POL00105635
POLO00105635
=
De I oO itte a STRICTLY PRIVATE AND CONFIDENTIAL
OW.
VRepor
\
N
Project Zebra — Phase
\
DRAFT - For vc iivadvance Of Board discussion on Wednesday 30" April.
NK
\
\
\
Deloitte Ref: VALIDATION DRAFT Version 8
SUBJECT TO LEGAL PRIVILEGE
Contents
Executive Summary 1
1 Introduction Xx
2. Understanding the Processing Environment Xx
3 Approach
4 Assurance Map
5 Key Matters for Consideration
ap.Anal ysi: x
Appendix 1: Inventory of Documentation Reviewed /
Appendix 2: Engagement Letter
Appendix 3: Assurance Source Mapping and G
\
\ AN
eo \ 4
f validation ahd the Board meeting on 30" April 2014, below).
DRAFT FOR VALIDATION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00105635
POLO00105635
POL00105635
POLO00105635
Executive Summary
Summary Introduction, Terms and Scope
In response to Post Office Ltd’s (POL's) desire to demonstrate that your current day Horizon Next Generation
(“HNG-X") system is robust and operates with integrity, within an appropriate control framework, POL has
commissioned and been provided with work relating to the HNG-X processing environment.
POL has appointed Deloitte to independently produce, based upon the information made available to us by POL, a
summary of this work undertaken, raising key matters for your consideration which we consider relevant to POL’s
objectives above.
This report introduces the concept of the “risk universe” over the HNG-X
processing environment. As part of our work we have created a high level ris!
Fig 1: Simplified COSO Mode!
« Project Risks — those risks relating to very significant changes to processing environment that require
formal project governance structures to be a leploye Contro! 5 which mitigate these risks are often
referred to as “Project Controls”. J
~
« Environmental Risks — those risks applicable to they ~palicies “and ‘procedures which support the day to day
running of the system, such as security rane we ate le oontrol management and system operations
management. Controls which mitigate these risks are offen séferiéd to as “General Computer Controls”.
« Specific Risks — those risks that ar fore granular oy unigue in nature, as applied to POL’s HNG-X processing
environment, specific to matters’ si as /application” enforced behaviours; unique system design and
interaction features; required end s ayem ss ape and-yControls which mitigate these risks are often referred to
as “Inherent System Controls’ NEnd User Li
x
As per best practises, we also Tecogcis he need for the response to the risk universe to be driven by the risk
appetite of the Board; arid Geng dene tl ough risk intelligent and balanced controls. Our report makes.
reference to these tefms, which we define in this context as:
os) * “Application Embedded Controls” and “Process Controls”.
co Risk Appetite — iS.the level of residual risk which is acceptable to those in charge of governance, around which
the internal control vironn ent ahd be designed and operated.
2% Risk Intelligence — is Tre abiity of management to take risk appropriately into consideration when making
decisions, to underpin conformance with risk appetite. ‘Monitoring’,’ Information and Communication’ and ‘Risk
Assessment’ are dimensions of COSO that are all relevant to management's ability to be risk intelligent.
« Control balance — is the ability to shape optimally efficient responses to risk, balancing control activities which
are preventative, detective and monitoring in nature.
To further assist with understanding our work in appropriate context, we note that:
co We have only considered assurance sources relating to the current day HNG-X processing environment, and
we have not looked at any assurance sources relating to POL’s legacy Horizon system(s).
2 We have relied on information provided by POL and, other than the approved contact we had with Fujitsu, we
have not met nor spoken to any third parties during our work.
« We have not verified or tested the information provided, and thus we cannot comment on its quality, accuracy
nor the completeness of any documents or matters there-in included.
co We have not reviewed nor considered any contractual provisions in place between you and any third parties.
DRAFT FOR VALIDATION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00105635
POLO00105635
Summary Understanding of the Processing Environment
The Horizon system has been used by POL since 1995. Designed, built and operated in conjunction with Fujitsu, it
has processed many millions of transactions across thousands Post Office branches during this time, and has a
significant number of interfaces to manage and control data-flows, both internally and externally with third party
systems. HNG-X is currently used by more than 68,000 users across 11,500 Post Office branches.
In 2010/11 the system underwent a significant upgrade, through the branch by branch implementation of the HNG-
X solution. The key purpose of this project was to enhance the infrastructure on which system was operating, for
example, removing data stores from local branch environments and providing the ability for POL to better secure
key data assets. Our report is thus only relevant to the processing environment from this point forwards.
