecard and on the overall HR scorecard. In addition the following has taken place / is planned to address the overall recommendation and in particular encouraging a stronger control culture and intensive monitoring:
• Audit recommendations shared with all management team.
• Briefing to all managers and employees across the Service Centre in relation to on-going audit and controls.
• Allocation of dedicated resource to assess status of controls across all product teams as a baseline exercise.
• Full in house audit conducted of all controls detailed in our Internal Control Manual (ICM).
• Control champions for each product area.
• Identified gaps from ICM currently being addressed.
• ICM being updated and will be launched at the end of Quarter 1.
• Review of closed E&Y recommendations completed for Period 2 and scheduled for full year.
• Internal audit to conduct further sample checks following launch of revised ICM.
• All individuals have a performance objective for 2010/11 linked to controls.
Current Year Update: We noted significant improvements in the overall control environment during our review of controls in 2010/11. It is evident that there has been a marked effort in order to improve the functioning and oversight of a number of key controls, most of which we now are able to place reliance on and are able to conclude that the overall payroll control environment is effective.
Issue: Credence (back end) change process
Background: During our walkthrough and testing of the change control procedures for the Credence application we became aware of the following issues:
1. Developers at Logica, the third party provider of application development and support for Credence, had access rights to the production environment and the database that would permit developers to move their own changes into the production environment.
2. Documentation to support fixes and patches that are applied to Credence outside of the release process does not always exist. We were advised by Logica personnel that for a sample of four changes selected evidence of approval to move into production did not exist and that it would not be possible to link the changes to problem tickets to record the original request for the fix / patch.
Where developers have access to move their own changes into production and documentation is not retained to substantiate those changes there is a risk of loss of data and application integrity due to either unauthorized, erroneous or inappropriate changes being made to the production environment.
Recommendation: Management should require that their third party service provider segregate the roles of developer and implementer. Management should also require that their third party service provider maintain complete and accurate records that support the requests for changes, testing of changes, approval to move into production and the separation of developer and implementer. Management should periodically audit the achievement of service level agreements.
Management Comment: This is clearly documented in OCP. There will be further work to look at requiring Logica to comply and ensure appropriate role separation. To be retested in 3 months.
Current Year Update: Application not in audit scope for FY11. Therefore, we are not able to comment on whether management has fully addressed our comment as raised in the prior year.
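A worked illustration of the record checks this item asks the service provider to support, added here as an example and not code from the original letter, from Logica or from POL: each production change record is tested for a developer who implemented their own change, a missing documented approval or one given by the developer, missing test evidence, and a change that cannot be linked to a ticket in the problem register. The record layout, the ticket register, the names and the change identifiers are all constructed for illustration.

```python
"""Change-record reconciliation for an outsourced application.

Added example, not E&Y's, POL's or Logica's code. The record layout,
ticket register, names and identifiers are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str           # who wrote the fix or patch
    implementer: str         # who moved it into production
    approver: Optional[str]  # documented approval to move into production
    tested: bool             # test evidence retained
    ticket: Optional[str]    # problem / request ticket the change answers


def review_change(change: Change, ticket_register: set[str]) -> list[str]:
    """Return the control exceptions for one change record (empty = clean)."""
    exceptions = []
    if change.developer == change.implementer:
        exceptions.append("developer implemented own change (no segregation of duties)")
    if change.approver is None:
        exceptions.append("no documented approval to move into production")
    elif change.approver == change.developer:
        exceptions.append("approval given by the developer")
    if not change.tested:
        exceptions.append("no test evidence retained")
    if change.ticket is None:
        exceptions.append("cannot be linked to a problem ticket")
    elif change.ticket not in ticket_register:
        exceptions.append(f"linked ticket {change.ticket} not found in ticket register")
    return exceptions


def review_changes(changes: list[Change], ticket_register: set[str]) -> dict[str, list[str]]:
    """Map change_id to its exceptions, for the changes that have any."""
    result = {}
    for change in changes:
        exceptions = review_change(change, ticket_register)
        if exceptions:
            result[change.change_id] = exceptions
    return result


# Constructed sample data: a ticket register and three production changes.
SAMPLE_TICKETS = {"PRB-1001", "PRB-1002"}
SAMPLE_CHANGES = [
    Change("CHG-1", "alice", "bob", "carol", True, "PRB-1001"),  # fully evidenced
    Change("CHG-2", "alice", "alice", None, False, None),        # hotfix outside the release process
    Change("CHG-3", "dave", "erin", "dave", True, "PRB-9999"),   # self-approved, ticket not in register
]

if __name__ == "__main__":
    for change_id, exceptions in review_changes(SAMPLE_CHANGES, SAMPLE_TICKETS).items():
        print(change_id)
        for exception in exceptions:
            print("  -", exception)
```

Run over a real change log, the useful output is the set of change identifiers with no exceptions, because those are the only changes the retained records actually substantiate; anything in the exception list is a change whose authorisation has to be evidenced some other way.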
Issue: Credence (front end) change process
Background: During our walkthrough of the administration of the front end of Credence we noted several users with administrator rights, including some generic users (this is noted below as a separate point). These users have the access rights to create and amend reports, including those which may be relied upon for audit evidence. These users can change report design and processing without documented request, test or approval. When users have the rights to change reports that are used by the business for reconciliation, exception reporting or other processing, there is the risk that the reports are manipulated either intentionally or accidentally.
Recommendation: Changes to Credence should be requested, tested and approved by the business users. Changes should be identifiable through system logs and an appropriate audit trail maintained of request, testing and approval documentation. Access to make such changes should be limited to authorised individuals.
Management Comment: Whilst users are able to make changes to reports they "own", those which are used for business critical processes are created globally and owned by one of the administrators. Users may be able to design their own versions of the reports but these would not be available globally or used for business critical processes.
Current Year Update: Application not in audit scope for FY11. Therefore, we are not able to comment on whether management has fully addressed our comment as raised in the prior year.
Issue: Credence (front end) configuration
Background: We noted several control weaknesses in Credence front end user administration and security configuration:
1. The password configuration is not aligned with network settings or those settings required by Post Office. We noted:
   a. there is no minimum password length
   b. password complexity rules are not applied
   c. users are not required to change their password
   d. password history is not retained
   e. idle session time-outs are not in place
2. There are three generic administrator accounts without specific users assigned to these accounts. One of the three accounts has not been used since April 2009.
3. The process for requesting and granting user access rights to Credence does not maintain documentation to record evidence of request or approval of access rights.
4. There is no process in place for the revocation of user access rights when a user separates from the organisation or moves to a new role no longer requiring access rights to Credence.
Without effective logical access controls there is the risk of inappropriate or unauthorised access to the Credence reports.
Recommendation: Management should enhance password controls on the Credence web portal to the same standards applied to other Post Office environments. Management should consider disabling generic administrator accounts, or assigning the accounts to specific individuals to ensure accountability over the use of the administrator accounts. Management should consider establishing user administration controls which are in-line with the processes used for other Post Office applications.
Management Comment: Users are not generic, but role accounts which are allocated to individuals and for which an audit trail is available. The correct procedure to be followed for the allocation and use of these roles is being re-emphasised. A full risk assessment of the Credence application is being undertaken later this year and this aspect will be reviewed. Although system-based credential control does not fully match POL standards, user guidelines and procedures do. The whole user management piece is due to be reviewed during the planned risk assessment.
Current Year Update: Application not in audit scope for FY11. Therefore, we are not able to comment on whether management has fully addressed our comment as raised in the prior year.
Issue: Horizon (back end) user administration
Background: During our testing of the appropriateness of users with access to the Horizon back end environment we noted one user whose access was no longer required due to a change in job responsibilities. When users have access to environments which are not appropriate for their job function there is the risk that users may inappropriately or accidentally use the access leading to loss of application or data integrity.
Recommendation: Post Office management should request periodic evidence from Fujitsu that demonstrates that the user population with access to the Horizon environment has been reviewed and access validated. Additionally, Post Office should consider requesting Fujitsu to establish controls relating to temporary access.
Management Comment: A note has been sent to Fujitsu on their responsibilities in this area. Although the note has been sent to Fujitsu, it is likely this will be covered in their up-coming ISO27001 audit and compliance work. This is going to be an agenda item on the monthly ISMS and considered for inclusion in monthly reporting.
Current Year Update: Whilst Horizon has been upgraded to HNGX during the audit period, this issue is still relevant for the HNGX estate based on procedures performed in the current year. Refer to #5 in the current year recommendations section.
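The two user administration checks called for by the Credence configuration item and by this Horizon item, added here as an example and not code from the original letter, from POL, Logica or Fujitsu. The first function compares an application's password and session settings with a required baseline and reports each setting that falls short; a portal configured as the Credence front end is described (no minimum length, no complexity, no forced change, no history, no idle time-out) fails on all five. The second performs the periodic access validation the Horizon recommendation asks Fujitsu to evidence: it reviews an account population against HR records and a mapping from job role to the application roles that job needs, reporting generic accounts with no named owner, leavers whose access was not revoked, roles a job no longer requires, and dormant accounts. The baseline values, HR records, role mapping and account records are constructed; the real Post Office standards are not on the page.

```python
"""Password-policy comparison and periodic access review.

Added example, not E&Y's, POL's, Logica's or Fujitsu's code. The
baseline, HR records, role mapping and accounts below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed baseline standing in for "the standards applied to other
# Post Office environments"; the real POL values are not on the page.
BASELINE = {
    "min_length": 8,             # characters
    "complexity": True,          # mixed character classes required
    "max_age_days": 90,          # forced change interval; 0 = never
    "history": 12,               # previous passwords remembered
    "idle_timeout_minutes": 15,  # idle session time-out; 0 = none
}


def _meets(key: str, actual, required) -> bool:
    if key in ("min_length", "history"):
        return (actual or 0) >= required
    if key == "complexity":
        return bool(actual)
    # max_age_days / idle_timeout_minutes: 0 or missing means "never" and
    # is the weakest setting, so it always fails.
    return bool(actual) and actual <= required


def password_policy_gaps(settings: dict, baseline: dict = BASELINE) -> list[str]:
    """One line per setting weaker than the baseline; empty means compliant."""
    return [f"{key}: configured {settings.get(key)!r}, required {required!r}"
            for key, required in baseline.items()
            if not _meets(key, settings.get(key), required)]


@dataclass(frozen=True)
class Account:
    username: str
    assigned_to: Optional[str]  # named individual; None for a generic account
    role: str                   # application role granted
    last_used: Optional[date]


@dataclass(frozen=True)
class HrRecord:
    person: str
    job_role: str
    left_on: Optional[date]     # leaving date, None if still employed


def access_review(accounts: list[Account], hr: list[HrRecord],
                  role_map: dict[str, set[str]], as_of: date,
                  dormant_after: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for a periodic access validation.

    role_map gives, per HR job role, the application roles that job needs;
    an account holding a role outside that set is no longer required.
    """
    hr_by_person = {r.person: r for r in hr}
    findings = []
    for a in accounts:
        if a.assigned_to is None:
            findings.append((a.username, "generic account with no named owner"))
        else:
            rec = hr_by_person.get(a.assigned_to)
            if rec is None:
                findings.append((a.username, f"{a.assigned_to} not found in HR records"))
            elif rec.left_on is not None and rec.left_on <= as_of:
                findings.append((a.username, f"{a.assigned_to} left on {rec.left_on}; access not revoked"))
            elif a.role not in role_map.get(rec.job_role, set()):
                findings.append((a.username, f"role {a.role} not required by job role {rec.job_role}"))
        if a.last_used is None or as_of - a.last_used > dormant_after:
            findings.append((a.username, f"dormant (last used {a.last_used})"))
    return findings


# Constructed sample data: review date, HR view, role mapping, five accounts.
AS_OF = date(2011, 3, 27)
ROLE_MAP = {"finance analyst": {"report_user"},
            "application administrator": {"admin", "report_user"}}
SAMPLE_HR = [HrRecord("J Smith", "finance analyst", None),
             HrRecord("P Jones", "finance analyst", None),
             HrRecord("R Brown", "finance analyst", date(2011, 1, 15))]
SAMPLE_ACCOUNTS = [
    Account("admin1", None, "admin", date(2009, 4, 1)),        # generic, unused for years
    Account("admin2", None, "admin", date(2011, 3, 1)),        # generic, in use
    Account("jsmith", "J Smith", "admin", date(2011, 3, 20)),  # admin rights the job does not need
    Account("pjones", "P Jones", "report_user", date(2011, 3, 25)),  # clean
    Account("rbrown", "R Brown", "report_user", date(2011, 2, 1)),   # used after leaving
]

if __name__ == "__main__":
    weak = {"min_length": 0, "complexity": False, "max_age_days": 0,
            "history": 0, "idle_timeout_minutes": 0}
    for line in password_policy_gaps(weak):
        print("policy gap:", line)
    for user, finding in access_review(SAMPLE_ACCOUNTS, SAMPLE_HR, ROLE_MAP, AS_OF):
        print(f"{user}: {finding}")
```

The review is only as good as the two inputs it reconciles: the account export has to come from the application itself (not from the access request log, which the Credence item notes is incomplete), and the HR record has to carry both the current job role and the leaving date, otherwise the leaver and role-change checks silently pass.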
Current Year Recommendations — non IT related
Issue: GRNI
Background: We recommended in previous years that management continue to look for ways to improve the purchasing process to reduce the required levels of manual input into the GRNI accrual. The balance has continued to reduce during the period as management's review of the balance has been more detailed. The main issues continue to be the volume of line items within the listing, the difficulty in tracking delivery dates, in particular for services, and the clearing of residual values.
Recommendation: We have noted improvement in the review of the accrual and would encourage management to continue to strengthen the review to ensure that:
- Aged balances are challenged
- Significant services line items are reviewed for adequacy
- Timely clearing of residual values.
In addition, with upcoming changes to the business, and in particular separation activity, management should continue to explore options to improve the purchasing process.
Management Comment: Agreed. We have continued to strengthen the review of old purchase orders to validate the GRNI accrual and will maintain focus on this review. The system and process are group led but we note the opportunity to improve after separation.
Issue: Human Asset Check
Background: An employee asset check was completed for the first 6 months with a response rate of 75%. The remaining 25% was not completed given the upcoming organisational restructure. However, as all employees are expected to be put onto the new online organisational chart before March 2011, Management believes this will allow for a more robust human asset check in the future. The agent asset check continues not to be in place. The design of an asset check for agents is still under discussion and the HR department have put forward a suggested process to senior management and are awaiting approval. As this control is not yet fully operational, there is a continued risk of either 'ghost' employees or agents, or that employees or agents who have left the business incorrectly remain on the payroll.
Recommendation: We recommend that HR reviews the results of the trial run of the employee asset check and ensure that 100% coverage is achieved. In addition, we await to see senior management's decision regarding implementation of the proposed agent's asset check but recommend that the proposed control is introduced at the earliest opportunity to mitigate the inherent risks.
Management Comment: Agreed.
a) Employees — the final verification of our structure will in effect deliver the second 6 month review as per the agreed control. We also hope to deliver a trial in March 2011 of the new process which will be introduced from the new financial year.
b) Agents — Currently we are performing a check of offices paid on HRSAP against office transacting basic products eg. 1st class stamps (via Credence). We intend to continue with this check and await a decision on whether we require anything further to deliver an acceptable asset check for our agent population.
Change Requests (General Review)

Background
We noted a marked improvement in the maintenance and transparency of the employee changes log spreadsheet; however, one month sampled identified that the 10% check had not been carried out in full, with only 8% of changes (contractual and non-contractual) being subject to review.

It was also noted that the log was not amended in cases where the information would suggest a contractual change but once processed this was not the case; however, it is recorded by sign off if the change led to a contractual change.

This control is important in ensuring that all changes are being reviewed and input onto SAP correctly. It was noted that this was done in the other months selected for testing apart from the exception noted above.

Recommendation
We recommend that the change from a “contractual” change request to a “non-contractual” change request be clearly documented on the spreadsheet in order to ensure transparency over what contractual changes have been made. In addition, we recommend that the level of secondary check each month (eg 10% of the full population) is adhered to in all cases.

Management Comment
Agreed — Now in place
a) An additional column has now been included on our spreadsheet to highlight where there is a change in status from the source document, ie. sent as contractual and processed as non-contractual or vice versa. This is already noted on the source document, however this addition adds visibility.
b) The 10% check as detailed in our Control Manual will be delivered. On the one month where only 8% was documented this has now been re-visited retrospectively and the team leader has checked a further sample to meet the agreed requirements.
Agent Leavers Review

Background
Based on our review of the secondary check-sheets used in the agent leavers processes, we identified 3 instances in one month (January) where the leaver was identified for secondary checking but the secondary review of the leaver details was not completed. We did note that the initial checks of these leavers had been completed.

The secondary checks are in place to ensure that adequate review of the process is occurring and that the leaver is correctly removed from the system to avoid overpayment.

Recommendation
We recommend that management ensure that the control policy to secondary check 10% of the population of leavers each month is fully implemented.

Management Comment
Agreed — Now in place.
The 3 instances identified have now been checked retrospectively. This check is in place and documented in our Control Manual so should have been delivered.
In addition to the standard check this area is checked periodically at Service Manager level; however, given the audit finding we will extend this high level check to be delivered each month, commencing P11.
Variance Report for Agents

Background
It was noted when testing the agents pay variance reports for April, August & September that there were a small number of exceptions per the generated exception reports that had not been brought forward and noted on the summary front sheet, which is in turn reviewed by the Service Team Leader (STL). There appear to be no guidelines in place which dictate which variances and follow ups require management review, although those exceptions identified within the report had been investigated in the initial review but not included on the front sheet ready for STL review.

A lack of clear guidelines dictating which variances should be raised for management review leaves the potential for oversight of significant variances generated by the SAP report which are not included in the STL review.

Recommendation
We recommend that there are clear process guidelines for the level of management checks to indicate which variances should be raised for management review, in order to ensure no significant variances and follow up actions are omitted. All items within the report meeting this threshold should then be included on the front sheet ready for management review.

Management Comment
Agreed — Will be fully in place for P12 processing.
The check is 100% on the variances that are produced, with those requiring action documented on a front facing sheet. Narrative detailing the guidelines to perform the check will accompany the front facing sheet. The sheet will also be updated to include a ‘balance’ of all variances identified that period which will form part of the team leader sign off.
Current Year Recommendations — IT Specific
Improve governance of outsourcing application management
Rating: High

Background
The outsourcing of Post Office Limited's (POL) IT function to a third party service provider (Fujitsu) creates a degree of complexity and difficulty for POL in gaining assurance that there are adequate IT general controls in place around POL's business critical systems. This is further complicated by the changes within Fujitsu's support structure whereby certain functions within the RMGA business unit have been further outsourced internally to shared services provided by Fujitsu. This second layer of the outsourcing arrangement further increases the complexity and difficulty of gaining assurance that adequate IT general controls are in place and operate effectively.

Despite the outsourced IT environment, POL is responsible for the governance, risk and control framework over its business critical systems, and should have visibility and assurance over their design and operating effectiveness.

Recommendation
Whilst we do recognise that the current outsourcing model has been pursued to successfully deliver very significant commercial benefits to POL, there is a need to implement additional governance measures to reflect the shared service nature of Fujitsu's provision. We recommend that POL's approach to this should include the following:
- POL should take ownership of the effectiveness of the control environment with Fujitsu, requiring Fujitsu to implement a control framework devised by POL (including standards and requirements) and to provide assurance (independent or otherwise) over its continued effective operation;
- Whilst Fujitsu has indicated that the provision of an ISAE 3402 (formerly SAS70) report would be excessively costly and the preference within POL at present is to focus on improving the existing audit process going forward, POL should keep the ISAE 3402 option under consideration over time, as there are indications that Fujitsu will adopt an increasingly global approach to service provision, further complicating the process of gaining audit evidence.

Management Comment
Work on improving the governance of outsourcing with Fujitsu has already commenced and we have already established an approach. Regular meetings are underway and there are plans to share the approach with E&Y by July 2011.
Application of control reviews will be monitored through an Audit Control Governance Board fed by the regularly scheduled embedded BAU interactions with Fujitsu. This governance board is to be established by July 2011.
Monitoring controls and measures will be defined between POL and Fujitsu for embedded BAU management purposes.
The POL and Fujitsu approach is an optimised control framework to manage controls and evidence requirements (see point 1 above).
Segregation of duties within the manage change process
Rating: High

Background
We reviewed the logical and organisational controls in place to segregate the development and migration of changes as part of the review of the manage change process for all applications in scope. Our examination of this process revealed the following:

POLSAP
- The transport selected for our walkthrough was implemented by a user (NAVEEDM01) who was also identified to have access to the development environment via DEVACCESS in the development environment;
- 20 active SAP accounts have access to develop changes (via DEVACCESS in the development environment) and access to release transports into production (users with access to STMS in the production environment); and
- 10 out of 29 accounts were identified to have inappropriate access to STMS in the production environment. Specifically:
  o Three accounts belonging to terminated Fujitsu employees whose access to POLSAP was no longer required;
  o Seven accounts belonging to CSC users that were no longer required;
- Whilst we obtained confirmation from the POLSAP Programme Manager at Fujitsu that the remaining accounts with access to STMS were appropriate, we identified five users with access to DEVACCESS in the development environment who also promoted a total of 30 transports into the production environment in the period between 01/04/2010 and 26/11/10.

HNGX
- Three developers out of 36 user accounts were identified to have access to deploy changes manually to the HNGX live estate via privileged access within active directory. Whilst we confirmed with their manager that access is required for their support roles, we were unable to obtain authorised documentation to support the last login activity for each user;
- There are an excessive number of accounts with access to deploy automated changes to the live HNGX estate via the Tivoli Provisioning Manager (TPM) and Tivoli Configuration Manager (TCM) tools. We also identified inappropriate access to deploy automated changes to HNGX via TPM and TCM. Specifically:
  o We noted 122 accounts with access to deploy automated counter changes via TCM;
  o We noted 114 accounts with access to deploy automated back end changes via TPM;
  o 11 out of 25 sampled accounts tested were identified to have inappropriate access to TPM and TCM for the following reasons:
    - Access was not revoked for nine terminated Fujitsu employees;
    - Access was not revoked for one user that had left the Fujitsu RMGA account;
    - Access was not appropriate for one user based on his job responsibilities.
- The EUROPE\Domain Admins active directory group was identified to have inappropriate access at the operating system level to the terminals used to send changes from Dimensions/PVCS to the DXE server as part of the process to deploy changes to the HNGX live estate.

Refer to Appendix A for detail of the accounts identified to have inappropriate access to POLSAP and HNGX.

There is an increased risk of inappropriate/unauthorised programme changes being migrated to production if there are inappropriate users with access to deploy and/or users are granted access to both develop and deploy into production. This risk of inappropriate/unauthorised changes remaining undetected is enhanced as there is no control in place to perform an independent periodic review of a system generated list of all changes migrated into the POLSAP and HNGX production environments to determine that changes have been authorised, tested and approved prior to migration.

Recommendation
The following improvements are recommended:
- Developers should not be given access to migrate changes to production, to minimise the risk of developing unauthorised changes and promoting these changes to the live environment. As such, a review of access to release changes into the POLSAP (via STMS) and HNGX (via TPM, TCM and active directory) production environments is required to determine whether developers require access to migrate changes. The review should also assess whether access to deploy is appropriate based on the user's job responsibilities. A review of the appropriateness of access to the terminals used to send changes from Dimensions/PVCS to the DXE server as part of the deployment process to the live HNGX estate should also be performed;
- All inappropriate access identified as a result of the review should be revoked. If it is determined that developer access is required, evidence to support the request and authorisation to grant developers access to promote changes should be retained. A control should be implemented to monitor the use of accounts that are used to deploy changes manually to the live HNGX estate, and evidence to support this control should also be retained;
- Implementing a change monitoring control for the in-scope applications whereby a system generated list of changes made to production is independently reviewed by POL on a periodic basis to determine that changes have been authorised, tested and approved prior to migration. This will help POL gain assurance that changes implemented by third party service providers have been approved by POL management; and
- Management should implement monitoring controls to help ensure that controls operated by third party service providers are in place and are in operation, for example, monitoring that there are no developers with access to promote changes to production.

Management Comment
A Fujitsu project has been established to review all user management areas and is being led by the CISO of the RMG account.
Fujitsu will provide and agree with POL a clear segregation of duties guideline for Senior Management and Line managers/Assignment managers to ensure that development and test are clearly separated from live in all technological and staff areas. If it is not possible to do this then risks identifying why this is not the case should be documented and assessed and communicated to POL for agreement.
Third parties including other parts of Fujitsu outside of RMG BU also should have obligations upon them to ensure the segregation of Development and Test systems; a review by Fujitsu of OLA's, SLA's, NDA's and Contractual agreements is required to ensure adequate control.
POL is to ensure through a periodic sample and exception review that changes have been authorised, tested and approved prior to deployment (see ref 1).
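The findings above reduce to a handful of set operations over access listings: accounts present in both the development (DEVACCESS) and release (STMS) populations, release-capable accounts belonging to leavers, and transports promoted by accounts that should not hold release access. The Python below is an added example written for this page, not Ernst & Young's or Post Office Limited's code; every account name, transport number and date in it is constructed sample data, and a real review would feed it extracts from the SAP system and the HR leaver feed.

```python
"""Reconcile change-migration access against development access and HR data.

Added example (not the auditor's or POL's code). The listings are constructed
sample data shaped like the findings above; real extracts would come from the
SAP user master, the transport log and the HR leaver feed.
"""
from datetime import date

# Constructed sample: accounts holding DEVACCESS in the development environment.
DEV_ACCESS = {"DEV01", "DEV02", "DEV03", "BASIS01"}

# Constructed sample: accounts holding STMS (release transports) in production.
STMS_PROD = {"DEV01", "DEV02", "BASIS01", "BASIS02", "LEAVER01", "CSC01"}

# Constructed sample: HR leaver feed, account -> leaving date.
LEAVERS = {"LEAVER01": date(2010, 9, 30), "DEV03": date(2010, 12, 1)}

# Constructed sample: transport log as (transport, released_by, release_date).
TRANSPORT_LOG = [
    ("POLK900101", "DEV01", date(2010, 5, 3)),
    ("POLK900102", "BASIS02", date(2010, 6, 14)),
    ("POLK900103", "DEV02", date(2010, 8, 20)),
    ("POLK900104", "LEAVER01", date(2010, 10, 5)),
]


def sod_conflicts(dev_access, stms_prod):
    """Accounts that can both develop a change and release it into production."""
    return sorted(dev_access & stms_prod)


def leaver_accounts(accounts, leavers, as_of):
    """Accounts still present although HR recorded the owner as left by `as_of`."""
    return sorted(u for u in accounts if u in leavers and leavers[u] <= as_of)


def transports_released_by_developers(log, dev_access):
    """Transports promoted by an account that also holds development access."""
    return [(t, u) for t, u, _ in log if u in dev_access]


def transports_released_after_leaving(log, leavers):
    """Releases made under an account after its owner's recorded leaving date."""
    return [(t, u, d) for t, u, d in log if u in leavers and d > leavers[u]]


def review_report(dev_access=DEV_ACCESS, stms_prod=STMS_PROD, leavers=LEAVERS,
                  log=TRANSPORT_LOG, as_of=date(2010, 11, 26)):
    """Everything a periodic POL-owned review would need to raise with Fujitsu.

    `as_of` is the review date: a leaver whose leaving date is later than the
    review date is not yet an exception, which is why the date must be recorded
    with the review evidence.
    """
    return {
        "sod_conflicts": sod_conflicts(dev_access, stms_prod),
        "leavers_with_release_access": leaver_accounts(stms_prod, leavers, as_of),
        "leavers_with_dev_access": leaver_accounts(dev_access, leavers, as_of),
        "developer_releases": transports_released_by_developers(log, dev_access),
        "releases_after_leaving": transports_released_after_leaving(log, leavers),
    }


if __name__ == "__main__":
    for key, value in review_report().items():
        print(f"{key}: {value}")
```

The transport-log checks are the detective counterpart to the preventive access review: even after release access is corrected, the log shows whether a developer or a leaver's account actually promoted anything during the period, which is the evidence the recommended periodic review of migrated changes would examine.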
Strengthen the change management process
Rating: High

Background
We reviewed the process implemented to determine that all program changes are appropriately authorised, tested and approved prior to implementation into the production environment for all applications in scope. Our examination of this process revealed the following:

POLSAP
Based on a testing sample of 18 changes made to the POLSAP production environment during the audit period we were unable to obtain evidence of the following:
- Authorisation prior to development for five changes;
- Testing for nine changes; and
- POL approval prior to implementation for four changes. For one of these changes POL approval was not required per the Fujitsu process as the nature of the change was a configuration change and as such internal approval within Fujitsu was deemed to be appropriate.

HNGX
Based on a testing sample of 15 back end changes, ten counter changes and five manual changes deployed to the HNGX live estate during the audit period we noted the following:
- For 15 back end changes, ten counter changes and five manual changes, evidence of testing by POL was not retained;
- For ten counter changes, evidence of POL approval of the change to be deployed across the counter estate was not retained;
- For one manual change, evidence of POL authorisation to begin development (i.e. a signed off CT document) was not retained; and
- For one manual change, approval was not obtained from POL prior to the change being implemented.

All in-scope applications
- We noted that POL are not usually involved in testing fixes or maintenance changes to the in-scope applications;
- We were unable to identify an internal control with the third party service provider to authorise fixes and maintenance changes prior to development for the in-scope applications.

There is an increased risk that unauthorised and inappropriate changes are deployed if they are not adequately authorised, tested and approved prior to migration to the production environment.

Recommendation
Management should enhance the current change management process/policy to include:
- The level of documentation retained to evidence that POL are involved in testing and approving changes made to the in scope applications. In particular, evidence to support POL and third party service provider's authorisation of the change prior to development, and POL approving HNGX counter changes prior to deployment across the counter estate, should be retained. This will provide management reasonable assurance that program changes being implemented into the production environment have been tested and approved prior to deployment and that HNGX counter changes are approved prior to roll out to all counters/branches. Please note that all documentation should be retained;
- Definitions of the responsibilities of all parties involved in the authorisation, testing and approval of changes deployed into the production environment, based on the nature of the change. There is a need for POL to increase their involvement in the change management process, specifically business user testing of fixes and maintenance changes to the in scope applications. The change management policy documentation should also describe the overall manage change process; and
- Management should implement monitoring controls to help ensure that controls operated by the third party service providers are in place and are in operation.

Management Comment
Work has commenced on the strengthening of the change management process.
Centralisation of approvals for change for POL within Fujitsu is to be established, which is accessible to all relevant staff and is to be applied throughout the development, testing and release process to evidence POL approval at each stage.
Classification of maintenance and fix changes, and the responsibilities and control levels required, are to be agreed between POL and Fujitsu.
POL is to ensure management and control of this change process through the embedded BAU process to ensure the correct level of engagement for user testing. Regular joint sessions are required to ensure that the change management principles are being applied.
POL to review the current BAU governance to ensure the change management principles are being applied and monitored.
Background
We reviewed privileged access to IT functions including access to user administration functionality across all in-scope applications and their supporting infrastructure. Our examination revealed:

POLSAP
- The following eight dialog and service accounts were identified to be assigned to the SAP_ALL and SAP_NEW profiles:
  o ADMINBATCH
  o BASISADMIN
  o DDIC (SAP_ALL only)
  o OTUSER
  o OSS508140
  o SAP*
  o SOLMANPLM500
  o WF-ADMIN
  Users with SAP_ALL have unrestricted access to POLSAP, including the capability to process and approve financial transactions. The SAP_NEW profile provides general access to any new profiles and authorisations which are included in a new SAP release.
- The SAP* account was not locked. This does not meet recommended practice of removing all profiles from SAP* and locking the account.

HNGX
- There are inappropriate system privileges assigned to the APPSUP role and SYSTEM_MANAGER role at the Oracle database level on the Branch Database server (BDB) supporting HNGX;
- There is inappropriate privileged access at the Oracle database level on the Transaction Processing System server (DAT) supporting HNGX:
  o System privileges assigned to the APPSUP role and OPS$TPS account are inappropriate;
  o The following accounts associated to the DBA role are no longer required:
    - CFM_DBA
    - SPLEX_ROLE_BOTH
  o The following accounts have inappropriate access to user administration functionality via the Admin access parameter (‘ADM’ is set to ‘yes’):
    - OPS$TPS
    - SPLEX_ROLE_BOTH

Refer to Appendix B for detail on the accounts identified to have privileged access to POLSAP.

Unrestricted access to privileged IT functions increases the risk of unauthorised/inappropriate access which may lead to the processing of unauthorised or erroneous transactions.

Recommendation
We recommend that management conducts a review of privileged access to IT functions across all in-scope applications and their supporting infrastructure to determine whether the level of privileged access granted is appropriate. Where access is deemed to be inappropriate, this access should be revoked immediately.

For POLSAP accounts associated to the SAP_ALL and SAP_NEW profiles, management should revisit the need to grant this level of privileged access to the production environment. Accounts with the SAP_ALL and SAP_NEW profiles should only be used when needed. Where privileged POLSAP accounts are used to configure and run scheduled jobs, management should consider creating system accounts to run scheduled jobs, so that manual login is not allowed, and individual dialog accounts to configure scheduled jobs, in order to promote accountability.

Where SAP_ALL and SAP_NEW access cannot be removed, it is recommended that a periodic review of the activities executed by the accounts granted permanent SAP_ALL and SAP_NEW access is performed to gain assurance that no inappropriate or unauthorised activity has been performed which may adversely impact the financial statements.

Management should implement monitoring controls to help ensure that controls operated by the third party service providers are in place and are in operation, for example, monitoring of the appropriateness of access to privileged users/profiles.

Management Comment
A Fujitsu project has been established to review all user management and is being led by the CISO for the RMG account (see ref 2).
Fujitsu will cascade to all areas of the account to advise them of the process for new joiners, movers and leavers and will ensure appropriate compliance.
Reporting and evidence to be agreed (see ref 1) regarding BAU reports of Privileged Access abuse to provide POL with the assurances they require.
As part of the embedded BAU process management will review the adequacy and regularity of the controls in place.
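For the POLSAP points above, a monitoring control is more robust when it is keyed on the privileged profiles themselves rather than on a fixed list of account names, so that an account whose only privileged profile is SAP_NEW is not overlooked, and the SAP* hardening expectation (locked, no profiles) can be tested mechanically alongside the login activity of every privileged account. The Python below is an added example, not the auditor's or Fujitsu's code. The user listing and audit lines are constructed: the account names are those in the finding, but their lock status and profile sets here are invented for illustration (SAP* is shown unlocked, as the finding states), and a real run would read the profile assignment extract and the security audit log.

```python
"""Privileged-profile monitoring for an SAP system.

Added example (not the auditor's or Fujitsu's code). USERS and AUDIT_LINES
are constructed samples; real input would be the profile assignment extract
and the security audit log. The check demonstrates why monitoring keyed on
SAP_ALL alone misses accounts whose only privileged profile is SAP_NEW.
"""

PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample listing: account -> (account type, locked?, profiles).
USERS = {
    "SAP*":       ("dialog",  False, {"SAP_ALL", "SAP_NEW"}),
    "DDIC":       ("dialog",  True,  {"SAP_ALL"}),
    "BASISADMIN": ("dialog",  False, {"SAP_ALL", "SAP_NEW"}),
    "WF-ADMIN":   ("service", False, {"SAP_NEW"}),
    "FINUSER01":  ("dialog",  False, {"Z_FINANCE_POSTING"}),
}

# Constructed sample audit lines: "<date> <account> <LOGIN_OK|LOGIN_FAILED>".
AUDIT_LINES = """\
2010-12-01 SAP* LOGIN_FAILED
2010-12-01 SAP* LOGIN_OK
2010-12-02 BASISADMIN LOGIN_OK
2010-12-02 WF-ADMIN LOGIN_OK
2010-12-03 FINUSER01 LOGIN_OK
""".splitlines()


def privileged_accounts(users, profiles=PRIVILEGED_PROFILES):
    """Accounts holding any of `profiles`, mapped to the privileged profiles they hold."""
    return {u: sorted(p & profiles) for u, (_, _, p) in users.items() if p & profiles}


def sap_star_findings(users):
    """Recommended practice: SAP* is locked and holds no profiles."""
    _kind, locked, profiles = users["SAP*"]
    findings = []
    if not locked:
        findings.append("SAP* is not locked")
    if profiles:
        findings.append("SAP* still holds profiles: " + ", ".join(sorted(profiles)))
    return findings


def login_summary(lines, watched):
    """Successful and failed login counts for each watched account."""
    counts = {u: {"LOGIN_OK": 0, "LOGIN_FAILED": 0} for u in watched}
    for line in lines:
        _date, account, result = line.split()
        if account in counts and result in counts[account]:
            counts[account][result] += 1
    return counts


def monitoring_gap(users):
    """Accounts a SAP_ALL-only control overlooks but a SAP_ALL-or-SAP_NEW control covers."""
    current = set(privileged_accounts(users, {"SAP_ALL"}))
    expanded = set(privileged_accounts(users))
    return sorted(expanded - current)


if __name__ == "__main__":
    watched = privileged_accounts(USERS)
    print("privileged accounts:", watched)
    print("SAP* findings:", sap_star_findings(USERS))
    print("logins:", login_summary(AUDIT_LINES, watched))
    print("missed by SAP_ALL-only control:", monitoring_gap(USERS))
```

Deriving the watched set from the profile assignment each month, rather than maintaining it by hand, is what keeps the control aligned with the recommendation to review activity for every account granted permanent SAP_ALL or SAP_NEW access.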
Background
We noted that there is currently no process to review POLSAP user accounts or HNGX back end user accounts on a periodic basis to determine that user access is appropriately granted given the job responsibilities. As a result, our review revealed the following:
- Two out of a sample of 25 active directory accounts belonged to terminated employees whose access to the HNGX estate was no longer required; and
- One account out of a sample of 25 active directory accounts had inappropriate access to the ikey-exemptou-users active directory group within HNGX.

We also noted that there is no process to monitor privileged access to POLSAP and HNGX on a periodic basis. Specifically:
- Whilst we noted that there was a monitoring control in place for privileged access to POLSAP, whereby accounts associated to the SAP_ALL profile are reviewed and monitoring of failed and successful login attempts for the SAP*, DDIC and BASISADMIN accounts is performed, this control does not include accounts associated to the SAP_NEW privileged profile. As part of our walkthrough, we also noted that there was no POL representative present for the December monthly security meeting where the documentation supporting the monitoring controls is reviewed; and
- There are no monitoring controls in place for privileged IT access to HNGX.

Furthermore, we were unable to obtain evidence of the quarterly review of access to the data centre housing the infrastructure supporting POLSAP and HNGX.

Refer to Appendix C for accounts identified to have inappropriate access to HNGX.

Conflicts in segregation of duties and excessive or inappropriate access to financial systems may arise if a regular re-validation of user access is not performed.

Recommendation
Management should consider the implementation of a POL owned periodic review of the appropriateness of access to in-scope applications and their supporting infrastructure. The implementation of this review will assist in the identification of inappropriate access and potential segregation of duties conflicts. In addition, this will act as an additional control to help detect terminated users with continued access to the financial applications.

The following outlines how this process may be implemented:
- User listings containing all active users and their access levels to be generated by IT and emailed to the relevant department managers, whereby they provide responses detailing:
  o Whether the current access of their employees is in line with their job role; and
  o Whether any users require their access to be modified or removed. Where additional access is required, requests should be made through the existing user modification process. Where access is required to be removed, flagging these users and providing comments is sufficient. These responses should be actioned by IT on a timely basis.
- All documentation to support the operation of these controls should be retained, including:
  o Emails to managers requesting responses;
  o Responses from managers detailing whether changes are required (responses should be provided whether changes are required or not); and
  o Overall signoff on the completion of the review from management.

The above review should include all user accounts, including those privileged user accounts owned by IT and vendors. In addition, the individual responsible for performing the review should have limited access to the application in order to prevent the review of their own access.

In terms of monitoring privileged access, management should specifically consider the following:
- Expanding the scope of the current monitoring control for POLSAP to include accounts associated to the SAP_NEW profile;
- Implementing a periodic review of users with privileged access to IT functions within the HNGX estate.

Evidence to support the operation of the above monitoring controls for privileged IT access should also be retained to facilitate the audit of these processes.

Management Comment
A Fujitsu project has been established to review all user management and is being led by the CISO for the RMG account (see ref 2).
Fujitsu will review User Management Process SVM/SEC/PRO/00012 RMGA User Management Process Guide and SVM/SEC/PRO/0006 RMGA Application for Access to the Live Network to ensure that the requirements are documented.
Fujitsu senior management to include responsibilities on all Line managers/Assignment Managers to review the rights of their staff and their appropriateness every quarter.
Quarterly BAU Assurance reports to POL concerning reviews that have occurred across the account will be governed by the Audit Control Governance Board.
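The review procedure set out above is mostly bookkeeping, and the places where such reviews fail are predictable: a manager certifies their own account, a missing response is read as approval, and the removals agreed are never handed to IT with evidence. The Python below is an added example written for this page, not the auditor's or POL's code. It assumes a user listing generated by IT in the shape shown and constructed sample responses, and it routes any account whose owner is also its manager to a separately named escalation reviewer (an assumption made here so that nobody reviews their own access).

```python
"""Manager-based periodic access review with an evidence trail.

Added example (not the auditor's or POL's code). USER_LISTING and RESPONSES
are constructed samples; a real listing would be generated by IT from the
application and directory, and responses would come back from managers.
"""
from collections import defaultdict

DECISIONS = {"keep", "modify", "remove"}

# Constructed sample listing: (account, owner, line manager, access levels).
USER_LISTING = [
    ("jsmith",    "J Smith",   "A Brown", ["CASH_CENTRE_CLERK"]),
    ("abrown",    "A Brown",   "C Green", ["CASH_CENTRE_MANAGER", "SU01"]),
    ("cgreen",    "C Green",   "C Green", ["FINANCE_DIRECTOR"]),   # top of tree: reports to self
    ("svc_batch", "(service)", "A Brown", ["SAP_ALL"]),            # IT/vendor-owned, still in scope
    ("oldstaff",  "P Left",    "A Brown", ["CASH_CENTRE_CLERK"]),
]

# Constructed sample responses: reviewer -> {account: (decision, comment)}.
RESPONSES = {
    "A Brown": {
        "jsmith":    ("keep",   "in role"),
        "svc_batch": ("modify", "remove SAP_ALL; batch role only"),
        "oldstaff":  ("remove", "left 30/09/2010"),
    },
    "C Green": {"abrown": ("keep", "cash centre manager")},
    # The escalation reviewer has not yet responded for "cgreen".
}


def build_review_packs(listing, escalation_reviewer):
    """Group accounts by reviewer; an account is never reviewed by its own owner."""
    packs = defaultdict(list)
    for account, owner, manager, access in listing:
        reviewer = escalation_reviewer if manager == owner else manager
        packs[reviewer].append((account, owner, list(access)))
    return dict(packs)


def validate_responses(responses):
    """Reject decisions outside keep/modify/remove so nothing ambiguous counts as approval."""
    for reviewer, items in responses.items():
        for account, (decision, _comment) in items.items():
            if decision not in DECISIONS:
                raise ValueError(f"{reviewer}: invalid decision {decision!r} for {account}")


def outstanding(packs, responses):
    """(reviewer, account) pairs with no decision; the review is incomplete until empty."""
    return sorted((reviewer, account)
                  for reviewer, items in packs.items()
                  for account, _, _ in items
                  if account not in responses.get(reviewer, {}))


def actions_for_it(responses):
    """Removals and modifications IT must action, with the reviewer's comment as evidence."""
    return sorted((account, decision, comment)
                  for items in responses.values()
                  for account, (decision, comment) in items.items()
                  if decision != "keep")


def review_signoff(listing, responses, escalation_reviewer, signed_by):
    """Evidence record for one cycle; sign-off is recorded only when nothing is outstanding."""
    validate_responses(responses)
    packs = build_review_packs(listing, escalation_reviewer)
    missing = outstanding(packs, responses)
    return {
        "reviewers": sorted(packs),
        "outstanding": missing,
        "actions": actions_for_it(responses),
        "signed_off_by": None if missing else signed_by,
    }


if __name__ == "__main__":
    record = review_signoff(USER_LISTING, RESPONSES, "Audit Committee", "Finance Director")
    for key, value in record.items():
        print(f"{key}: {value}")
```

Keeping the packs, the raw responses and the sign-off record together is the retained documentation the recommendation asks for: the packs are the emails sent, the responses include the explicit "keep" decisions, and the sign-off cannot be produced while any account lacks a decision.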
Strengthen the User Administration Process
Rating: Medium

Background
Our examination of the user administration process implemented for all applications in scope revealed the following:

POLSAP
- We noted that the existing user administration process for the granting, modification and removal of Supply Chain users' access to POLSAP does not include Cash Centre staff. In addition, we confirmed that POL Cash Centre managers are granted limited access to user administration in POLSAP via SU01, allowing them to assign cash centre profiles to users within their depot. As such there is a lack of segregation of duties between the authorisation and granting of access to Cash Centre users;
- From our sample of 25 profile additions on POLSAP we noted the following:
  o For 24 users we were unable to obtain evidence to support the level of access requested and that the access had been authorised by an appropriate individual. From these users we noted that three (3) of these users' access was granted and authorised by CSC with no involvement from POL; and
  o For 14 users we noted that the Cash Centre line manager providing confirmation of the appropriateness of access has limited access to user administration functionality via access to SU01.

HNGX
- The “Change of Access to Live Network” form for the modified user selected for our walkthrough was not authorised by a line manager prior to the request being actioned;
- From our sample of nine active directory user accounts created during the audit period we noted the following:
  o One instance of access being requested via a TFS call rather than via an access request form per the standard user administration process;
  o Three instances of additional access being granted to a user without supporting evidence;
  o One instance of a system account being granted inappropriate access to the “pathways” active directory group.

Refer to Appendix D for detail on the accounts outlined above.

Failure to maintain appropriate documentation for the user administration process increases the risk that accounts with excessive or inappropriate privileges may exist, therefore increasing the risk of unauthorised/unnecessary access to systems. Furthermore, this risk is enhanced by inadequate segregation of duties between the approval and setup of access.

Recommendation
The following improvements are recommended:
- Reviewing the current logical access policy to include definitions of the responsibilities of all parties involved in the user administration process. The policy should also include a description of the overall user administration process;
- Strengthening the existing user administration process implemented within POL and with the third party service providers so that documentation supporting the request, approval and setup/removal of access is retained for all applications in scope;

POLSAP
- Reviewing the current user administration process for POLSAP business users to incorporate Cash Centre users. As part of this review, determine how segregation of incompatible duties can be maintained within the user administration process. Where segregation of duties is impractical, management should consider implementing a monitoring process around the activities of privileged users (i.e. Cash Centre managers with access to SU01);

HNGX
- Implementing a standard user administration process to include all creations, modifications and removals of access to HNGX;
- A review of the documentation involved in the HNGX user administration process (specifically the access request forms and the AD mapping document) to help ensure that access assigned is consistent with the roles defined in the documentation. In situations where access requests are not defined in the AD mapping document or request forms, management should ensure that evidence to support authorisation of any modifications to access is retained.

Where part of the user administration process is controlled by third party service providers, management should ensure adequate monitoring controls are in place to help ensure the controls operate as intended.

Management Comment
A Fujitsu project has been established to review all user management and is being led by the CISO for the RMG account (see ref 2).
Fujitsu will review User Management Process SVM/SEC/PRO/00012 RMGA User Management Process Guide and SVM/SEC/PRO/0006 RMGA Application for Access to the Live Network to ensure that the requirements are documented (see ref 5).
Third parties including other parts of Fujitsu outside of RMG BU also should have obligations upon them to ensure user administration is in place; therefore a review of OLA's, SLA's, NDA's and Contractual agreements is required by Fujitsu to ensure this.
Quarterly BAU Assurance reports to POL concerning reviews that have occurred across the account will be governed by the Audit Control Governance Board (see ref 5).
Post Office is currently reviewing segregation of duty activities within the cash centre system administration processes. Processes, policies and guidelines will be produced and monitored on a regular basis.
Improvements to logical security settings
Rating: Low

Background:
We reviewed the logical security settings for the infrastructure supporting all applications in scope. Our examination revealed the following logical security weaknesses:
• For the operating systems of the Linux application servers (R3A) supporting the POLSAP application and on the Branch Access Layer (BAL) Linux application servers supporting HNGX:
  o We noted that there is no setting in place to restrict root login to the console;
  o We noted that there is no setting in place to disallow non-local login to privileged accounts.
• For the Oracle database supporting SAP XI (XID) and the Branch Database server (BDB) and Transaction Processing System server (DAT) Oracle databases supporting HNGX, we noted that the password for the LISTENER.ORA file has not been enabled and the password entry does not contain an encrypted value.
• Within the Active Directory server controlling access to the HNGX estate (ACD), we noted that the default Administrator account exists.
Inadequate system security settings increase the risk of unauthorised access to financial data.

Recommendation:
Management should consider the following:
• Restricting root login to the console on all Linux servers supporting the in-scope applications;
• Disallowing non-local login to privileged accounts on all Linux servers supporting the in-scope applications;
• Setting an encrypted password for the LISTENER.ORA file on all Oracle databases supporting the in-scope applications;
• Disabling the default Administrator account and creating a new Administrator account with a strong password.
Management should consider implementing monitoring controls to help ensure robust security settings are in place, particularly those operated by third party service providers.

Management Comment:
A technical architectural review of all applications, operating systems and access and authentication tools is to be undertaken by Fujitsu and findings and recommendations will be shared with POL.
Fujitsu will perform a periodic scan of passwords to be made as part of a regular Pen Test Exercise. Findings and exceptions outside of best practice to be raised at the regular embedded BAU monitoring sessions within the existing BAU governance process within POL and to be supported by the Audit Control Governance Board.
[heading partly illegible] the password parameters
Rating: Low

Background:
We reviewed the password configurations for all in-scope applications and the infrastructure supporting these applications. Our examination revealed:
• There are password setting weaknesses within the RMGA Information Security Policy:
  o Number of passwords that must be used prior to using a password again is defined as 'Re-use of the same password must not be permitted for either a specified time or until at least 4 other passwords have been used'; and
  o Account lockout duration is defined as 'the user must be locked out for at least 30 minutes or until reset by an administrator'.
• There are password setting weaknesses within the POLSAP application:
  o Minimum password length is 6 characters. This does not meet the RMG Information Security Policy guideline of a minimum of 7 characters;
  o Idle session time out is set to 3600 seconds. This does not meet the recommended setting of 1800 seconds or less;
  o Table logging is not enabled (i.e. rec/client = OFF). This does not meet the recommended setting of ON.
• There are password setting weaknesses at the Linux operating system level on both the application servers supporting POLSAP (R3A) and HNGX (BAL):
  o Minimum password length is 5 characters. This does not meet the RMGA Information Security Policy guideline of a minimum of 7 characters;
  o Maximum password age is set at 99999 days. This does not meet the RMGA Information Security Policy guideline that passwords must expire in 30 days;
  o Minimum password age is set to 0 days. This does not meet the recommended setting of 1 day;
  o Account lockout after failed login attempts is not set. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts;
  o Password history is not set. This does not meet the recommended setting of 5 passwords; and
  o Idle session timeout is not set. This does not meet the recommended setting of 30 minutes. Note: This setting only applies to the POLSAP R3A platform.
• There are password setting weaknesses on the Windows 2003 Active Directory Controller supporting HNGX:
  o Account lockout threshold is set to 6 failed login attempts. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts;
  o Account lockout reset counter is set to 30 minutes. This does not meet the recommended setting of 60 minutes; and
  o Account lockout duration is set to 30 minutes. This does not meet the recommended setting whereby an Administrator is required to unlock the account.
• There are password setting weaknesses at the Oracle database level on the database servers supporting POLSAP (R3D) and SAP XI (XID) and on the branch database server (BDB) and transaction processing system server (DAT) supporting HNGX:
  o Minimum password length is not set. This does not meet the RMGA Information Security Policy guideline of a minimum of 7 characters;
  o Password composition is not set. This does not meet the RMGA Information Security Policy guideline of alphanumeric;
  o Frequency of forced password changes does not meet the RMGA Information Security Policy guideline of 30 days or less;
  o The number of unsuccessful log on attempts allowed before lockout is set to 10. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts;
  o Account lockout duration is not defined. This does not meet recommended practice of at least 5 days;
  o The number of passwords that must be used prior to using a password again is not set. This does not meet the recommended setting of 5 passwords; and
  o Idle session timeout is not set. This does not meet the recommended setting of 30 minutes.
Refer to Appendix E for actual, recommended and policy requirement settings for the above listed applications, operating systems and databases.
Weak password settings increase the risk of unauthorised access to financial data.

Recommendation:
Whilst we acknowledge that the weaknesses in the application, operating system and database level are mitigated to some extent by the network Active Directory password controls, the following are still recommended to further strengthen the control environment:
a) Review and update the 'RMG Information Security Policy' to meet the recommended good practice password settings outlined below.
b) Configure all network, application and supporting infrastructure components in line with the policy requirements.
(Table of recommended good practice password settings, only partly legible in the source. Recoverable entries: Password setting / Recommended; Minimum … 8 characters; Complexity: Alphanumeric; Frequency of … days or less; Number of … Should be …; Initial log-on …: Enabled; … 5 invalid …; Account lockout …: Forever until …; Idle session …: … minutes.)
Management should consider implementing monitoring controls to help ensure robust security settings are in place, particularly those operated by third party service providers.

Management Comment:
The SVM/SEC/POL/0003 RMG BU Security Policy requires amendment to section 11.2.5 in the next review subject to architectural agreement. Any risks for non-compliance to be identified and communicated to POL.
Fujitsu will cascade to all users, especially SAP and Linux, to advise them of the policy and guidelines, and will ensure appropriate compliance.
Monitoring and communication will be provided to POL through the regular embedded BAU process to ensure access control management is robust.
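The Linux findings above (password ageing and length in the operating system, and non-local login to privileged accounts) can be checked mechanically. The following is an added illustration, not code from the letter or from POL or Fujitsu: it parses constructed /etc/login.defs and sshd_config contents and reports every value that misses the thresholds quoted in the findings (minimum length 7, expiry within 30 days, minimum age 1 day, and no remote root login).

```python
# Added example (not from the E&Y letter or any POL/Fujitsu tool): a small
# compliance check that reads a constructed /etc/login.defs and sshd_config and
# compares them with the thresholds quoted in the findings above.
POLICY = {
    "PASS_MIN_LEN": (">=", 7),    # RMGA policy: minimum of 7 characters
    "PASS_MAX_DAYS": ("<=", 30),  # RMGA policy: passwords must expire in 30 days
    "PASS_MIN_DAYS": (">=", 1),   # recommended setting: minimum age of 1 day
}


def parse_kv(text):
    """Parse 'KEY value' lines (login.defs / sshd_config style), skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0]] = parts[1].strip()
    return settings


def check_login_defs(text):
    """Return (key, actual, requirement) for every setting that misses POLICY."""
    observed = parse_kv(text)
    findings = []
    for key, (op, limit) in POLICY.items():
        raw = observed.get(key)
        actual = int(raw) if raw is not None and raw.isdigit() else None
        ok = actual is not None and (actual >= limit if op == ">=" else actual <= limit)
        if not ok:
            findings.append((key, raw if raw is not None else "(not set)", f"{op} {limit}"))
    return findings


def check_sshd(text):
    """Flag non-local root login: only an explicit 'PermitRootLogin no' passes.
    An absent directive falls back to the OpenSSH default, which is not 'no'."""
    value = parse_kv(text).get("PermitRootLogin")
    actual = "(unset)" if value is None else value.lower()
    return [] if actual == "no" else [("PermitRootLogin", actual, "no")]


# Constructed samples: the weak one mirrors the values reported for the R3A/BAL servers.
WEAK_LOGIN_DEFS = "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n"
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 30\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 7\n"
WEAK_SSHD = "# PermitRootLogin not configured\nPort 22\n"
HARDENED_SSHD = "PermitRootLogin no\n"
```

Running check_login_defs(WEAK_LOGIN_DEFS) reproduces the three Linux findings in the table, while the hardened sample returns an empty list.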
Review of generic privileged accounts
Rating: Medium

Background:
As part of our review of privileged access to all in-scope applications and their supporting infrastructure we noted multiple generic privileged accounts where knowledge of the password to these accounts is shared between individuals:
• We determined that the password to the privileged SYSTEM account on the Oracle database on the BDB server and DAT servers supporting HNGX is known to 4 of the 12 members of the IRE11 TST DBA team. We also noted that the SYSTEM account on the XID and R3D servers supporting the SAP XI and POLSAP applications is known to the SAP Basis team;
• We determined that the password to the privileged DBA account on the Oracle database on the BDB and DAT servers supporting HNGX is known to the RMGA Unix team and 4 of the 12 members of the IRE11 TST DBA team respectively. The DBA account on the XID and R3D Oracle database servers supporting the SAP XI and POLSAP applications is known to the SAP Basis team.
• We determined that the password to the privileged SYS default account on the Oracle database on the BDB and DAT servers supporting HNGX is known to 4 of the 12 members of the IRE11 TST DBA team respectively. The SYS account on the XID and R3D Oracle database servers supporting the SAP XI and POLSAP applications is known to the SAP Basis team.
• We determined that the password to the following accounts with the SAP_ALL privileged profile on POLSAP was known to the 4 members of the Fujitsu Basis Consultants team:
  o ADMINBATCH
  o BASISADMIN
  o OTUSER
  o SOLMANPLMS00
• We determined that the password to the default privileged Administrator account on the Active Directory server controlling access to the HNGX estate was known to the 10 members of the IRE11 NT team.
The use of generic accounts prevents the accountability of their use from being determined and can lead to unauthorised access to financial data.

Recommendation:
Management should consider a review of generic privileged accounts across the in-scope applications and their supporting infrastructure to determine whether such accounts can be replaced with individual user accounts to promote accountability.
Management should consider implementing monitoring controls to help ensure robust security practices are in place, particularly those operated by third party service providers.

Management Comment:
A Fujitsu project has been established to review all user management. This is to include all system/s, accounts and privileges (see ref 2).
Monitoring and communication will be provided to POL through the regular, embedded BAU process to ensure access control management is robust (see ref 8).
10
Improvements to the problem and incident management process
Rating: Low

Background:
We reviewed the processes implemented to determine that problems and incidents are identified, resolved, reviewed and analysed in a timely manner for all in-scope applications. Our examination of these processes revealed the following:
• Two out of five problems were incorrectly classified as problems when they should have been raised as incidents. We also noted that they were not resolved in a timely manner.
There is an increased risk of disruption of key business operations if problems and incidents are not classified correctly and not resolved, reviewed and analysed in a timely manner.

Recommendation:
Management should consider a regular review of the problem and incident management process to ensure that problems and incidents are correctly classified and resolved in a timely manner.

Management Comment:
Agreement of the classification and timescales for the identification, resolution, review and analysis of incidents is to be documented in a review of SVM/SDM/PRO/0001 and SVM/SDM/PRO/0018 Incident Management processes.
As part of the regular embedded BAU process POL will sample review classification of problems and incidents to ensure they are correctly classified. This will be subject to a six monthly review.