POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
Jonathan Swift QC and Christopher Knight: Meetings on 14/12/2015 at Finsbury Dials
Fujitsu (Pete Newsome, Gareth Jenkins, Martin Harvey)
Jonathan began by giving an introductory patter to the meeting’s purpose and that of the Review
more generally. The meeting followed, as you might expect, a pattern of Jonathan and Christopher
(though principally Jonathan) asking a series of questions for Fujitsu to answer. Attendees from
Fujitsu were keen to make reference to the Core Audit Processes and noted that the term ‘Horizon’
had widened to include issues not actually related to Horizon. Jonathan stated he was only
interested in the alleged software issues.
The meeting was cordial, though at moments, Jonathan had to be persistent in his questioning to
obtain an answer to the question he had asked, particularly in respect of the number of system
‘errors’ that have been identified and Fujitsu providing him with a log of these.
Jonathan and Christopher were particularly interested in:
1. The allegations made by Richard Roll during the Panorama broadcast, the various ‘lines of
support’ available to Postmasters and, broadly speaking, the number of people who worked
on and were tasked with servicing the Horizon system and ‘fixing’ errors (i.e. 3% / 4" line
support). Fujitsu have taken this action away.
2. The number of system errors that have been identified, by year, which could affect branch
accounting. Further, although such a bug affected only, for example, 14 branches — how
many could each have affected and what were the reasons for why those branches not
affected, were indeed not affected, Fujitsu have taken this action away
3. What level of branch / transaction data could be retrieved and reviewed, the circumstances
in which it was or was not reviewed by Fujitsu and the impact, if any, of not being able to
replicate the exact ‘key stroke sequence’ after the 42/60* day time period had passed
* Pete noted that Fujitsu had only been asked to retrieve and retain branch data for
cases that applied to the Scheme, but not analyse it
=" Gareth Jenkins noted that in the logs he had reviewed as part of Spot Reviews, what
the logs showed did not match up with the story of events being told by the former
Postmaster(s)
= Jonathan asked that although not initially reviewed by Fujitsu, presumably the ARQ
data could still be, if it were still available
4. The Balancing Transaction Process and the implications of no consent being required from
the Postmaster for it to be implemented
5. The assertion made on Page 6 of Deloitte’s Board Briefing Document, where it states data
can be deleted from the Audit Store
= Pete said Fujitsu had not seen this paper and would need to be able to see it in order
to be able to provide comment.
Gareth Jenkins stated that the exact key sequence could be replicated up to a month after the event in question has taken place. I have
assumed, for the purposes of this note, that he is referring to the time period for which transaction data is available in branch. 42 days pre
2010 and 60 days thereafter
POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
6. That Second Sight had only requested the emails of the Post Office employees who worked
at Bracknell, rather than the Fujitsu employees as well
Outstanding Actions include
1. Fujitsu to supply Jonathan and Christopher with the comments they provided on the Second
Sight Reports
2. Post Office to provide the presentation Pete Newsome supplied Angela on the recent ‘forced
log out’ issue on Friday
3. Fujitsu to supply Jonathan and Christopher on details surround the ‘Falkirk’ bug including:
= Number of branches affected
= The ‘capability’ of the bug in respect of the number of branches it could have
affected and assuming this is more than the number actually affected, the reasons
for this
4. Post Office to make enquiries into whether it can provide a copy of the Deloitte Board
Briefing Paper to Fujitsu
5. Fujitsu to provide the number of system errors identified, by year, that could affect branch
accounts together with the number of branches that were affected and were capable of
being affected by these errors, together with reasons
6. Fujitsu to investigate its email / data retention policy and how this would, if asked for the
information, affect its ability to provide the emails for those Fujitsu employees who worked
at Bracknell in 2008/09
7. Post Office to share with Jonathan and Christopher the Post Office investigation in to Jo
Hamilton’s allegation that her discrepancy doubled upon following the NBSC’s advice
Investigations Team (Angela Van Den Bogerd, Kath Alexander, Shirley Hailstones)
Again, Jonathan opened by introducing the purpose of this meeting and the ‘Review’ more generally.
