POL00107160
POL00107160
I
. :
Deloitte. STRICTLY PRIVATE AND CONFIDENTIAL
Horizon: Desktop Review of Assurance
Sources and Key Control Features
Draft for discussion
23 May 2014
This report and the work connected therewith are subject to the Terms and Conditions of the engagement letter dated 09
April 2014 between Post Office Limited and Deloitte LLP. The report is produced for the General Counsel of Post Office Ltd,
solely for the use of Post Office Limited for the purpose of assessing assurance sources and the design of certain controls
relating to the Horizon system. Its contents should not be quoted or referred to in whole or in part without our prior written
consent, except as required by law. Deloitte LLP will accept no responsibility to any third party, as the report has not been
prepared, and is not intended for any other purpose.
DRAFT: Version 16
SUBJECT TO LEGAL PRIVILEGE
POL00107160
POL00107160
Contents a
EI
a
1 Executive Summary 3 a
2 Introduction 7 I
3 Approach 9 a
I I
4 Understanding the Horizon Processing Environment 19 a
5 Assessment of Assurance Sources 25 I
6 Matters for Consideration 29 a
a
Appendix 1: IT Provision Assurance Source Mapping and Gap Analysis 35 Zz
Appendix 2: Assurance Schedule over Horizon Features 38 t I
Appendix 3: Inventory of Documentation Reviewed. - 56 LI
a
Appendix 4: Engagement Letter 61 Py
Appendix 5: Change Order 01 - 70 I
a
a
L I
L I
a
B
a
a
a
a
a
a
L I
DRAFT FINDINGS a
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
2 8
POL00107160
POL00107160
1 Executive Summary
Context
As outlined to us by the Post Office Limited (“POL”) litigation team, “ POL is responding to allegations from Sub-
posimasters that the “Horizon” IT system used to record transactions in POL branches is defective and that the
processes associated with it are inadequate (e.g. that it may be the source and/or cause of branch losses). POL is
committed to ensuring and demonstrating that the current Horizon system is robust and operates with integrity,
within an appropriate control framework. “
POL is confident that Horizon and its associated control activities deliver a robust processing environment through
three mechanisms: POL have designed features directly into Horizon to exert control; POL operates IT
management over Horizon; and POL have implemented controls into and around the business processes making
use of Horizon. Collectively these three approaches of inherent systems design, ongoing systems management
and business process control are designed to deliver a Horizon processing environment which operates with
integrity.
Since its implementation in branches, POL has commissioned or has received a number of pieces of work relating
to the Horizon processing environment, to provide comfort over its integrity. This work, referred to in our report as
the “Assurance Work”, provides documented assertions relating to aspects of the design and operation of the
Horizon processing environment. The Assurance Work includes IT project documents; operational policies and
procedures; internal and external investigations and reviews; independent audits; and emails confirming otherwise
verbal assertions.
Deloitte has been appointed to:
* consider whether this Assurance Work appropriately covers key risks relating to the integrity of the
processing environment,
to extract from the Assurance Work an initial schedule of the Horizon Features’,
* to raise suggestions for potential improvements in the assurance provision.
* “Horizon Features” is a term we have introduced to represent those features of the Horizon processing environment, including IT management
and business use controls, which provide that:
* movements in Branch ledgers have the full ownership and visibility of sub-postmasters; and
* — audit trails kept by the system are complete and accurate.
Summary of Approach Key assertions requiring assurance, to underpin confidence in processing integrity
HSC ap as pa wa
Weited os ended nhen fsa
We have structured our work around the
key control assertions shown in the
diagram (right), which has been agreed
with POL. We consider these to be key
matters that POL should control in order to
gain comfort over the integrity of
processing.
We have considered POL’s three design
approaches when evaluating the
Assurance Work.
ara a
eer ayers os teas
seit oe ese
Sys posta
DRAFT FINDINGS LESALY PRIIKEGEO AND CONFIDENTIAL ‘OoeorouuP DONS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
A key element of the approach was to identify the Horizon Features. POL did not have an existing document that
could be described as representing the Horizon Features in a demonstrably complete way, therefore we have
drawn out an initial view of the Horizon Features from the underlying documentation and considered Assurance
Work relating to them (Appendix 2) for the purposes of this review.
As communicated to us by management, we have also considered the following 5 key control objectives during our
activities to identify Horizon Features:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
These key control objectives are an important subset of the overail set of key control assertions highlighted in the
diagram above.
We have grouped the Assurance Work provided to us into three areas, corresponding to POL’s three mechanisms
of exerting contro! over the processing environment, as follows:
e System Baseline Assurance Work: This aims to provide comfort that the original Horizon implementation
and other changes performed under formal projects were well governed (compared to Deloitte project
management methodologies) and that detailed testing was performed against agreed business
requirements. Such activity would verify that the system was, at that point in time, fit for purpose and
implemented as intended. This assessment considers the point when the system and processes are
created.
e IT Provision Assurance Work: This aims to provide comfort that the IT management activities required to
run the Horizon system with integrity are designed and operating effectively. Such activity verifies that key
day-to-day IT management activities (e.g. security, IT operations and system changes) are appropriately
governed and controlled.
« System Usage Assurance Work: This assurance aims to provide comfort that the controls in and around
the business processes which make use of the Horizon system are appropriately designed, in place and
operating as intended.
Our work has been performed as a desktop review of documentation made available and has neither tested the
quality, completeness or accuracy of the Assurance Work provided to us or tested any controls relating to the
Horizon processing environment.
Summary of Observations
Substantial Horizon-related system documentation exists, comparable to that typically seen in organisations of a
similar scale where IT activities are outsourced and formal assurance activities are not mandated. Some
organisations are externally mandated to have a greater level of end-to-end, risk orientated documentation and
testing, e.g. in financial services. POL is not so mandated.
Based on our review of the available documentation, our key observations are:
¢ The extensive Horizon system documentation is structured from a technical rather than a risk and controls
perspective and provides an understanding of the Horizon Features. POL should conduct a formal
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
assessment to identify a complete set of Horizon Features that respond to POL’s control objectives.
The integrity of the Audit Store is designed to be preserved by a system of “digital seals” and “digital
signatures”. This feature underpins the ability to confirm the completeness and accuracy of data kept in the
Audit Store, and that of subsequent reports generated from the Audit Store. These digital seals and digital
signatures are both key components in the Horizon Features which are both validated during the extraction
process from the Audit Store.
POL is relying on the Horizon Features being implemented and operating as described. Whilst our review
focussed on the design of the Horizon Features, the Assurance Work we have assessed does not
completely test these features for implementation and operating effectiveness. Only those Horizon
Features relating to IT Provision have been validated and tested by independent third parties. In addition,
during the course of our engagement, one of the Horizon Features has been discovered by POL to not be
implemented as expected.
Business use (process) documentation is not complete or up to date, by some years in cases. As part of
completing or updating the documentation of Horizon Features, all relevant business uses should be
identified and evaluated from a control objectives perspective to identify potential additional matters being
relied upon.
Pre 2010 Baseline Assurance Work could not be provided by POL. This Assurance Work is required to
evaluate the comfort that the system was originally built and tested to specific business requirements. The
implementation in 2010 of HNG-X is asserted by POL to have not significantly impacted the design of the
Horizon Features.
Governing controls over key, day-to-day IT management activities have been independently tested and
opined by Ernst and Young (since 2012) to a recognised assurance standard (ISAE3402).
A number of third party systems are used by Horizon on a day-to-day operational basis. Documentation
asserts that these interactions do not impact on the Horizon Features.
Scope Limitations
Our work has been subject to the following exclusions:
.
Only matters relating to the Horizon Features within the Horizon processing environment have been
considered during our review;
We have not provided a legal or any other opinion as to the completeness and accuracy of processing of
Horizon at any point throughout the work;
We have not had direct contact with any third parties other than named contacts that you have provided to
us (Appendix 3);
We have not verified or tested any information provided directly by you, or directly or indirectly by third
parties (the schedule of information received is in Appendix 3);
We have not reviewed any contractual provisions in place between you and third parties;
Our work was limited by significant gaps existing in the information available, relating to both the granularity
of information and the existence of the Horizon Features over the entire timeline of operation of Horizon.
The effect of which is that there are in gaps within what we are able to comment upon over this timeline.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
Our findings below are written in the context of the information available, which relates to the current
system;
e Anevent occurred in 2010 which required the use of the exceptional Balancing Transaction process in
Horizon to correct a Sub-postmasters position from a technical issue. Information has not been provided on
the circumstances that lead to this system issue and how the issue was identified. It is assumed that verbal
assertions received from Fujitsu that this was the only time this process has been used hold true;
© We have not tested any of the Horizon Features; and
e We have not validated or commented on the quality of the Assurance Work supplied to us.
Our work was also based on the following assumptions:
e The documents provided are a complete and accurate representation of the Horizon design. We therefore
cannot comment as to whether the Horizon Features described below are complete nor whether other
processes or mechanisms exist which would need consideration in the context of the Matters.
e Allchanges made after the initial implementation have been properly approved, tested and validated as not
undermining the Horizon Features i.e. that the system’s controls have retained their integrity throughout
and thus the controls identified within the documentation have been consistent over the system’s lifetime.
e The assertions received relating to the major upgrade of Horizon in 2010 not materially changing the
design of the Horizon Features hold true.
e The cryptographic keys underpinning the digital signatures in Horizon have not been compromised.
* The mechanisms for issuing cryptographic keys for signing baskets is secure and authenticates requests to
prevent unauthorised provision of keys.
e Fraud or collusion to undermine or work around the Horizon Features has not occurred, in particular within
database administrator and security teams in Fujitsu.
e Assertions made by POL and Fujitsu staff have been accepted as accurate without corroboration or
verification.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
2 Introduction
Introduction
The Horizon system has been used by POL since 1995. During this time it has processed many millions of
transactions across thousands of branches. Horizon is accredited by Payment Card Industry Data Security
Standard (PCI DSS) and 1S027001. Itis currently used by more than 68,000 users across 11,500 POL branches
and is administered by Fujitsu as part of a managed service agreement. It is a key operational system for POL and
integrity of processing on the system is crucial to the day-to-day operations of the business.
POL is responding to allegations that the Horizon processing environment, used to record transactions in POL
branches, is defective and/or that the processes associated with it are inadequate.
In order to respond better to the allegations (which have been, and will in all likelihood continue to be, advanced in
the Courts), POL management want to demonstrate that the Horizon processing environment is robust and
operates with integrity, within an appropriate control framework.
In particular, management at POL has highlighted two key statements they would like to assess their comfort over
in response fo the allegations, being:
1. That Sub-postmasters have full ownership and visibility of all records in their Branch ledger; and
2. That the Branch ledger records are kept by the system with integrity and full audit trail.
These statements have then been further sub-divided into the following statements:
Horizon only allows complete baskets of transactions to be processed;
Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
vo
A ©
POL management have previously either been provided with or commissioned work (including independent
assurance reviews) into matters relating to Horizon’s operating environment and processing integrity. Documents
outlined in Appendix 3 have been provided to us and considered as part of the planning and delivery of our review.
- Objectives and Activities Undertaken
The purpose of this report is to provide, based upon the information made available to us by you, an independently
produced summary of the Assurance Work undertaken over your current day Horizon processing environment and
make recommendations on further work that could be done to enhance these assurance sources.
The work we have performed to produce this report has included:
¢ Obtaining an understanding of the Allegations; POL’s key risks in and internal controls over the Horizon
processing environment relevant to the integrity of processing; the measures in place to record and
preserve the integrity of system audit trails and other background matters that we may deem necessary to
complete our review;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
* Obtaining an understanding of the key differences between the current Horizon processing environment,
and the system which this replaced (here-to referred to as the “Legacy System”);
« . Reviewing, understanding and consolidating the Assurance Work (e.g.: investigations, assurance activities
and remediation actions) which POL or third parties have undertaken;
¢ Holding discussions with relevant members of POL staff and other key stakeholders;
e Reviewing project documentation relating to the 2010 implementation of Horizon, in order to compare the
nature and extent of project governance and documentation with Deloitte's good practice project
management methodology;
«Preparing an initial schedule of Horizon Features and assessing the level of comfort over these, provided
by POL’s Assurance Work (including the use of a specialist to assess the design of the Audit Store’s
tamper proof mechanisms); and
e Recommend further activities that management could undertake to improve the assurance provision.
Scope limitations and assumptions are outlined in the Executive Summary above.
Understanding of Historical Issues and Concerns
As an initial step, in building the requisite understanding required of the historical context leading to this review, we
have reviewed the documentation provided by POL in order to understand the history of issues and concerns which
have been raised in relation to the system.
From the documents provided, we have identified the following matters which have helped to provide us with a high
level understanding of the nature and extent of the potential concerns with the Horizon processing environment,
and thus focus our work in certain higher risk areas:
Branch 14 Issue - Involved a processing error where historic accounting entries in the 2010/11 financial year were
replicated in accounts for 2011/12 and 2012/13.
Branch 62 Issue - Involved a Receipts and Payments mismatch in Horizon when discrepancies were moved into
the local suspense account (this is an account which aggregates all discrepancies into a single gain or loss for a
branch trading period).
Falkirk Issue - The Falkirk Anomaly occurred when cash or stock was transferred between stock units.
Spot Review Bible — This outlines a sequence of matters raised during the work performed by Second Sight over
the allegations raised over the Horizon system, and summary commentary on 10 issues within.
Lepton Detailed Spot Review Information (included within Spot Check Bible) — Detailed documentation has
also been provided in relation to Spot Review 1. The issue raised was that a Sub-postmaster will not be notified
about automatic reversals of transactions when not connected to the data centre.
Reflecting on the nature and substance of these issues, and documentation relating to their follow-up and
resolution, we have understood the importance of the audit trail to provide evidence relating to disparities between
Sub-postmaster accounts of events and subsequent investigations, based on audit trail evidence, by POL/Fujitsu.
As a result of the above understanding, our work relating to IT Provision and System Usage Assurance Work paid
particular (but not exclusive) focus on Information System Operations (IT environment processing), and business
processes controlling relevant key data flows (the key data flow for our assessment being that of the complete and
accurate transmission of data from the Counter system at the Branch to the Branch Database and subsequently
into the Audit Store).
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
3 Approach
In the absence of POL’s own holistic risk assessment relating to the Horizon processing environment, key to our
assessment of sources of assurance has been the formulation of an initial “risk universe”, against which coverage
of the associated risks by the relevant sources of assurance can be assessed (“mapped”).
We have considered this risk universe across three key areas:
4. Control objectives and risks relating to the ‘System Baseline’.
2. Control objectives and risks relating to ‘IT Provision’.
3. Control objectives and risks relating to ‘System Usage’.
Risks relating to the System Baseline — these are risks that the original implementation project and other
changes performed under formal projects were not conducted in line with good project management practices, and
that detailed testing was not performed against agreed business requirements. These risks are governed and
controlled outside of day-to-day system operating procedures. Controls which mitigate these risks are often
teferred to as “Project Controls” and “Inherent System Controls” (those designed and built into the IT system).
