POL00031391 - Deloitte’s HNG-X Review of Assurance Sources : Phase 1- Board Update AT 13/05/2014


Deloitte
STRICTLY PRIVATE AND CONFIDENTIAL

HNG-X: Review of Assurance Sources

Subject to completion [remainder of line illegible]

Deloitte Ref: Board Summary 130514 v2
SUBJECT TO LEGAL PRIVILEGE

Board Update at 13/5/14

Context

Post Office Limited ("POL") is responding to allegations that the "Horizon" IT system used to record transactions in
Post Office branches is defective and that the processes associated with it are inadequate (e.g. that it may be the
source and/or cause of branch losses). POL is committed to ensuring and demonstrating that the current Horizon
system is robust and operates with integrity, within an appropriate control framework.

Since its implementation in branches, POL has commissioned or has received an increasing number of pieces of
work relating to Horizon to provide comfort over its integrity. Deloitte has been appointed to consider whether this
assurance work appropriately covers key risks relating to the integrity of the processing environment and to raise
suggestions for potential improvements in the assurance provision.

Our work was performed in the context of activities we see in other, similar organisations, as well as guidance
offered by recognised, best practice control frameworks. Our work has been performed as a desktop review and
thus has not tested the quality or accuracy of any of the assertions made in documentation provided to us.

This part of our work ("Phase 1") is now complete and will report in full to management on Friday 16th May 2014.
Our work has been extended in certain specific areas ("Phase 2"), the scope of which we also summarise below.
This Phase 2 work will report in summary on Friday 16th May 2014 and in full on Friday 23rd May 2014.

Phase 1 - Approach and Findings

In order to fulfil your objective of being provided with comfort that the Horizon system is fit for purpose and operating
with integrity:

1. Assurance over the system "Baseline" - this provides comfort that the original implementation project
and other changes performed under formal projects were conducted in line with good project management
practices, and that detailed testing was performed against agreed business requirements. Such activity
verifies that the system was, at that point in time, fit for purpose and implemented as intended.

2. Assurance over the system "Provision" - this provides comfort that the underlying IT activities,
necessary for providing a system that can run and be used with integrity, are designed and operating
effectively. Such activity verifies that key day-to-day IT management activities, for example relating to
security, IT operations and system changes, are appropriately governed and controlled.

3. Assurance over the system "Usage" - this provides comfort that key features in the system, designed to
prevent or detect matters that would impact the integrity of processing, are in place and operating as
intended. This area of assurance often requires detailed underlying work and hence is typically conducted
under a prioritised ("risk intelligent") approach.

Overall a significant amount of work has been performed, producing significant volumes of documentation relating
to the Horizon processing environment. This type of work is comparable to that typically seen in other
organisations, where formal risk and control frameworks are not mandated and some IT activities are outsourced.

Our key findings relating to each of the three areas of assurance provision are included in the table below,
including our recommendations for POL to consider in order to provide further key areas of assurance to the Board.

PHASE 1 - BOARD UPDATE AT 13/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.

Assurance Area: System Baseline

Key Findings:
The implementation of HNG-X in 2010 adopted Royal Mail's "Harmony" project governance methodology. Wipro
provided independent assurance that this Project's strategy and delivery of testing, relating to system
performance, was effective. However, the 2010 changes did not significantly impact the design features of the
system which underpin the integrity of processing by the system - hence this assurance should not be relied on by
the Board to provide such Baseline comfort. Provision and examination of further Project documentation has not
yet identified a source of comfort for the Board which we consider reasonably delivers "Baseline" Assurance.
We note that Fujitsu were planning an independent review in this area in July 2012, but did not progress this when
POL appointed Second Sight for purposes understood to be similar.

Recommendations:
We recommend that POL complete their investigation of further Project documents that evidence testing has
been performed at those points in time and thus demonstrates Horizon was fit for the intended business purposes.
In addition, we recommend that the 'baseline' design features, which we will report as part of our extension
work, be: collated by POL and Fujitsu as a holistic schedule of those key 'baseline' features of the processing
environment that must operate effectively for the system to operate with integrity; and tested to evidence
effective implementation and operation.

