POL00031384
POL00031384
=
De I oO itte a STRICTLY PRIVATE AND CONFIDENTIAL
A
HNG-X: Review of AssurancéSources
Deloitte Ref: Project Zebra - Phase 2 Potential Next Steps v2 ~ Discussion document
SUBJECT TO LEGAL PRIVILEGE
POL00031384
POL00031384
Phase 2: Objectives for Discussion
Context to Phase 2
On the 30" April 2014, the Board raised 2 specific questions, and requested thoughts from Deloitte:
1. In the context of specific allegations regarding non-traceable, “phantom” transactions existing in Horizon —
what assurance could be provided over how the system records and maintains the transaction logs;
2. In wider context, what further assurance could be given both pre and post 2010 (when there was a change
in Horizon system in use).
In this context, and considering potential downstream public statements that PO! ay prake, we propose further
work which will:
MO”
« Complete the assessment of assurance sources relating to wane ‘day updating. improvement
suggestions as further work is performed and focussing on t} porting POL identify and respond to
specific risk areas where further assurance work sro idere to strengthen key risk coverage;
« Perform a series of deep dive assessments into areas Of ackni wile ed specific risk;
« From the foundation of the current day risk framework ae assuraice map, look back and construct a
timeline of variances from this known a \ \
Potential Areas of Further Work: Yoo
Phase 2 (a) ~ Deep Dive re: Impl ementation ribs /Reburance Sources (<2wks)
a, \
Goal — to be able to complete commentéry to the Board on sxhroes of comfort that were in place during the HNG-X
implementation in 2010 (which havo beer verbally assent to us so far). Using project governance and testing
specialists, activities being to: x
co Review design of, JING?) XP re jet Govethance versus Deloitte Project Governance Framework;
Review assuranée sources gro ptsiness requirements gathering, documentation and signoff;
o Review assurance( sources relating to unit, system and user acceptance testing, including an assessment
of the ‘coverage’ of any risk assessment (eg: comms failure) and testing with respect to other deep dive
areas of conce’ being” / /
o The Audit ‘Store,
o Third Party Ihteffaces and
o Other key themes of allegations (as provided by POL).
8
Hypothesis — that a public statement could be supported relating to the scope of testing and the assurance over
that testing, as part of the HNG-X implementation.
Phase 2 (b)~ Deep Dive re: IT Environment Risks - Assurance Sources (<2wks)
Goal — to be able to complete commentary to the Board on sources relating to IT Environment Risks since HNG-X
implementation. Using the existing team, activities being to:
o« Perform assurance map timeline analysis to show how the sources of assurance have evolved during and
since 2010 relating to the IT Environment Risks;
« Review external and internal audit findings since implementation in 2010 and assess responses re:
mitigating controls, remediation and follow-up actions;
DRAFT FOR DISCUSSION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00031384
POL00031384
oo Review the documentation that POL produces regarding 3402 “User Entity Compliance Considerations”;
« Prioritise key areas for ISAE 3402 improvement (including clarifications / the removal of ambiguity).
Hypothesis — that a public statement could be supported relating to assurance activities over the current day
supporting IT environment through which Horizon is provided (and this may be extendable to ‘since its
implementation in 2010’ if the assurance map timeline support this).
Phase 2 (c} - Deep Dive re: Specific Risks - Audit Store Control Design (< & >2wks)
Goal — to be able to comment further on the design and operation of the Audit Store (not just its documentation).
The Audit Store is key to their first specific question relating to Horizon’s ability to record and then maintain an
accurate and complete (‘tamper proof’) record of system transactions. Using data governance, integrity and
analytics specialists, activities being to:
Focussing on the current day Audit Store: >
« Based on documentation provided, create a risk framework relating to theAudjt’Store, the data recorded
there-in and its integrity, identifying preventative, detective and monitoring conttals designed to mitigate
these risks (<2wks); g{”*~, \
« Validate this risk and control framework with Fujitsu and POL, agri eing any Patential yaps in the control
response and mapping sources of independent sxsrance a ti activity level {<2wks);
« Link to Phase 2(a) assurance and commentary above (<2Wwks); ‘
c« Perform testing of controls, to Deloitte sample size requirements, wh€re no source of independent
assurance is already available (>2wks); > . \
o« Conduct tests of detail to verify the completene: certain Rey contd} features (>2wks) — including:
o Full reconciliation (Period X) of Audi Store vartactgn contr to the Branch Database and
follow-up of any variances in this reconciliation; . .
Profiling of the Audit Store records by\documént Nouching completeness of documentation;
Inspection of ‘gn degree’ Audittrail matters (eg! tracing of non SPM initiated records);
Rebuilding, from under} ing data, of key Yeports used for monitoring or key control purposes;
Trend analysis and piultvarjant cluster, analytics on Audit Store data.
oo Produce a timeline of histgric changés to functionality relating to the audit store, inspecting key change
control documentation for each historié Ghange (business reasons, design impacts and control impacts
w.r.t to the risk ang -eontoMrarhgwork Above).
f fo
0000
Focussing on the history of je Audit slore: WY
co Perform asSurance’ nap timeline analysis to show how the risk and control framework relating to the Audit
Store (as defined above)fas changed both since 2010 and pre 2010.