Risks relating to IT Provision — these are risks that the underlying IT activities, necessary to provide a system
that can run and be used with integrity, are not designed and operating effectively. Such risks relate to key day-to-
day IT management activities, relating to security, IT operations and system changes. Controls which mitigate
these risks are often referred to as “General Computer Controls”. Our work focussed on assurance provided over
Fujitsu's activities in these areas.
Risks over System Usage ~ these are risks that key features of Horizon and corresponding business use
activities (processes), aiming to prevent or detect matters that would impact the integrity of processing, are not
designed, in place or operating as intended. These are the more detailed risks in relation to particular aspects of
capturing and processing transactions across the Horizon processing environment. Controls which mitigate these
tisks are often referred to as “End User Controls”, “Application Embedded Controls” and “Process Controls”. Our
work focussed on the internal dataflows within Horizon (Counter to Branch Database to Audit Store for example)
and we also considered the relevance of interfaces with other systems such as the DVLA.
In the context of these three areas of risk we have performed knowledge gathering activities in order to understand
the Horizon processing environment in sufficient detail to identify specific risk areas and those Horizon Features
identified to exert control over these risks.
So m= mm
4. Approach to Understanding of System Baseline Risks
r I In considering Baseline risks we have considered past iterations and changes to the Horizon IT system, including:
I e Any that lead to changes to the Audit Store;
¢ The Horizon Implementation Programme in 2010-2011;
‘a e The Data Strategy Foundation project in 2012 and 2013 (which updated the dataflows into Horizon from
. certain third party transactional systems, including ‘Post and Go’, and ‘Paystation +’); and
L ¢ The original Horizon platform delivered in 1995.
B
B
ag
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
SB 9
POL00107160
POL00107160
2. Approach to Understanding of IT Provision Risks
Our understanding of IT Provision risks has been formulated through our understanding of the system via
documentation review and verbal discussion with supporting POL and Fujitsu SMEs. Due to the nature of the
System Provisioning risk areas, the formulation of this understanding has been mainly through interview with
Fujitsu and POL security team members.
3. Approach to Understanding of System Usage Risks
Our understanding of System Usage risks has again been formulated through documentation review and verbal
discussion with supporting SME's to identify additional support areas. Due to the nature of the System Usage risk
areas, the formulation of this understanding has been mainly through interview with Fujitsu, POL Finance Shared
Services and POL Security team members.
4. Approach to Consideration of the Horizon Features
In the formulation of our risk universes across the three areas highlighted in 1 — 3 above we have considered the 5
key matters relevant to the Horizon Features as instructed by management:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
5. Combining the Above
Following our assessment across these four areas, the diagram below (see overleaf) describes the key risks
identified within the Horizon processing environment. We have number coded the risks in the below with (1)
corresponding to Baseline Risks, (2) corresponding to IT Provision Risks, and (3) corresponding to System Usage
Risks.
This diagram thus represents the framework of key risks that need to be controlled by Horizon Features and
appropriately assured in order to provide the comfort required by POL management.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE.
oe ee ee ee eee ee ee ee ee
10
POL00107160
POL00107160
B82 82 Bee 8 & Bf & we
oa oe so om sg so BB
et
"That the system was fitfor purpose and
worked as intended when first put
“That major changes since implementation have not
Pp ___ impacted the design features adversely.
Pre 2010
Key assertions requiring assurance, to underpin confidence in processing integrity
“That assertions on
this diagram are
complete.
That supporting IT
That transactions from the Counter are
fecorded completely, accurately and on a
Tat the Audit Store &
complete and accurate
‘That directly posted
processes are wel
controlled.
"That information
“Balancing Transactions”
are visible and approved.
lecord of Branch Ledge
transactions.
Central
POL
Teams
[That data posted trom
other systems and teams
is visible to and accepted
by sub post-masters.
Credence
(100 days)
Adhoc. ry
reported fromthe
Audit Store retains
original integrity.
‘That DBAS of olhers
granted DBA access
have not modified
ranch Database nor
Audit Store data.
LEGALLY PRIVILEGED AND CONFIDENTIAL
It can be observed that the majority of the risks identified are System Usage risks, which is expected based on the
© Deloitte LLP 2014
complexity of the IT processing landscape and the diversity and volume of transactions being handied.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
1
POL00107160
_ POL00107160
Sources of Assurance Work relating to the Horizon Processing Environment a
a
The diagram below summarises key examples of the Assurance Work reviewed and referred to as part of our
assessment. 8
L I
END TO END Horizon PROCESSING ENVIRONMENT
a
eee IT Provisioning Risks System Usage Risks a
Baseline Risks
Ey H La
— Hi
» 8 j Ld]
3 8 i
Be : 5
o§ '
g 3. a
& oF '
525 H ]
& eg H
3 3 3 FPapitae ' P
so 8 H
23 3 H
Ses ' B
Bas ' ij
SS '
gs i
Bo !
5 i
a i
¢ '
i
H
i
Win Test orem alAuclinepor ng]
Siaegy ~
Gen FQIGSS: . Frecnnicaboctmentaton
Ava ame) : i
Canis
Raawe .
Example Assurance
Sources
When considering the sources of assurance over IT Provision Risks, System Usage Risks and System Baseline
Risks, a number of parties have been (and continue to be), involved in performing work over the Horizon
processing environment which contributes to the overall assurance management has over the correct operation of
the system.
Assurance Work from the following organisations, in addition to information provided from POL, have been
identified and considered in our work:
« Fujitsu, who designed, built and now operate Horizon;
e Bureau Veritas, who perform 18027001 certification over Fujitsu’s networks, including that of Horizon;
* — Information Risk Management (IRM) who accredit Horizon to PCI DSS;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE.
ne _t_s_s__.
12
POL00107160
POL00107160
ne = & 2 @ &@ oH oh eek ee ee Pe
¢ Ernst & Young, who produce an ISAE3402 service auditor report over the Horizon processing environment;
and
¢ Internal audit, who perform risk based reviews within POL.
In considering the Assurance Work provided to us by management during the course of this engagement we have
considered whether they constitute assurance provided under an assurance engagement, as defined by IFAC, or
are sources of information that provide comfort in other ways. For the purposes of clarifying the Assurance Work,
we have assigned each document received to one of two classifications, defined as follows:
“Assurance” —The Assurance Work has been provided under an assurance engagement by an independent third
party, suitably qualified in the subject matter constituting the focus of the engagement to provide a valid opinion.
Sources of such assurance include:
¢ — Internal Audit functions;
e External Audit; and
* — Other third party reviews, not involved in the original design nor day-to-day operation of the system
containing (a) a formal opinion, such as those performed in line with recognised standards, such as
ISAE3402 or (b) no formal opinion (i.e. a report based on evidence and facts without interpretation).
“Other Sources of Comfort” — The Assurance Work is either not produced by an independent party or by an
individual who is suitably qualified in assurance engagements, or both. Other sources of comfort include:
¢ IT Project Documentation;
¢ Operational Documentation, such as policies, procedures and process / system information produced by
functional teams;
¢ Reviews or investigations performed by outsourcers (e.g. deep dives, diagnostics, spot reviews);
¢ Business peer group review teams and functions; and
« ‘Second line’ compliance teams.
In Appendix 3 we have documented ail the Assurance Work we received and added our classification of those
sources by these two categories.
Summary of Work Performed
Based upon the concepts outlined above we have performed the desktop based work below (further detail of which
is outlined in our Engagement Letter shown in Appendix 4). We have not performed any testing to validate the
information provided to us as part of our work.
Step 1: Analysis and Review
¢ Activity 1. Documentation Review - We have reviewed a number of documents produced by several
different organisations in order to understand key matters relating to the Horizon system and the
Assurance Work available.
¢ Activity 2. Risk Universe Formulation - We have then, in the absence of a holistic risk assessment being
performed by POL and thus for the purposes of our assessment, created a risk universe based on our
experience of information processing systems encompassing the three primary risk areas previously
identified IT Provision, System Usage and Baseline Risks. The five key matters for consideration outlined
by management were also considered during this process.
¢ Activity 3. Review of Assurance Work — The available documentation was reviewed in order to
understand the Assurance Work available to POL, against each of the three identified risk areas.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
13
POL00107160
POL00107160
Step 2: Gap Analysis and Assessment
Based on the analysis in Step 1 we have produced:
° Activity 4. System Provisioning Assurance Assessments and Gap Analysis - Considering key
potential gaps or areas of ambiguity in the available assurance sources when considering the System
Provisioning risk universe.
« Activity 5. System Usage and Baseline Assurance Assessments and Gap Analysis — Assessing the
documentation relating to System Usage Risks and then performed deep dives into the following areas of
specific risk:
Horizon interfaces (including DVLA);
Branch Database;
Audit Store;
Horizon Implementation Project;
Audit Store Changes; and
Data Strategy Foundation project.
000000
¢ Activity 6. Peer Comparison to Assurance Available to Similar Organisations - We have assessed
the Assurance Work available to similar organisations over System Provisioning Risks (the area of risk
where a benchmark is most valid due to the level of information available from POL) and assessed
therefore whether POL has comparable levels of assurance.
Step 3: Reporting
The analysis and interpretation in Step 2 has allowed us to formulate:
e Activity 7. Produce an Assurance Schedule over Horizon Features, and Recommendations —
Mapping control assertions, Horizon Features and Assurance Work and reporting on the level of comfort
that we have assessed in each of these areas. Identification of the key considerations for management
arising from our analysis and plan of action to respond to these recommendations.
Amore detailed description of these activities performed follows.
Activity 1: Documentation Review
All of the documentation reviewed during the course of our review has been documented within Appendix 3. This
documentation can be divided into the following classifications:
* Technical documentation on the Operation of the Horizon System — Reviewed in order to gain a deeper
understanding on how the Horizon system works, how complex it is, and where we should be focusing
further efforts and analysis;
* Independent Third Party Assurance documentation — This documentation has been reviewed in order to
understand the existing assurance sources relevant to the environment;
¢ Documentation of Historical Issues and Allegations in relation to the Horizon System — This documentation
has been reviewed in order to understand the background context and better position the IT Provision,
System Usage and Baseline System risk work performed over the environment; and
* Service Provider Analysis and Response to Issues — This documentation has been reviewed to gain an
understanding of the work performed by Fujitsu in investigating the issues raised, and how these will be
responded to.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
ee ee ee ee ee ee ee ee ee ee ee ee ee ee eo
14
POL00107160
POL00107160
A number of individuals from POL have been interviewed during the course of formulating this report to supplement
our understanding from the provided documentation.
Activity 2: Risk Universe Formulation
System Baseline Risk Universe
The original implementation of Horizon in 1995, together with subsequent changes (whether routine via change
management processes, or large complex change programmes such as the Horizon system implementation in
2010-11), represent events affecting Baseline System Risk.
To assess these risks we have understood the history of the Horizon system and selected three areas for more
detailed investigation including:
¢ Horizon Implementation;
e Data Strategy Foundation project; and
« Asample of changes to the Audit Store (subsequent to determining that this key risk area for the system
had been left largely untouched by the key implementation events highlighted in the previous two bullets).
For each of these change areas we have assessed the Assurance Work from a governance and control
perspective, and POL ability to take comfort that the Horizon system was fit for purpose at the time of the change
and operated in line with management intentions (through business requirements definitions and project testing
against these).
IT Provision Risk Universe
This risk universe was formulated from our prior experience of auditing and assuring information systems and
involved the identification of high level risks across three core areas:
¢ Information Security;
¢ Information System Operations; and
e® Change Management.
Once the IT Provisioning risk universe had been formulated a mapping of control objectives within the Assurance
Work was performed in order to assess coverage.
The three sources of assurance included within this mapping were:
¢ ISAE3402 report on the Horizon managed service;
e PCI DSS compliance report on Horizon; and
¢ 18027001 Statement of Applicability.
System Usage Risk Universe
As POL has not conducted a holistic assessment of risk in this area, a full understanding and assessment of
assurance over the System Usage risk environment was not available for our review.
Instead we focussed our assessment on two key areas of risk: those relating to the completeness and accuracy of
the Audit Store, the Branch Database and key system interfaces with a significant third party, such as the DVLA.
We sought to understand the Assurance Work that has been done against each of these areas.
This involved:
« Enquiry with relevant SMEs;
e Review of documentation;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
15
POL00107160
POL00107160
e Formulation of a risk universe in these specific areas; and
« Understanding of existing assurance work over controls which mitigate these risks.
Horizon Features
Across each of the three risk universes we identified features within the processing environment that exert control
and provide that:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
We refer to these identified features as the “Horizon Features” and identification of these features in response to
the matters for consideration listed above was a core component of our work.
Activity 3: Review of Assurance Work
With the background context of the three risk universes outlined within the previous section, we reviewed the
available Assurance Work in order to assess the coverage and nature of the comfort provided by the work.
The documentation reviewed during this stage has been listed within Appendix 3, as are the names of individuals
consulted in relation to our work.
Activity 4: System Provision Assurance Assessments and Gap Analysis
Once the System Provisioning risk universes had been formulated a mapping of control objectives within each of
the main assurance sources was performed in order to assess coverage. The three sources of assurance included
within this mapping were:
« 1ISAE3402 report on the Horizon managed service;
« PCI DSS compliance report on Horizon; and
e 1§027001 Statement of Applicability.
The results of this mapping exercise are summarised within Section 5 and reproduced, in detail, within Appendix.1.
In parallel to this assurance exercise we have also summarised key matters relating to each assurance source.
This involved considering the context and focus of the relevant Assurance Work and comparing these to the
context and focus that would be required for coverage of the key risks (this was in recognition of the risk that some
of the documents could be used or applied out of context from their original purpose).
Activity 5: System Usage and Baseline Assurance Assessments and Gap Analysis
Following our understanding of the system and historical issues the following areas were singled out as relevant for
deeper analysis, and this approach was agreed with POL management:
1. Audit Store — The audit store has been used frequently in investigations by POL / Fujitsu and is used as
supporting evidence during legal proceedings. Therefore its integrity is paramount to responding to these
issues. However the audit store cannot be relied on in isolation, as its integrity is dependent upon the
correct processing of transactions by the wider Horizon system (upstream events if processed incorrectly
will be recorded incorrectly by the audit store).
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
16
\
POL00107160
POL00107160
2. Horizon interfaces (including DVLA) — Horizon is reliant on a significant number of batch processes and
online services (including interfaces with third party systems) in order to function correctly. These routines
need to be functioning correctly and accurately for the transactions processed by the system and ultimately
recorded in the audit trail to be reflective of the underlying commercial realities and business transactions
they pertain to represent.
3. Branch Database — The Branch Database is a key ‘staging post’ for data being transacted on counters
within individual branches prior to transmission onwards to the Audit Store. As data from branches in held
within the messaging journal table on this system for up to a day before being processed into the audit
store the security controls and processes protecting this data whilst in temporary storage here are
paramount.
4. Horizon Implementation Project — This change represented the largest single change to the Horizon
system since implementation, and also the change implemented prior to adoption of the current major
release of the system, and so was considered of particular relevance to our overall understanding of
Baseline System risk.
5. Audit Store Changes — Our understanding of the HNG-X Implementation Project quickly highlighted that
this project had very little impact on the Audit Store itself. As a result we performed procedures to
understand some of the changes which had been made to the Audit Store following its original
implementation.
