POL00030261
Audit Results Report for the year ended
28 March 2010
Royal Mail Holdings plc
Royal Mail reference: ARC (10)21
13 May 2010
ERNST & YOUNG
F/646.1/1
CONTROL THEMES AND OBSERVATIONS
IT
Audit process and approach
During 2010, Royal Mail Group Information Technology continued its transformation in the
areas of project management, systems implementation (SAP-HR) and IT security, through
the placement of a Chief Information Security Officer. Following the significant
improvements noted in our reports in 2008 and 2009, the Royal Mail Group ('RMG') IT
audit continues to be an efficient and effective process. Key individuals within the Group IT
function are responsible for managing third party suppliers, particularly the outsourced
service provider, CSC, and for delivery of our audit information requests. Whilst some
improvements were noted in the POL IT audit process, we continue to face difficulties in
obtaining accurate information from Fujitsu, one of the outsourced providers of POL IT
systems. This is discussed in more detail below.
In order to make our audit approach as efficient as possible, we seek to rely on SAS 70
audits. These are independent audit reports over the control environments of the
Group's IT suppliers. Whilst we were able to place reliance on this third party testing for
one of the Group's suppliers, CSC, we were unable to place reliance on Fujitsu, because no
SAS 70 audit report was available. The Fujitsu control environment is bespoke to
POL, and therefore the cost of a SAS 70 is borne entirely by POL, whereas for CSC the
control environment is shared by a number of companies and therefore the cost is shared.
The cost of Fujitsu obtaining a SAS 70 audit was prohibitive; we therefore performed
our own independent audit procedures to obtain assurance over the Fujitsu IT general
control environment.
Control observations
POL has made significant changes to its IT environment in 2010, resulting in the inclusion
in scope of the Credence application for the first time, replacing POL-MI and the Reference
Data System. During 2010, POL also worked with Fujitsu to deliver a new version of the
Horizon application used at, and in support of, Post Office branches. This new version of
Horizon was also included in scope.
Following difficulties in performing the IT general control procedures with Fujitsu in 2009, a
new key contact was identified to assist in the management of the IT general controls
procedures with Fujitsu. However, challenges were again experienced in obtaining audit
evidence in a complete and timely manner from Fujitsu, resulting in significant delays in
completion of the IT general control procedures. We were not able to identify an individual
within POL who owns the relationships with outsourced providers and could reinforce our requests,
and we required intervention from senior POL finance staff and senior Fujitsu UK
executives. An alternate contact from Fujitsu has been proposed and we will develop this
relationship into 2010-11, aiming for a more efficient process.
While the controls operated by Fujitsu on behalf of Post Office were appropriately designed,
an exception was noted in the revocation of user access. Access was immediately revoked
by Fujitsu when this was identified.
Our procedures relating to Credence found a lack of segregation of duties between the
development and production environments. We also found that complete records were not
available such that we could test that developers were not moving their own changes into
production. Further, we found that password controls on Credence were aligned with the
password configuration standards required by Post Office. As a result of the findings on
Credence, additional audit procedures were performed to address risks associated with
reports and information used from Credence in the operation of controls and as audit
evidence, with no issues noted.
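The Credence findings above turn on two separate tests: whether the account that developed a change is also the account that promoted it (or approved it), and whether the promotion records are complete enough for that test to be run at all. The following is an added illustration of how such a test is typically scripted against an exported change log; it is not code from the audit, from Post Office or from Fujitsu, and the change identifiers, account names and record layout are constructed for the example.

```python
"""Segregation-of-duties test over a constructed change-promotion log.

A record is a violation when one account both developed and deployed (or
approved) a change, and is untestable when the deployment record is missing,
which is the evidence gap that prevents the control from being tested.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    developer: str
    deployer: Optional[str]   # None when the production deployment log has no entry
    approver: Optional[str]   # None when no approval was recorded


# Constructed sample log; identifiers and accounts are illustrative only.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "dev_alice", "ops_bob", "mgr_carol"),   # clean
    ChangeRecord("CHG-1002", "dev_dave", "dev_dave", "mgr_carol"),   # developer deployed own change
    ChangeRecord("CHG-1003", "dev_alice", None, "mgr_carol"),        # no deployment record: untestable
    ChangeRecord("CHG-1004", "dev_erin", "ops_bob", None),           # no approval recorded
    ChangeRecord("CHG-1005", "dev_erin", "ops_bob", "dev_erin"),     # developer approved own change
]


def classify(change: ChangeRecord) -> List[str]:
    """Return the finding codes for one record; an empty list means clean."""
    findings = []
    if change.deployer is None:
        # Without a deployer we cannot assert SoD either way; report the gap itself.
        findings.append("INCOMPLETE_RECORD")
    elif change.deployer == change.developer:
        findings.append("SOD_DEV_DEPLOY")
    if change.approver is None:
        findings.append("NO_APPROVAL")
    elif change.approver == change.developer:
        findings.append("SOD_SELF_APPROVAL")
    return findings


def review(changes: List[ChangeRecord]) -> dict:
    """Map change_id -> findings, omitting records with no findings."""
    result = {}
    for change in changes:
        findings = classify(change)
        if findings:
            result[change.change_id] = findings
    return result


def coverage(changes: List[ChangeRecord]) -> float:
    """Fraction of records on which the developer/deployer test could be performed."""
    if not changes:
        return 0.0
    testable = [c for c in changes if c.deployer is not None]
    return len(testable) / len(changes)


if __name__ == "__main__":
    for change_id, findings in review(SAMPLE_CHANGES).items():
        print(change_id, ", ".join(findings))
    print(f"developer/deployer test coverage: {coverage(SAMPLE_CHANGES):.0%}")
```

Reporting the incomplete records as a finding in their own right, rather than silently skipping them, is what lets the reviewer state how much of the population the control could actually be tested over.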
Status on 2008-09 management letter points
In 2008 and 2009 we noted third party users with SAP_ALL access (unlimited access to
the SAP systems). In 2010 we found that only select individuals and user IDs had this
access, and that controls had been established to monitor the actions of users with SAP_ALL access
and to periodically review the requirement for SAP_ALL access. Our testing of these
compensating controls concluded that the controls were operating effectively.
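The periodic review described above is in practice a reconciliation: every holder of SAP_ALL in the current user/profile extract must appear in an approved-exceptions register, and each approval must have been re-reviewed within the agreed period. The following is an added example of that reconciliation; it is not code from the audit or from Royal Mail, the user IDs, register entries, dates and the 90-day review period are all constructed, and a real extract would come from the SAP user/profile tables rather than an inline list.

```python
"""Reconcile SAP_ALL holders against an approved-exceptions register.

Inputs are constructed for this example. A real run would read the user/profile
assignment extract and the exceptions register from the SAP system and the
access-governance records respectively.
"""
from datetime import date, timedelta
from typing import Dict, List

# Constructed user/profile extract (one row per assignment).
USER_PROFILES: List[Dict[str, str]] = [
    {"user": "BASIS01", "profile": "SAP_ALL", "type": "dialog"},
    {"user": "CSC_SUPPORT3", "profile": "SAP_ALL", "type": "dialog"},
    {"user": "BATCH_FI", "profile": "SAP_ALL", "type": "system"},
    {"user": "JSMITH", "profile": "Z_FI_DISPLAY", "type": "dialog"},
    {"user": "TMP_CONSULT", "profile": "SAP_ALL", "type": "dialog"},
]

# Constructed register of approved SAP_ALL exceptions: owner and date of last review.
APPROVED_SAP_ALL: Dict[str, dict] = {
    "BASIS01": {"owner": "it_security", "last_review": date(2010, 3, 1)},
    "CSC_SUPPORT3": {"owner": "it_security", "last_review": date(2009, 9, 15)},
    "BATCH_FI": {"owner": "finance_systems", "last_review": date(2010, 2, 20)},
}

REVIEW_PERIOD = timedelta(days=90)   # assumed review cycle, not taken from the audit


def sap_all_holders(profiles: List[Dict[str, str]]) -> set:
    """User IDs holding the SAP_ALL profile in the extract."""
    return {row["user"] for row in profiles if row["profile"] == "SAP_ALL"}


def sap_all_review(profiles, register, as_of: date, period: timedelta = REVIEW_PERIOD) -> Dict[str, str]:
    """Return one finding per user that fails the review.

    UNAPPROVED:      holds SAP_ALL but is not in the register.
    REVIEW_OVERDUE:  in the register, but last reviewed more than `period` ago.
    STALE_ENTRY:     in the register but no longer holds SAP_ALL (register needs cleanup).
    """
    findings: Dict[str, str] = {}
    holders = sap_all_holders(profiles)
    for user in sorted(holders):
        entry = register.get(user)
        if entry is None:
            findings[user] = "UNAPPROVED"
        elif as_of - entry["last_review"] > period:
            findings[user] = "REVIEW_OVERDUE"
    for user in sorted(set(register) - holders):
        findings[user] = "STALE_ENTRY"
    return findings


if __name__ == "__main__":
    # Run the review as at the 2010 year end used by this report.
    for user, finding in sap_all_review(USER_PROFILES, APPROVED_SAP_ALL, date(2010, 3, 28)).items():
        print(f"{user:14} {finding}")
```

The stale-entry check matters as much as the unapproved check: an exceptions register that still lists users who no longer hold the profile is evidence that the periodic review is not actually being performed against the live system.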
2010-11 challenges
The challenges the Group faces in 2010-11 will be the continued transformation of IT and
the delineation of IT services provided by CSC and Fujitsu. We understand that some of
this separation is already underway as certain SAP environments move to Fujitsu and other
service providers away from CSC, the primary provider for Royal Mail Group.
The implementation of the SAP-HR system to replace the existing Infinium payroll
application will present a potentially significant risk to Royal Mail, as it introduces a major
application supporting the payroll of tens of thousands of employees. The implementation
team, in conjunction with Internal Audit, has sought our input in the planning phase of the
project, and we are currently working to review the proposed control framework,
highlight potential gaps and share best practice. We are also reviewing the proposed
system security and the plan for data migration from the existing system, drawing on our
experience from similar exercises at other clients.