Assurance Area: System Provision

Key Findings:
The assurance provision relating to the current [text illegible] IT and Fujitsu in this area adopts and delivers
good practice. A formal IT risk assessment has been performed and an IT control framework produced and
independently assured, under a recognised assurance standard (ISAE 3402).
Some areas of documentation would benefit from further detail or clarification of the extent and nature of
testing performed under this standard. Such improvement would also help avoid potential duplication, if
additional assurance work is performed.

Recommendations:
We recommend that POL work with the ISAE 3402 providers to clarify, in those areas we will highlight in our final
report, the extent and nature of testing performed to support their opinion. This will help to ensure that POL's
assurance provision is both complete, sufficiently granular and avoids potential duplication of effort in its
delivery.

Assurance Area: System Usage

Key Findings:
Extensive and detailed documentation relating to the system has been produced by technically competent
professionals, familiar with the detailed design of Horizon. However, documentation relating to wider business
use activities, relevant to the integrity of processing, does not always exist. Documentation available typically
includes good descriptions of the key design features that underpin the integrity of system processing, but
would benefit from enhancement and clarification in certain detailed areas.
No work could be demonstrated that provides independent validation and testing of key assertions contained in
this documentation and thus we conclude that the Board has minimum assurance in this area.
Our extension work (below) is designed to provide suggestions on where such further assurance activity could be
prioritised.

Recommendations:
We recommend that POL extend the formal risk and control framework, already in place for areas of assurance
above, to include these more holistic areas of risk relating to the integrity of processing. For example,
assurance over adjustment posting processes, balance transfer processes and transfer acknowledgement
activities, operating in the Finance Service Centre, should be considered.
This exercise would provide a fully encompassing and coherent framework and a platform from which POL can
deliver more comprehensive, efficient and sustainable comfort that the integrity of system processing is being
managed appropriately on an ongoing basis.

Phase 2 - Scope
POL has extended our work to perform a desktop review of those detailed features of Horizon which:
• ensure that the sub-postmaster has full ownership and visibility of all records in their Branch ledger; and
• ensure that these Branch ledger records are kept by the system with integrity and full audit trail.

Our extension includes a technical validation of the Audit Store’s tamper proof mechanisms and we will also
consider, based on supplied documentation, where key events in the past could have impacted these features.

We will structure our work around the further key questions shown in the diagram below (supplementing those key
questions from Phase 1), identifying high priority features of Horizon which help manage such risks to system
integrity and assessing the extent to which such key features are both documented and assured.

We will then make recommendations on how the Board could prioritise and deliver further assurance in these
specific areas.

Our Phase 2 work will report in full by Friday 23rd May 2014.

[Diagram: Phase 2: Horizon - Key Questions Underpinning Your Confidence in System Integrity. The key questions legible in the diagram are listed below; bracketed gaps mark text that could not be recovered.]

• How do you know the system was fit for purpose and worked as intended when first put in?
• How do you know if major changes since then have impacted the system?
• How do you know that supporting IT processes are well controlled?
• How do you know that everything from the Counter is recorded completely, accurately, and on a timely basis centrally?
• How do you know that everything processed to Branch ledgers is directly posted [illegible] and recorded accurately [illegible]?
• How do you know that information reported from the Audit Store retains original integrity?
• How do you know that DBAs or others granted DBA access have not modified Branch Database data?
• How do you know that [illegible] transactions are approved [illegible] local Branch [illegible]?
• How do you know that all data posted from other [illegible] and teams is visible to and accepted by [illegible]?
• How do you know that the system used by your Finance teams for [illegible] control contains all [illegible] records?

LEGALLY PRIVILEGED AND CONFIDENTIAL, © Deloitte LLP 2014

Other than as stated below, this document is confidential and prepared solely for your information and that of other
beneficiaries of our advice listed in our engagement letter. Therefore you should not refer to or use our name or
this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make
them available or communicate them to any other party. If this document contains details of an arrangement that
could result in a tax or National Insurance saving, no such conditions of confidentiality apply to the details of that
arrangement (for example, for the purpose of discussion with tax authorities). In any event, no other party is
entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who
is shown or gains access to this document.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number 0C303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see
www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