6. Data Strategy Foundation Project — We determined during the course of our work that this was another
key implementation project in the recent history of the Horizon system of particular relevance to a sub-
group of the system interfaces on Horizon. This project was therefore also deemed key for our
understanding of system Baseline risk.
For each of the areas outlined in 1-6 above an assessment was made of the coverage and nature of the
Assurance Work provided.
For areas 1-3 (System Usage Risks) the functionality of the particular area was further understood and key
controls over the corresponding risks then sought.
For areas 4 - 6 (System Baseline Risks) we adopted a different approach, whereby the typical good practise
documentation requirements and project governance methods as stipulated by ‘Prince 2’ (amongst others) were
utilised as a baseline, and the approach to each of the sampled change initiatives assessed from the available
documentation. This work was conducted through a mixture of verbal discussion and the receipt of supporting
evidence where applicable.
Activity 6: Peer Comparison to Assurance Available to Similar Organisations
As part of our analysis we have also assessed whether the IT Provision assurance POL has obtained is
proportionate to that provided to similar organisations.
We have also considered the best practice approach outlined by the COSO framework, as published by The
Committee of Sponsoring Organisations of the Treadway Commission, in formulating suggestions for potential
areas of improvement in the risk, control and assurance activities of POL.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE,
17
I
I
POL00107160
POL00107160
Control: Activ
Risk Assessment
Control Environment
The COSO Cube: Presents a framework for best practice
approaches to risk, controls and assurance activities.
Activity 7: Produce an Assurance Schedule over Horizon Features and raise
Recommendations and Plan of Action
We have written up our assurance schedule, which maps the Assurance Work to specific controls relating the
Horizon Processing Environment, and commented on the level of comfort that the Assurance Work provides in
each area.
Our report also contains recommendations for management together with a suggested plan of action for
management consideration.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE.
18
I
POL00107160
POL00107160
4 Understanding the Horizon Processing
Environment
Overview of the Processing Environment
The Horizon IT system was designed specifically for POL, and therefore an understanding of its operations,
processing environment and configuration was required in order to fully quantify the risks applicable to the IT
components of the processing environment.
Horizon has been the main operational system of POL since 1995 and:
« Has a user base of 68,000 users;
¢ Terminals within 11,500 branches;
* I Processes an average of 6 million transactions a day; and
¢ Interfaces with over 20 third party systems.
As highlighted in our ‘Approach’ section above, we have categorised the risks posed on the system into three
distinct areas (System Baseline Risk, IT Provision Risk and System Usage Risk), and the remainder of this section
outlines our understanding of the IT system that underpins these.
System Baseline Risk
Horizon (HNG-X) Project
The change to the HNG-X system in 2010 was governed using Royal Mail's “Harmony” project methodology (the
governing project standard at the time). The project saw the phased implementation over 18 months of the HNG-X
solution (also known as “Horizon On-Line”). Individual POL Branches were migrated from the Legacy System to the
new HNG-X system, one by one.
No historical data was migrated, although six months of data was maintained within the Legacy System. Our review
of Assurance Work shows that a number of key controls were operated over the project, which was managed by
Fujitsu on behalf of POL. These included:
* POL signing off acceptance criteria;
« Aphased migration including a model office pilot; and
e Branch by branch reconciliation between opening balances on the new system and closing balances on the
legacy system.
Wipro, an independent third party, were commissioned to provide a report on the performance testing strategy
including gap analysis and recommendations, and Gartner provided an assessment of the overall system design
and strategy.
The benefits from the migration included the removal of transactional data being held at local branches levels and
this data instead being stored centrally within the data centres.
Data Strategy Foundation Project
The project focused on moving the Accounts Payable file feed which was initially received into Credence via
Transaction Integrator to processing via Fujitsu Horizon systems (i.e. not the Counter). The goal of the project was
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
19
I
I
I
POL00107160
POL00107160
to provide a longer term system solution which would provide complete reconciliation, resilience and disaster
recovery capabilities, as well as reduce the risk of client withdrawal.
The POL strategic requirements to expand its offerings to other platforms beyond Horizon introduced the
requirement for a data integrator function. Originatiy POL approached Fujitsu Services to supply this service as
plans to incorporate an integrator service within the Horizon architecture were considered to represent a clean
solution. However, Fujitsu Services were unable to respond within the desired timescales as it would have diverted
their resources from key Horizon on-line delivery milestones.
POL therefore investigated alternative options, finally selecting the use of IBM datastage as the Transaction
Integrator. This was delivered as part of the POLMI project. Fujitsu Services then submitted a high level design
proposal for the provision of a service for processing client transaction files which would provide end-to-end data
validation / reconciliation, with resilience and DR (the incumbent IBM datastage solution did not provide resilience,
DR or end to end reconciliation, presenting a threat to relationships and future contracts).
Assurance Work provided included:
e Project overview document;
e Business Case;
« Weekly Project Meeting Committee Presentation;
« Business Requirements;
« = Test Strategy;
«Test Sign off; and
e Test Report.
Audit Store Changes
In assessing change risks in relation to the Audit Store, documentation has asserted that the recent significant
changes above did not result in significant changes to the operation of the day-to-day Counter transaction flows or
the operation of the-Audit Store.
To assess Baseline risk for the Audit Store the original implementation documentation for the Audit Store was
requested. Due to the data retention policy this documentation could not be provided and so a review of Fujitsu
provided documentation over subsequent changes over a large period of the Audit Store’s history was performed.
In producing the diagram on page 9, we have considered the key System Baseline Risks in the context of two
control assertions below, which became the overall focus of our work in this System Baseline area:
* The Horizon Features were fit for purpose and worked as intended when first implemented; and
e Major changes since implementation have not significantly impacted the Horizon Features.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
20
a
POL00107160
POL00107160
oo
IT Provision Risk
As part of our work, through review of documentation and discussions with subject matter experts in POL, we
familiarised ourselves with the topology and operations of the Horizon IT system.
The systems documentation and understanding obtained (shown in summary in diagrams below) highlights the
complexity of the Horizon IT system and the level of data being transacted via batch and real-time data flow. This
volume and level of complexity in the data flows, including interactions with other systems, highlights the
importance of effective IT Provisioning controls to the integrity of the processing environment.
Eitenal RAG Message bved Gets eral Web Services
Extemal =
systems I [viens] I aa I[ caro II steonne II spy I [aa] (= =]
esi
a [ee (Ee
[alee fea) oo al
ms oa
[wer] a
Tig ie
a
rane Doabane
TH
‘Branch Asoess Layer
(Gsshenscaon recovery and erviee ouing)
‘Routing & Lead Balancing (a CSM netvorR)
Branch
Estate
counters
ns tes,
Diagram provided by Post Office Limited
The Horizon IT system is built in line with key principles that all data is held centrally within the data centre with the
exception of some standing data which is held locally within the branch. This centralisation principle applies to all
‘completed’ transactional data (known as “baskets") and to the Audit Store.
To support this principle the network architecture of Horizon is formulated on:
« Data centre;
« WAN Services (connecting datacentres, POL central sites, and Fujitsu sites); and
e Branch Network.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE,
21
POL00107160
POL00107160
The diagram below provided by Fujitsu shows the high level IT system infrastructure:
Client Systems Post Office Systems Fujisu 3) Sites i3) ‘Sites
an
OOO lena!
Ee
[Router & Dish
BroadBand SAT PC *
Branch Large Branch ‘Small Branch
Mobile Branch
NetLogial VisioDocument
oa
The IT system is hosted on Bladeform technology with systems software being provided by:
Windows 2003 Server (Enterprise and Standard, 32Bit and 64Bit);
Red Hat Enterprise Linux (Release 4, 32Bit and 64Bit);
Solaris 10 (Discrete platforms only); and
Windows XP, Windows 2000 and Microsoft NT operating systems for some legacy services.
A number of internal and external interfaces are necessary for the reliable day-to-day processing of the IT systems,
and hence the integrity of the Horizon Features which control these activities and interfaces; which is key to the
effective operation of the overall system.
External interfaces include (not an exhaustive list):
« DVLA;
«Lottery; and
« Bank Payment Channels (Vocalink, e-pay, Streamline).
Internal Interfaces include (not an exhaustive list):
* Paystation;
« POL SAP
e Pay and Go; and
« ATMs
Anumber of batch processes also run in facilitating the successful processing by the system.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE.
22
, Panne eee eee eee eee eee eee
POL00107160
POL00107160
Managing the processing of the real-time and batch processing environment is Tivoli Workflow Scheduler (TWS)
which is used to execute, monitor and handle exceptions within the processing environment. TWS is managed and
monitored by Fujitsu as part of the managed service contract between the two parties.
In producing the diagram on page 9, we have considered the IT Provisioning risks in the context of the following
assertion:
¢ Supporting IT management processes are well controlled.
System Usage Risk
Responsibility for the administration of the system rests with Fujitsu who provide change control, security
management, system operations, and end-user support.
Responsibility for the effective usage of the system, including complaint and effective business processes, remains
the responsibility of POL.
The user base of Horizon can be subdivided into two core areas:
* Central Users — including Finance, and users at the Network Business Support Centre. ,
e Branch Users — Sub-postmasters and their staff who are processing shop floor transactions.
Outside of the POL user base, Fujitsu provide administration services, and hold service and super user account
privileges within the system.
Horizon supports the processing of a multitude of different transactions including:
e Purchases of goods;
Purchases of services (for example Lottery tickets or tax discs);
Payments to discharge customer debts (payment of mobile phone bills for example);
Refunds; and
Transaction corrections.
Several transaction mediums are accepted, for example:
e Cash;
¢ Credit and debit cards; and
e Cheques.
A number of controls are in place to support the integrity of transactional processing including:
e The Audit Store, a secure area of Horizon which pertains to store all transactional information in
sequentially numbered records, along with key system events;
¢ Monitoring controls 'facilitated by Tivoli Workflow Scheduler and associated exception handling processes;
¢ Handshakes and call offs between systems include various controls around the integrity of transmitted
data (such as digital signatures); and
¢ Backup communication routes between branches and the central data centre (mobile technology).
Reconciliations are performed regularly both in branch and centrally. Key reconciliation processes carried out
include:
* Daily branch cash declaration and reconciliation to Horizon balances;
« Weekly balance of cash and stock and reconciliation to Horizon balances;
e Monthly trading period roll over (including resolution of any suspense account issues rolling over from
weekly or daily reconciliations); and
¢ Central finance processes to reconcile central records to cash remitted to POL, cheques remitted to POL
etc.
In response to discrepancies as a result of these reconciliation processes investigations may be conducted by the
Finance Service Centre, and if required transactional corrections processed. These corrections are subject to
significant investigation and are subject to approval by Sub-postmasters in the first instance.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
23
POL00107160
POL00107160
a
Workarounds are not usually required, the main workaround being in relation to mobile connections from branch to a
data centre in the event that the main connection to the central data centre cannot be utilised. I
In producing the diagram on page 9, we have considered the primary System Usage risks in the context of the
questions posed within the scope of our work, and refined these risks into the following control assertions: a
¢ Transactions from the Counter are recorded completely, accurately and on a timely basis centrally; a
¢ Transactions processed to Branch Ledgers are recorded completely and accurately in the Audit Store;
¢ Directly posted "Balancing Transactions" are visible and approved; a
¢ Information reported from the Audit Store retains its original integrity;
« Data posted from other systems and teams is visible to and accepted by sub post-masters; and a
e Database Administrators (DBAs) or others granted DBA access do not modify data directly. r]
a
a
a
a
Lj
a
5
a
Ld
I
a
a
Lt
o
a
Li
a
g
a
g
Li
a
gz
x
DRAFT FINDINGS a
STRICTLY PRIVATE AND CONFIDENTIAL, SUBJECT TO LEGAL PRIVILEGE. oa P]
I
POL00107160
POL00107160
5 Assessment of Assurance Sources
IT Provision Risk Assurance Sources / Gap Analysis
For the IT Provision risks the existing assurance sources appear to provide a good level of coverage over the risk
universe associated with this area of the Horizon processing environment.
Our high-level analysis of this coverage against the three core risk areas is as follows:
Information Security Information System
Operations
Change Management
18027001 Statement of Good coverage Fair coverage Fair Coverage
Applicability
ISAE3402 Report Good coverage
PCI DSS Report Good coverage Fair coverage
Detailed analysis at an objective level is included within Appendix 1.
In considering this assessment, POL management should be cognisant of the inherent limitations of each report,
given the purpose for which it was written:
Report
imitations / Factors to Consider whilst Utilising
18027001 Statement of I This document has been produced by Fujitsu, limiting its value from an independence perspective. It should be
Applicability noted however that it is supported by an independent assessment of IS027001 compliance by Bureau Veritas, an
. accredited certification provider.
The main focus of 1$027001 is on security, although it does also focus (to a lesser degree) on the other core IT
Provision risk areas, Change Management and information System Operations.
ISAE3402 Report This document has been produced by an independent third party, Ernst and Young. It has good coverage of all three
IT Provision risk areas, and is produced according to testing standards stipulated within the ISAE3402 standard.
In relying on this report management has considered ‘Section 6 Complimentary User Entity Controls’ which
stipulates the controls that POL should be operating in addition to the controls at Fujitsu in order to complete the
control environment over Horizon.
PCI DSS Report The scope of the PCI DSS report is the narrowest of the three assurance reports. It is focused exclusively on the
‘security of cardholder data, and does not span the other two IT Provisioning risk areas to the degree of the other
assurance sources. It provides minimal coverage in particular of the Information Systems Operations System
Provisioning risk.
Of note when considering coverage of IT Provision assurance sources is that the majority of the focus is over
Information Security, whereby based upon the historical issues and allegations being levelled at the system,
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
25
POL00107160
POL00107160
Information System Operations and Change Management would appear to be higher risk areas in the context of
this particular piece of work.
Peer Comparison of IT Provision Assurance Available to Similar Organisations
Our comparison to peer organisations yielded the following results:
Organisation Sector Sources of Assur:
ice Regulatory Focus
Print Media External Audit N/A
Ad-hoc Risk Consultancy
Retail External Audit FCA (CCA)
Internal Audit
Retail External. Audit FCA (CCA)
Internal Audit Loan Loss Provisioning Reporting
PCI DSS
Retail and payments processing External Audit FCA
Internal Audit
Government External Audit Data Protection
Internal Audit
PCI DSS
Risk
This highlights that the level of IT Provision Assurance Work that POL has performed is comparable to that in other
similar organisations which are not subject to risk and control regulatory requirements.
This should however also be interpreted in the context of the allegations being made against the Horizon
processing environment which may suggest that a higher level of assurance is warranted compared to these
similar organisational benchmarks.
DRAFT FINDINGS .
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
26
Eee eee
POLO0107160
POL00107160
Baseline Risk Assurance Sources / Gap Analysis
Our assessment of Baseline Risk was based upon three core scope areas:
e Horizon Project;
e Data Strategy Foundation Project; and
e Audit Store Changes.
For each of these scope areas we queried relevant POL and Fujitsu personnel in order to understand the project
and change governance documentation available, and form an assessment as to the project controls applied to
these change events, compared to Deloitte’s Project Management methodology.