The tone of the meeting was relaxed with the investigations team offering relevant factual
information in a manner that seemed to be appreciated by Jonathan and Christopher
Jonathan and Christopher were particularly interested in:
1. What background and experience the 20 strong investigations team had
* Shirley detailed that most were previously Field Support Advisors, though some had
worked in the Post Office Security Team or were Auditors
= Angela added that particular cases were mapped to respective Investigator’s skillset
/ expertise and knowledge
2. To what extent the 7 year data retention policy had, if at all, hampered the investigations
= Shirley stated that, in terms of finding out what had happened, it had not really
hindered the investigations, save for in a couple of very old cases.
POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
"Angela added that they had adopted a very proactive approach to requests for the
preservation of data. As soon as it was felt an individual was likely to apply (i.e. pre
CQR submission / receipt) to the Scheme, Post Office had asked Fujitsu to preserve
data relating to that branch. Angela felt, the only real consequence of some data
falling outside of the typical data retention timeframe was that it took longer to
produce the POIR
= Kath noted that NBSC logs are retained as far back as 2000 and that these often
provided nuggets of information to follow up on. Kath used this as an example of
how routes of enquiry, clues or indeed the answer(s), would not only be contained
or available through a review of the transactions data
3. Other inhibitors to full investigations taking place e.g. NBSC calls not being recorded
(audibly) and instead, in some cases, the only log record being that of “KB”
* Shirley noted that although KB would not be specific, it did not necessarily need to
be as the call logs themselves, their volume and frequency would also show a
pattern / tell the story
4. Whether all retrieved ARQ data was analysed by Fujitsu or whether PO Investigators
analysed the data themselves. In the circumstances where PO Investigators performed the
analysis, did they feel they were less likely identify a system bug compared with, for
example, a Fujitsu Software Engineer
= Shirley stated that the PO Investigators did the analysis of transaction logs
themselves
* Kath noted that the type of advice sought from Fujitsu related to technical issues or
terminology. Kath also noted that Post Office investigators were not really looking
for clues that would suggest a system bug, but rather, an explanation or the answer
for what had actually happened in each case
* Angela added that had it not been obvious what had happened in each case, like it
had not with the recent ‘forced log off’ issue, they would have followed up with
Fujitsu. But for the 150 applications to the Scheme, this was not necessary.
5. Whether, where False Accounting has taken place, this would affect the ability to be able to
spot an issue that should have been referred to Fujitsu
"Angela replied that even in cases where False Accounting had taken place, they were
still able to analyse ONCH and other patterns of behaviour. This often enabled them
to identify when the loss or False Accounting had begun — though of course, being
able to get to this point would also be dependent upon how an Applicant had
falsified the accounts
6. The argument that the investigations that took place as part of the Scheme were more
thorough than those that would have taken place at the time of the original (non-scheme)
investigation
"Shirley acknowledged that where a case had not, at the time of the original
investigation, been referred to the Security team this may be the case
POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
Kath and Angela detailed how this could be because of a variety of reasons. For
example, at the time of the original investigation, applicants would often offer very
little information and when interviewed answer all questions with “No Comment”,
in an attempt to avoid prosecution. By contrast, CQRs included a huge amount of
information and assertions that could be investigated
7. The lessons learnt from the investigations
Angela highlighted that there is a lessons learnt documents. She provided this to
Christopher for him to review.
Outstanding Actions include
1. Post Office to review the “Case Catalogue” for the number of cases that involved False
Accounting
Deloitte (Andrew Whitton, Mark Westbrook)
I joined this meeting five or so minutes late. Though I introduced myself as working on the
Complaint Review & Mediation Scheme, I do not think Mark recognised that I worked for Post
Office. I was struck by his tone. He was noticeably, I felt, self-assured and not, in my opinion, overly
positive of the Post Office.
The meeting centred on Deloitte’s Board Briefing paper and Andrew giving a view on what, having
been asked by Jonathan, additional testing of the Horizon system could take place.