A key feature of the HNG-X system is its audit trail. The system has an “Audit Store”, which is a secure area
containing digitally signed (tamper proof) copies of all completed branch transactions and other key operational
events. All records in this store have a unique, sequential identifier (assigned at the ter) which not only
provides evidence of completeness of the store, but also links the audit trail recor: permanently to its original
source — at both branch and counter (and therefore user) levels.
co Bureau Veritas, who perform ISO 27001 certification over Fojitsu’s he including that of HNG-X.
2% Information Risk Management (IRM) who accredit to. the Payment veil Industry Data Security Standard.
2 Post Office internal audit.
When considering the work performed by rman to it in one of two ways:
o Assurance work — work provided wa independent, organisation, suitably qualified in the subject matter and
experienced in the provision coriclusive/ assurance I statements. In the context of HNG-X sources, we
consider the ISAE 3402 report, Pcl DSS apt and work of internal audit to be examples of ‘assurance
work’. 7
eo Other work — work not prevrded ‘by. an ingpendent party, and/or who is unlikely to be experienced in the
provision of resem assurance work, We" ‘consider work such as that from POL's outsourcers, peer reviews
and the diagnosti pstigations / Spot reviews that have been performed, to be examples of ‘other work’.
ertoraeg/
Our detailed scope of sorvoes isotined in our Engagement Letter (Appendix 2). To summarise, we have:
Summary of Wor
co Reviewed the documents listed in Appendix 1 and clarified certain matters with POL and Fujitsu.
« Created a high level risk universe, based on our experience of computer processing environments.
s« Considered the documents POL has shared relating to work done over project and environmental risks.
eo Considered the documents POL has shared relating to work done over specific risks, and looked further at
work to do with specific risks relevant to the:
o Interfaces with DVLA systems;
o Implementation of and migration to HNG-X; and
o Integrity of the HNG-X Audit Store.
oo Mapped key assurance work and other work to the risk universe, highlighting key potential gaps or areas of
potential ambiguity.
DRAFT FOR VALIDATION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Key Matters for Consideration
POL00105635
POLO00105635
Risk Area
Key Matters for Consideration
Nature of
Work Done
(1)
General
»
ia
Risk Appetite: During our work, only occasional linkage of work to the risk appetite of POL
was noted. Whilst not unusual in the consumer business sector, such articulation and
embedding of risk appetite assists with the delivery of better optimised and prioritised key
controls and assurance activities.
Internal Audit: During our work we have not been furnished with any examples of Internal
Audit assurance over key HNG- risks on behaif of those in charge of governance. We find
it unusual that a risk driven internal capability such as internal audit have performed no work
on the HNG-X processing environment over the time period considered by our review.
Nia
(2)
Project
»
a
°
Project Governance: Governance procedures described to us (verbally) suggest that the
expected levels of business involvement in pre-go live system and user acceptance testing
was performed as part of the implementation; and that business users were appropriately
involved in signing off of system requirements and readiness to go-live (full syst
reconciliations). The quality and nature of this testing is key to the ‘baseline’ of“inher
we understand is being recovered by POL).
Post Implementation Assurance: Project assurance relating to
assessment, incident reporting and lessons learned is outstandi
Deloitte.
y,
‘suppdt information relating to the
lear (eg Whils/SNs are sequential
Control Framework: The ability of documentation to ful
detailed design of controls relating to specific risks is u
is there an systems operations control which checks the
proactively?).
Other work only,
no assurance
work noted.
(3)
Environmental
2
s
°
Risk Appetite and Assessment: Whilst Work performed is Comparabié to that which we
see at other organisations, POL has not yat perfarmed an exercisétto assess coverage of
key controls and assurance work against their own ri appetite,”
A
End User Control Considerations: The ISAE 3402 $4 requires interpretation in the
L. The},are outlined inSection 6 of the ISAE 3402 report.
‘assurance provided'by the SAE3402 is weakened. We are not
aware of any such work’bei [performed by POL, or ther organisations.
Assurance Focus There is significant, potentially. duplicated, assurance (from multiple
sources) relating to’¢ertain security.managemént risks. However, only one source of
assurance (the ISAE 3402 report}.is available relating to non-security related “system
operations? and-“changé'managenent" risks. This leads to significant reliance on the quality
and nature of assuranee proyided by that source
\, ‘ed teeth
Assdrance Clarifications: In the€ontext of detailed testing and assurance procedures,
re aréareas ofthe ISAE 3402 report which would benefit from further clarification, in
ler to remove ambiguity from its interpretation. For example:
co Yhe report'dges not diarity from where populations of data tested in samples were
obtained and thus how exposed conclusions may be from internal fraud or deliberate
override of control (eg: for change management testing, were samples picked from the
population pine ‘secure Audit Store, or from another source?).