Our findings are as follows:
Baseline Risk Assurance Work Information Provided
Area
Audit Store Changes to Horizon, such as the migration to HNG-X in 2010 involved minimal changes to the operation of the Audit Store. As
a result these large scale projects are of minimal interest with regards to establishing a Baseline Risk position in relation to the
design and functioning of Horizon Features relating to Audit Store.
Some small changes have been made to the Audit Store in more recent years. Samples of documentation correlating to
changes throughout the years the Audit Store had been in place were requested in order to understand whether these
changes to the system had been managed to good practise standards.
Further at the point of implementation of the Audit Store verbal representation was provided that a ‘Security Report’ was
produced which pertained to demonstrate that the functionality of the system was as designed. This would be a key piece of
Assurance Work, demonstrating the correct functionality of the Audit Store at that point in time, but it could not be located by
POL and thus could not be reviewed as part of our work.
HNG-X Implementation Detailed business and technical design documents have been verbally represented to have been created during the delivery of
(2010) the project life cycle.
Detailed test plans, MI, Defect Management and other key testing artefacts were produced during the course of the project.
Several acceptance criteria related to the closure of testing defects. Examples of testing documentation have been provided to
our review team during the course of our work.
Migration checklists and instructions have been provided. These illustrate that site visits would be conducted during the
migration to support the Sub-postmaster with the migration and support the resolution of any queries.
We have been provided with verbal representation that detailed project acceptance criteria were agreed between Fujitsu and
POL, and then signed off during the lifecycle of the project. An example of such acceptance criteria in relation to Non-
Functional Requirements has been provided to us to support this verbal representation,
Data Strategy Foundation I Detailed business and technical design documents have been verbally represented to have been created during the delivery of
Project the project life cycle.
Assurance Work was provided to demonstrate business scoping and approval of changes to be applied (including a benefits
realisation and costings map), requirements tracker document, testing strategy plan, testing report plan and migration
summary documents. We were also provided with an example of the weekly reporting process at project close which
demonstrated the level of governance and oversight the project had from senior stakeholders.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
27
POL00107160
POL00107160
Summarising the work we have performed against Baseline risk we conclude that for each sampled change,
Assurance Work has been produced in accordance with defined change management or project methodologies.
We have not however been furnished with all key items of documentation we would have liked to review, due to the
availability of such documentation to POL, and much of the Assurance Work provided to us were confirmations of
verbal representations made during our work.
Further work will be required to perform a ‘deep dive’ review of project and change documentation on particular
high risk areas (for example the original implementation of the audit store, and acceptance criteria sign off for the
Branch Database commissioning as part of the Horizon HNG-X Implementation project), in order to provide
assurance that the system baseline position were appropriately implemented and tested (timeframes of such
positions varying depending on the component of the system under investigation).
Assessment of Assurance against System Usage Risk Areas
Our assessment in each of these areas is based upon information contained within system documentation from
Fujitsu and operational policy and procedure documentation from the finance service centre, as well as emails
confirming verbal assertions we received during the course of our work.
No testing or independent sources of assurance were identified over these System Usage risk areas.
Our understanding of the design of Horizon Features responding to key risks is a core output of our work and is
outlined within Appendix 2 where we have provided a documentary listing of all of the Horizon features.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
28
\
POL00107160
POL00107160
6 Matters for Consideration
In this section we set out our key matters for management consideration, further to the work we have performed
above.
We have structured this section as follows:
e Key Matters for Consideration, by Risk Area reviewed;
« Factors to Consider in Formulating an Action Plan; and
« Proposed Action Plan.
Key Matters for Consideration
Nature of
Risk Area Key Matters for Consideration Assurance
Work
a. Risk Appetite: During our work, only occasional linkage of work to the risk appetite of POL
was noted. Whilst not unusual in the consumer business sector, such articulation and
embedding of risk appetite assists with the delivery of better optimised and prioritised key
controls and assurance activities.
b. Holistic Risk and Assurance Framework: A holistic, risk intelligent assessment relating to
a) the identification and mitigation of key risks to the integrity of processing should be
considered in order to validate the completeness of the Horizon Features referred to in our Na
General work and thus provide a complete schedule of key controls that require assurance. Whilst
Assurance Work has been provided demonstrating the use of key forums for tracking the
tisk environment surrounding Horizon (such as the Information Security Management Forum
and Fujitsu Services Security Reports), these aren't set up to specifically consider the
holistic risk and assurance framework necessary to enable an overall comment on the
design, implementation and operating effectiveness of the Horizon Features.
p>
Project Governance: Governance procedures described to us (verbally) suggest that the
expected levels of business involvement in pre-go live system and user acceptance testing
is performed as part of system implementation projects over the Horizon IT system; and that
business users would be appropriately involved in signing off of system requirements and
readiness to go-live (full system reconciliations). To supplement these verbal assurances,
management has provided us with samples of documentation from the three sampled
change areas (Horizon Implementation, Data Strategy Foundation, and Audit Store
changes). Despite these sources of evidence, management should consider whether further
) investigations into sources of assurance from the original Horizon implementation would be Verbal
worthwhile, given the importance of establishing a well-founded baseline position over the Tepresentations
Horizon Features. imi
geen Limited
b. Audit Store Baseline: The implementation of Horizon HNG-X in 2010-11 was asserted to I documentation
not have had a significant impact on the Horizon Features. In particular no changes were
made to the Audit Store as a result of the implementation. Therefore the ‘baseline’ position
for the Audit Store was established as being at the original implementation of the Horizon IT
system. Key documentation around the baseline position for the Audit Store has not been
able to be provided to us during the course of our work. We note that a security report was
verbally represented to us to have been commissioned during the original implementation of
the Audit Store, although this report could not be located and provided to us.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
29
POL00107160
POL00107160
Nature of
Risk Area Key Matters for Consideration Assurance
Work
a. End User Entity Control Considerations: The ISAE3402 report requires interpretation in
the context of these controls at POL. They are outlined in section 6 of the ISAE3402 report.
Without such analysis, the assurance provided by the ISAE3402 is weakened. We are
aware that POL has nearly completed work in order to address such considerations.
s
. Assurance Clarifications: In the context of detailed testing and assurance procedures,
there are areas of the ISAE3402 report which would benefit from further clarification, in order
to remove the risk of ambiguity from its interpretation, and overlaps with other sources of
assurance that may be performed. For example:
© the report does not state from where populations of data tested in samples were
obtained and thus how exposed conclusions may be to internal fraud or deliberate
override of contro! (e.g. for change management testing, were samples picked from the
population in the secure Audit Store, or from another source?); Extensive
3) documentation
8) © _ the report does not draw out certain key features in the control design, which we would
iT assume are present, for example, contro! objective 4.8.11 (relating to access to the Independent
Provision system being restricted to appropriate users) does not explicitly state and test that users testing
must have and use their own unique username, thus underpinning audit trail integrity;
and controls relating to the management of administrator access could be more specific
as to the extent and nature of the design of controls and testing performed.
© the report is not explicit in the sample sizes used for testing; and
© the report contains tests which could be strengthened, for example, control test 6.5 in
section 7 appears to test through discussion with personnel only, without clarifying if
anything was done to corroborate such verbal assertions.
9
. Internal Audit Work — Internal audit work conducted highlights progress in responding to
and closing down issues in relation to internal audit risks, but a number of issues remain
outstanding. Internal audit have also not done any specific assurance work over the
allegations being raised on the Horizon system and POL’s response to the issues raised.
Risk Driven Considerations: The current documentation over System Usage Risks has
been largely written in response to key incidents or events, by non-independent parties and
from operational perspectives. Whilst detalled, itis also not written from a risk and
assurance perspective and is rarely evidential in its content.
La
Risk and Control Framework: There are ateas where an understanding of the design and
nature of operations relating to System Usage Risks is available, but the design,
implementation and operating effectiveness of key controls has not been aggregated into a
risk driven framework nor formally assured through evidence based testing. Further, the
ability of documentation to fully support information relating to the detailed design of controls
relating to System Usage Risks is unclear (e.g. whilst JSNs are sequential is there a
systems operations contro! which checks the completeness of this sequence proactively?).
‘The Schedule of Assurance over Horizon Features we have formulated as part of our work
(and documented in Appendix 2) provides a basis for such a risk and control framework, as
well as targeted testing over key controls. Management should consider enhancing their
assurance provision by verifying the completeness of this schedule, and conducting
implementation and operating effectiveness testing of the key controls there-in. Partial
- Documentation
°
Interfaces - DVLA: Whilst environmental risk relating to system operations is largely
assured in the ISAE3402, we note that no evidence of specific or detailed testing or
4) assurance work has been carried out over System Usage Risks relating to the DVLA
interface (both IT and business in nature). We note that many interfaces observed do not
System relate directly with the Horizon Features in scope for this review, but we recommend that
Usage such activities be considered for inclusion in the overall risk and control framework relating
to the Horizon processing environment.
d. Audit Store: We observed the following:
© Itis not clear from the documentation we have been provided whether POL has agreed
that the current capturing of certain, key system events, is complete and appropriate for
potential governance and investigation needs;
© We have not identified controls which formally report, review and consider the impact
and resolution of any exceptions identified during the Audit Store extraction process, nor
reconcile the data from other reporting systems in the business to those data sets
contained within the Audit Store ;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
30
_ eee eRe RR eee
POL00107160
POL00107160
Nature of
Risk Area Key Matters for Consideration Assurance
Work
© Investigatory work on the Audit Store has all been performed by Fujitsu who, whilst
technically qualified, do not constitute an independent or risk experienced party for
assurance driven purposes. POL could consider doing more independent analysis of
Audit Store historic data to verify that it is recorded in line with expected characteristics;
and
© From the documentation we have reviewed, controls to assess that the digital signature
is valid and verify that there is a complete sequence of JSNs are retrospective. No
proactive checks wete documented which describe the performance of such verifications
prior to the copying of data to the Audit Store.
e. Proactive monitoring of key System Usage Risks: The current assurance environment
appears to be “reactive” in nature, with exceptions in processing triggering diagnostic and
remediation activity only when reported. It would appear that no use is being made of the
Audit Store, for proactive monitoring of unusual or exceptional system events potentially
worthy of further investigation and action.
Hardware controls over the Audit Store: The Centera EMC devices used to host Audit
Store data have not been configured in the most secure EC+ configuration. As a result
system administrators on these boxes may be able to process changes to the data stored
within the Audit Store, if other altemative software controls around digital seals, and key
management are not adequately segregated from Centera box administration staff.
Privileged access to the cryptographic solution around digital signatures, and publically
available formulas on MDS hashed digital seals would potentially allow privileged users at
Fujitsu to delete a legitimate sealed file, and replacement with a ‘fake’ file in an undetectable
manner.
e
Branch Database: We observed the following in relation to the Branch Database being:
© —Amethod for posting ‘Balancing Transactions’ was observed from technical
documentation which allows for posting of additional transactions centrally without the
requirement for these transactions to be accepted by Sub-postmasters (as ‘Transaction
Acknowledgements’ and ‘Transaction Corrections’ require). Whilst an audit trail is
asserted to be in place over these functions, evidence of testing of these features is not
available;
© Processes around Transaction Acknowledgements and Transaction Corrections are
‘subject to out of date documentation, or in the case of Transaction acknowledgements,
no documentation at all. Such documentation should be produced or brought up to date;
° For ‘Balancing Transactions’, ‘Transaction Acknowledgments’, and ‘Transaction
Corrections’ we did not identify controls to routinely monitor all centrally initiated
transactions to verify that they are alll initiated and actioned through known and
governed processes, or controls to reconcile and check data sources which underpin
current period transactional reporting for Subpostmasters to the Audit Store record of
‘such activity;
© Security on the Branch Database around the ‘Messaging Journal table’ is a key area of
risk due to branch transactional data being held on this table for up to a day before being
written to the Audit Store. It was unclear from the documentation reviewed whether
‘specific assurance work had been carried out in this area; and
© Controls that would detect when a person with authorised privileged access used such
access to send a ‘fake’ basket into the digital signing process could not be evidenced to
exist. .
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE,
31
POL00107160
POL00107160
Recommendations
We have identified three areas where POL should consider further actions to strengthén the quality and nature of
assurance in place over the Horizon system.
These are actions that may:
e Further support Project Sparrow;
¢ Integrate knowledge obtained from this work into the Future System Requirements project; and
« Help POL to move towards a more holistic Programme of Assurance.
We have aligned each of the actions we would recommend to POL management to one of these areas, and we
present these below.
Actions that may further support Project
M Perform a detailed review of Balancing Transaction use: Instruct a suitably qualified party (independent of
Investigation Fujitsu) to carry out a review of the circumstances leading up to the need to use the Balancing Transaction
of Balancing I functionality in Horizon, including an assessment of the communications with the relevant Sub-Postmaster prior to
y Transactions I any adjustment being made to their ledgers. This work should include a more detailed walkthrough of the current day
Use in 2010
“Balancing Transaction” policies, procedures and key controls, making recommendations for improvement .
& Kil Re Ls Ths needs he Ye here now I
g A2
Perform implementation testing of Horizon Features: Instruct a suitably qualified party (independent of Fujitsu) to
Verification
d Work that I carry out implementation testing of the Horizon Features (or a selection of key Horizon Features) identified in this
oS FetenzOn I report. The work should aim to provide POL with comfort that the Horizon Features extracted ffom documentation are
YA} Imptemented I actually designed and implemented exactly as described in that documentation. AFRAID. TC cortve's I
; as Described a
Probie SIS Pl ndtoyndAer Li eeKS
Analytical Testing of Historic Transactions: Audit Store documentation asserts that the system contains seven _
years of Branch transactions, and a number of system event activities. in addition, a number of assertions relating to
data integrity, record / field structure and key control features (such as sequencing of JSN) are made in
q
documentation, but have never been validated by parties outside of Fujitsu. With modern day technologies, the
ee analytic profiling and testing of such Big Data sets is likely to be feasible, thus POL should consider instructing a
Historic - I party independent of Fujitsu to perform independent risk analytics on an extract of all Audit Store data to verify that
fi Transactions I (a) key characteristics are seen in the data as expected and (b) what other matters / exceptions / insights can
potentially be derived. This exercise would also provide valuable insight into those Horizon Features that could be
C- automatically monitored as part of the optimised risk and control environment described below.
Aa Update / Create documentation formalised all key adjustment and reporting processes in operation over
Documentation I Horizon in the FSC: Identify and document all key activities in the FSC relating to both adjustment processing to
of all Horizon Sub-Postmaster ledgers and to the control activities that ensure that transactional data visible to Sub-Postmasters is
end vapor fully reconciled to the Audit Store's ‘high integrity’ copy of Branch Ledger transactions. Use this exercise to verify the
processes in I completeness and appropriateness of Horizon Features so far identified from verbal assertions, and then perform
the FSC I implementation esting (per A2 above) of such controls. Cano Oy reQrncoen
KK de Pr uer Crore —
RAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGES . x i oa
:
I
POL00107160
POL00107160
O1 Te c32e 3 —
Wher Ss.