\ fo .
Hypothesis — that a public Statemént could be supported relating to the integrity of Horizon’s design regarding the
recording and maintenance of its transaction logs (extendable back to X period?).
Phase 2 (d) ~ Deep Dive re: Specific Risks ~ Adjustment Postings (<2wks)
Goal — to be able to comment further on transactions in the Branch database which are initiated outside of the
Branch / Counter environment, verifying data flow design, control / approval requirements, reconciliations and
enquiring into ‘unusual’ events and handling. Using risk and control specialists, activities being to:
« Visit the Finance Service Centre, inspect documentation and hold interview to establish current day policies
and procedures relating to adjustment postings, including typical sources if issue for which centrally
initiated adjustment postings are created;
2% Review existing sources of assurance over the end-to-end process, linking to implementation requirements
and testing in 2(a) above and how the transactions are recorded in the underlying Audit Store;
oo Identify key risks and controls and how these are monitoring / logged and/or assured;
DRAFT FOR DISCUSSION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00031384
POL00031384
c« Enquire into other matters which may impact the integrity of the adjustment posting process, including:
o adhoc issues and responses experienced in the FSC,
© access controls over adjustment posting functionality,
© appeal processes and resolution activities.
c« Perform analytics on the underlying branch database to confirm that only items posted or approved by the
local Branch are recorded; and consider how the branch database ‘rolls up’ into Branch ledgers and
reconciliations.
Hypothesis — that a public statement could be supported relating to the control and oversight of local branches
transactional activities.
Phase 2 (e} - Deep Dive re: Specific Risks ~ Database Administrator Controls (<2wks)
Goal — to be able to verify the depth of control relating to database administration over both the branch database of
Horizon and the Audit Store. Using existing team, activities being to:
co Perform a deep dive into control activities assured in the ISAE 3402 retating to Vatabase administration;
a Perform a risk assessment over database administration capabilities, andf/how sdch access permissions
could enable the underlying database structure, records or topo amended or deleted in
circumvention of change control procedures.
Hypothesis — that a public statement could be supported muir the log of the underlying database.
<
Phase 2 (f} - Deep Dive r
: Specific Risks
hat is ‘Dut thebe that’s “key”? (>2wks}
Goal — to give confidence that other, potentially key,‘spet ‘risks, ‘Outside Of those in 2(c),(d),(e) above, should not
be reviewed in greater depth to provide further eviderige relat ating to the, iftegrity of Horizon system. Using risk
specialists, activities being to:
\ <
« Conduct an exercise with key. POL (and pé potentially Fyjitsu) stakeholders to define key risks (across all
Horizon processes) relating‘to thé compidteriess- accuracy and timeliness of processing within Horizon and
perform risk clustering andpriortisation.to form the basis of a Specific Risk framework.
eo Consider ranking each, of the’ Wigks by Signi ‘ance and likelinood, to produce a specific risk heat map
V4
Hypothesis — that oi cold be supported relating to a risk assessment over the use of the Horizon
system.
YK MY /
Phase 2 (g) - Deep Dive reySpecific Risks ~ Manual Data Entry Risk (<2wks)
\
Goal — to assess assurance sources over “manual” transactional data entry by Branches (end of day totals /
transactions performed in batch — such as ATM, Post & Go?). Using risk and control specialists, activities being to:
« Work with Horizon specialists to identify all sources of ‘batch total’ data entry performed by Branches on a
repeated basis;
o« Review the risk and control framework governing these processes and identify and review sources of
assurance;
o« Understand how adjustments, due to error and/or fraud are processed, in line with Phase 2 (d) above.
Hypothesis — that a public statement could be supported relating to the control and oversight of local branches
transactional activities.
DRAFT FOR DISCUSSION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00031384
POL00031384
Phase 2 (h) ~ Deep Dive re: Specific Risks — Third Party System Interfaces (>2wks)
Goal - to validate documentation. Using the existing team, activities being to:
oo Seek sources of evidence that relate to 3P system interface logs;
o« Examine contents of such logs to advise on potential next steps.
Note: Before investment in this stage, further verification of implementation testing scenarios and the data flows
from third party systems into the branch database should be considered, as the mitigating counter-database
messaging protocol may mean that third party systems are a step further removed from the risks of
complete/accurate data recording (ie: additional work here in automated interfaces may not be a high priority
area to look at).
Hypothesis — that a public statement could be supported relating to interfaces to third party systems
DRAFT FOR DISCUSSION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Other than as stated below, this documént is confidential and prepared solely for your information and that of other
beneficiaries of our advice listed in our engagement letter. Therefore you should not, refer to or use our name or
this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make
them available or communicate them to any other party. If this document contains details of an arrangement that
could result in a tax or National Insurance saving, no such conditions of confidentiality apply to the details of that
arrangement (for example, for the purpose of discussion with tax authorities). In any event, no other party is
entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who
is shown or gains access to this document.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number 0C303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see
www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00031384
POL00031384