© the report does not draw out certain key features in the control design, which we would
assume are present, for example, control objective 4.8.11 (relating to access to the
system being restricted to appropriate users) does not explicitly state and test that users
must have and use their own unique username, thus underpinning audit trail integrity
© the reports not explicit in the sample sizes used for testing
°
the report contains tests which appear ‘weak’ in nature, for example, control test 6.5 in
section 7 appears to test through discussion with personnel only, without clarifying if
anything was done to corroborate such verbal assertions.
Both assurance
work and other
work
DRAFT FOR VALIDATION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00105635
POLO00105635
a. Risk Driven Considerations: The cutrent documentation over specific risks has been
largely written in response to key incidents or events, by non-independent parties and from
operational perspectives. Whilst detailed, it is also not written from a risk and assurance
perspective and is rarely evidential in its content.
b. Control Framework: There are areas where an understanding of the design and nature of
operations relating to specific risks is available, but the design, implementation and
operating effectiveness of key controls has not been aggregated into a risk driven
framework nor assured by independent parties in detail
c. Interfaces - DVLA: Whilst environmental risk relating to system operations is largely
assured in the ISAE 3402, we note that no evidence of specific or detailed testing or
assurance work has been carried out over specific risks relating to the DVLA interface (both
(4) IT and business in nature)
d. Audit Store: This records all transactional activity and certain (key) system events. Work we I Other work only,
Specific
ps have seen performed on this store has been performed by Fujitsu and is not ‘evidence no assurance
based’, as the documentation provides a description of the process they have performed work noted.
only. Itis also not clear from the documentation we have been provided whether:
© POL has agreed that the current capturing of certain, key system events, js“compiéte
and appropriate for potential governance and investigation needs; and
© Investigatory work on the Audit Store has all been performed by Fyjifsu who, whilst
technically qualified, do not constitute an independent nor experiénced partyvfor risk
driven assurance purposes, or what risk analytic tools were usécNonthiese pur}
©. Proactive monitoring of key specific risks: The current as; enyironment appears
to be “reactive” in nature, with exceptions in processing tris fo8tic and
remediation activity only when reported. It would appear, isefs beirig made of the
Audit Store, for proactive monitoring of unusual or exceptional system events potentially
worthy of further investigation and action.
Key Potential Next Steps \ x
VA
We recommend that POL consider the following actions to
LoS, \
y TA
\duet.an exercise with the POL Board and those in charge of Governance to define
1 Risk Appetite Workshop: 96n
Risk Appetite relating tote ung xprooodrg anager
Risk and Control Framework: Extend-and.confirmh the completeness of the HNG-X processing environment risk
universe and crgate-a more Wetailed internal control framework which responds to these risks (in particular at Specific
Risk levels)-Prioitise key areas Yr improvement (including clarifications / the removal of ambiguity in exist sources)
and one agréGaohanges Ih existing assurance sources. This will include the areas already identified below.
(a) End User Conitrol Considerations Testing: POL controls called out in the ISAE 3402 as being ‘key’ to
supporting those eéntrojs in operation at Fujitsu should be identified and tested;
2 2(b) Addit Store Testing: An independent party should review and test the Audit Store functionality, as
described Within the technical documentation provided by Fujitsu. This should include certain data analytic tests
on underlying Audit Store data, to better understand, profile and examine the operation of the Store, and,
potentially, use historic characteristics of incidents and errors to analytically search for like characteristics and
trends within the audit records
2(c) Interfaces: An independent party should review and test Key interfaces, as described within the technical
documentation provided by Fujitsu. This should include certain data analytic tests on transactions flowing
through interfaces, to better understand, profile and examine the operation of those data-flows.
3 Review Project Documentation: Assess evidence that business requirements, testing and post implementation
assurance were performed sufficiently and adequately as part of the 2010/11 HNG-X implementation project
Implement More Proactive Monitoring of Key Risks: Key risks and the operation of key mitigating controls should
4 be proactively monitored, with automated alerts generated when certain key behaviours in the system are not in line
with expectations or intended outcomes (eg: ongoing verification of sequential JSN records in the Audit Store),
5 Sustainable Assurance Delivery: Once the design of the assurance requirements is concluded, an exercise should
be performed to optimise the assurance map, to ensure full coverage of key risks, with minimal duplication.
DRAFT FOR VALIDATION ONLY
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
\
Other than as stated below, this Pw is confidential and prepared solely for your information and that of other
beneficiaries of our advice listed in our engagement letter. Therefore you should not, refer to or use our name or
this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make
them available or communicate them to any other party. If this document contains details of an arrangement that
could result in a tax or National Insurance saving, no such conditions of confidentiality apply to the details of that
arrangement (for example, for the purpose of discussion with tax authorities). In any event, no other party is
entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who
is shown or gains access to this document.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number 0C303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("“DTTL"), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see
www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00105635
POLO00105635