Actions that will integrate knowledge obtained from this work into the Future System Requirements
project. (___S faA Pranmoy —_—S ws Tate —_
Produce Future System Requirements Document: Produce a schedule of key system requirements that any
Bt future Horizon replacement platform should deliver against, as an underpinning baseline for the integrity of
Produce I processing. This schedule would outline key control objectives, with current day control activities / Horizon Features
requirements I afd /or other examples cited to show how such control objectives could be addressed in any future system. The
for future ‘schedule should include matters that will support the delivery of such design confidence in efficient ways, and
replacement of I viding foundations for preventative, detective and monitoring contol activities. It could also highlight key
System I questions for POL to consider, such as the longevity of data head in the Audit Store and the type of cryptographic
mechanisms applied to the system.
Qe & q
Actions that may help POL move towards a more holistic programme of Assurance Des we -
This area is the more significant piece of work recommended in a broad context for POL to consider as a result of
our assessment.
The development of such a holistic assurance programme should be seen as a ‘strategic’ response to the issues
raised. If delivered successfully it will bring assurance benefits beyond the confines of assuring the integrity of
processing within Horizon.
Whilst not raised specifically below, such an exercise would first require the appointment of a role in POL who
would be responsible for the coordination of assurance across the whole organisation and the reporting of key
areas where assurance provision could be improved (a “Head of Assurance”). This would ensure that POL
Management and the Board have the ability to map, coordinate and assess assurance sources (and their quality)
on an ongoing basis for the organisation. pwnweoe \go —__ a
i IZ
c Risk Workshop’: Conduct an exercise with key stakeholders in POL, including those in charge of Governance, to
; create a baseline understanding of risk and risk management concepts; share examples of how similar organisations
wousk, op manage, define and control key risks; and obtain suggestions and consensus as to if, where and how POL could
become a more “Risk Intelligent” organisation and reporting of risk and assurance matters could be improved.
Construct Risk and Control Framework: Extend and confirm the completeness of the Horizon Features which are
designed to exert control over the Horizon processing environment. The framework can be used to prioritise key
Construct Risk I areas for improvement (including clarifications / the removal of ambiguity in existing sources) and embed agreed
and Control
c2
Framework I changes in current assurance sources. A key component for the construction of this risk and control framework is the
initial information produced as part of our analysis and reproduced in Appendix 2. This Framework could be
extended to cover POL's overall risk and control framework, not just those areas relevant to Horizon processing.
Test Controls: Once the framework is verified as complete, key controls can be identified and evidence based Qe
63 testing performed to validate that they are operating effectively. Such operating effectiveness work could be
Test performed on a sustained basis and could be delivered by an independent party in line with a recognised assurance” sae)
Controls standard. In addition, this exercise can be used to feedback on the design of the control environment so that it can
be optimised (i.e. maximise coverage of key risks, with minimal duplication).
cs Sustain Assurance Delivery and Implement More Proactive Monitoring": The longer term assurance map can
be designed to sustain assurance delivery for POL over key risks. This may include a transition to a more proactively
ote monitored control environment (‘continuous controls monitoring’), where automated alerts are generated if certain
testing key behaviours in the system are identified, \sov> Ga Goma >
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
33
POL00107160
POL00107160
Notes:
"Risk Workshop: Risk appetite statements may be considered as part of this exercise, but are typically found by
key stakeholders to be a different area to understand. Such statements are effectively matters which help an
organisation to avoid imprecise or open statements relating to risk, which do not assist with the effective
management of responses to such risks. Statements are mechanisms that also help management to define
parameters relating to risk, against which key decisions and escalation activities can be performed.
‘Key risk indicators’ are often a tool used by management, and those in charge of Governance, in these areas.
Whilst POL needs to consider their own risk statements and indicators, some examples of those that may be
worthy of consideration in relation to the integrity of processing in Horizon could include:
* The number of allegations or concerns raised by Sub-postmasters during a defined period;
e® The number and value of adjustment postings being performed by FSC
e The use of balancing transactions
* The number of security incidents on the Horizon system during a defined period;
e The value of unreconciled differences between systems / ledgers
* The number and nature of errors or exceptions in processing; and
¢ Key controls found to not to be operating effectively in a period.
The above are not exhaustive and key risk indicators need to be considered thoroughly in response to the
particular risks and controls which are required in response to the risk universes formulated over the Horizon
processing environment.
Sustain Assurance Delivery and Implement more Proactive Monitoring: Benefits of these activities could
include:
* Minimising duplication in the control framework, and the assurance activities there-on;
« Support targeted assurance provision in the context of existing or potential future allegations;
e Provide more measureable benchmarks of performance against other organisations;
« Underpin further efficiencies in the assurance provision, for example the automation of existing manual
controls; .
e — Incentivise ongoing improvement in both the processes and the assurance provision, by highlighting
deficiencies on a timely basis and reporting these directly back to those business or outsourced
owners who need to take a remediation or corrective action; and
* Support the maintenance of the completeness of documentation over the Horizon Features.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
ry
&
I ee
Appendix 1: IT Provision Assurance Source Mapping and Gap
Analysis
The mapping below outlines the more detailed IT Provision assurance mapping against IT Provision risks, as summarised in Section 4:
18027001 Statement Coverage
Environmental Risk
of Applicability Rating
‘A.10 Communications and
Operations Management
Data converted from legacy systems
or previous versions introduces data
ISAE3402 Section
Coverage
Rating
Requirement 6: Develop
Coverage
Rating
Operations or accessed in a timely manner Management
when there is a loss of data.
4.8.6 Major Incident.
Process
4.8.7 Security Incident
Process
Change ‘i 4 A.12 Information Systems 4.8.10 Change i ntal
errors if the conversion transfers am and maintain secure
é A , Devel ure
Management incl, redundant, beat, o Acquistion, Development Management systems and applications.
‘10 Communications and
Inappropriate changes are made to I Operations Management
system software (e.g., operating 12. Information Systems. Requirement 6: Develop
Change ant system, network, change- Acquisition, Development Mone, change and maintain secure
i management software, access- and Maintenance e systems and applications.
control software).
‘A.10 Communications and
Operations Management
Inappropriate changes are made to_I A.12 Information Systems Requirement 6: Develop
Change I the database structure and Acquisition, Development net change and maintain secure
lanagement I relationships between the data. and Maintenance 9 systems and applications.
‘A.10 Communications and 4.8.2 Backup
Operations Management 4.85 Incident
Financial data cannot be recovered I A.14 Business Continuity Management Information System
Operations not within
scope for PCIDSS review.
DRAFT FINDINGS.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
35
POL00107160
POL00107160
fs : 1SO27001 Statement Coverage . overage Coverage
Environmental Risk hare eis ISAE3402 Section COVeraB PCIDSS Hed
of Applicability Rating Rating Rating
‘A.10 Communications and "
< 4.8.3 Job Schedulin
Operations Management 4.8.4 Availabilty and
Capacity Management
Enaior pbs rout femora, 4.8.5 Incident Information System
Operations incomplete, or unauthorized * Management Operations not within
processing of ‘date. 4.8.6 Major Incident scope for PCIDSS review.
. Process
4.8.7 Security Incident
Process
A.11 Access Control
‘ Requirement 3: Protect
Inappropriate changes are made 4.8.12 Access to stored cardholder data,
Security y a throug) databases, data files, and Requirement 6: Develop
means other than application programs and maintain secure
transactions. systems and applications.
; A.10 Communications and
Inappropriate changes are made to. I Operations Management
Application systems or programs I A,12_ Information Systems
that contain relevant automated ‘Acquisition, Development ey en Requirement 6: Develop
Security controls (ie., configurable settings, I and Maintenance Management and maintain secure
automated algorithms, automated 9 systems and applications.
calculations, and automated data
extraction) andior report logic.
Individuals gain inappropriate access saan Resources
to equipment in the data centre and AQ Physi i Requirement 9: Restrict
’ u : .9 Physical & 4.8. Physical and s
Security exploit such access to circumvent F physical access to
logical access controls and gain Environmental Security Environmental Controls cardholder data.
inappropriate access to systems.
A.11 Access Control
Syste ot adequatel ;
caatgured or updated to restrict 4.8.10 Change Requirement 6: Develop
Security system access to proper Mana ernent and maintain secure
ystem ac properly 9 systems and applications.
authorized and appropriate users.
Rat Aooess Control
ess Control Requirement 6: Develop
‘The network does not adequately 4.8.9 Networks and maintain secure
, prevent unauthorized users from 4.8.10 Change systems and applications.
Securit
y gaining inappropriate access to Management Requirement 11: Regularly
information systems. 4.8.11 Security test security systems and
processes.
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
36
mee eM oe et em ee he me ewe ee eee eee eee eee el
Security
Environmental Risk
Users have access privileges
beyond those necessary to perform
their assigned duties, which may
create improper segregation of
duties.
1S027001 Statement
of Applicability
‘A8 Human Resources
Security
A114 Access Control
Coverage
Rating
ISAE3402 Section
4.8.11 Security
4.8.12 Access to
databases, data files, and
programs
Coverage
Rating
Coverage
Rating
Requirement 7: Restrict
access to cardholder data
by business need-to-know.
Requirement 12: Maintain
a policy that addresses
information security for
employees and
contractors.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
37
POL00107160
POL00107160
Appendix 2: Assurance Schedule over Horizon Features
We present below a schedule of the Assurance Work and sources we have identified which relate to certain groups of Horizon Features.
We have structured these in line with our three areas of assessment (System Baseline, IT Provision and System Usage), as defined in our report.
We have also recorded our assessment of the level of comfort that POL has over that Horizon Feature, defined as:
« “Significant” means we have seen Assurance Work that delivers comfort through evidence based testing by independent parties.
« “Partial” means we have seen Assurance Work in the form of descriptions in formal documentation, but no testing of implementation or operating effectiveness.
« “Limited” means we have seen Assurance Work that documents verbal assertions we received during our work.
e “None” means that Assurance Work has not yet been provided to us.
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
38
eR Renee ee eee eee eee eee eee
System Baseline
Baseline
Key Assertion
re. Processing
Integrity
The system was
fit for purpose
and worked as
intended when
first put in?
I Description of feature
The design of key elements of the
Horizon system relevant to the
integrity of auditing and capturing
transactions was formally agreed and
signed off prior to systems
deployment.
Assurance Work Source
No information provided.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Manual
Baseline I The system was I Traceability Matrices have been No information provided. Preventative Manual
fit for purpose documented, implemented and
and worked as periodically reviewed to ensure that
intended when business requirement documents
first put in? have been regularly reviewed against
project progress.
Baseline I The system was I During the initial implementation of No information provided. Preventative Manual
fit for purpose —_I, the software, Key Project Governance
and worked as mechanisms were put in place to
intended when I ensure the:
first put in? Working Group
Steering Group/Project board
Requirements Review Group
Baseline I Major changes Traceability Matrices have been No information provided. Preventative Manual
since documented, implemented and
implementation I periodically reviewed to ensure that
have not business requirement documents
impacted the have been regularly reviewed against
system. project progress.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Level of
haa
POL00107160
POL00107160
39
POL00107160
POLO0107160__
Key Assertion
re. Processing
Integrity
Baseline I, Major changes
since
implementation
have not
impacted the
system.
Description of feature
Key Project Governance mechanisms
have been enacted and operated over
significant changes to the system since
implementation. Examples of such
mechanisms include:
- Working Group
- Steering Group/Project board
- Requirements Review Group
Assurance Work Source
No information provided.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Manual
Baseline I The system was
fit for purpose
and worked as
intended when
first put in.
Prior to implementation into the live
environment (and in some cases post)
acceptance criteria in relation to key
system elements important for
auditing and capturing transactions
were formally agreed and signed off.
For Audit Store Baseline:
Example acceptance criteria
document entitled Acceptance
Report 20070917BL01.13WIP
(note no sign off of .
acceptance criteria is included
within this document).
For 2011 Horizon
Implementation (BRDB
Baseline):
Testing plans were provided in
the document 'Copy of IT
Health Check 23-07-2009.xIs',
a Risk Assessment of the
project has been provided in
"Security All Risk Extract
090928 v2.xls' and Migration
instructions have also been
provided in the document
‘Migration_ Instructions.pdf'.
Also a report by third party
consultancy firm Wipro has
Preventative
Manual
Level of
Comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
_ SRR eee eee ee eee eee ee eee eee eee eee
40
Key Assertion
re. Processing
Integrity
Description of feature
Assurance Work Source
been provided to demonstrate
the project was delivered as
planned in the document
‘Horizon : Performance Test
Audit Post Office Limited (
POL)'.
For 2012 Data Strategy
Foundation (External Feeds
Baseline):
- Example acceptance criteria
document entitled CFD New
Requirements v1.11.xls (note
no sign off of acceptance
criteria is included within this
document). Additionally, an
example of a designed, and
reviewed Migration Strategy,
titled ‘Migration Strategy CFD
v0.4’, was provided, in
addition to a Test Report,
‘POLTSTREPOO10 - CFD E2E
Test Report v0 1’,
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Level of
Comfort
POL00107160
POL00107160
Baseline I The system was I The testing of key elements of the For 2011 HNG-X Preventative Manual Partial
fit for purpose system important for the auditing and I Implementation:
and worked as capturing of transactions was formally
intended when agreed and signed off and then For 2012 Data Strategy
first put in? delivered against. Foundation:
- Test Strategy Document
entitled 'Acceptance Testing
Strategy’ - authorised version
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
a
POL00107160
POL00107160
Key Assertion I Description of feature Assurance Work Source Control Type Control Method Level of
re. Processing (Preventative / (Manual / Comfort
Integrity Detective / Automated / IT
Monitoring) Dependent
Manual)
dated 10/11/2011.
- Test Exit Report entitled
‘Client File Delivery Report E2E
- Exit Test Report’, draft
version 0.1 dated 06/01/2012.
Baseline I Major changes Sign off for design of significant 2005 Design Proposal Preventative Manual Partial
since change is formalised and documented. I ASDPRO27.doc
implementation 2005 Audit Centera API
have not Implementation
impacted the DELLDO26.doc
system. 2002 Change Proposal
CP3240.rtf
2004 Change Proposal
CP4021.rtf
Baseline I Major changes Acceptance criteria related to key 2002 Acceptance Test Preventative Manual Partial
since areas such as the branch database and I Specification IAACSO02.doc
implementation I audit store.
have not
impacted the
system.
Baseline I Major changes Test Strategy and Execution have 2003 Acceptance Test Report Manual Partial
since been documented and signed off, and I IAACROO3.doc Preventative
implementation I provide an adequate audit trail for the
have not testing of key system features such as
impacted the the Audit Store and Branch Database.
system.
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Sere e eRe eRe RO ee,
42
Description of feature
Key Assertion
re. Processing
Integrity
Independent Assurance over design of
HNG-X system by Gartner.
Baseline I Major changes
since
implementation
have not
impacted the
system.
Assurance Work Source
No information provided.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Manual
POL00107160
POL00107160
Level of
Comfort
Low
Major changes Programmes and projects affecting
since the Horizon system are controlled and
implementation I governed using an established change
have not methodology.
impacted the
system.
Baseline
Harmony Delivery Lifecycle
document
Preventative
Manual
Partial
Major changes Independent Assurance report over
since testing procedures has been obtained.
implementation
have not
impacted the
system.
Baseline
Wipro performance testing
report.