Jonathan and Christopher were particularly interested in:
1. The assertion made on Page 6 that data in the Audit Store can be deleted by administrators
during the 7 year retention period and the evidence supporting this
Mark explained that a document (of a few hundred pages) exists which articulates
the hardware of the Audit Store. Having read this report they had spoken to an SME
who, in conversation, said that the Audit Store was not set at its “maximum security
level” and that this enables the capability for data to be deleted from the Audit
Store. If the Audit Store security settings were at their maximum, this would not be
possible
Andrew noted that this would amount to a very technical abuse of the system and
something only a Fujitsu employee (with the necessary access, time and knowledge)
would be able to do
Jonathan noted, specifically, that whether this had happened, would be “a matter
that would need to be considered further”
2. Centrally generated transactions such as TCs and how Deloitte became aware of the BTP
Mark stated that he had become aware of the BTP through it being included in the
Annex of a large technical document. Though he was not, he said, provided with any
documentary evidence to the controls surrounding it, he did, in length, speak to
Fujitsu.
POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
"Andrew questioned why Post Office would have mechanisms such as the BTP in
place if technical failures did not take place. Jonathan challenged this point stating
surely it was good practice
* Andrew also mentioned the Suspense Account. He, in my opinion, appeared
suspicious of its existence
= Again, Jonathan challenged this, saying that as a mechanism “this is not striking is it?
It seems sensible”
* Andrew stated that it was “not its existence but rather, what is going on within it
and it volume of usage and the type of transactions being placed within it”
3. What further technical analysis could be done in respect of answering the question of
whether faults in the Horizon computer system had caused shortfalls in branch accounts
= Andrew took the lead. He mentioned three pieces of work:
A technical analysis of branch transactions. He stated this would involve
the analysis of data, relevant to the periods of time when alleged
unexplained losses are said to have taken place, for all cases in the
Scheme, searching for the less common transactions (identifiable by
their respective codes), identifying any patterns and comparing these to
general population. He said it would also involve a more general
“interrogation” of the data and a comparison between the data
recorded in the Audit Store and that held locally (in branch)
Andrew noted that any fault in Horizon, if it did exist, was not “Core
Systemic” as evidently, most of the time for most of its users, Horizon
works well. He said, you would therefore be looking for “boundary
issues” and that to look for boundary issues, would require the analysis
of transaction data 6 months either side of any alleged incident.
Jonathan commented that the starting point could be the individual
cases in the Scheme and asked for an indication as to the resource
required to carry out such testing. Andrew said he felt the initial piece of
work would take two people four weeks to complete. This would
produce some “thoughts to explore further, if agreed”.
A piece of work around whether Subpostmasters, for centrally
generated transactions (TAs, TCs and BTPs), had:
= been made aware of their existence
"received any training on how to identify and review them and
where possible, challenge them
Chris noted that, to a degree, we would be reliant on a Postmaster giving
accurate information. The complication of any review of this being historic
was also raised, by Jonathan, though Andrew felt this could be overcome,
albeit perhaps anecdotally
POL00103010
POL00103010
Strictly Private and Confidential: Subject to Legal Privilege
lll. A piece of work around the specific control processes in place to govern
centrally generated transactions
= Referencing P8 of their Board Paper, Andrew said they could
not, at the time of writing their report, identify any documented
controls being in place
= Jonathan challenged the ‘no controls’ assertion, citing the fact
that TC’s have to be accepted by the Subpostmaster
"Andrew countered, stating the BTP can be injected without the
Postmasters consent and they could, in theory go unnoticed
= Jonathan argued that this had only taken place once since 2010
* Mark made the more general point that any further piece of work should involve not
just “reading and talking but also looking and touching” e.g. testing the key controls
and risks, not just being told about them
My view
It was useful to sit in on all three meetings today. The two areas I feel Jonathan seemed most
interested in were:
¢ Post Office Investigators, rather than Fujitsu ‘techys’ analysing the branch ARQ data and
whether this increases the likelihood of software bugs, capable of affecting branch accounts,
being missed
e The assertion made in the Deloitte Board Briefing Paper that data could be deleted from the
Audit Store
I would be surprised if, in their report, Jonathan and Christopher did not recommend further
additional testing of the Horizon System. My guess would be that it would be:
Whether data can be deleted from the Audit Store and if it can, whether there is any
evidence to suggest it has been. As noted above, Jonathan expressly stated this is “a matter
that would need to be considered further”
e Additional analysis of branch ARQ data. This is the only recommendation by Deloitte that
Jonathan did not challenge and actually questioned likely timescales and resource
requirements