POL00031727 - Horizon audit KPMG V2.2 - Client draft release


Interim report into the progress made to address six HITJ Report issues
Post Office Limited

*Please be aware that this report does not yet include inputs from Fujitsu Solutions Limited

16 December 2020
V2.2 ~ Client draft release

This interim report is provided pursuant to the terms of our contract with Post Office Limited (POL). The report is intended solely for
internal purposes by the management of POL and should not be used by or distributed to others without our prior written consent. To the
fullest extent permitted by law, KPMG LLP does not assume any responsibility and will not accept any liability in respect of this Report to
any party other than the Beneficiaries.


Executive summary
A summary view of our current findings, reflecting on the substantive issues that have emerged beyond
those examined through the lens of Judgement No. 6.

Emerging observations

Our observations are summarised in this section. They are aligned to the six HITJ Report issues we are
auditing.

Emerging observations in detail — mapped to theme:

These observations are currently limited to our interactions with POL stakeholders.
As access to FJ is facilitated, this section of the report will be validated and clarified.

Appendices

Documents examined, stakeholders and meetings

Please note:

Emerging observations relate primarily to the currently reviewed Post Office Limited (POL) elements of Horizon
or POL's ability to view/manage identified elements of Horizon.

At the time of drafting this interim report engagement with Fujitsu (FJ) has not been possible. Content is therefore
the product of the evolving engagement with POL stakeholders only and review of FJ elements POL have been
able to provide.

It is anticipated that information from FJ will be available from mid January to mid February 2021, at which time
this interim report will be validated and updated where necessary. As such the contents of this report may not
accurately reflect the current state.

© 2020 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

Document Classification: KPMG Confidential


Post Office Limited (“POL”) is going through a major program of work to
address historical failings in its core Branch computer system (“Horizon”).
Horizon is used for transactions between POL and its Postmaster branch
network, and is owned, maintained and managed by Fujitsu Services
Limited ("FJ").

Postmasters raised issues with Horizon and these were linked to
prosecutions and convictions of Postmasters for offences such as theft
and false accounting.

In December 2019 POL settled with a group of claimants who established
legal action against POL in response to their convictions. Following this
settlement, the High Court ruled in the claimants’ favour. In February 2020
a public inquiry (“Inquiry”) was announced into the matter, with terms of
reference and the appointment of a chair being announced in September
2020.

The terms of reference of the Inquiry include “whether lessons have been
learned and concrete changes have taken place or are underway at Post
Office Ltd”, with respect to Judgment (No3) “Common Issues” and
Judgment (No 6) “Horizon issues”.

Subsequent actions

In response to the Judgement in October 2020 POL engaged KPMG LLP
("KPMG") to review progress made since the Judgement in 2019 and to
provide recommendations against observations. The engagement was
established to help POL report into the public inquiry; specifically,
Judgement No 6, the Horizon issues, summarised on page 9. The content
of this report was thus predicated upon KPMG’s review against these six
areas of concern.

DRAFT FOR DISCUSSION PURPOSES ONLY

To provide an independent view of progress made to address previously
identified failings categorised in Judgement No. 6 as the following six areas:

• Privileged Access Management
• Remote Access
• Software Development Lifecycle, Testing and Quality Assurance
• Known Error Logs – current
• Known Error Logs – historic
• Horizon Next Generation (HNGA) Robustness

Section 1 introduces our report findings and key themes and a proposed
remediation programme structure. We raise Fundamental Issues which we
see as underlying issues which, if not addressed, will prevent the
improvements that are needed from being sustained. The main body of the
report has two lenses for our observations: Section 2 provides a summary
view based upon each of the above scope areas and Section 3 provides our
detailed findings within key themes, mapped to the HITJ report.

Appendices 1 to 3 provide details of the documents, interviewees and meetings
which have shaped our opinion in this report.


Executive summary

This section provides a summary view of our current findings and
reflects on the substantive issues that have emerged beyond those
examined through the lens of Judgement No. 6.

Please be aware that this section does not yet include inputs from Fujitsu
Solutions Limited.


Core message

Change is happening, but fundamental issues must be addressed to effectively re-establish Postmaster trust

The Inquiry demands change and (data) integrity

One of the central tenets of the Inquiry is that POL must change and be able to
confidently assure Postmasters on the integrity of their branch data, and that
POL must be able to provide externally assured confidence in the approach by
key suppliers (or by itself). In short Postmaster trust must be re-established.

This requires POL to demonstrate it understands its Postmasters and the
demands they face as the customer-facing sales force. It must be able to
manage and address risk in the broadest sense of the business definition, both
internally and, by extension of the approach, with its suppliers, and be based
upon a stable platform within a supportive environment for its Branch network,
be it direct or franchisee. It needs to make its business and that of its
representatives safe, trusted, uncomplicated to run and accountable.

Change is happening

POL's appointment of a GLO/Horizon IT Director and the building of a capability
with a revised operating model to manage the Horizon IT estate and
relationships is a clear signal of intent by POL.

The team is assessing the current Known Errors in Horizon and has established
a method of approach which both improves inclusion and alleviates the impact
on Postmasters. Encouragingly, this signposts that the ‘voice of the Postmaster’
is central to C-level understanding of the need to accelerate change in what is a
unique organisation, with a core social purpose.

Fundamental issues remain

Our observations to date have established that there are fundamental issues
which must be first addressed in order to effectively drive the change that is
desired. This is critical in successfully landing the Strategic Platform Migration
(SPM) currently being derived in a newly formed transformation unit. By way of
illustration:

• The established organisational design and culture, and the way in which
process and risk are managed in the areas identified within the Judgement,
means that governance and process gaps exist;

• The outsourcing of activity has affected the (assumed) delegation of
accountability; and

• Individuals are primarily concerned with their own area of responsibility.
There is no apparent challenge between siloed roles to broaden, connect or
change this, thus no visible collective management of risk and controls.

Consequently, there is a lack of consistent, reliable management of Horizon;
process, frameworks and approaches are not currently fit for purpose.
Moreover, the Horizon operating model and that of POL which it interfaces with
require significant attention to transform the Post Office into a successful and
future-proof direct and franchise-based model. Our observations therefore go
beyond and behind the core findings of Judgement No. 6, as the two cannot be
separated.

Two high-level illustrations of the reach of our observations are:

• Process – Section 9D – 3LOD. This highlights the lack of internal
communication of the Judgement finding actions to relevant teams in the
context of the need to address these at an operational level.

• Process – Section 14A – No User Acceptance Testing of Horizon releases is
performed and the impact of change on branch users is not considered.

Core message (cont.)

There is more that needs to be done

The main body of this report (Section 3) is categorised according to eight
themes. They align to the GLO/ Horizon IT target operating model currently
being designed and are split as follows:

Organisational wide:
1. Governance
2. Capabilities
3. Processes
4. Culture and conduct

Horizon service management:
5. Data
6. Systems
7. Supplier and performance management
8. Technology

We also provide a HITJ report issues view — this is found in Section 2 and
summarised on page 9. Both point to Fundamental Issues (summarised on
pages 7 and 8) which go to the core of POL being able to address the HITJ
report issues. As such, significant further remediation is needed across all eight
themes in order to address the six HITJ report issues and land the SPM. In
effect, addressing the observed themes will allow POL to drive a successful
business through its direct and franchise branch network.

Implementation roadmap

POL and the Horizon team are making progress. The immediate challenge
however must be to ensure that any in-flight activities, such as the migration
from Belfast and the underlying arrangements are assured as fit-for-future.

The workstreams we propose within the GLO/ Horizon IT target operating
model are all critical to the delivery of SPM (see page 10). However, our
concern is that there is limited value in commencing these if POL does not
embrace the changes which have to originate from the parent body. Put simply,
the new Horizon team needs the support of POL to succeed. Culture, roles,
responsibilities, understanding of risk, processes cannot be sustained in
isolation, nor can the interdependencies be ignored.

The proposed roadmap must start with an organisation
that collaborates internally as well as with its Branches and its vendors, and
identifies areas of quick-fix and foundational change, such as:

• Establish an oversight board to coordinate and govern the programme.
• Identify interdependencies between POL, vendors and Horizon.
• Review, update and train staff in key roles of risk and governance.

In summary, the observations thus far point to issues which extend to people,
process and technology at a POL-wide level, and whilst change can be effected
within Horizon, POL must lead and follow the same path to succeed.

Conclusion

There is an apparent culture within POL which needs to adapt quickly,
embracing a collective responsibility where changes, in areas such as vendor
management, roles, responsibilities, process, training and technology, will
endure within the new operating model.

POL needs to reflect its Social Purpose in its internal business engagement by
adapting and maturing as an organisation to embed the improvements it is
about to make within Horizon. It needs to ensure these are driven through its
public-customer facing lens; that of the Postmasters, and these must be driven
throughout the POL organisation. The following pages of this section expand
upon this point.

*Please note, our conclusion will continue to develop following receipt of
information from FJ, and in some cases may change as a result.

Fundamental issues

Fundamental issues are present which go to the core of you being able to address the HITJ report issues.

Our report includes a set of broad-based observations or fundamental issues that must be addressed, without which any resolution of the wider observations will
be unsustainable. They are summarised here and denoted throughout the report with a marker symbol.

These Fundamental Issues have been uncovered throughout the Horizon investigation to date, however, it must be noted that it is highly probable that these
issues are POL-wide, and may have a much wider impact than just within Horizon. It would be appropriate for POL to investigate further, to ensure that company
wide policies, processes and approaches are in place, and that these are effective. This would validate that the expected management of other vendors, platforms
and systems is taking place within the company.

Additionally, a number of Emerging Issues have been identified during the architectural review. These items do require further investigation, however, as they
have the potential to cause serious problems that would align with the concerns of the Judgement, we have included them in this report for awareness. These are
found on the following pages.

Fundamental issues (theme numbers as denoted in Section 4):

1. Governance
• The accountability, ownership and responsibility for all management and control aspects on Horizon is not clearly defined between POL, FJ and
other vendors.
• Notable gaps exist in vendor management, service performance management and contract renewal.

4. Regulatory Compliance
• KPMG has a concern that the lack of coordination in areas of Governance, above, and the absence of collaborative effort between monitoring and
oversight of Horizon regulatory compliance and risk management is significant, which may have impacted POL's ability to meet its
FCA/PRA obligations. POL and FJ have a programme in place to resolve a non-compliance issue regarding unencrypted PCI data, and GDPR PII
requirements are not currently being met.

8. Risk Management maturity
• POL's approach to risk assessment and management is unclear with regards to how IT operational risks are managed. This is compounded by
concerns over the use and suitability of Archer as a tool to monitor, identify dependencies, aggregate risks and highlight potential impact.

9. Risk Management at Three Lines of Defence (3LOD)
• The Second and Third Lines of Defence do not seem to work in coordination and appear to operate independently. Review and assessment
of Horizon is provided by Fujitsu (via monthly reports); this self-assessment is not challenged by POL, and there seems to be no independent
review of Horizon by POL 3LOD staff. Audits conducted by the third line of defence tend to be thematic rather than risk based, and do not delve
into IT controls to determine the effectiveness of these controls.
• We observed that the judgement issues have not been shared with the second and third lines of defence, meaning that the items were not being
tracked as corporate risks, or used as focus items for Internal Audit to examine.

Fundamental issues (cont.)

10. Contractual Arrangements (Process)
• The strategic IT vendor management process is performed on an ad-hoc basis rather than at regular, set intervals. These ad-hoc reviews do not
apply the latest business needs or re-evaluation of the required service levels against the contracts.

13. IT Controls Framework (Process)
• The IT COBIT controls are not implemented at a meaningful and granular level, and the controls framework does not actually apply robust and
effective controls to IT processes across delivery, operations, change management and vendor management.

17. Ambiguous attitude to taking accountability, ownership and responsibilities, especially for GLO remediation (Culture and Conduct)
• There appears to be a lack of understanding and/or acceptance of responsibilities and accountability across the POL landscape. Furthermore, the
importance of process changes required from the Inquiry does not seem to be understood, and there is a lack of urgency to develop the appropriate
response to the judgement items.
• Apart from within the GLO team, there appears to be no detailed planning to address the judgement findings.
• There seems to be little willingness to challenge vendors within supplier relationships, and the contractual management framework is trusted as being
fit for purpose and is not challenged.

As stated on Page 6, the following section is specific to our emerging themes, which are reflective of the ongoing discovery of the Horizon and wider POL points of impact on Horizon.
These are of sufficient note that, even at this early stage of discovery, they have been included within this report.

Emerging issues

“Non recoverable” or “lost” transaction types
• It is possible, in the current architecture, to begin the process of buying a product and then to exit from the process before payment is attempted. The
fact that this process was initiated, and a basket created, is not captured or persisted (generally) until such time as the process is completed by
making a payment. This means that certain products can be allocated and provided without there ever being a record that this was done. This feature
of the architecture allows various undocumented work-arounds and has the potential to be a vector for fraudulent transactions.

Branch workarounds
• There are various mechanisms within the Horizon platform that facilitate variations in the way Postmasters use the platform depending on their
particular business situation. For example, where a Postmaster operates a retail shop and a Post Office Limited counter and has no separate EPOS system
for their non Post Office Limited business, Postmasters may feel the need to use workarounds such as stamp reversals to allow them to use the
Horizon platform and payments mechanisms to pay for stock items not supplied by the Post Office Limited, for the sake of supplying a convenient
single payment point for their shop customers. These processes and working practices have a high degree of risk associated, since errors and
accounting mistakes can easily be made and there are some variations on how these facilities are used.

Enfranchisement
• The franchise structure that POL has set up has to take into account the various types and formats of the POL counters (dedicated, mixed business,
supplementary business, hybrid); however, this does not seem to be the case. Our initial findings indicate that there is not an adequate and
standardised base which can be used to build upon a complex, multifunctional organisation that can act in a consistent and reliable manner. For
example, franchise post offices, when hiring staff, use their own contracts which are not necessarily POL templates or standardised POL contracts.
This means that there is no consistency between POL's staff contracts.

Horizon judgement issues

Please note: Emerging observations relate primarily to the currently reviewed Post
Office Limited (POL) elements of Horizon or POL's ability to view/manage identified
elements of Horizon. At the time of drafting this interim report engagement with
Fujitsu (FJ) has not been possible. Content is therefore the product of the evolving
engagement with POL stakeholders only and review of FJ elements POL have
been able to provide. It is anticipated that information from FJ will be available from
mid January to mid February 2021, at which time this interim report will be
validated and updated where necessary. As such the contents of this report may
not accurately reflect the current state.

Observations are summarised here according to the six HITJ report issues.
More detail can be found in Section 2.

Privileged Access Management: There is no notable progress on an
approach to privilege or elevated access controls within the POL Horizon
environment beyond basic user enablement and access. No tooling is
deployed to automate and reduce human error. Moreover, there are scripts
or applications that are used to resolve issues within Horizon which do
not use such controls either.

Remote Access: The POL environments use limited controls around
Remote Access and although a few operational changes have
been implemented since the Judgement (post COVID) these do not
represent an improvement in the overall profile for Remote Access, which
remains sub-optimal.

Software Development Lifecycle, Testing and Quality Assurance:
Overall, the governance and control of the SDLC and Testing within POL is
immature and requires immediate attention, with critical actions to take
place as soon as possible. It is clear that limited focus has been applied to
this area, and there have been no substantial or incremental improvements
since the judgement in November 2019.

Known Error Logs (KELs) — current: Whilst there has been definite
improvement in the handling of current KELs, this progress has occurred
recently, with the commissioning of a dedicated owner, with a support team,
to take control of the KELs and drive them to conclusion. An updated and
improved process is being implemented, and tighter controls have been put
in place. Buy-in and commitment from the third parties has likewise
improved.

Known Error Logs – historic: Without more technical detail being
supplied for each of the historic KELs it is not possible to determine if each
of these items has been successfully resolved, or if they are still
outstanding. Whilst POL has improved the tracking and monitoring of the
historic KELs, there is still a large gap in the level of information being
supplied from the third parties regarding these KELs. Without that
information forthcoming, it will not be possible to conclusively close each of
these items.

Horizon Next Generation (HNGA) Robustness: This is a critical
outstanding area; POL has not implemented the expected and required
controls regarding robustness to give confidence that the Horizon platform
is resilient and reliable. Currently there is too much reliance upon FJ and
other vendors to handle robustness; this is not appropriate, and leaves POL
in a high risk position, as each vendor may be monitoring and controlling
their own scope, but the holistic and overall responsibility lies with POL.

Implementation roadmap

The suggested implementation approach

[Roadmap diagram; workstream groupings include Data governance and Governance. Legible workstreams:]

4. Review and risk assess live projects to address gap in POL change mgmt
5. Perform regulatory change/impact assessment to ensure POL's regulatory compliance, inc. rectifying any gaps
8. Overhaul IAM management (single user view, access and privileged access mgmt, strong authentication, tracking, reporting, automated certifications)
9. Implement thorough Organisational Test Policy
14. Refresh change mgmt process to latest standards, including delivery methodologies, quality controls, programme and project governance, tooling, and mgmt. structures
15. Include contractual components in branch agreements and employee training
16. Introduce HZ Information Asset Register
17. Drive HZ Data Management Training and Awareness


Emerging observations

Our observations are summarised in this section. They are aligned to the six HITJ
Report issues we are auditing.


Horizon judgement mapping

For each emerging observation detailed in Section 4 we have themed them and provided a mapping
to one or more of the six HITJ report issues we have been tasked with auditing. These are:

• Privileged Access Management
• Remote Access
• Known Error Logs – current
• Known Error Logs – historic
• Software Development Lifecycle, Testing and Quality Assurance
• Horizon Next Generation (HNGA) Robustness

On the following pages we provide a summary narrative for each HITJ report issue, pulling together
multiple low level observations into higher level observations. In this table we list the number of
themes mapped to each issue.

HITJ report issue                                              # of themes mapped
Privileged Access Management                                    4
Remote Access                                                   2
Software Development Lifecycle, Testing and Quality Assurance   5
Known Error Logs – current
Known Error Logs – historic
Horizon Next Generation (HNGA) Robustness

Privileged access management

The observations that align to privileged access management are as follows.

Overall theme: a low-maturity, inefficient and uncoordinated approach in all aspects of IAM, with no view of priorities/risk exposures, requiring immediate attention.

Theme: 1. Governance
Sub-theme: 3. Identity administration, Access governance, Privileged and Remote Access (IAM) – core systems and management
Narrative:
• No coherent approach to IAM exists, with high degrees of manual process and no consolidated source of truth for all users,
creating a sub-optimal process for all joiner-mover-leaver and certification processes.
• There are no policies, guidance or controls to manage or audit elevated access.
• There is a lack of visibility of vendors' users or activities, including elevated and privileged users, with differing processes and
a lack of correlation between user groups.
• Toxic combination and segregation of duties checks are not made upon user creation or rights elevation.

Theme: 1. Governance
Sub-theme: 3. Identity administration, Access governance, Privileged and Remote Access (IAM) – certification and remediation
Narrative:
• Access review of all user types is inconsistent in timing and conducted 6-monthly for Global users, and within seven days
for Global user leavers. No such process exists for Branch users.
• The lack of understanding of the Horizon estate inhibits risk-based good governance processes.

Theme: 1. Governance
Sub-theme: 3. Identity administration, Access governance, Privileged and Remote Access (IAM) (Branches)
Narrative:
• Postmasters can create user types and have elevated function rights including password creation. No auditing or controls
are driven by POL to limit the use of these rights.

Theme: 3. Processes
Sub-theme: 12. SmartID/Authentication
Narrative:
• Joiner-mover-leaver processes are not defined, with leaver detection based primarily on inactivity; thus inactive users,
including those with elevated or privileged rights, may continue to be active. This is a known issue in the Branch network for
SmartID users.
• (Branches) Leavers' accounts are left active by Branch managers with elevated rights, enabling user account sharing.
• The approval process for access rights does not have a four-eyes check approach for POL Global users and Branch users.
• There is no method of consistently enabling, monitoring, ceasing or auditing elevated and privileged access to ensure
prompt and appropriate access.

Theme: 8. Technology
Sub-theme: 23. Tooling – IAM & GRC
Narrative:
• POL makes minimal (tactical) use of its current commercial IAM tools and has no strategy for IAM/GRC.
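The access-governance gaps recorded above (leaver detection that relies on inactivity, elevated rights granted without a four-eyes check, and no toxic-combination or segregation-of-duties check on creation or elevation) are the kind of thing a periodic access-certification run should surface. The following is an added example written for this page; it is not code from the KPMG report, POL or Fujitsu. The account records, role names, approver fields and the 90-day inactivity threshold are constructed assumptions.

```python
"""Minimal access-certification check for privileged and inactive accounts.

Added example, not from the report or any Horizon system. Account records,
role names and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed segregation-of-duties rules: role pairs that should never be
# held by one account (hypothetical role names).
TOXIC_COMBINATIONS = {
    frozenset({"create_user", "approve_access"}),
    frozenset({"reference_data_change", "release_approver"}),
}

# Assumed policy: an account with no activity beyond this many days is a
# possible leaver and must be reviewed rather than left active.
INACTIVITY_LIMIT_DAYS = 90


@dataclass
class Account:
    user_id: str
    roles: set
    last_activity: date
    privileged: bool
    approvers: tuple = ()  # who signed off the grant; empty = no record


def toxic_roles(account):
    """Return the toxic role combinations present on one account, sorted."""
    return [tuple(sorted(c)) for c in TOXIC_COMBINATIONS if c <= account.roles]


def certify(accounts, today):
    """Run the certification checks and return {user_id: [findings]}.

    Checks: inactivity (any account, higher severity if privileged),
    four-eyes approval of elevated rights, and toxic role combinations.
    """
    findings = {}
    for a in accounts:
        issues = []
        idle_days = (today - a.last_activity).days
        if idle_days > INACTIVITY_LIMIT_DAYS:
            sev = "HIGH" if a.privileged else "MEDIUM"
            issues.append(f"{sev}: no activity for {idle_days} days (possible leaver)")
        # Elevated rights need two distinct approvers on record.
        if a.privileged and len(set(a.approvers)) < 2:
            issues.append("HIGH: elevated rights granted without four-eyes approval")
        for combo in toxic_roles(a):
            issues.append("HIGH: toxic combination " + " + ".join(combo))
        if issues:
            findings[a.user_id] = issues
    return findings


# Constructed sample data (the review date matches this report's date).
TODAY = date(2020, 12, 16)
SAMPLE_ACCOUNTS = [
    Account("branch_mgr_01", {"create_user", "approve_access", "sell"},
            TODAY - timedelta(days=3), True, ("alice", "bob")),
    Account("leaver_02", {"create_user"},
            TODAY - timedelta(days=200), True, ("alice",)),
    Account("clerk_03", {"sell"}, TODAY - timedelta(days=120), False),
    Account("clerk_04", {"sell"}, TODAY - timedelta(days=1), False),
]

if __name__ == "__main__":
    for user, issues in certify(SAMPLE_ACCOUNTS, TODAY).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against a real export of account, role and approval records, the same three checks give the evidence trail the narrative above says is missing: which elevated accounts were granted without a second approver, which accounts have gone silent past the policy limit, and which carry role combinations that the segregation-of-duties rules forbid.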


Remote access

The observations that align to remote access are as follows:

Overall theme: there is a lack of a consistent approach to authentication or a linkage to IAM (see Privileged Access) / remote access within the POL environment.

Theme: 1. Governance
Sub-theme: Identity administration, Access governance, Privileged and Remote Access (IAM)
Narrative:
• Inefficiencies in IAM governance result in inconsistent visibility or management of any user, including those with remote access,
and a heavy reliance upon third parties' governance.

Theme: 2. Process
Sub-theme: 12. SmartID/Strong Authentication
Narrative:
• Strong/multi-factor authentication is not used consistently, and weak passwords are used for all Branch users. A consistent
approach is required to ensure identification of Global, third party and elevated users, particularly where credential theft is an
exposure.
• SmartID and password management processes for Branch users are not formalised and are communicated to
relevant individuals via email.
• There is no evidenceable auditing of user activity.

SDLC, Testing and Quality Assurance (1)

The observations that align to SDLC, Testing and Quality Assurance are as follows:

Overall theme: there is a complete lack of effective governance, control, management and ownership across the entire SDLC.

Theme: 1. Governance
Sub-theme: 4. Horizon governance roles and responsibilities
Narrative:
• The accountability, ownership and responsibility for all management and control aspects on Horizon is not clearly defined between
POL, FJ and other vendors, which leads to confusion and contradiction regarding change being delivered into Horizon.

Sub-theme: 2. Vendor management governance and oversight
Narrative:
• There are notable gaps in vendor management processes around service performance management and contract renewal, leading to
“rogue” third parties acting on their own accord and making decisions for POL, without POL input or approval.

Sub-theme: 5. Test Governance
Narrative:
• There is no organisation Test Policy in place, and as such the test governance is fragmented and incoherent (e.g. quality gates are
poorly enforced).
• Requirements traceability is incomplete or missing.
• There is a lack of a clearly defined test environment and data strategy.

Sub-theme: 6. SDLC Governance
Narrative:
• POL does not have a Project Delivery Capability Framework in place, and there is no standardised delivery methodology. Individual
programmes can implement their own delivery mechanisms, which means that there is no consistency between ongoing programmes.
Likewise governance and control varies from programme to programme.

Theme: 2. Capabilities
Sub-theme: 7. POL Horizon capabilities
Narrative:
• There is a lack of POL in-house technical capabilities, which imposes heavy reliance upon a number of vendors to manage Horizon
(i.e. FJ for architecture, development and testing; ATOS for reference data and testing), or short term contractors. POL have no
capability to control the quality of technical delivery; they rely on third parties to fulfil this role.

Document Classification: KPMG Confidential
DRAFT FOR DISCUSSION PURPOSES ONLY

SDLC, Testing and Quality Assurance

Theme: 3. Processes

Sub-theme: 14. Product management
+ There is no Product Owner for Horizon, and no product lifecycle is currently in place. This implies that there is no one single person with an overarching and holistic view of all the changes ongoing across Horizon, with a clear and concise understanding of how these changes impact POL's business and customer front end. Additionally, there is no single approver for these changes.
+ The level of involvement from architects across Horizon change is limited; there is a poor understanding of the Horizon enterprise and system architecture. There is limited understanding within POL of how Horizon works, what it does, and how change can be effectively applied.

Sub-theme: 14. Testing
+ POL does not perform appropriate and effective User Acceptance Testing or Non-Functional Testing. Regression testing is patchy and poorly applied to the platform.

Sub-theme: 18. Change Management
+ POL does not have a clearly defined change management process that is applied across all change and all third parties.

Theme: 7. Supplier and performance management

Sub-theme: 20. Vendor performance management
+ Service Key Performance Indicators (KPIs) appear to be poorly defined, with performance being self-reported by Fujitsu and no subsequent independent assurance activities being undertaken by POL as part of its own governance structure.

Theme: 8. Technology

Sub-theme: 21. Tool support for change delivery
+ Spreadsheets are used to manage projects, as the use of DOORS and ALM has been discontinued.

Sub-theme: 24. AP-ADC scripts allow uncontrolled change
+ Automated Payments - Advance Data Scripts (AP-ADC) are used to make changes in Production and Reference Data. There are limited controls in place around this change, and most of the change implemented using these scripts is unrecorded.

Known Error Logs (KELs) - Current

Overall theme: Positive progress has been made in this area, with the implementation of a new process, and a dedicated team in place to handle the current KELs.

Theme: 2. Process

Sub-theme: N/A

Narrative:
+ POL have assigned a senior staff member, with a support team, to take ownership of the current KELs, to ensure that these outstanding items are appropriately managed, tracked and resolved. Additionally, a new process to manage KELs has been designed and is currently being implemented and embedded with all stakeholders. This process will be automated and coordinated via ServiceNow. Weekly reports are being produced to track the progress on resolving the current KELs, and there is oversight with a CAB in place. The CAB is staffed by the appropriate SMEs and people with the required seniority to make (and sign off on) decisions. Third party engagement is currently in place, and the third parties are onboard with the new process; teams within POL are likewise onboard and involved.

This is a positive improvement.

Known Error Logs (KELs) - Historic

The observations that align to historic KELs are as follows.

Overall theme: Without detailed technical information for the historic KELs it is not possible to determine if these items have been effectively resolved and can be considered closed. The investigation in this area is ongoing.

Theme: 2. Process

Sub-theme: 16. KELs (Historic)

Narrative:
+ KELs documentation lacks adequate details (particularly technical details for the issue and fix).
+ KEL reports are not always consistent with status reports.

Horizon Next Generation (HNGA) Robustness

The observations that align to HNGA robustness are as follows.

Overall theme: The investigation in this area is ongoing, and requires details to be supplied from the third party vendors. However, there seems to be a clear lack of ownership within POL, and no individual has been identified as having responsibility for the management and control of HNGA robustness.

Theme: 8. Technology

Sub-theme: 22. Business Continuity Plan (BCP) / Disaster Recovery (DR)

Narrative:
+ The SV&I test environment doubles as the DR environment. This is a high-risk solution and is not an effective DR strategy. The test environment is not an appropriate DR environment because code versioning would be different and may not be reflective of the production environment (e.g. missing integrations / applications, size and scale). Repurposing the test environment for DR could result in code conflicts, data issues and/or other code configuration issues which could invalidate certain test results.

Emerging observations in detail - mapped to themes

The observations detailed on the following pages are currently limited to our interactions with POL stakeholders. As access to FJ is facilitated this section of the report will be validated / clarified.

© 2020 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

How to use this section

Theme: These titles denote either an organisation-wide or Horizon service management theme.

Sub-theme: Here we break the high-level theme into sub-themes.

Emerging observations and impact: Observations are provided here. They are followed by what evidence was observed to draw our conclusions.

HIJT report mapping: Where possible we have mapped to the section of the HIJT report that is relevant (PAM, RAM, SDLC, KEL (current), KEL (historic), HNGA). Or, where the observation isn't specific to a section or is POL wide, we have used the following: POL wide.

(The page illustrates this layout with a sample observation card for 1A: the accountability, ownership and responsibility for all management and control aspects on Horizon is not clearly defined between POL, FJ and other vendors.)

Rating: This is our rating based on a KPMG scale, as detailed below.

Rating - Description
+ High risk issues or critical gaps identified; immediate action required to rectify.
+ Serious issues or major gaps identified. Rectification a high priority.
+ Minor issues or gaps identified. Mitigation planned, or in progress.
+ No issues or gaps identified; area is on track.
+ Area complete, or completing shortly. No issues or gaps identified.
+ Not assessed during this

Recommendation: Where recommendations are possible or appropriate we make them here.

Governance

The following pages detail the emerging observations as they pertain to Horizon governance.

Sub-theme: 1. Horizon governance roles and responsibilities

Emerging observations and impact:
1A. The accountability, ownership and responsibility for all management and control aspects on Horizon is not clearly defined between POL, FJ and other vendors.
+ This is evidenced by the lack of certainty of ownership and responsibility which was demonstrated at a number of KPMG meetings with representatives from POL, and confusion at an organisational and individual level of who is accountable, owns or has responsibility for processes and/or delivery of components which impact Horizon (e.g. PAM, RAM, change management, security management, testing, etc.). This is leading to inefficient processes, lack of controls and change management, and operational issues.

Recommendation:
+ 1Ai. Document a POL vendor management policy that clearly defines (hence mandates) the vendor management lifecycle with defined processes and POL staff expectations for vendor management, such as service performance management, and establishes accountability, ownership and responsibilities at each stage of the lifecycle.
+ 1Aii. Within the vendor management policy, establish clear roles and responsibilities between POL, FJ and other vendors for management of Horizon changes, new releases, PAM / RAM and testing.
+ 1Aiii. Within the IT controls framework include relevant vendor management processes and controls for governance, governance oversight and service performance requirements, and communicate these to all Horizon vendors.
+ 1Aiv. Design and roll out training for relevant role holders to ensure they understand their current roles and responsibilities and, as changes are made, ensure revisions are understood and accepted.
Sub-theme: 2. Vendor management governance and oversight

Emerging observations and impact:
2A. There are notable gaps in the vendor management process, with service performance management poorly defined and contract renewal treated in an ad-hoc manner.
+ This could result in misalignment with enterprise-wide vendor management expectations, non-compliance with regulatory requirements, regulatory criticism, penalties, fines and further reputational damage to POL. This was confirmed during discussions with POL representatives (29-Oct-2020 and 3-Nov-2020); no formal evidence has been supplied at this point in time.

2B. The contractual management framework is trusted as being fit for purpose and is not challenged.
+ The contract management framework does not provide the required and expected contractual controls that a typical vendor contract should contain, and the boundaries on the third party are quite loose. There does not appear to be any challenge from POL staff regarding the contract and how it has been configured. This is evidenced by review of the provided "Contract Management Framework Final 2020" and during discussions with POL representatives (29-Oct-2020).

Recommendation:
+ 2Ai. Perform a gap analysis between the vendor management policy and the existing vendor management and service management processes. Identified gaps should be used to formulate process(es) and controls that should be implemented.
+ 2Aii. Newly formed process(es) and controls should then be included in the IT controls framework, where they should be monitored, reported and self-assessed at the intervals defined in the vendor management policy (also please refer to recommendation 1Ai and observation 13A).
+ 2Aiii. Vendor contracts should be updated to match and meet POL expectations of vendor delivery. Appropriate KPIs and SLAs need to be included within the contract.
+ 2Bi. Review the existing Contractual Management framework against the 'National Audit Office Good Practice Contract Management Framework' and update the existing POL framework accordingly.
Sub-theme: 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3A. There is no coherent IAM approach for Horizon and POL's approach is forms driven, with no clear workflow that ensures each step of an overall process is linked; thus it is disconnected, manual and sub-optimal.

3B. Identity and Access Management processes are disparate for different user groups such as Global Users and Postmasters, and are run by separate operational processes.

3C. Governance and administration is heavily decentralised, and is owned by third parties. POL has no visibility into FJ IAM processes or how access to Horizon is granted to FJ-side operatives.
+ POL is therefore unable to provide assurance on one of the core findings of the judgement, integrity of data and thus confidence in the Horizon system, as it cannot demonstrate control over the risk of unauthorised or unaccountable access to critical infrastructure and systems, i.e. it cannot prove who has or had access to what. This was confirmed during discussions with POL representatives (9-Nov-2020 and 17-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:
+ 3Ai. Improve the overall IAM posture of POL. Establish strong policy, controls and accountability for identity and access management for POL and third-party users.

Sub-theme: (...cont.) 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3D. Due to the decentralised model, there is no consolidated source of truth for internal or third-party users (Fujitsu, ATOS, CC).
+ This compounds POL's inability to create a consistent framework for IAM where joiners, movers and leavers are managed in a timely, easily audited manner; nor can POL maintain visibility into who has access to what across its branches, supporting organisation and vendors.
+ Without a single source of identity, correlation of users to system accounts is difficult as identity formats are inconsistent.
+ Without this, POL is unable to change the current decentralised approach, nor correlate or control third party user activity itself. This was confirmed during discussions with POL representatives (17-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:
+ 3Di. Maintain a single source of truth for all users, or by user type (employees, non-employees, service accounts etc.), and have reliable correlation between accounts and users. Theme 23 Technology highlights existing tooling which should be considered as a part of this approach.
Sub-theme: (...cont.) 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3E. JML processes are inefficient and inconsistent across POL. Repeatable processes are identified in Global user access management, with gaps in mover and leaver handling.

3F. Postmasters create user types independently of the Data Services team that manages Global User accounts, and there is no apparent audit or control.

3G. Data Services places Global Access users into roles by a forms-based request with no access review for conflicting rights.
+ This is inefficient, prone to error and consequently falls short in providing a service to deliver an effective joiner-mover-leaver process for any user type. This can result in accumulation of access, violation of least privilege policy and insider threat. This was evidenced during discussions with POL representatives (5-Nov-2020, 17-Nov-2020) and review of email received (26-Nov-2020, 14:22) "RE: Global User Admin Access.msg".

Recommendation:
+ 3Ei. Establish central and unified Joiner, Mover and Leaver processes, including immediate termination, with associated SLAs for users across branches, global users, and third-party users.

Sub-theme: (...cont.) 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3H. Branch Managers have full access to branch user management functions such as creating Horizon accounts and managing passwords for these accounts. Elevation of user authority in branches is not audited or controlled by POL. POL user administration is inefficient and the expediency of an informal approach to allow a branch to run effectively is a known issue with no current practical resolution.
+ The ability to share accounts, creation of accounts with incorrect ownership, and use of such accounts to conduct transactions exposes franchise owners, branch management, staff and POL to the risk of accusations regarding inappropriate activities, albeit that the employer in the Post Office Limited-franchised branches is the business owner, i.e. the Postmaster. This was confirmed during discussions with POL representatives (3-Nov-2020); no formal evidence has been supplied at this point in time.
+ Postmasters are currently provided with temporary access to global access roles (due to COVID remote help) which allows them elevated access. This was confirmed during discussions with POL representatives (17-Nov-2020); no formal evidence has been supplied at this point in time.

Please also refer to 'Theme 12 - Process - SmartID'.

Recommendation:
+ 3Hi. Review and strengthen multi-factor authentication processes. Implement MFA for branch users alongside/replacing SmartID. (Please see Theme 12 - Process - SmartID.)
+ 3Hii. Improve the audit and reporting capabilities for identity, password and account related activities.
+ 3Hiii. Educate Branch owners and staff on the risks and impact of such activities and consider incorporating this into supporting staff contracts.

Sub-theme: (...cont.) 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3I. Within POL's limited policies, no guidance or controls exist to manage or audit usage of elevated access.

3J. Toxic combinations are not defined, especially for elevated access. POL defined roles such as Branch Managers, Auditor and Admin do not have any Segregation of Duties (SOD) rules in the system. The creation process is paper based and does not check for SOD, and the recertification process does not check for adherence to joiner processes.
+ This exposes franchise owners, branch management, staff and POL to the risk of accusations regarding inappropriate activity, deniability of actions, misuse of privileges and to insider threat. This was evidenced during discussions with POL representatives (17-Nov-2020) and email received (26-Nov-2020, 14:22) "RE: Global User Admin Access.msg".

Recommendation:
+ 3Ii. Improve current controls for elevated access governance, and adequate logging, monitoring and auditing for elevated access activity via automation.
+ 3Iii. Improve current processes to introduce maker-checker (four eyes) controls.
+ 3Ji. Review elevated access and identify toxic combinations. Establish strong SOD policies and a process to handle violations, exceptions and remediations.
Sub-theme: (...cont.) 3. Identity administration, Access governance, Privileged and Remote Access (IAM)

Emerging observations and impact:
3K. Access review timings are not uniform, and remediation tracking is not streamlined and mostly manual.
+ Bi-annual access reviews are conducted only for Global users, which include FJ users, by users' respective line managers. The window of exposure to accumulated privileges is between 6-12 months. This was evidenced during discussions with POL representatives (17-Nov-2020) and review of email received (24-Nov-2020) "FW: Global User accounts - removal from stock units.msg".
+ Leaver checks for Global access are carried out weekly based on a report from HR, with remediation taking between 1-6 days, resulting in residual access exposure of 7-14 days. This was confirmed during discussions with POL representatives (17-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:
+ 3Ki. Prioritise applications and define access recertification frequency, ownership and SLAs for access remediation.
+ 3Kii. Reduce manual intervention in the access recertification and remediation process.
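The gaps described under 3D (no reliable correlation between accounts and identities), 3J (no Segregation of Duties rules or toxic-combination definitions) and 3K (manual recertification and multi-day residual access for leavers) are the kind of checks that can be automated as soon as an account inventory and an HR leaver feed exist. The block below is an added example written for this page; it is not code from KPMG, POL, Fujitsu or any vendor, and the role names, the toxic-combination rule set, the account records and the HR leaver dates are all constructed for illustration.

```python
"""Added example (not part of the KPMG report or any POL/vendor tooling):
an offline Segregation-of-Duties (SoD) and leaver-exposure check over a
constructed account inventory.

Assumptions, all constructed for illustration:
  * role names such as "BranchManager", "Auditor", "Admin", "GlobalUserAdmin"
  * the toxic-combination rule set TOXIC_COMBINATIONS below
  * an HR leaver feed shaped as {identity: leaving_date}
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical toxic combinations: pairs of roles one identity must not hold
# at the same time, whichever accounts the roles happen to be spread across.
TOXIC_COMBINATIONS: frozenset[frozenset[str]] = frozenset({
    frozenset({"BranchManager", "Auditor"}),          # audits own branch activity
    frozenset({"Admin", "Auditor"}),                  # alters and certifies the same records
    frozenset({"GlobalUserAdmin", "BranchManager"}),  # creates accounts and transacts with them
})


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str                      # correlated identity; "" when correlation is unknown
    roles: frozenset[str]
    enabled: bool = True
    disabled_on: date | None = None


@dataclass(frozen=True)
class Finding:
    kind: str      # "uncorrelated" or "toxic-combination"
    subject: str   # account id (uncorrelated) or identity (toxic-combination)
    detail: str


@dataclass(frozen=True)
class Exposure:
    account_id: str
    owner: str
    days: int          # days between the HR leaving date and disablement (or today)
    still_open: bool   # True when the account is still enabled


def sod_findings(accounts: list[Account]) -> list[Finding]:
    """Flag enabled accounts with no owning identity, then evaluate toxic
    combinations over the union of roles each identity holds across all of
    its accounts; a per-account check would miss a pair split across two."""
    findings: list[Finding] = []
    roles_by_owner: dict[str, set[str]] = defaultdict(set)
    for acc in accounts:
        if not acc.enabled:
            continue
        if not acc.owner:
            findings.append(Finding("uncorrelated", acc.account_id,
                                    "no owning identity; cannot be reviewed or recertified"))
            continue
        roles_by_owner[acc.owner] |= acc.roles
    for owner in sorted(roles_by_owner):
        held = roles_by_owner[owner]
        for pair in sorted(TOXIC_COMBINATIONS, key=sorted):
            if pair <= held:
                findings.append(Finding("toxic-combination", owner, "+".join(sorted(pair))))
    return findings


def leaver_exposure(accounts: list[Account], hr_leavers: dict[str, date],
                    today: date) -> list[Exposure]:
    """For every account owned by someone HR lists as a leaver, measure how
    long access outlived the leaving date. Still-open accounts count up to today."""
    out: list[Exposure] = []
    for acc in accounts:
        left = hr_leavers.get(acc.owner) if acc.owner else None
        if left is None:
            continue
        end = acc.disabled_on if (not acc.enabled and acc.disabled_on) else today
        out.append(Exposure(acc.account_id, acc.owner, (end - left).days, acc.enabled))
    return out


def sample_accounts() -> list[Account]:
    """Constructed inventory; identities, roles and dates are made up."""
    return [
        Account("A1", "alice", frozenset({"BranchManager", "Auditor"})),
        Account("A2", "bob", frozenset({"Admin"})),
        Account("A3", "bob", frozenset({"Auditor"})),          # toxic pair split with A2
        Account("A4", "", frozenset({"GlobalUserAdmin"})),    # no correlated identity
        Account("A5", "carol", frozenset({"Clerk"}), enabled=False,
                disabled_on=date(2020, 11, 12)),
        Account("A6", "dave", frozenset({"Clerk"})),          # leaver, still enabled
    ]


def sample_hr_leavers() -> dict[str, date]:
    """Constructed HR leaver feed."""
    return {"carol": date(2020, 11, 2), "dave": date(2020, 11, 6)}


def run_checks(today: date = date(2020, 11, 20)) -> dict[str, list]:
    accounts = sample_accounts()
    return {
        "sod": sod_findings(accounts),
        "leavers": leaver_exposure(accounts, sample_hr_leavers(), today),
    }


if __name__ == "__main__":
    for name, rows in run_checks().items():
        print(f"== {name} ==")
        for row in rows:
            print(row)
```

Two design points follow directly from the observations. Roles are aggregated per identity before the toxic-combination test, so an Admin role on one account and an Auditor role on a second account of the same person is still caught; that aggregation is only possible when accounts are correlated to identities, which is why uncorrelated accounts are reported as findings in their own right rather than silently skipped. The exposure figure is measured per account from the HR leaving date, so running it weekly against the HR feed gives a direct, auditable reading of the residual-access window the report estimates at 7-14 days.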
Sub-theme: 4. Regulatory compliance

Emerging observations and impact:
4A. There is an absence of collaborative effort between monitoring and oversight of Horizon regulatory compliance and risk management within POL.
+ There is a lack of regulatory compliance monitoring in place to ensure compliance of POL and its vendors with regulatory requirements (e.g. GDPR, PCI DSS, DPA), which could result in significant fines, damage to reputation, and possible withdrawal of services from financial services partners, all of which would lead to significant loss of revenue and impact the sustainability of POL. This was confirmed during discussions with POL representatives (3-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:
+ 4Ai. POL need to assess, record and plan against the regulatory controls they are subject to, to ensure timely and appropriate compliance and clear statements on the consequences of non-compliance.
+ 4Aii. Compliance approaches should be embedded within the appropriate operating models (Risk, operations etc.).
+ 4Aiii. Establish clear responsibilities and plans for appropriately authorised individuals with pathways for escalation to leadership.
+ 4Aiv. Review the IT risk management framework to establish regulatory compliance expectations to be identified, evaluated for risk and impact, escalated to leadership for awareness, and remediation plans to be formulated.

Sub-theme: (...cont.) 4. Regulatory compliance

Emerging observations and impact:
4B. FJ are not meeting their GDPR regulatory requirements as Data Processors. FJ are dependent upon POL to provide strategic, organisational and formally documented and agreed ways of working, but cannot absolve themselves from being a Data Processor.
+ For both POL and FJ, this could result in non-compliance by POL leading to significant fines, damage to reputation and loss of trust by business partners. This was confirmed during discussions with POL representatives (16-Oct-2020); no formal evidence has been supplied at this point in time.

(Please see Theme 18 - Personal Identifiable Information.)

4C. There is a lack of awareness within areas of POL of the impact of financial services regulatory requirements surrounding Operational Resilience (OR).
+ This is flagged as TBA as KPMG is still investigating this, but should be viewed along with Theme 22 BCP/DR.

Recommendation:
+ 4Bi. Add to IT risk register whilst remediation plans are being implemented. Please see Recommendations 18 i-iv - Personal Identifiable Information.
Sub-theme: 5. Test Governance

Emerging observations and impact:
5A. No organisational Test Policy appears to be in place, and an overarching test framework does not seem to exist.
+ This results in inconsistent test approaches and processes being adopted across various projects and vendors, thereby increasing testing effort and cost. This was evidenced during discussions with POL representatives (2-Nov-2020) and ATOS representatives (11-Nov-2020).

5B. Test Governance is fragmented, and is applied inconsistently.
+ Little or no POL test governance over internal and third party test delivery. This leads to inconsistent quality, lack of coherent test outputs and delivery, and ambiguous results which cannot be verified or relied upon. This was evidenced during discussions with POL representatives (06-Nov-2020, 12-Nov-2020) and ATOS representatives (11-Nov-2020).

5C. Requirements traceability is incomplete or missing.
+ Without clear traceability in place it is difficult to determine if a requirement has been designed, built and then tested. This is evidenced by reviewing documents shared by an ATOS representative (11-Nov-2020), and during discussions with POL representatives (30-Nov-2020).

Recommendation:
+ 5Ai. Create and implement an overarching organisation-wide Test Policy which applies to all testing ongoing within POL, including any third party testing.
+ 5Aii. Create and enforce a formal test framework, which outlines and determines the required test deliverables for each type of test engagement.
+ 5Bi. Implement appropriate and effective test governance to ensure that all testing follows and adheres to POL's test framework.
+ 5Ci. Traceability of requirements should be both mandatory, and automated via an appropriate tool.
Sub-theme: (...cont.) 5. Test Governance

Emerging observations and impact:
5D. Lack of a clearly defined test environment and data strategy.
+ The pathway to live for change is unclear, and how code is applied to the test environments appears to be inconsistent and uncontrolled. Whilst it is understood what each test environment should be used for, there doesn't seem to be a cohesive approach to managing the test environments. Likewise, test data is treated as an after-thought and does not appear to be controlled. This is evidenced by review of the provided "Edge Fujitsu Test Environment Review Report v1.1" and during discussions with ATOS representatives (11-Nov-2020) and POL representatives (06-Nov-2020, 12-Nov-2020).

Recommendation:
+ 5Di. Implement and maintain a Test Environment & Data Strategy to ensure the appropriate management of the test environments and test data. This strategy should also cover the test environment components and support / operations (e.g. how batches are organised and executed, etc.).
Sub-theme: 6. SDLC Governance

Emerging observations and impact:
6A. POL does not have a formal Programme or Project Delivery Process.
+ Whilst POL does have a formal Portfolio Management Process, it does not have a Programme or Project Delivery Process. The decision on which programme delivery methodology to use is inappropriately delegated to the individual programmes or projects. This was evidenced during discussions with POL representatives (29-Oct-2020, 2-Nov-2020).

6B. Documents do not adhere to POL standard templates, and the quality of the documents varies greatly. Sign-offs for documentation also vary.
+ Without standardisation and appropriate quality standards in place, test documentation is unreliable and may not contain required information. Furthermore POL is not obtaining a clear and precise understanding of any ongoing testing. This is evidenced by review of the provided "Test Strategy R1", "CM-POL-IT Change Management Policy v1.0", "POA-TSR-DM0119468 - Environment Agency - GDPR changes v0.3", etc.

Recommendation:
+ 6Ai. POL to implement a formal Programme and Project Delivery Process which outlines exactly how programmes and projects will be delivered within POL.
+ 6Bi. POL to adopt standardised templates for all documentation that is produced by POL and its vendors. A document management process, and formal repository, should also be implemented, and applied across all change delivery within POL, and third parties.
Capabilities

The following pages detail the emerging observations as they pertain to Horizon capabilities.

Sub-theme: 7. POL Horizon capabilities

Emerging observations and impact:
7A. There is a lack of POL in-house technical capabilities, which imposes a heavy reliance upon a number of vendors to manage Horizon (i.e. FJ for architecture, development and testing; ATOS for reference data and testing; Verizon for networks and infrastructure, etc.), or short term contractors. POL has no capability to control the quality of technical delivery; they rely on third parties to fulfil this role.
+ This could lead to lack of control over Horizon data, gaps in testing quality control, future litigations, regulatory criticism, fines, and reputational damage to the POL brand with Postmasters and the public. This was confirmed during discussions with POL representatives (16-Oct-2020, 29-Oct-2020 and 11-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:
+ 7Ai. Establish a target operating model for Horizon and ensure this is supported by a complementary model in the broader organisation and by the vendors.
+ 7Aii. Identify relevant skills and capability gaps.
+ 7Aiii. Where capabilities are lacking, consider hiring or contracting the required capabilities to design and assure Horizon processes and testing, noting that good practice dictates these as separate functions.
+ 7Aiv. The need for improvement in skills, capabilities and culture is one which needs to be addressed corporately as a part of POL's strategy, feeding down into the various business areas, such as Horizon.
+ 7Av. The POL strategy for change should drive a training and development programme for POL Horizon associated staff and those who will be relied upon to support Horizon in the wider POL business.

Process

The following pages detail the emerging observations as they pertain to Horizon process.

Sub-theme: 8. Risk Management maturity

Emerging observations and impact:
8A. POL's approach to risk assessment and management is unclear as to how IT operational risks are managed. Currently there are 42 active risks with expected response dates ranging from 31 July till 4 December 2020.
+ This could lead to high risks not being identified and open risks not being addressed, resulting in misalignment with POL's risk appetite and exposing POL to potential regulatory criticism including future reputational damage. This was confirmed during discussions with POL representatives (3-Nov-2020) and review of evidence provided (26-Nov-2020) "20201104 Security Risk.xlsx".

Recommendation:
+ 8Ai. Establish a clear process for risk and dependency management with defined roles and responsibilities.
+ 8Aii. Re-evaluate risk management processes to identify gaps and remediate accordingly.
Sub-theme: (...cont.) 8. Risk Management maturity

Emerging observations and impact:
8B. The inadequacy of the Archer risk management framework tool to track (e.g. date of risk identified), monitor, identify dependencies, aggregate risks and highlight potential impact makes Archer not fit for purpose for the size and complexity of POL.
+ This could cause failures in management of internal controls to provide complete and accurate reporting metrics, leading to inefficient strategic and operational decisions being made by POL leadership. This was confirmed during discussions with POL representatives (3-Nov-2020) and review of evidence provided "20201104 Security Risk.xlsx" (26-Nov-2020).

Recommendation:
+ 8Bi. Consider platform consolidation, for example ServiceNow, to enable a single pane approach across all relevant teams and improved collaboration.
+ 8Bii. Ensure agreed Risks, Assumptions, Issues and Dependencies (RAID) are tracked & maintained.
POL00031727
POL00031727

DRAFT FOR DISCUSSION PURPOSES ONLY

[OCESS (CONE

9. Risk Management at Three Lines of Defense (3LoD)

Emerging observations and impact:

9A. The annual Service Organisation Controls Report ISAE3402 (SOCR) obtained from FJ reviews high level infrastructure controls and does not provide reasonable assurance for FJ managed controls over Horizon. The 3LoD do not review the report, challenge FJ on findings or self-assure that any findings are risk managed. See also 9B.

+ This could result in lack of knowledge and awareness of FJ activities and insufficient management of FJ as a vendor, resulting in regulatory criticism, potential fines, reputational damage and possible further litigation against POL. This was confirmed during discussions with POL representatives (3-Nov-2020 and 5-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 9Ai. Second and third LoD to review all internal and external audit reports and controls reports initiated by POL or Horizon vendors. Any identified findings with potential risks to Horizon to be included in Archer; second LoD to discuss with first LoD and formulate actions to be taken and dealt with accordingly as a part of continual dialogue between first and second LoD.

+ 9Aii. Second and third LoD to adopt a collaborative approach to strengthen the internal control framework at POL by regularly holding open discussions pertaining to all areas of Horizon.

+ 9Aiii. Second and third LoD to leverage the findings from this interim report to agree roles and responsibilities between POL and Horizon vendors.

9. Risk Management at Three Lines of Defense (3LoD) (cont.)

Emerging observations and impact:

9B. Lack of self-assurance activities performed around Horizon, with no apparent cohesion between POL's 3LoD.

+ This could result in lack of knowledge and awareness of FJ activities and insufficient management of FJ as a vendor, resulting in regulatory criticism, potential fines, reputational damage and possible further litigation against POL. This was confirmed during discussions with POL representatives (5-Nov-2020); no formal evidence has been supplied at this point in time. (Impact comment also applies to 9A.)

Recommendation:

+ 9Bi. POL to consider external risk based internal audit training such as "Fundamentals of Risk-based Auditing" by the Institute of Internal Auditors (IIA), or use professional services to deliver training to IA (Senior Management).

+ 9Bii. IA to adopt a risk based approach to internal audits, initially creating an audit universe of all entities around Horizon and Horizon vendors (also refer to recommendation 9Ci).

+ 9Biii. Subsequently, IA to expand the audit universe to cover all other entities within POL, create audit plans for the next 12 months to 3 years and provide assurance over controls for Horizon and broader POL.

+ 9Biv. As part of the collaborative efforts between second and third LoD, third LoD to continually monitor emerging risks, conduct business monitoring and risk assessments, and refresh audit plans accordingly.

9. Risk Management at Three Lines of Defense (3LoD) (cont.)

Emerging observations and impact:

9C. Third LoD Internal Audit assurance activities are based on thematic reviews. These reviews do not include assurance over controls specifically around Horizon and the POL IT Controls framework, thereby resulting in a lack of risk management activities and appropriately scoped reviews of in-house and outsourced controls around Horizon.

+ This could make it difficult for third LoD to satisfy regulatory requests, and to align third LoD with the first LoD to provide assurance over internal controls within POL. This was confirmed during discussions with POL representatives (5-Nov-2020 and 9-Nov-2020) and review of email response (19-Nov-2020, 15:43) "Project Iris - IA evidence requests".

Recommendation:

+ 9Ci. Third LoD IA teams to review and update the current structure to reflect and mimic POL departmental structure, including as it evolves with changing operating model structures. This will assist IA to formulate entities and therefore formulate risk based IA activities including risk assessments.

+ 9Cii. As part of the risk based audit activities, POL IA should concentrate efforts primarily on IA of Horizon and Horizon vendors. The review should include all identified judgement issues scope areas.

9. Risk Management at Three Lines of Defense (3LoD) (cont.)

Emerging observations and impact:

9D. We observed that the judgement issues have not been shared with the second and third LoD.

+ This could result in misalignment between second and third LoD assurance activities, lack of collaborative efforts from all LoD at POL, lack of risk management, lack of knowledge and information sharing, and insufficient controls and decision making to address GLO judgement issues. This was confirmed during discussions with POL representatives (3-Nov-2020 and 5-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 9Di. GLO to include second and third LoD in all discussions around judgement issues and planned remediation actions for risk management. Second and third LoD to input into the discussions and remediation actions to ensure any pending risks are captured and dealt with accordingly.

10. Contractual Arrangements

Emerging observations and impact:

10A. The strategic IT vendor management process is performed on an ad-hoc basis rather than at regular, set intervals. These ad-hoc reviews do not seem to apply the latest business needs or re-evaluate the required service levels against the contracts.

+ This has caused significant gaps between business needs and vendor provided services, resulting in vendors not meeting business expectations and leading to Horizon performance issues. This was confirmed during discussions with POL representatives (29-Oct-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 10Ai. Determine the key issues and gaps within the service delivery, and address these core issues within the vendor contract.

+ 10Aii. Implement appropriate and required SLAs to ensure that FJ meets POL's expectations when delivering support services regarding Horizon.

+ 10Aiii. Implement a POL process to assure and present challenge to FJ and other relevant vendors as a part of the revised operating model.

11. Product management

Emerging observations and impact:

11A. There is no Product Owner for Horizon.

+ There is no single person responsible for ownership of the Horizon platform, i.e. with responsibility across change, operations, strategic vision, business support, etc.

+ Updates are made based on requests by Business Product managers with limited oversight from POL IT on sequencing and prioritisation.

+ These items were evidenced by discussions with POL representatives (22-Oct-2020 and 28-Oct-2020).

11B. Level of involvement from architects is limited.

+ Late or inadequate engagement of a Solution Architect has resulted in poor documentation (including design documentation), thereby resulting in design issues/gaps. This was evidenced by discussions with POL representatives (22-Oct-2020).

Recommendation:

+ 11Ai. POL should assign a Product Owner for the Horizon platform, with the remit of owning all change being implemented onto the platform.

+ 11Bi. Mandate early and continuous engagement of enterprise and solution architects for any change across Horizon.

12. SMARTIDs / Strong Authentication

Emerging observations and impact:

12A. Multifactor authentication is used by support staff but its use is not extensive. For example, a SmartID consists of a four-letter identifier and a login of an additional two numeric digits (e.g. ABCD & ABCD01).

+ This does not provide a meaningful way of identifying users, thus sharing of logins and impersonation of users is easily achieved, compromising auditability and security. This was confirmed during discussions with POL representatives (19-Nov-2020); no formal evidence has been supplied at this point in time.

12B. Joiner Mover Leaver (JML) processes for SMARTID are not fully defined. Mover and leaver processes are reactive. Leaver detection is largely based on inactivity.

+ There is a lack of in-house POL controls or oversight on creation and use of SMARTIDs. This was confirmed during discussions with POL representatives (17-Nov-2020); no formal evidence has been supplied at this point in time.

+ The dormant account policy is not efficient, being based upon a 60 - 90 days' inactivity window. This was confirmed during discussions with POL representatives (17-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 12Ai. Linking of POID to SMARTID should be unique and should be tied to personnel along with branch.

+ 12Aii. Enable MFA for users where there is the potential for credential theft, and assess the benefits of extending this to Branch user access.

+ 12Bi. JML processes for SMARTID must be defined, periodically reviewed and updated as necessary.

+ 12Bii. Immediate termination of leavers is recommended for SMARTIDs as they provide critical access to Horizon and Branch hub.

+ 12Biii. Assess current operations and identify opportunities for automation to improve efficiency and reduce human error.

12. SMARTIDs / Strong Authentication (cont.)

Emerging observations and impact:

12C. It is known that inactive SMARTIDs are actively transacting.

+ In all of the observations, 12A to C, the current process is demonstrably inefficient and error prone and does not provide adequate governance and control for POL or managers to be able to assert and prove that only duly authorised individuals obtain appropriate access. This was confirmed by review of email received from POL representatives (21-Nov-2020) "RE: Document Evidence Request for POL - 20Nov2020_v0.2.xlsx".

12D. Though SMARTIDs are owned by personnel, logon information is shared via the branch managers' email addresses.

12E. Password management is solely owned by branch managers, and no process is identified for password management.

+ This is an exposure for franchise owners, branch management, staff and POL, as it provides branch managers full access to the Horizon IDs and SMARTIDs of their entire branch staff. This was confirmed during discussions with POL representatives (19-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 12Ci. Refer to 12Bii.

+ 12Di. Until such time as the current process (emailing of user names and passwords) can be improved, audit and notify changes to end user accounts to a checker identity, and ensure end users acknowledge changes to their account information.

+ 12Dii. Implement maker checker controls (manual or automated) for all JML actions undertaken.

+ 12Ei. Define and implement segregation of duties for elevated access roles such as Branch manager.

+ 12Eii. Establish strong controls over branch manager access. Ensure adequate logging, monitoring and auditing is enabled.

12. SMARTIDs / Strong Authentication (cont.)

Emerging observations and impact:

12F. Leavers' accounts remain available and are "useful" where staff replacements are waiting for their own accounts.

+ This could breach staff contracts or referenced policies on appropriate use, if these are in place, allowing staff who have not passed mandatory training to access Horizon, and is likely to breach centrally developed policies, irrespective of whether these are communicated appropriately to Postmasters and their employees/staff. This was confirmed by review of email "Document Evidence Request for POL - 20Nov2020_v0.2.xlsx" provided by POL representatives (21-Nov-2020, 10:31).

Recommendation:

+ 12Fi. Check and address devolved policies and contracts, training and understanding for:
  1. employment contracts for staff,
  2. regulations and processes, in particular for Postmasters (Direct and Franchisee), and
  3. auditing of these at a branch level.
  Consider these in the viewpoint of franchisee enablement (see 2. Emerging Observations - Enfranchisement).

+ 12Fii. Refer to 12Bii.
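The leaver, dormancy and shared-credential conditions described in 12B, 12C and 12F above can be checked mechanically against account activity rather than discovered by chance. The following is an added example written for this page, not KPMG's, POL's or Fujitsu's code; the HR register, the log lines and their "timestamp smartid branch event" layout are constructed assumptions, as is the 60-day default window (the report cites a 60 - 90 day policy) and the branch link that 12Ai asks for.

```python
"""SMARTID account-hygiene checks over constructed activity logs.

Added example, not code from the KPMG report or from POL. It implements the
detections a second line of defence would want for observations 12B (leaver
detection based only on inactivity), 12C (inactive SMARTIDs still
transacting) and 12F (leavers' accounts kept in use), plus the branch link
12Ai asks for. The HR register and log lines are constructed; the log format
"timestamp smartid branch event" is an assumption, not Horizon's.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR register: SMARTID -> (home branch, leave date or None)
HR_REGISTER = {
    "ABCD01": ("BR-001", None),
    "ABCD02": ("BR-001", date(2020, 10, 15)),   # left in October, see log
    "EFGH01": ("BR-002", None),                  # no recent activity
    "IJKL01": ("BR-003", None),                  # used from two branches
}

# Constructed activity log (ISO timestamp, SMARTID, branch, event)
LOG_LINES = """\
2020-11-02T09:01:00 ABCD01 BR-001 LOGON
2020-11-02T09:05:00 ABCD02 BR-001 TRANSACTION
2020-11-03T10:00:00 ABCD02 BR-001 TRANSACTION
2020-08-01T08:30:00 EFGH01 BR-002 LOGON
2020-11-04T09:00:00 IJKL01 BR-003 LOGON
2020-11-04T09:10:00 IJKL01 BR-004 LOGON
2020-11-04T09:30:00 IJKL01 BR-003 LOGOFF
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    smartid: str
    branch: str
    kind: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, smartid, branch, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), smartid, branch, kind))
    return events


def leavers_still_active(events, register):
    """SMARTIDs with any activity after the recorded leave date (12C, 12F)."""
    hits = set()
    for e in events:
        left = register.get(e.smartid, (None, None))[1]
        if left is not None and e.ts.date() > left:
            hits.add(e.smartid)
    return sorted(hits)


def dormant_accounts(events, register, as_of, window_days=60):
    """SMARTIDs with no activity inside the inactivity window (12B cites
    60-90 days; the window is a parameter so the check is not tied to it)."""
    last_seen = {}
    for e in events:
        last_seen[e.smartid] = max(last_seen.get(e.smartid, e.ts), e.ts)
    cutoff = as_of - timedelta(days=window_days)
    return sorted(s for s in register if last_seen.get(s, datetime.min) < cutoff)


def branch_mismatches(events, register):
    """SMARTIDs used at a branch other than the one they are tied to (12Ai)."""
    return sorted({e.smartid for e in events
                   if e.smartid in register and e.branch != register[e.smartid][0]})


def shared_logins(events):
    """SMARTIDs with overlapping sessions at two branches, a sign that the
    credential is shared (12A: sharing of logins is easily achieved)."""
    open_sessions = {}   # smartid -> branches with a session still open
    flagged = set()
    for e in sorted(events, key=lambda x: x.ts):
        branches = open_sessions.setdefault(e.smartid, set())
        if e.kind == "LOGON":
            branches.add(e.branch)
            if len(branches) > 1:
                flagged.add(e.smartid)
        elif e.kind == "LOGOFF":
            branches.discard(e.branch)
    return sorted(flagged)


def run_checks(log_text=LOG_LINES, register=HR_REGISTER,
               as_of=datetime(2020, 11, 30)):
    events = parse_log(log_text)
    return {
        "leavers_active": leavers_still_active(events, register),
        "dormant": dormant_accounts(events, register, as_of),
        "branch_mismatch": branch_mismatches(events, register),
        "shared_login": shared_logins(events),
    }


if __name__ == "__main__":
    for check, ids in run_checks().items():
        print(f"{check}: {', '.join(ids) or 'none'}")
```

Running it prints one line per check. The same four functions could be run on a schedule over a real activity extract by the second line of defence, and because the dormancy window is a parameter the threshold can be tightened independently of whatever policy the vendor applies.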

12. SMARTIDs / Strong Authentication (cont.)

Emerging observations and impact:

12G. Post-Covid, only one POL staff member from BSC can create, amend and delete SMARTIDs.

+ A single point of failure risk exists. This was confirmed during discussions with POL representatives (17-Nov-2020) and email received (18-Nov-2020) "FW: Post Office Limited Horizon discussions - follow up check".

+ The process does not have a four-eyes approach to protect the individual and POL, as a good governance process. This was confirmed during discussions with POL representatives (17-Nov-2020) and email received (18-Nov-2020) "FW: Post Office Limited Horizon discussions - follow up check".

Please see Governance - IAM Section 3G onwards.

Recommendation:

+ 12Gi. Ensure elevated / privileged access is approved, monitored, periodically reviewed and promptly remediated.

+ 12Gii. Evaluate existing processes, identify single points of failure / risk and implement necessary interventions.
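A minimal maker-checker control of the kind recommended in 12Dii and 12Ei, and whose absence 12G describes, as an added example (not code from the KPMG report, POL or Fujitsu). The entitlement names CHECKER and SECURITY_REVIEWER, the role names and the identities are constructed assumptions.

```python
"""Maker-checker (four-eyes) control for SMARTID JML actions.

Added example, not code from the KPMG report or from POL. It models
recommendations 12Dii (maker-checker for all JML actions) and 12Ei
(segregation of duties for elevated roles such as Branch manager), and the
12G finding that one BSC administrator can create, amend and delete SMARTIDs
unchecked. Role and entitlement names are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

JML_ACTIONS = {"CREATE", "AMEND", "DELETE"}
ELEVATED_ROLES = {"BRANCH_MANAGER", "BSC_ADMIN"}        # assumed role names
ELEVATED_ENTITLEMENT = "SECURITY_REVIEWER"               # assumed second pool


@dataclass
class JmlRequest:
    action: str
    smartid: str
    role: str
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"


class JmlControl:
    """Holds pending JML requests. Nothing is applied until a distinct,
    entitled checker approves it, and every decision (including rejections)
    is written to an append-only audit trail."""

    def __init__(self, entitlements):
        # identity -> set of entitlements, e.g. {"alice": {"CHECKER"}}
        self.entitlements = {k: set(v) for k, v in entitlements.items()}
        self.requests = {}
        self.audit = []

    def _log(self, actor, outcome, req):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append((stamp, actor, outcome, req.action, req.smartid))

    def submit(self, maker, action, smartid, role):
        if action not in JML_ACTIONS:
            raise ValueError(f"unknown JML action {action!r}")
        rid = len(self.requests) + 1
        req = JmlRequest(action, smartid, role, maker)
        self.requests[rid] = req
        self._log(maker, "SUBMITTED", req)
        return rid

    def approve(self, checker, rid):
        """Returns (accepted, reason). Rejections are logged, not silent."""
        req = self.requests[rid]
        reason = None
        if req.status != "PENDING":
            reason = "request already decided"
        elif checker == req.maker:
            reason = "maker cannot act as checker"              # four-eyes
        elif "CHECKER" not in self.entitlements.get(checker, set()):
            reason = "checker not entitled to approve JML actions"
        elif req.role in ELEVATED_ROLES and \
                ELEVATED_ENTITLEMENT not in self.entitlements[checker]:
            reason = "elevated role needs a security reviewer"  # SoD, 12Ei
        if reason:
            self._log(checker, f"REJECTED: {reason}", req)
            return False, reason
        req.checker, req.status = checker, "APPROVED"
        self._log(checker, "APPROVED", req)
        return True, "approved"

    def apply(self, rid, directory):
        """Apply an approved request to the SMARTID directory (a dict of
        smartid -> role). Returns False if the request is not yet approved."""
        req = self.requests[rid]
        if req.status != "APPROVED":
            return False
        if req.action == "DELETE":
            directory.pop(req.smartid, None)
        else:
            directory[req.smartid] = req.role
        req.status = "APPLIED"
        self._log("system", "APPLIED", req)
        return True
```

The design point is that no JML action reaches the directory until a second, entitled identity other than the maker approves it, that elevated roles need an approver from a separate pool (segregation of duties), and that refused approvals are recorded rather than dropped, which is what later lets an audit assert that only duly authorised individuals obtained access.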

13. IT Controls Framework

Emerging observations and impact:

13A. The IT COBIT controls are not implemented at a meaningful and granular level, and the controls framework does not actually apply robust and effective controls to IT processes across delivery, operations, change management and vendor management.

Recommendation:

+ 13Ai. Update and extend the COBIT IT controls framework to include the required relevant control processes, documentation and objective control descriptions to implement effective controls across the IT landscape within POL, including vendor supported applications. Design the controls accordingly to ensure the controls are granular, well understood by the staff performing CSAs, and applicable to POL.

+ 13Aii. Ensure that an independent and periodic internal audit of the IT Controls Framework is performed.

+ 13Aiii. Finalise In-Scope Controls and periodically review the controls to ensure their relevancy is maintained, i.e. any aged or duplicate controls should be updated and/or removed.

+ 13Aiv. Enhance the IT Control reporting schedules, and ensure the reporting contains the required information to accurately determine the effectiveness and completeness of the controls.

+ 13Av. Develop and implement the Controls Process Management document, and ensure adherence.

13. IT Controls Framework (cont.)

Emerging observations and impact:

+ The lack of an efficient IT Controls Framework could hinder management's ability to identify and address issues relating to the functioning of internal controls, thereby resulting in delayed or improper decision making which could potentially affect the company's brand or reputation. This was confirmed during discussions with POL representatives (10-Nov-2020) and a subsequent review of the extracted controls "Copy of Risk and Control Matrix.xlsx".

14. Testing

Emerging observations and impact:

14A. POL does not perform appropriate or comprehensive User Acceptance Testing.

+ Without appropriate UAT being performed there is no user validation of the change. Postmasters do not have exposure to the change until after it goes into Production, so there is little chance for them to comment on or examine the change in detail prior to being forced to use it. This was evidenced during discussions with ATOS representatives (11-Nov-2020 and 8-Dec-2020) and POL representatives (30-Nov-2020).

Recommendation:

+ 14Ai. A UAT phase should be introduced as standard for all Horizon change. UAT should be conducted within its own non-Production environment, after the completion of functional testing.

14. Testing (cont.)

Emerging observations and impact:

14B. The test environments are improperly managed and utilised, with single environments in use by multiple projects and test phases. Test data within the environments is not refreshed.

+ Conducting multiple test phases which have different test objectives in the same environment will result in environment conflict (e.g. different batches being run at the same time and on the same environment).

+ Using obsolete test data can result in code conflicts, data issues and other code configuration issues which could invalidate certain test results. Additionally, test analysts from different teams could attempt to use the same test data, resulting in data conflicts.

+ This is evidenced by review of the provided "Edge Fujitsu Test Environment Review Report v1.1" and during discussions with ATOS representatives (11-Nov-2020, 8-Dec-2020).

Recommendation:

+ 14Bi. Testing for each project should be carried out in dedicated environments with different data sets. The phases should be conducted sequentially (ST first, then SIT, followed by UAT) and with robust entry and exit stage gates between these test phases.

14. Testing (cont.)

Emerging observations and impact:

14C. POL does not have an owner for Non-Functional Testing (NFT), and there is no overarching NFT approach.

+ The lack of POL ownership means that the third party vendors make their own decisions on NFT, which can leave POL exposed to risk. Additionally, without a POL NFT SME in place, validation and acceptance of NFT results is incorrectly delegated to the third parties; there is a risk that the required level of quality will not be met, and there is no independent validation of the results. This was evidenced during discussions with ATOS representatives (11-Nov-2020).

14D. POL do not have a standard set of Non-Functional Requirements (NFRs) covering the Horizon platform.

+ Non-functional aspects of the system cannot be designed, built and tested adequately, thereby providing limited/no confidence around system robustness, performance, integrity and security. This was evidenced during discussions with ATOS representatives (11-Nov-2020).

Recommendation:

+ 14Ci. POL to identify a NFT subject matter expert (SME) to take ownership of all non-functional testing, and govern third party delivery of NFT.

+ 14Di. Develop / identify a standard set of Non-Functional Requirements which apply across the Horizon platform.

14. Testing (cont.)

Emerging observations and impact:

14E. The regression test suite should be enhanced and automated. Regression testing needs to be regularly executed across the Horizon landscape (at least monthly).

+ Without appropriate regression testing in place (and the regression suite being regularly executed) there is no guarantee of the stability of the platform after constant and ongoing change. This is evidenced by review of the provided "Rig 0094 - Regression Tests - Back Office" and "Rig 0093 - Regression Tests - Front Office" and during discussions with ATOS representatives (11-Nov-2020).

Recommendation:

+ 14Ei. Enhance the current Regression test suite and automate the test scripts within the suite. This will enable the execution of consistent and continuous regression.

15. Change Management

Emerging observations and impact:

15A. The POL change control process and framework is immature and poorly defined.

+ Not all change is governed by the change control process; some change is redirected to project work, some is not seen until after the change is implemented, and some change occurs without passing through this process (e.g. Type X, the informal and undocumented relationships that exist between change initiators and change management).

+ Due to the lack of a structured and formal framework, many of the decisions within the change management process are made subjectively and without consultation.

+ Horizon change can come via non-IT projects; this change is sometimes unknown and does not pass through the change control process.

+ This is evidenced by review of the provided "20200907 Horizon Governance Terms of Reference v1.0" and "CM-POL-IT Change Management Policy v1.0" and during discussions with POL representatives (27-Oct-2020).

15B. Impact assessments of Horizon changes are irregular and inconsistent.

+ Inadequate impact assessments carry the risk that the impact of the change is not fully understood, and the change can have a more dramatic impact than expected. This was evidenced during discussions with POL representatives (27-Oct-2020, 30-Nov-2020).

Recommendation:

+ 15Ai. Uplift the Change Management Framework, Policy and Process Documentation to capture details on how the change process works (e.g. transition to different change status, objective risk assessment, impact assessments etc.) and ensure adherence by POL and all third parties.

+ 15Bi. Enforce appropriate impact assessments, performed by POL experts, architects and technical staff.

15. Change Management (cont.)

Emerging observations and impact:

15C. The documentation provided by the third parties into the change process is limited, and does not adequately describe the change or the impact of the change. These documents are not appropriately challenged by POL.

+ Without clear and concise details, the full scope of the change cannot be understood, and there is a risk that the impact of the change may be wider than originally thought. Additionally, without clear challenge there is no incentive for the third parties to provide more in-depth and accurate information. This is evidenced by review of the provided "20200907 Horizon Governance Terms of Reference v1.0" and "CM-POL-IT Change Management Policy v1.0" and during discussions with POL representatives (27-Oct-2020).

15D. There is no obvious Design Authority type function.

+ Without a Design Authority in place to oversee changes or ensure they are consistent with Post Office Limited strategy, compliance or data governance, change can occur without oversight and appropriate review. This is evidenced by review of the provided "Current Architecture and Forums.ppt" and during discussions with POL representatives (14-Dec-2020).

Recommendation:

+ 15Ci. Enforce document standards, and challenge any documentation without an appropriate level of detail.

+ 15Di. Implement a formal Design Authority, and ensure all change is appropriately routed through this group for review and analysis.

15. Change Management (cont.)

Emerging observations and impact:

15E. There is no central change repository which holds records of all change (historic and on-going).

+ Changes, particularly to reference data and AP-ADC scripts, are not always persisted in a centralised repository which would allow oversight of change history and dependency management. Without this record in place, POL cannot determine the historical profile of change being applied to Horizon, or effectively analyse the impact of change to Horizon. This was evidenced during discussions with ATOS representatives (7-Dec-2020) and during discussions with POL Architects.

Recommendation:

+ 15Ei. Set up a formal change repository, and require all change to be recorded and captured into this repository.

16. KELs (Historic)

Emerging observations and impact:

16A. Historic KELs documentation lacks adequate details (particularly technical details regarding the issue, the cause and how it was resolved).

+ Without adequate details supplied, there is a level of confusion regarding whether or not the historic KEL has actually been resolved and is no longer impacting the Horizon platform. This is evidenced by review of the provided "Horizon Known Error Review ToR V1" and during discussions with POL representatives (06-Nov-2020, 19-Nov-2020).

Recommendation:

+ 16Ai. Ensure complete technical details are sought from FJ. Once these have been supplied, an analysis of the historical KELs can be completed to determine if any are extant.

Culture and conduct

The following pages detail the em


17. Ambiguous attitude to taking accountability, ownership and responsibilities, especially for GLO remediation

Emerging observations and impact:

17A. It is apparent that there is a lack of understanding, or a lack of acceptance, amongst general POL staff with respect to their accountabilities and responsibilities within their roles. This is especially apparent regarding implementing change to support the judgement issues.

+ The abdication of responsibility, or lack of a sense of accountability, may cause challenges or delays to POL progressing with the required remedial actions. This is confirmed by discussions with POL representatives (21-Oct-2020, 23-Oct-2020, 29-Oct-2020, 30-Oct-2020, 3-Nov-2020 and 10-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 17Ai. Assign responsibility for the design and implementation of a cultural change programme to address the cultural problems within POL.

+ 17Aii. Update and refine the roles and responsibilities for managing Horizon risks and conduct appropriate training.


17. Ambiguous attitude to taking accountability, ownership and responsibilities, especially for GLO remediation (cont.)

Emerging observations and impact:

17B. Evidence of detailed planning, outside the GLO remediation team, to address the Horizon judgement findings appears to be missing. This is leading to a lack of urgency, awareness, drive and focus across POL to address the judgement items.

+ Implementation of the changes required to address the judgement issues may be delayed, unnecessarily challenged, or even resisted. This is confirmed by discussions with POL representatives (21-Oct-2020, 23-Oct-2020, 29-Oct-2020, 30-Oct-2020, 3-Nov-2020 and 10-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 17Bi. The comprehensive remediation plan for rectifying the Horizon judgement issues and resolving the Horizon risks should be shared across the IT business unit, and wider as required. Backing and support from C-level executives may be required to enforce and insist upon implementation of the plan, and to ensure adherence to timelines and schedules.


17. Ambiguous attitude to taking accountability, ownership and responsibilities for GLO remediation (cont.)

Emerging observations and impact:

17C. Willingness to challenge vendors within the supplier relationship is lacking.

+ Without clear and appropriate challenge, vendors can go "rogue" - in effect, making decisions for POL which are not in POL's best interests, or which do not take POL's risks into account. This is confirmed by discussions with POL representatives (27-Oct-2020 and 4-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 17Ci. Implement the new TOM, along with the appropriate vendor management and governance, with the required quality controls and SLAs, to empower POL personnel to appropriately challenge third parties.

Data

The following pages detail the emerging observations as they pertain to Horizon data.

18. Personal Identifiable Information (PII) at rest and in transit

Emerging observations and impact:

18A. POL are not Payment Card Industry Data Security Standard (PCI DSS) compliant. Horizon contains PII data - managed by FJ - with data at rest and in transit not being encrypted.

+ If this breach in compliance is uncovered by the regulators, it could result in a formal finding of non-compliance with the Data Protection Act (DPA 2018) and General Data Protection Regulation (GDPR). This could result in high fines and reputational damage. This was confirmed during discussions with POL representatives (16-Oct-2020 and 12-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 18Ai. Continue to completion the in-flight PCI compliance project.

+ 18Aii. Add PCI DSS non-compliance to the IT risk register.

+ 18Aiii. Introduce GDPR and DPA compliance monitoring processes for Horizon.

+ 18Aiv. Engage with FJ to design, implement, monitor and report compliance and non-compliance to relevant regulators and POL.

Systems

The following pages detail the emerging observations as they pertain to Horizon systems.

19. Key dependencies

Emerging observations and impact:

19A. Migration to AWS is in-flight; however, POL still have too many decisions to make (i.e. whether to stay with FJ to manage Horizon or not, and integration or migration of legacy systems onto AWS).

+ Not remediating the identified findings from the current environment in the Belfast datacentre could lead to future Horizon operational issues with potential cost implications. This was confirmed during discussions with POL representatives (28-Oct-2020 and 8-Nov-2020); no formal evidence has been supplied at this point in time.

Recommendation:

+ 19Ai. Review interdependencies and the core contracts surrounding the migration to ensure no potential conflicts or future complications materialise.

+ 19Aii. Ensure that the current POL - Fujitsu contract is fit for purpose to accommodate the in-flight migration and future states.


Supplier and performance management

The following pages detail the emer!

20. Vendor performance management

Emerging observations and impact:

20A. Key Performance Indicators (KPIs) are too high-level, with poorly defined service performance being self-reported by Fujitsu and no subsequent self-assurance activities being undertaken by POL.

+ High-level and non-accountable performance reviews are leading to unacceptable and unjustified trust of the vendor provided services, with no improvement expectations from stakeholders. These levels of trust lead to the Service Management Report (SMR) being accepted as is, with no challenge from POL.

+ The results of the metrics from the FJ provided SMR do not include sufficient technical analysis regarding any issues or problems which had arisen during the reported month.

+ Lack of overall visibility and governance of the Horizon service, which could lead to performance metrics not being met and result in operational issues.

+ This was confirmed during discussions with POL representatives (29-Oct-2020 and 9-Nov-2020) with subsequent review of the provided Service Management Report "SMR Pack - September 2020".

Recommendation:

+ 20Ai. Develop service performance management frameworks for the current and future target operating models. Ensure there is inclusion of relevant forum(s) with FJ presence for POL to discuss and present relevant challenges on reported metrics in order to maximise service performance for Horizon.

+ 20Aii. Review and update the defined expected KPIs and thresholds to meet the POL defined Horizon risk appetite.

+ 20Aiii. After completion of 20Aii, working in collaboration with FJ, revise the SMR to include relevant and detailed technical analysis to ensure that POL are made aware of Horizon related issues and problems that are being or have been resolved.


Supplier and performance management (Cont.)

Sub-theme: 20. Vendor performance management

Emerging observations and impact:

20B. Horizon service performance is overseen through different governance routes, such as the Information Security Management Forum (ISMF) and the Service Management Report (SMR).

+ This drives a fragmented view of supplier performance, leading to potentially inaccurate or incomplete metrics being used by POL leadership to manage the vendors and make strategic decisions. This was confirmed during discussions with POL representatives (29-Oct-2020) with subsequent review of the provided Service Management Report "SMR Pack - September 2020".

Recommendation:

20Bi. In collaboration with the second LoD, service managers, compliance team and ISMF, review the existing end-to-end vendor performance management process for FJ. Identified gaps are to be addressed, and the understanding of the end-to-end process is to be documented and made available to relevant teams in POL to adopt a standardised, coherent approach.


Technology

The following pages detail the emerging observations as they pertain to Horizon technology.

Sub-theme: 21. Tool support for change delivery

Emerging observations and impact:

21A. Projects are managed via spreadsheets and email.

+ There seems to be no overarching tool in place to facilitate the delivery of project change or test management, which causes inefficient control and coordination of change management. This is evidenced by review of the provided "Test Strategy R1", "POA-TPN-2415 - PCI DSS Test Plan v0.2" and "PCI DSS - Master Test Strategy v1.0", and during discussions with POL representatives (11-Nov-2020, 12-Nov-2020).

Recommendation:

21Ai. Whilst POL has IBM DOORS and Micro Focus ALM present, these may no longer be suitable for use (and licensing may be expensive). A suitability assessment of the tools currently available in the market should be conducted, the most appropriate tools implemented, and their use enforced across all change.


Technology (cont.)

Sub-theme: 22. Business Continuity Plan (BCP) / Disaster Recovery (DR)

Emerging observations and impact:

22A. The SV&I test environment doubles as the DR environment.

+ This is a high-risk solution and is not an effective DR strategy. The test environment is not an appropriate DR environment because code versioning would be different and may not be reflective of the production environment (e.g. missing integrations / applications, size and scale). Repurposing the test environment for DR could result in code conflicts, data issues and/or other code configuration issues which could invalidate certain test results. This was evidenced during discussions with ATOS representatives (11-Nov-2020).

This area is still under investigation.

Recommendations:

22Ai. Build and establish a dedicated DR/BCP environment which is a mirror of Production and is only used for DR purposes.

22Aii. Update BCP/DR plans (if available) to include the Amazon DR approach now that Horizon is migrating to AWS.


Technology (cont.)

Sub-theme: 23. Tools for IAM and GRC

Emerging observations and impact:

23A. There is insufficient usage of technology and tools for IAM and risk management.

+ Although POL has ForgeRock, Microsoft Identity Manager, ServiceNow, TRACtion and Archer, their capabilities are not fully leveraged nor used in an integrated way, which, if they were, could:
  o alleviate, streamline and automate manual processes,
  o provide a single view of users/identities,
  o improve governance and reporting, and
  o reduce risk exposure.

This was confirmed during discussions and evidenced during the screen-share session with POL representatives on TRACtion to view the Risk and Control Matrix (3-Nov-2020, 9-Nov-2020 and 10-Nov-2020).

Recommendations:

23Ai. Assess existing tools and processes and create a strategic roadmap to leverage or consolidate current tooling.

23Aii. Consider additional Commercial Off The Shelf (COTS) tools where existing tools are not fit for future use, or to achieve additional efficiency.


Technology (cont.)

Sub-theme: 24. AP-ADC scripts allow uncontrolled change

Emerging observations and impact:

24A. Automated Payments - Advance Data Scripts (AP-ADC) are used to make changes in Production & Reference Data.

+ AP-ADC scripts provide a facility for Post Office Limited to make configuration and reference data changes to the platform. The scripting language provides potentially powerful functionality, is proprietary and is extremely complex. There are currently over 900 such scripts in production, each of which can contain 100s of lines of function of various levels of complexity, and these can be changed relatively easily through formal and informal methods. This facility has evolved into a complex and relatively undocumented "system" which has the potential to cause unanticipated system behaviours and unwanted user experiences. There is currently a high volume of such changes at any time, and this fact seems at odds with what should be a relatively stable platform essentially doing the same or similar things it has done for some time. This was confirmed during discussions with POL representatives (14-Dec-2020) with subsequent review of the provided 'AP-ADC script reference manual' (20Nov2020).

Recommendations:

24Ai. Analyse and build an index of the AP-ADC scripts to fully understand what they can be used for, and how they are used within Horizon.

24Aii. Formalise the process by which AP-ADC scripts can be used to effect change, and restrict the access to these scripts to only the most appropriate people (PAM/Access controls).

24Aiii. Ensure all change involving AP-ADC scripts is appropriately routed through the updated change process, and any change is appropriately captured and recorded.


Appendices - to be updated

© 2020 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.


A1. Document list - PAM/RAM

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
IT Access Control Policy/Standards/Guidelines/Manual | Details provisioning of PAM and RAM access on Horizon | POL
User Access Management Policy/Standards/Guidelines/Manual | Details permitted actions for user access management and privileged access management. | POL
Information Security Policy/Standards/Guidelines/Manual | Details security expectations for PAM and RAM. | POL
Records of corrective action(s) taken by Post Office Limited | Details corrective action(s) taken by Post Office Limited when failings in the PAM and RAM processes have been identified, discussed and actions taken to remediate/resolve and to ensure the same does not happen again | POL
Horizon landscape document | Description of the environment and architecture. | POL
Horizon analysis V0.3a | |
Horizon description (1) | |
ARC030 Horizon Solution Architecture Outline | |
ARCSECARC0003V6po | |
UEM-012b - POL IT Landscape v1.5 (002) | |
UEM-012b - POL IT Landscape v1.6 | |
User access request form for requesting global access | Evidence for User Access Management activities performed by Data Services Team | POL
Bi-annual user access reviews and remediations of access | Evidence for User Access Management activities performed by Data Services Team | POL
20201104 security Risk | Evidence of the IT risk register | POL

A1. Document list - PAM/RAM (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Weekly leaver checks and access remediation of leavers | Evidence for the Global user access accounts | POL
Populated forms and approvals for creating new users for global access | Evidence for the Global user access accounts | POL
Evidence that the Admin role is only granted to users from Data Services Team | Evidence for the Global user access accounts | POL
Number of SMARTids that have not been used in the last 6 months to date | To evidence if any redundant or orphan accounts exist. | POL
Harm Table Published | The likelihood and impact table used by the POL Central Risk team | POL
ITGC Update - IT Audit result for discussion_POLv1 | | POL
IT Controls Progress Report | Results from the COBIT IT controls review | POL
CSA Monthly Detail Report | Results from the Controls Self Assessment (CSA) | POL
Risk and Control Matrix | | POL
Contract Management Framework | New POL Contract Management framework | POL
Archer IT Risk report 261120 | IT risk team report from IT GRC tool Archer | POL
POL - FJ contract | Current contractual agreement between POL and its business critical vendor FJ. | POL


A1. Document list - PAM/RAM (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Fujitsu-Post Office ISAE3402 FINAL report - 1 April 2017 to 31 December 2017 | Service Organisation Controls Report (SOCR) performed by EY, provided to POL by FJ | POL
Fujitsu-Post Office ISAE3402 FINAL report - 1 April 2018 to 31 December 2018 | SOCR performed by EY, provided to POL by FJ | POL
Fujitsu-Post Office ISAE3402 FINAL report - 1 April 2019 to 31 December 2019 | SOCR performed by EY, provided to POL by FJ | POL
JML - Final Report | Joiners, Movers and Leavers thematic internal audit conducted by POL IA in 2020 | POL
IA Audit Reports - HMU IT | IT Internal Audit plan for the thematic reviews (2016-2020) | POL
AP-ADC script reference manual | Reference manual for the AP-ADC scripts | 20/12/2020


A1. Document list - KELs, SULG, HNGA

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Test Strategy R1 | Document covering all testing and integration activities performed for the HNG-X Programme | POL
Edge Fujitsu Test Environments Report v1.1 | Document covering Edge Testing's review of the Fujitsu/Post Office Limited Test Environments estate and recommendations for improvement. | POL
Test Strategy Post R1 | Document covering all testing and integration activities performed for the HNG-X Programme | POL
Rig 0094 - Regression Tests - Back Office | Covers regression tests for back office | POL
Rig 0093 - Regression Tests - Front Office | Covers regression tests for front office | POL
Hydra_0823 | Covers test script & report for the CC (Computacenter) HNG-A Microsoft Patches | POL
Hydra_0817 | Covers test script & report for the CC (Computacenter) HNG-A Microsoft Patches | POL
Change Management Process V2 | Minutes of a meeting discussing the PO change process | POL
20200907 Horizon Governance Terms of Reference v1.0 | Terms of Reference for the Horizon governance board | POL
20201016 Horizon Known Errors Joint Review Working Group ToR v1.2 | Terms of Reference for the Horizon Known Errors governance board | POL
Copy of Horizon Known Error Review WE161020 | Known Errors for 16th Oct 2020 | POL


A1. Document list - KELs, SULG, HNGA (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Horizon Known Error Review ToR V1 | Process for managing KEL items | POL
Horizon Known Error Review Agenda 191020_ | Horizon Known Error Review meeting agenda or minutes | POL
Horizon Known Error Review WE021020 | KELs for 2nd Oct 2020 | POL
SIP Test Action 1.1 | Response to SIP environment issues | Fujitsu
SIP Test Action 1.2 | Response to SIP transaction issues | Fujitsu
SIP Test Action 1.3 | Response to SIP automation issues | Fujitsu
SIP Test Action 1.5 | Response to SIP regression issues | Fujitsu
CM-POL-IT Change Management Policy v1.0 | The change management policy for IT | POL
CM-PRO-IT Change Management Process V2.0 | The change management policy for IT | POL
Change Control Framework Extract_October 2020 | Extract of Change Control Framework Deliverables | POL
Change Examples-> Change Example_Fujitsu CHG0037290 Campus DR Change Request Draft v2 (8) | | POL
CHG0037290 Change Plan DR_2020 | Script for CHG0037290 Change Plan DR_2020 | POL
CHG0037290 | Sample Fujitsu Change Request | POL


A1. Document list - KELs, SULG, HNGA (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Zip Tech CAB Agenda Minutes | Technical CAB Agenda and minutes detail sheet | POL
Zip Business CAB Agenda Minutes | Business CAB Agenda and minutes detail sheet | POL
CHG0037544 | Computacentre Change Request Sample | POL
CHG0037838 | Verizon Change Request Sample | POL
CHG0037846 | Verizon Change Request Sample | POL
CHG0037898 | Verizon Change Request Sample | POL
CHG0036991 | Computacentre Change Request Sample | POL
CHG0036992 | Computacentre Change Request Sample | POL
POA-TSR-DMO0119468 - Environment Agency - GDPR changes v0.3 | Test Summary Report | POL
Fujitsu-Post Office ISAE3402 FINAL report - 1 April 2019 to December 2019 | Internal Audit Report - Fujitsu-Post Office report - 1 April 2019 to December 2019 | POL
POA-TSR-Drop & Go -EUM Restrictions v0.2.docx | Test Summary report - DROP & GO -EUM RESTRICTIONS | Atos
Test Plan - Drop & Go -EUM Restrictions v0.1.docx | Test Plan - DROP & GO -EUM RESTRICTIONS | Atos
PCI DSS - Master Test Strategy v1.0.docx | PCI DSS Master Test Strategy | POL/Atos
Pocono Regression Test Update Friday 9th October | Regression testing update mail | Atos

A1. Document list - KELs, SULG, HNGA (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
POA-TSR-2415 - PCI DSS PIN Changes Test Summary Report v0.4 | Test Summary Report for a Large change | POL/Atos
POA-TPN-2415 - PCI DSS Test Plan v0.2.docx | Test Plan for a Large Change | POL/Atos
PCI DSS - Master Test Strategy v1.0 | Master test strategy for large project | POL
RIPE Project Closure Concurrence | Project closure documentation mail | POL
IT Concurrence - Guidelines v3.0 | IT Concurrence Document | POL
IT concurrence - Closure report IT Service transformation | Project closure documentation mail | POL
Copy of Risk and Control Matrix | Risk and Control Matrix sheet | POL
IT Controls Progress Report | IT Controls Progress Report | POL
Copy of CSA Monthly Detail Report | CSA Monthly Detail Report | POL
TSTSOTHTP4072 | SV&I Test plan for CP2459 - Payment Pilot - Phase 2 | POL/Fujitsu
TSTSOTREP4126 | SV&I - End of Testing Report - PBS Phase 1 and 2 | POL/Fujitsu
POA-TPN-0002411 - Autumn Tariff Change Test Plan v0.1 | Atos reference data change test plan - Autumn Tariff | Atos
POA-TSR-0002411 - Autumn Tariff Change Test Summary Report - Approved v1.0 | Atos reference data change test summary report - Autumn Tariff | Atos
KELs Process Flow diagram (PEAK and KEL process Swimlanes MG2.5.vsdx) | KELs management process diagram | POL


A1. Document list - KELs, SULG, HNGA (Cont.)

In the course of this audit we reviewed several documents. They are listed below.

Title | Description | Source
Summary Notes Post-HIJ | Historical KELs summary notes Post-HIJ | POL
Summary Issue Reports | Historical KELs summary reports Post-HIJ | POL
Copy of _DOC_159267141(2)_29 Issues - key details.xlsx | Historical KELs key details sheet | POL
20201113 Known Error Log Decision and Funding Tracker v2.xlsx | Known Error Log Decision and Funding Tracker | POL
Horizon Known Error Review Minutes 161120.docx | Known Errors Review Minutes | Fujitsu
Horizon update November 2020 - Release Notes.docx | Release Notes for Horizon November update | POL/FJ
Knowledge Base - carde2117L.151119.pdf | Knowledge Base Article | POL/FJ
Knowledge Base - dsed1614M 060420.pdf | Knowledge Base Article | POL/FJ
Knowledge Base - GelderR488Q 131120.pdf | Knowledge Base Article | POL/FJ
Knowledge Base - jsim1429I 151119.pdf | Knowledge Base Article | POL/FJ
Known Errors - Stakeholders and Management Update - 23 November.pptx | Horizon Known Errors - Latest Status of Open Items (as at 23/11/2020) | POL
MemoView Branch Reminder - Drop & Go Compliance Communication 17.11.2020.docx | Drop & Go Compliance Communication | POL/FJ
Current Architecture and Forums.ppt | Current Architecture and Forums details | POL


A2. Interviewees

In the course of this audit we spoke to a number of individuals. They are listed below.

Name | Title | Area of Focus
Adrian Eales | [TBC] | Horizon walkthrough
Andrew Kenny | [TBC] | Demonstration of the Tier 2 team usage of HORice when conducting investigations
Adam Malach | [Head of Cyber Assurance] | Meeting to understand PO side of security management
Tony Hogg | [Head of Cyber Operations] |
Graham Hemingway | [GLO Portfolio Manager] | Understand the GLO Portfolio and how the Horizon Issues programme fits in this bigger picture
Simon Oldnall | [GLO and Horizon IT Director] | At least daily interaction on direction of travel, validation of hypotheses and emerging findings.
Martin Godbold | [Head of IT Service for Retail] |
Paul Smith | [TBD] |
Dean Bessell | [TBD] |
Paul Kingham | [TBD] |
Charlotte Muriel | [TBD] |
Dionne Harvey | [Contract Vendor Management] | To understand the vendor relationship management aspect between POL and FJ.
Sree Balachandran | [TBD] | Obtain an understanding of the IT landscape (e.g. IT equipment, email, server, networking, etc) of the Post Office Limited and branches; understand how a Branch processes transactions and how data moves from Branch to Horizon; understand feedback from Postmasters
Joy Lennon | [TBD] | Overview of the process for management of global user accounts, Privileged Access Management, Remote Access Management
Dave King | [Head of Security Architecture] | Walk through Privileged Access Management/PAM/RAM process(es) for Horizon at Fujitsu; walk through break-glass procedure including approvals, monitoring, audit log reviews etc.
Shaun Turner | | Horizon Access Management: process for access to Horizon using Smart IDs
Ehtsham Ali | [Head of Cyber Security Compliance] | General overview and specifics around compliance checks with suppliers, detail on builds, understanding of approach

A2. Interviewees (Cont.)

Name | Title | Area of Focus
Aatish Shah | [TBD] | IT Change Framework: POL IT controls and the framework in place around these controls
James Brett | [ATOS Test Manager] | Discuss the testing which ATOS is responsible for delivering
Luke Harrison | [TBD] | Further develop understanding of the IT landscape (e.g. IT equipment, email, server, networking, etc) of the Post Office Limited and branches
Sally Rush | [TBD] | Understand the current documentation and processes for data management in Horizon
Rob Wilkins | [Director for Cloud Office] | Understand the Horizon move to Amazon Web Services
Gary Walker | [TBD] | Understand the Release management process
Ian Sage | [PM for AWS migration] | Discussion of how the Belfast Migration programme is governing change
Ben Owens | [TBD] | Introduction to the testing being performed across change occurring on Horizon, and how the testing is governed and controlled, including the test approach for the Belfast migration
Jonathan Acres | [Internal Audit] | To understand the POL environment from IA's perspective and evaluate Internal Audit's involvement with risk management around Horizon and FJ
Diogo Vidinhas | [TBD] | To understand the POL environment from IA's perspective and evaluate Internal Audit's involvement with risk management around Horizon and FJ
Rebecca Barker | [Head of IT & Digital Risk] | Understand the role/records/actions under POL's Risk Management function
Stephen Browell | [Fujitsu CIS] | Discussion of ways of working with Fujitsu including access to documentation and resources
Katrina Holmes | [TBD] | Horizon change mgmt, testing and incident management
Stuart Banfield | [TBD] | Horizon change processes
Harry Vazanias | [TBD] | Discussion of change management, gaps and problems in IT org structure and SDLC management
Joseph Moussalli | [TBD] | Discussion on how the PCI programme is being governed
Tony Jowett | [CISO] | Governance around Horizon and the IT controls framework
Steve Page | [Solutions Architect] | Library of architecture documentation on Horizon and an overview of the Horizon data flow


A2. Interviewees (Cont.)

Name | Title | Area of Focus
Saira Burwood | [TBD] | Walkthrough of the portfolio process; discussion on detailed programme and project management; governance of third party delivery
George Cross | [TBD] | Walkthrough of the portfolio process; discussion on detailed programme and project management; governance of third party delivery
Cherise Osei | [TBD] | Walkthrough and discussion of the POL change management process
Gareth Clark | [TBD] | Portfolio management within IT
Matthew Warren | [TBD] | Discussion of how ATOS are involved with POL change


A2. Interviewees (Cont.)

The following individuals were interviewed as part of the Investigations TOM work, but relevant observations were shared and have been incorporated in this report:

Name | Title | Area of Focus
Tim Perkins | Head of Service and Support | Investigations TOM
Alison Bolsover | Branch Reconciliation Area Lead | Branch reconciliation
Colette Mcateer | Branch Reconciliation Operations Manager | Branch reconciliation
Alison Clark | Branch Analysis and Control Manager | Branch analysis and loss prevention
Andrew Kenny | Service Centre Manager | BSC Tier 2
Louise Liptrott | Tier 2 Team Leader | BSC Tier 2
Sharron Logan | Case Review Manager | Case review teams
David Southhall | Contract Investigation and Resolution Manager | Case review teams
Wayne Brant | [TBD] | Case review teams
Huw Williams | Contract Investigation and Resolution Team | Case review teams, key logging, ARQ process
Michelle Stevens | Loss Prevention Manager | Branch analysis and loss prevention
Paula Jenner | Head of IT Service for Corporate | IT Systems
Matt Quincey | Service Manager for Accenture and Verizon | IT Systems
Drew Mason | Network Monitoring and Support | Branch analysis and loss prevention, FREDD-O.


A2. Interviewees (Cont.)

The following individuals were interviewed as part of the Investigations TOM work, but relevant observations were shared and have been incorporated in this report:

Name | Title | Area of Focus
Ketul Patel | Network Delivery Director | Key logging and network analysis
Ruk Shah | Group MI and Analytics Director | Data Platform
Maria Opaniran | [TBD] | Data Platform
Dean Whitehead | Service Centre Support Manager | Dynamics and Puzzel
Laura Tarling | [TBD] | Flag Case Team
Tony Hogg | Head of Cyber Operations | Security operations
Matthew Lenton | Fujitsu | Investigation requirements for Fujitsu
Christopher Knight | Intel Team Manager | ARQ data request process
Min Dulai | ServiceNow System Manager | ServiceNow


A3. Meetings list

Ref# | Focus Area | Attendees | Date | Comments
1 | Horizon Overview | Adrian Eales | 16-Oct | Horizon walkthrough meeting
2 | HORice walkthrough for investigations | Andrew Kenny | 16-Oct | HORice walkthrough
3 | KPMG Engagement | Adam Malach, Tony Hogg | 21-Oct | Meeting to understand PO side of security management
4 | Project Iris - Audit deliverables | Simon Oldnall | 23-Oct | To agree on the engagement deliverables and audit report structure using the examples that Amina provided; this was agreed at this meeting.
5 | Call with PO Head of Cyber Security Compliance | Ehtsham Ali | 23-Oct | General overview and specifics around compliance checks with suppliers, detail on builds, understanding of approach etc.
6 | GLO Programme Overview | Graham Hemingway, Kevin Hutchinson | 28-Oct | Understand the GLO Portfolio and how the Horizon Issues programme fits in this bigger picture
7 | Project Iris - Vendor management meeting | Dionne Harvey | 29-Oct | To understand the vendor relationship management aspect between POL and FJ
8 | Project Iris - CISO meeting | Tony Jowett | 30-Oct | Discussion on governance around Horizon and the IT controls framework
9 | Branch process | Sree Balachandran | 03-Nov | Session to understand how a branch processes transactions and how data moves from branch to Horizon
10 | Risk Management | Rebecca Barker | 03-Nov | Understand the role/records/actions under POL's Risk Management function
11 | Horizon Data Flow Overview | Steve Page, Martin Godbold, Charlotte Muriel, Dean Bessell, Paul Kingham, Sally Rush | 06-Nov | Session for Steve Page to introduce us to the library of architecture documentation he has on Horizon and an overview of the Horizon data flow


A3. Meetings list (cont.)

Ref# | Focus Area | Attendees | Date | Comments
12 | Project Iris - Internal Audit follow-up meeting | Jonathan Acres | 09-Nov | Meeting to discuss Internal Audit coverage of Horizon controls.
13 | Project Iris - Security Architecture meeting | Dave M King | 09-Nov | (PAM/RAM meeting) Discuss and obtain an understanding of the IT security architecture of the Post Office Limited and branches
14 | IT Security: Initial Discussion | Dave M King | 09-Nov | (Forensics meeting) Discuss and obtain an understanding of the IT security architecture of the Post Office Limited and branches
15 | KPMG GLO Assessment - IT Change Framework | Aatish Shah | 10-Nov | Discuss the POL IT controls and the framework in place around these controls
16 | Project Iris - PAM/RAM evidence request | Simon Oldnall | 11-Nov | Discuss the testing ATOS is responsible for delivering
17 | IT Scoping Discussion | Sree Balachandran, Luke Harrison | | Discuss and obtain an understanding of the IT landscape (e.g. IT equipment, email, server, networking, etc) of the Post Office Limited and branches
18 | Project Iris - Global User accounts meeting | Joy Lennon | 17-Nov | An overview of the process for management of global user accounts, role of Joy Lennon, Privileged Access Management, Remote Access Management
19 | Project Iris - Security Architecture | Dave M King | 18-Nov | Walk through Privileged Access Management/PAM/RAM process(es) for Horizon at Fujitsu; walk through break-glass procedure including approvals, monitoring, audit log reviews etc.
20 | Evidence request meeting | Simon Oldnall, Sree Balachandran | 18-Nov | Walkthrough of the evidence list - meeting requested by Simon
21 | Horizon Access Management | Shaun Turner | 19-Nov | Discuss the process for access to Horizon using Smart IDs
22 | Horizon Change processes | Sree Balachandran, Sally Rush | 20-Nov | Discussion on our understanding of Horizon Change processes
23 | Evidence request meeting | Sree Balachandran | 23-Nov | Walkthrough of the evidence list
24 | Review document request list | Sree Balachandran | 25-Nov | Walkthrough of the evidence list - meeting requested by Simon
25 | Project Iris additional documentation | Sree Balachandran | 10-Dec | Walkthrough of the evidence list for PAM/RAM
26 | AP-ADC scripts | Steve Page | 14-Dec | Discussion regarding the AP-ADC scripts