Preventative
Manual
Significant
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
43
POL00107160
POL00107160
IT Provision Assurance
Key Assertion re. Description Source Control Type Control Method Level of
Processing Integrity (Preventative / (Manual / Automated Comfort
Detective / / \T Dependent
Monitoring) Manual)
Provision I IT supporting Management have ISMF Minutes Preventative Partial
processes are well established forums to FJS Security Report
controlled. oversee the performance of
third party IT providers.
Provision I IT supporting POL has documented end POL End User Preventative Manual Partial
processes are well user control considerations I Considerations
controlled. to supplement third party Document
service provider controls
assurance reports
Provision I IT supporting Third party assurance ISAE3402 Report Preventative Manual Significant
processes are well reports are in place to PCIDSS Report
controlled. ensure the overall control of
the IT environment,
including: ISAE 3402 reports,
PCIDSS compliance report
and 1SO27001 certified
accreditation.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
44
Usage Assurance
Key Assertion re.
Processing Integrity
Description
Source
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent Manual)
Level of
Comfort
POL00107160
POL00107160
Usage Counter transactions I Only baskets that balance to I Horizon Online Data Preventative Automated Partial
are recorded £0 can be accepted by the Integrity_POL
completely, accurately I central database (double document.
and ona timely basis I entry concept exists).
centrally.
Usage Counter transactions Digital Signature is applied’ I Horizon Online Data Preventative Automated Partial
are recorded to each transaction basket Integrity_POL
completely, accurately I at the point of counter document.
and ona timely basis I inception to prevent
centrally. downstream tampering.
Usage Counter transactions I Transactional Verbal confirmation Detective Automated Partial
are recorded Acknowledgement and from Rod Ismay and
completely, accurately I manual review process. Jane Smith in Finance
and ona timely basis Shared Services.
centrally.
Usage Counter transactions I Sequential numbering is Horizon Online Data Preventative Automated Partial
are recorded ° applied to each counter Integrity_ POL
completely, accurately I basket prior to digital document.
and ona timely basis signature application to
centrally. provide a 'baked in'
sequence check.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
45
POL00107160
POL00107160
Key Assertion re.
Processing Integrity
Description
Source
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent Manual)
Level of
Comfort
Counter transactions I Oracle commit and roll-back I Horizon Online Data Preventative Automated Partial
are recorded process is atomic (i.e. either I Integrity_ POL
completely, accurately I a complete transaction is document.
and ona timely basis I posted or nothing is
centrally. posted).
Usage Counter transactions A fall back mobile link is in Horizon Online Data Preventative Automated Partial
are recorded place to ensure that if Integrity_ POL
completely, accurately I transactions are still document.
and ona timely basis I processed in a timely
centrally. manner
Usage Counter transactions I A private cryptographic key I Horizon Online Data Preventative Automated Partial
are recorded is securely established for Integrity_ POL
completely, accurately I each transmitted basket. document.
and ona timely basis
centrally.
Usage Directly posted Formalised change control Email communication I Preventative Manual Partial
transactions, such as approval and monitoring from John Simpkins
"Balancing process over the usage of dated 15/05/2014,
Transactions", are Balancing Transactions articulating control
visible and approved. design around this
process.
Usage Directly posted An audit trail log isin place I Email communication I Detective Manual Partial
transactions, such as to monitor the use of from John Simpkins
"Balancing balance transactions. The dated 15/05/2014,
Transactions", are log is monitored by an articulating control
visible and approved. I independent department design around this
that does not have access to I process.
the function.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
46
Key Assertion re.
Processing Integrity
Description
Source
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent Manual)
Level of
Comfort
Partial
POL00107160
POL00107160
Usage Branch Ledger JSNs are processed into the I Technical Design Preventative IT Dependent Manual
transactions are audit store and reviewed Document for Audit
recorded accurately in I when users access audit Extract Process -
the Audit Store. store information. The Audit I DESAPPHLDO029.
Store will automatically
detect non-sequential files
that are then processed by
the Tivoli monitoring tool
and investigated where
appropriate.
Usage Branch Ledger Digital seals are in place to Technical Design Preventative Automated Partial
transactions are ensure that files are not Document for Audit
recorded accurately in I amended following load to Extract Process -
the Audit Store. the Audit Store DESAPPHLDO0029
Usage Branch Ledger The digital seal applied to Security Architecture I Preventative Automated Partial
transactions are the batched digital Document
recorded accurately in I signatures ensures that any I Network Architecture
the Audit Store. amendments to data leaves I Document
a traceable audit trail Cryptography
Architecture
Document
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
47
POL00107160
POL00107160
Key Assertion re. Description Source Control Type Control Method Level of
Processing Integrity (Preventative / (Manual / Comfort
Detective / Automated / IT
Monitoring) Dependent Manual)
Branch Ledger JSNs are processed into the j BRDB Technical Automated Partial
transactions are audit store and reviewed Design Document
recorded accurately in I when users access audit Audit Technical Design
the Audit Store. store information. The Audit I Document
Store will automatically
detect non-sequential files
that are then processed by
the Tivoli monitoring tool
and investigated where
appropriate.
Usage Branch Ledger Formalised change control Email communication I Preventative Manual Partial
transactions are approval and monitoring from John Simpkins
recorded accurately in I process over the usage of dated 15/05/2014,
the Audit Store. Balancing Transactions and articulating
control design around
this process.
Usage Branch Ledger Audit trail monitoring the Email communication I Preventative Manual Partial
transactions are usage of balance from John Simpkins
recorded accurately in I transactions dated 15/05/2014
the Audit Store.
Usage Information from the I Logical access controls in Audit Store Preventative Automated Partial
Audit Store retains place over user Procedures
original integrity. management to ensure that
only appropriate staff have
access to extract
information from the audit
store
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
(ee
POL00107160
POL00107160
Key Assertion re.
Processing Integrity
Description
Source
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent Manual)
Level of
Comfort
Usage Information from the I Hardware controls are in Audit Store Preventative Automated Partial
Audit Store retains place to prevent the Procedures
original integrity. modification of data in the
Audit Store
Usage Information from the I JSNs are processed into the I Audit Store Detective Automated Partial
Audit Store retains audit store and reviewed Procedures
original integrity. when users access audit
store information. Audit
store will automatically
detect non-sequential files
that are then processed by
the Tivoli monitoring tool
and investigated where
appropriate. ‘
Usage information from the I The digital seal applied to Audit Store Detective Automated Partial
Audit Store retains the batch on data transfer is I Procedures
original integrity. checked back to the initial .
seal to ensure that hash
value has not been altered.
Usage Information from the I The integrity of the digital Audit Store Detective Automated Partial
Audit Store retains signature is checked for all Procedures
original integrity. baskets used in the extracts.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
49
POL00107160
POL00107160
Key Assertion re.
Processing Integrity
Description
Source
Level of
Comfort
Control Method
(Manual /
Automated / IT
Dependent Manual)
Control Type
(Preventative /
Detective /
Monitoring)
Usage Information from the I Exceptions identified in Audit Store Detective Automated Partial
Audit Store retains integrity checks on digital Procedures
original integrity. seals or signatures or in the
sequence check are formally
raised and handled as part
of day-to-day IT operational
processes within the Tivoli
Monitoring tool.
Usage The system used by 3 way match between Data Flow Diagram IT Dependent Manual I Partial
the Finance teams for I Branch Database, provided by Finance
control contains all Transaction file and POLSAP I (Jane Smith)
records load file
Usage Data posted from Amendments posted Transactional Preventative Automated Partial
other systems and centrally via transactional Corrections
teams is visible to and I corrections must be Procedural Evidence
accepted by sub post- I approved by sub-Post
masters Masters must be approved
before they can be applied
to the Branch Database
Usage Data posted from Amendments posted Branch Database Preventative Automated Partial
other systems and centrally via transactional Procedures
teams is visible to and I acknowledgements must be
accepted by sub post- I approved by sub-Post
masters Masters must be approved
before they can be applied
to the Branch Database
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
, See ne ee eee eee ee eee eee eee eee eee eee
50
Key Assertion re.
Processing Integrity
Data posted from
other systems and
teams is visible to and
accepted by sub post-
masters
Description
For any outstanding (non-
accepted) Transaction
Acknowledgement or
Transaction Corrections at
month end, a formal
resolution process exists
which enables non-accepted
items to be identified, held
in suspense and actively
investigated to the point of
resolution with the Sub-
postmaster. Business as
usual resolution activities
can be taken to conclude
outstanding items and have
them cleared down.
Source
Rod Ismay
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent Manual)
Manual
Level of
Comfort
Partial
POL00107160
POL00107160
Usage Data posted from Sub-postmasters have Branch Database Preventative IT Dependent Manual I Partial
other systems and access to view all Procedures
teams is visible to and I transactional records
accepted by sub post- I underpinning their current
masters accounting period’s ledgers.
This information is used to
support their daily branch
cash declarations and
reconciliation, their weekly
balance of cash and stock
reconciliation, and their
monthly trading period roll
over activities.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
51
POL00107160
POLO00107160
Key Assertion re.
Processing Integrity
Description
Source
Control Type
(Preventative /
Detective /
Monitoring)
Control Method
(Manual /
Automated / IT
Dependent Manual)
Level of
Comfort
Usage Data posted from All processes create an Branch Database Preventative IT Dependent Manual I Partial
other systems and identifiable transaction in Procedures
teams is visible to and I Horizon, with an audit trail
accepted by sub post- I to the originator in the
masters Finance Services team. This
transaction ID is protected
by the JSN, digital signature
and digital seal features.
Usage DBAs or others Sub post-master must Branch Database Preventative IT Dependent Manual I Partial
granted DBA access functionally approve the Procedures
have not modified Transactional
Branch Database data. I Acknowledgement file
produced by the POLSAP
system before items can be
processed through to the
branch database.
Usage DBAs or others Formalised change control Email communication I Preventative Manual Partial
granted DBA access approval and monitoring from John Simpkins
have not modified process over the usage of dated 15/05/2014,
Branch Database data. I Balancing Transactions and articulating
. control design around
this process.,
Usage DBAs or others ‘I Audit trail monitoring the Email communication I Preventative Manual Partial
granted DBA access usage of balance from John Simpkins
have not modified transactions dated 15/05/2014
Branch Database data.
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Saree ee eee e eee eee eee eee eee ee,
52
Key Assertion re.
Processing Integrity
DBAs or others
Description
Hardware controls are in
Source
Audit Store
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent Manual)
Automated
Level of
Comfort
Partial
POL00107160
POL00107160
are recorded
completely, accurately
and ona timely basis
centrally?
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
monitoring processes are
defined and formalised. Any
issues or errors are reported
and responded to by Fujitsu
as part of day-to-day IT
Operational activities.
granted DBA access place to prevent the Procedures
have not modified modification of data in the
Branch Database data. I audit store
Usage DBAs or others Database access privileges ISAE3402 Preventative Automated Partial
granted DBA access that would enable a person
have not modified to delete a digitally signed
Branch Database data. I basket are restricted to
authorised administrators at
Fujitsu.
Usage DBAs or others Database access privileges ISAE3402 Preventative Automated Partial
granted DBA access that would enable a person
have not modified to create or amend a basket
Branch Database data. I and re-sign it with a ‘fake’
key, detectable if
appropriately checked, are
restricted to authorised
administrators at Fujitsu.
Usage Counter transactions I TWS scheduler and ISAE3402 Detective Automated Significant
53
POL00107160
POL00107160
Key Assertion re. Description Source Control Type Control Method Level of
Processing Integrity (Preventative / (Manual / Comfort
Detective / Automated / IT
Monitoring) Dependent Manual)
Counter transactions I Logical security access Security Architecture I Preventative Automated Significant
are recorded controls in place to Document reference -
completely, accurately I minimise the risk of ARCSECARCO003
and ona timely basis I inappropriate access to the I section 6.2 and
centrally counter software within ISAE3402, PCIDSS and
branch. 18027001 reports as
well.
Usage Branch Ledger Logical security access ISAE3402 report. Preventative Automated Significant
transactions are controls are in place in
recorded accurately in I relation to the Branch ‘
the Audit Store Database and audit store to
ensure that only
appropriate staff members
have access. Key
transactions and tables are
monitored and activity is
verified by an independent
third party. 1
Usage Branch Ledger Database access privileges ISAE3402 Preventative Automated Partial
- transactions are that would enable a person
recorded accurately in I to delete Audit Store data
the Audit Store are restricted to authorised
. administrators at Fujitsu.
DRAFT FINDINGS
I STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE,
54
(eee eee
POL00107160
POL00107160
Key Assertion re.
Processing Integrity
Branch Ledger
transactions are
recorded accurately in
the Audit Store
Description Source
Database access privileges ISAE3402
that would enable a person
to create new entries, re-
sealing it with a valid
(publically available) ‘hash’
are restricted to authorised
administrators at Fujitsu.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent Manual)
Automated
Level of
Comfort
Partial
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
55
POL00107160
POL00107160
Appendix 3: Inventory of Documentation Reviewed
The following documentation was reviewed during the course of our review:
Document I Docume cument Type
Number
1 Horizon Core Audit Process (Powerpoint) Other sources of comfort
2 Fact file (updated with SS comments) Other sources of comfort
3 ISAE3402 Report over Fujitsu managed service on Horizon Assurance
4 Centrally Generated Transactions document Other sources of comfort
5 POL Summary of Horizon Anomalies Referred to in Second Sight Report Assurance
6 Report on Local Suspense (14 Branch) Issue Other sources of comfort
7 Report on Receipts Payments (62 Branch) Issue Other sources of comfort
8 Spot Review Bible Other sources of comfort
9 Horizon Data Integrity Document Other sources of comfort
10 Horizon Data Integrity Document Other sources of comfort
14 Fujitsu 1SO27001 Certificate Assurance
12 1027001 Statement of Applicability produced by Fujitsu Assurance
13 PCI DSS Attestation of Compliance Assurance
14 PCI DSS Report by Bureau Veritas Assurance
15 ISMF Minutes for three months Other sources of comfort
16 Fujitsu Security Reports for three months Other sources of comfort
17 Fujitsu Information Security Management System (ISMS) Scope Other sources of comfort
18 Horizon Solution Architecture Outline Other sources of comfort
19 Post Office to Driving & Vehicle Licensing Agency Automated Payments Client File Interface document Other sources of comfort
20 DVLA Internal Web Service High Level Design document Other sources of comfort
241 Security All Risk Extract Other sources of comfort
22 Migration Overview Document for Horizon system Other sources of comfort
23 Horizon Technical Security Architecture Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
56
SenuenmRenmeHReHeHHRHeemeHeeeeeeeeeeeeaeaeeae eee ee ee ee
Documet Documet Document Type
Number
24 Solution Architecture Document Other sources of comfort
25 Batch Processing Overview Document Other sources of comfort
26 EMC Centera Acceptance Test Report - IAACROO3 Other sources of comfort
27 Centera Accepting Testing Specification - IAACSO02 Other sources of comfort
28 Application Interface Design - DELLDO26 Other sources of comfort
29 Audit Server Specification Design -TDDESO71 Other sources of comfort
30 Configuration Design - TDMANO06 Other sources of comfort
31 Configuration Design - TDMANOO9 Other sources of comfort
32 Centera star OS upgrade to version 2.4 design proposal Other sources of comfort
33 Centera star OS upgrade to version 2.4 design proposal Amendment -CP4021 Other sources of comfort
34 Centera star OS upgrade to version 2.4 design proposal Amendment -CP3241 Other sources of comfort
35 Exception.and Event Guide - TDMANO07 Other sources of comfort
36 Functional Separation - CRFSPOO6 Other sources of comfort
37 High Level Design - SDHLD001 Other sources of comfort
38 Audit Data Retrieval - SDHLDOO2 Other sources of comfort
39 Centera Migration HLD - TDIONO39 Other sources of comfort
40 Centera - High Level Test Plans - VIHTP014 Other sources of comfort
44 Horizon System Audit Manual - IAMANOOS Other sources of comfort
42 Low Level Design Document Other sources of comfort
43 Centera Operational Procedures - TDMANO08 Other sources of comfort
44 Centera - Performance Test Specification - TDLLTOO8 Other sources of comfort
45 Centera Support Guide - TOMANO17 Other sources of comfort
46 Centera Support Guide - TDMANO18 Other sources of comfort
47 Centera Test Report - VITRP029 Other sources of comfort
48 Centera User Guide - TDIMANOOS Other sources of comfort
49 Data Strategy Foundation - 04 - G149 Data Strategy Foundation - Client File Transfer - PODG Closure v2 0 Other sources of comfort
50 Data Strategy Foundation - CFD New Requirements v1.11 Other sources of comfort
51 Data Strategy Foundation - Data Strategy Foundation Test Strategy V1 0 Other sources of comfort
52 Data Strategy Foundation - Migration Strategy CFD v0.4 Other sources of comfort
53 Data Strategy Foundation - POLTSTREPOO10 - CFD E2E Test Report vO 1 Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
_ _ _POL00107160__
ee ee
57
POL00107160
POL00107160
jocument Type
Data Strategy Foundation - Revised business case CFD 24 11 10 Other sources of comfort
Horizon Technical Network Architecture - ARCNETARCO001 Other sources of comfort
Horizon Crypto Services High Level Design -DESSECHLDO002 Other sources of comfort
E2E data flows Other sources of comfort
idocs involving settlement Other sources of comfort
Process Management Systems Diagram (Version 14 - 24.10.2011) Other sources of comfort
AR11.005 - Horizon controls Other sources of comfort
AR12.050 - Horizon follow up Other sources of comfort
AR12.050a -Follow-up Horizon May2013 Other sources of comfort
Horizon Counter Application High Level Design - DESAPPHLD0047 Other sources of comfort
COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL. Other sources of comfort
Horizon Operational and Support Services Requirements Other sources of comfort
ACCEPTANCE REPORT FOR DESIGN WALKTHROUGH EVENT DWO3 - SECURITY Other sources of comfort
Draft Deloitte Phase 2 Instructions (RDW 07 05 14)2 Other sources of comfort
Phase 2 - Areas of Focus diagram (DRAFT v1) Other sources of comfort
Project Zebra - Phase 2 Potential Next Steps v3 Other sources of comfort
REQAPPAIS1392v3.2.PayStation.ETL Other sources of comfort
a REQAPPAIS1391v2.1,PoGo.ETL. Other sources of comfort
72 Acceptance Report 20070917BL01.13WIP Other sources of comfort
73 All Streams Plan vsn 0.98 Other sources of comfort
74 BC PLA 001 v0.3 Other sources of comfort
7 BCO20 HNG PD Potential Risks and Issues Register v1.0 Other sources of comfort
76 Change Management Assessment Template Other sources of comfort
7 DES SEC HLD 0010 v 1.0 Other sources of comfort
78 Engagement Meeting Log Notes v1.2 Other sources of comfort
79 Gartner Report Findings 1.1 with Appendix Assurance
80 HARMONY Full Guide 1.14 Other sources of comfort
81 HARMONY Full Guide 1.14 Other sources of comfort
82 HNG Benefits Tracking in confidence May 08 final Other sources of comfort
83 HNG Board Report 080408 Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
58
Bh Wl Rl Mf 1 Gf @) fd Sf i mm i A om ew mo Me Mw me Me eee ee mee me ie
Do
84 HNG PID v1.3, Other sources of comfort
85 HNG Reqts Team Meeting 050606 Other sources of comfort
86 HNG Risk and Issues 070424LY Other sources of comfort
87 Horizon Testing Strategy - HXTSROO1 Other sources of comfort
88 In Touch report for HNG 080418a Other sources of comfort
89° In Touch Report for HNG 081205 Other sources of comfort
90 POL HNG IMP 002 v 1.0 Other sources of comfort
91 POL HNG REQ 014 Other sources of comfort
92 QRHO31 HNG Reqts PID vO.1f Other sources of comfort
93 ACCEPTANCE REPORT FOR Horizon ACCEPTANCE GATEWAY 11 & 2 - REQ GEN ACS 0001 v0.2 Other sources of comfort
94 Horizon GENERIC ACCEPTANCE PROCESS -REQGENPROO735 Other sources of comfort
95 Stakeholder Engagement Log_091218 Other sources of comfort
96 Test Report for the Integrity Testing of Horizon Data-centre Disaster Recovery —- Week Commencing 1st
September 2008 - SVMSDMREPOOOS Other sources of comfort
97 Wipro - Horizon : Performance Test Audit Post Office Limited ( POL) Assurance
98 DVLA Internal Web Service High Level Design - DESAPPHLD0012 Other sources of comfort
99 Audit Data Retrieval High Level Design - DESAPPHLD0029 Other sources of comfort
100 Audit Data Collection & Storage High Level Design - DESAPPHLD0030 Other sources of comfort
101 Horizon Counter Application High Level Design - DESAPPHLD0047 Other sources of comfort
102 COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL -DEV
CNT CTP 0068 v 2.1 Other sources of comfort
103 DVLA AP Client File AIS . Other sources of comfort
104 Product Branch Accounting - Issuing Process for Transaction corrections v0.1 Other sources of comfort
105 Audit Data Collection and Storage High Level Design Other sources of comfort
106 Data Flow - Transaction Processing for client file delivery Other sources of comfort
107 Data Flow - NBSC Miskey Process - Network Banking Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
59
POL00107160
POL00107160
With the prior permission of POL, the following individuals were interviewed or consulted during the course of our review:
Contact Name Job Title / Role Organisation
Dave King Senior Technical Security Assurance Manager POL
Julie George Head of Information Security and Assurance Group POL
Rod Williams Litigation Lawyer POL
James Davidson I Fujitsu Primary Point of Contact Fujitsu
Pete Newsome Quality responsibility Fujitsu
Will Russell Regional Network Manager NT - South POL
Phil Norton Horizon Requirements responsibility Atos
James Brett Senior Test Manager — Post Office Account Atos
Bill Membery Requirements/Testing responsibility on Horizon Fujitsu
Gareth Jenkins Distinguished Engineer Fujitsu
Neil Crowther Senior Business Analyst POL
Matthew Lenton I Document Management responsibility Fujitsu
Rod Ismay Head of Finance Service Centre POL
Jane Smith AP Enquiry Team Leader, Finance Service Centre POL
Dave King Senior Technical Security Assurance Manager POL ~
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
60
un ne nk nh eh Ree ee ee ee eee ee eee eee ee ele ee
Appendix 4: Engagement Letter
Deloitte.
Ar Chass Ayan
Post Offce Ud
148005 Street
Lerten
Fev sng
* pps 2014
Desc
STRICTLY FRIVATE AND CONFIDENTIAL
IVILEGED,
We are pleated to st out for your approval the atrangements under wich we prove (9 estat Post
Office [1d (POL of “You"). We understand tht You are resgond:ng (9 ellezations that the
“Horiron HNG-X™ Mf ayaters wed to record transactions ia Pest Office beaches, is defective andor
‘Gat the processes cavoctated wit it are Laadegante (ihe “AUegstions").
In onder to respond beter to tho Allegations, You require services from us, as outlined in paragrap
21b) below These armegerents are se out In thls letzer roger with the enclosed Termx of Business
«nd eppenttces
So thst wo are abte to assist Yoo effectively, plense ensure that You have conskered fully a of the
irs aod colin set out ths lller ands enclonures and that You are susie that the scope of
i Services deverbed below is sfficient for Your needs.
1 Seopenndobjectives
In onder to respond better to the Allegations (which have been, sod wall al Lehtood continue ts
be, edvancel in the cowsts, You want to demiecstate (at the Horizon HING-X sysice Is robust and
‘peatca wh inegnty, thin an appropriate conérl framework. In response (0th, You Inve either
‘been provided ynth ee ccenmissoned a nember of mndependenesszrance reviews into maersreloing
{sHorizon IING-X's operating eavironmect ond processing itegy
‘The purpose of seeking inpot fm Deloi“e LLP (UK) CDetoi"» is te provide, based upon the
leformation made availa to ur by You, ma ndepedealy produced sumary ofthe awsursnce and
‘lber werk undertaken, over your current day Horo HNG-X sysem, for presentation to
Adscussion wth the POL Board (Patt 1 work")
We understand thatthe lepet provided ty Delstte will inform Your decisoes relating ta potent
arexs of adisonal work iS3t You may chgote to corunision to respond beiter tothe Alegssons, ard
{Cat we ay be volved sa the delve of soch ada work (Par 2 wok) ender ether a Change
Onder or aperste Lngagemeat
‘You have arked us to provide tbe Services act out In Section 2 below and 40 prepare the report
eser-bed un Section 2(0). (toe "Purpose"?
Deloitte.
We understand that any work being rndertaken by us in accordance with this enzagemert letter is
‘being undertaken in relation to ongoing Lsigation andor potentis ater algstion, and hence Us sect
to eal professional privilege
{In adinon, ths matter is strictly confidential. Save as
tastes 0 lfm relight, of oor wk Fr wl Be lost ay pay
without uta wien coment
You ae adned shat orypondcnce ud prepay pps ay epee mgt he
so legally privileged, as ey are being prepored fa relation to ongoing liugaton and licked to.
provi ofegal nie, Ove othe Engagane Tex er ote Dele Punen and ences
necessary forus to deliver our work, we wil therefore take season=blo skill sad are ta idently papers,
siemorsada, correspondence and other metals prepared by ws as being “Legally Privileged snd
ontdral (or bear eqaent weiing ett ye cheutdroues Rede Willams, Yer
gation Lawyer.
2 QurServicevund respons
(2) Our Eegarement Tow,
iat nr tat Gare Jes wl be th Parr reponse You fhe Src deed
inthis Teter, unless agpoed with You (such agreement not to be
eyed Dend Nown eur Sere Lie Laser eh oneal agen ty ft errs me ne
10 You, valalso be avaiable as regaiod.
Chris Lauder, » Director witha our Goveranee and Contras tenn, wil end the delivery of our
Servicsto You, tops wih Mark Westbrook and Ctarlate Desouny, both Senior Maokgerm. They
el el ce wertng anti wi the wrote peopl wkng on the Clee! Tenn
Gareth, Chris, Mark and Charlate will be supprted by Tori Seamplon, Parmer, who baa particule
cexperlence in performing work und prepaieg reports ures lcumistances, and oer meinbers
‘of ou tear a8 requ
We understand that You do not require any of our team to be available to act as 2 named expert
yatness. Should this be required, we WouR! need to agree a separate engagement kiter for owe
Services and Det verabies
“Together they comyine the “Kagagemenl Tenm™
orth purposes ofthis engazement, we are aad thatthe elert fara et POL wick eonast of Lestey
Sewell, Chief tsfornation Officer; Chris Aufard, General Coursel, Delnda Crowe, Programme
Draco ue Geo ea of maton Seay (Cputing fr Lesley Sewel i abu end
Rodele Walliams, Post Office Lid Litization Lawyer The cient team will eogagereat to
Pauls Venelly, Cie xeetive. We note Gat we wl be advised of ny Yture changes tote een
team.
‘Togetverthey comprise tho “Cllent Tear”,
(W) Services
Port {of our Services witl provi he following:
+ Obtain an understanding ofthe Alezations: the key risks én and ireenat conols over the
Horlzon HING-X processing environere relevant o the integrity of processing the meseures
tn place to recont and preserve the incesty of syserh aut tails oe ober background
mtr that we may deem necessary to complete ave Deine
Pope 2 of 18
POL00107160
POL00107160
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
61
POL00107160
POL00107160
Deloitte.
+ Obiain an understanding of the Key differences between the current Horizon HING-X
processing envwarent ad the sim whieh hn replaced (het refered ts the “eeaey
Horizen system"),
Review, understand tad consotidare the corresponding invectigations, asserance actives and
remediation actlons which You o¢ third pasties have undertaken (see Appendix 1 for the
*Soutecs of Information” known to be wishin scope at this stage) focussing on three primary
areas:
© Work that has been performed to assure the design and eperation of key control
sctwvities Wat erested ond preserve the integrity of processing ccre2s the Horizon
HING-X env.toamet (tbo Audit See,
°
Work that has been performed to essure the design and eperation of key control
ctivities that crested and preserwo the rategnly of interfaces with te DVLA third
party system aad the Horizon IING-X environments
(© lavestigaions and actions that havo been taken fo response lo tte thematic findings of
Second Sight, a8 octimed in Yocs supplied document “POL Suimary of Secocd Sight
anomalies" (sce Append 1).
+ Mold ducussions with relevent members of Your staff nat! ether key stakeholders as pre-
greed with You, to deliver the work ociined above;
‘+ Prepare the Deliverable outlined in section 2(d) below,
Attend twice weekly meetings of cosference calls yath Your Client Team, to explain our
approach, status of work and the commentary withia our Del. verabte, ad
© Cary out aay other work required by You wich i reasonably incidental fo the sbove,
‘You do not rogue Deloss to comzrest on or tet the quality of the assurmnce work performed, noe
‘opine on its adequacy, suffcleaey or conctuslors, or the inegsty OF the Hlorion HING-X processing
envlronsent (north legacy Horizon sytem).
Ascngagemect requirements ee discussed, clarified and epreed funher, we wll out the aklivonal
4sc0pe sad timelne Tor such work via the Change Order process as set out in Appendix 2. Any Part 2
‘work You require us to perform wal be agreed tnder these Change Onder processes. This may inetude,
but will oct be lexed tor
Testing on data held
previously draven by Fey
the systema cud:t trai, to assess (for exemple) conclusions.
Eto the entert of known deficiencies,
Assessment and profit of system ax truly, 19 look for ehsraetgristies of end trends in
urusual behaviours in the systems trazsoctionsl core,
Lnqziy ito aod toting of the nature and extent of en, system and user acceptance testing of
the Horizon HINO-X processicg environment, daring ws imoplersenxtom,
Mocs derailed consideration a3 to any aspects of the intemal control environment which
‘operas over the evmeet Horizoa IING-X processing enviror:nect which were notin place oF
‘operating over tho leszy Horizon system.
Understand the nature and extent of j
‘operating ilegyy of datatlows to end from
fees with othe Ibied party systenss and test the
in ofthese systeras, and
Pred of 18
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
‘© Testing of responses to thematic coxcems raised by ether indeperidert reviews,
“The scope of our services snd ary deliverabtes will be limited sotly tothe Services and De‘iverables
set out in this Contmet, We will riske no represectations in respect of and will not cousiéer any other
aspect,
‘Ger work vill be performed through a coc:biestion of desk based inspection of documentation,
corroborative exgulry and through thal pany provided evidence or contact, as azreed between YOu
asd us.
© One responsibilities
In performing the Services, wo willbe response for:
‘+ undertaking the procedures as necessary to prodoce our celivetates, suid
‘+ confirming the frtusl cevracy of our report with You.
‘You agree that oer than asset out in the Serviees section ove, we wall not aut oraterwise test o¢
‘verify the faformation given to us ia the course of the Services. Ix particular, ealess otherwise
{instructed by You to do $0, we wall not perform o re-perform aay nssurance work that has tested and
concluded on the design, implementation and operational effectiveness of any internal controls over
the Horizon processing environment.
‘Our work will be limuted by the time and the Information available, Whilst we will report out findings
accondance with the tgreed scope of work having considered the information provided to us i the
‘course of carrying oct the Services, add.cons} information that You may regard ea relevant nay exist
‘hat is not provided (6 (and therefore not consklered by) us, Accordingly, our Detiverable(a) and our
work should not be relied upon as being comprehensive in such respects, We eceept no responsibilty
for maciers not covered by or omitted frors our Dehverable(s) de tothe spesifis mature of our work
istrvtions from Yow.
In particular, wo note that, ka cextaia respects, we will bo reliant on the integrity of thone
wo etervien, ad tt our bilty to coerorts and test wht we Rave been told may be fi
{fille Information
We shatl digeuss wet You an
problems arise,
difficulties we encounter wich completing our work should any
You acknowlcdze that You are responsible for establishing end maintaining an effocuive intemal
control sysicm that reduces the likelihood thst errors of inegatarties will occur and remain
undetected: however 1 does not ersinats that possibity. Nothing in owe werk Ruaraatees that errors
‘oF iregulsities will rot oceur, nor Is i desigaed to derect any such errors or iegularities should they
‘oceur.
The scope of our Services and o:r resporsitilties will pot involve us in performing the work
necessary for the purpose of providing, neither shall we provide, any assurance on the reliability,
proper compltstion oF clerical accuracy of any plan, budget, projection oF forecast ("prospective
finanelal information") nor the of the underying Since any prospective
{iranelal inforeastion felates to te futore, K esy be affected by unforeseea events, Actual resuite ase
Lukely to be different from those projected because events end circumstances frequerily do not occur as
‘expected, and those éiferences may be rstria
Doge Sof 8
62
Deloitte.
(2) Format an use of the Deloitte Deliverubles
‘The foemst and timing ofthe reports (the “Detiverables") issued by ts will be agreed wath You. The
‘content of och Dchverables 1s expectad to been excecitve stmary end a wniten report, as flows:
Execute Stanmrry
# Asanmary of our ebyectves, approach, work performed aad ons, ss able for Board
presentation aad discussion in theisreceting 2 the 30 Apeil 2014 (notirg any hey outstanding
points, of eppteable, ond subject to the accuracy of cur assurzphvons aad the fulfmeat of
‘Yor respoas.tilites, below),
Writen Report:
‘© Inuoduction ~ reconfirming the context of our nppoletment and the scope of work performed,
© Our Appeosch ~ outisisg the procedures we have adopted In he delivery of our work, those
docu reviewed andthe Lxlyiests wetave islewet
© Uedersisnding the Monsen ING-X Processing Eavironnect ~ based on the document
provided to 5, provids an evervicw:
© Relsting to the Techical processing environment - envisazed to be a éescription of
techrieat ruatiens of the Herizon ING-X system, consisting of, where information Is
provided to es
= key statistics relating to the processing environment and is range of fenetions (as
stpetsted by Fu,te, eluding the design and operction ef the dsla exegnty
protocols (the Auda Store),
key marers relating to its network architecture, Internal nad extemal inverfuees,
software componers, hardware eorsporerts,
+key maters relvtng to its history, including the timisg ef is Impleraentstion, the
nature of Govering resporsibilities over this project and the key enbsncemests
that Horizon IING-X eetivered compared to the legacy Hocizon system and
key responsibilities relating to the eumert operation ef the Horizon TING-X
processing eaviroament, ineludieg ehsnge conirol, xecunty managsnient, system
‘eperstions (inctadizg error handisxg proceduces, fotlow-ap and resolution), end-
set upport aad system recovery, and assurance respomubilities over these key
controls.
Relating to the User envirocmest - cavisazed to be 0 cesnplion of the uszce
exvircrment of the Honzen HNG-X system, consisting ef, where taforcation is
prowied toes
1 description ofthe types of users in the system end
whie’s Horizon HING>X is accessible,
1 types of transsctions processed by the system mud, at a reasoanble level, how
the ntegrity of these transsetions is verified and pres
= how more then datly, weekly, monthly, quarterly and enrust reconcihation
‘epercte and how variances and/or errors are bandled,
theatre of key won a oer ed oc process tat are commonly
adopted by users. 29
= Ttaay oft enor of elle fein iron NOX
ion
°
physical environments in
+ An Assurance Map - showing those sources of Your esserance mbich You bave atsred wth
lus and the areas of key Hsk relating to the ictegrity of processing tat these were designed to
Assan,
Page 5 of th
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
+ Matters for Coasideraion + en assessarent of Your Assurance Msp in the coatext of Your
‘objectives and slgificant rsters wo have observed durig our work thet we recorxmend You
consider ferter.
‘Any Detiverable should not be copied, referred to or qxoted to eny other party, except is the context of
‘Your defence ofthe Allegaticrs, ar be used for eny exhet perpose, We daw Your attention to clause 5
Of the enclosed Tem:s of Business that sets out the cond.ions under which the Deliverables wil be
provided to You,
{In the event that You wish to share our Deliverable with third parties, we may concerto such a course
subfect to us receiving *hold harmless? endentakitgs (or their equivalent), Thete procedures notify
them thet
+ the dictosun 49 them wall not create any dry, Inbiy or rexporstby weatoever to
‘thom in elation to our Deliverable or eny of fis conte
+ the Deliverable was not prepared for ihr use or with thet moods or interests fa mind, ard
+ they should keep our Deliverable confidential and not copy or circclse otr Deliverabe, or
aay extracts of them, to any third pasty wathout our express writen permission.
We understand that You are valikely to make any public annoccemente which weald refer to our
work. If this situation changes however, You ezieo thst You wall not make any such public
sanouneemien!(s) on this mtterreferrig to Deloitte or otr werk in any way wichout providing prior
notification ofthe wondick of eny pablic exnounce=rent to tks and without our prior wniten consent 10
such Wording, seth concert will not bo wittheld erzeasonably,
3 Clkent Rexponsibitities and Assumptions
(a) Client Responsibilities
In cocreetion with the provision of the Services, we refer You to clause 3 of te enclosed Terms of I
Business These confira Your respocsisilay forthe provislon of inforeation aad decision
corineetion with the Services we are to provide. Ia addition, our delivery of the Services is dependent
tupen Your completion of the foliowins:
. and agree thet our perforadce of to Services is dependert on the timely sid
eficctive competion of Your own activities and recponsibiites in connection wih this
engagement, xt well as timely decisions und approvals by You,
information You deem celevart to this review,
© Youngree to making aval
‘+ You agree to providing timely access to relevant personnel in onder for us to obtazt sufTsient
Information to Inform our understanding acl report,
# Unters we are otherwise instiucted, You apzee to carrying ort all contact with tint parties;
4+ You agree to provid.ag « nominated pots of contiet for us throuzhout the work,
+ You agree to provide a oo for oer tesin and severe storage Fcittes for peperwork. reqcired,
st 148 O84 Street, London, and =
‘+ Yow ogres to usxess the Deliverabie we provide to Yous, to detsetne the rast appropiate courses
of action for You.
Pope of 8
POL00107160
POL00107160
63
POL00107160
POL00107160
Deloitte. Deloitte.
You acknowledge ani nzree that our performace of the Services (s dependeat on the timely and 4 Our Charges
effselive coraplcien of Your oWn activities end resporsiliies in connection with tis enzagemect,
ae ell ax tiely decisions ond approvals by Vou. We wil base cer curses upon he atc tine ud teria incumed plus outapocketeapense aod
applieabte value edded tax The billing razes wo wil epply atch Chose of previous specslst advisory
“The responsibihties set ost above and these contained In elsese 3 of the Terms of usiess sre ‘work which we have performed for Youn 2013.
tacether refered to fa this Contact a the “Cllent ResponsTltes”
We etimate thet the Part 1 work wil take 15 days of senior tine to deliver. To provide sore certainly
() Assumptions cover our fees, we wll cap our total (ce for Part 1 work at £50,000 (pius VAT an oct of pocket
expenses), Charger for work dove uailer a Chazge Onler will be based on the rate cant below (la
The Services, Charges (set ut fa Section d below) and tiznetable are based upon the folowing dition to this fee cap forthe Past 1 work), ures otherwise agreed.
assumptions reprezentationt ard infermation spied by You (“Assumptions”)
+ Movizon HIKG-X fs also hnows as Horizon Oxtae in Your organisation. We will refer ta the Grade ‘Advisory Rate hr
procesung envirormest as Horan HING-X throuph-oct eur work ‘The system whieh Horizon fee I ee I
TING-X replaced snll be refere to as “the legacy Horizon systees”, 7
+ oly mers resting 10 the Horizon HING: ing cavitorment will be considered in ocr Sealoe Masaper 2430
review We wil not eonzidcr aay infonnation relatig to the legacy Horizon system, with the Marazer £300
exception of that necexeary for us to obiain an understanding ef key erhancements that Ce Senor Consol
Honzon 1ING-X delivered when twas implemented, nice Conese te
4 Delotze ll not provide « legal or any ether option st any point throughout the work: Avalyst £145
THe sucker Informon It available on a taely bass reganing tbe seape of Services and If darag the courze ef our work, or Change Onder thereunder, w need for aacillay specialist services
Delaverales fous toe abe to eamy oct or work, not specified In tha Contract ka Kentfied, sgzcement ta thle use and related charges will be obtxned
Defore any expenditures locumred.
+6 That all pertinent information relating to the eatuze of the Allegations nzainst You fas besn
provided fo cs such thst we er fully aso ofthe detail ef the Abpations; 5 Terms of Business and Liability Provisions
«Unis othenwiu lestctsd, that Deloiae staff will have no direet contact with say third partes “Tho enclosed Tem: of Business form an i:egral port ofthe Coriract between us and Your attention is
Mh thon eavcd Fujita cotacts that You provide tou drawn t thers. You agree thst fr the purpate of elause 6 ofthese Tenax of Hines, otxagprcpale
other than pared Fujuss coctoes thst You provide tous; Tay asa om ort any oy in conan wi te Serles all nt exceed £73000.
+The ledaviduats we misy reed to fazervlew will be availabe to us for sufficient time for us to
perform our work during the period of our assessment and thin! parties can be centected on w 6 Variations
- You to request fi a his be guid,
tsnely basis by You torequcsfsberieformston shoul iis be rex If You or we wish to request or recommend any addition, modification or otter ehangs to tho Services
+ Deolts wall not verify or tet eny Sfomation povided dreety by You, o indice by tind or performance required under ths Conse, we each agre to fellow the charge coatol procedstes
panes via You, described In Appendix 2
+ Defoiste will adopt a time kimited epproach to our work, opemmting to key milestone dates
dependent oa he seuacy of our asrptons and te fulimet of Yoorrespenabltics, above,
and
+ Deloize wll not review any corrects provisions fa place between You sad tht partes
(©) Client contacts
‘Wo understd that Redric Walliams, Lilgtion Lawyer, wil be Your norsinated pent of contact a
that requests for information aud Jocumentation Soul be copiz! to Belinda Crowe.
Page of 8 Pose bof 8
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
64
em mm mm Me ee ne eee eee ee eee eee eee ee ee ee
Deloitte.
Acknowledgement and ncceptance
We appeeclate the epportiety to be of service to You aad took forward to working with You on this
assignment You ena be assed that It will rocive our close attention
If, Raving considered tho provisions of this Coctract You conclude that they ore reasonsbte fa the
‘context of sll the foctors relating to ocr propoced mppointinert and You wish to engage us on these
terms, please let us have Your writen agreement to these arrangements by slgging end returning 19 es
the enclosed copy of Is leter
Yours fathfity
Deloitte LLP
Post Office L10 agrees to the appolatment of Deloitte LLLP on and subject tothe terms of tho
Contract set out in =~ 7
Duly actors for
Pranced Narxe
Passion:
Date
Enclosures.
Appendix I - Sources of information
Appendix 2 ~ Change Conte! Procedures
‘Appendix 3 ~ Temple Changs
“Appendix 4 « Deloitte LLP Terns of Business, Coesulting nd Advisory Servises
Poze 9 of 8
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
APPENDIX 1
ENGAGEMENT LETTER DATED 9 APRIL 2014
SOURCES OF INFORMATION
For Part I work, we will use the follwing sourcca of formation which have been provided by You
1
2
3.
u
2
1B.
Mw
15
16.
17
“Horizon Core Avdit Process” which outlines how Herizen TING-X has been designed 19
persis,
“Draft Factfile” which deals with bow POL, uses Horizon HING-X in the branch netwoeky
“Description of Fujitsu's System of IT Infrastructure Services supportirg Post Office
Limted’s POLSAP nod HING-X applications” which outlines the enviroaztent in which
Horezan operates
“Table of tie Uefitency themes” whi’
outlines areas thst uaderte sore of the allegations
anomakes™ wich Is an istemtal POL sumaeary of the
Trizon HING-X referring to pera's 6 10 610 of Second Sig's July
2013 Report,
Fujitsu's response on the “Locst Suspense” 14 Branch anomaly,
Fujitsu's response on tho “Receipts Payments" / 62 Branch anomaly,
The “Spot Review Bits which contains tet "Spot Reviews” srt to POL end POL's
pone (ef parn 2.7 of Secor Sights Jly 2013 Report),
Fujitu's “Horizon Dee legs" document, whi povies atcha devepton ofthe
measures bust into Horizon HNG-X to ensure doca integnty, inclading « description of
several failure seeaanos, and descriptions as to how those rmeasures apply kn excl case,
Fujitsu's “Horizon Online Data Integrity for Post Office Lid” dacursert, which provides a
fechaisal description of to measures that are but lato Horizan HNG-X t9 ensue data
integsity and descriptions ns to bow those mear:res apply n each
Current Fujitss POA 1$027001 certification,
The associated Fuss POA ISMS Sta:ervent of Appticsilty,
‘The Post Office Hlontzon PCL DSS cert-fieats,
The Post Office Horizon PCI DSS signed AOC,
‘The Post Office Horizon PC DSS ROC
“The last 3 published Port Office ISMF minutes with Fujitsy and
‘The last 3 Fujitsu Security Ops Reports
‘Additional docurents may be provided by You as part of oer engagement. The full lut of information
sources will be disclosed in our Detverable,
Pose 10ef 18
POL00107160
POL00107160
65
Deloitte.
APPENDIX 2
ENGAGennT Leer DATED 9 APRIL 2014
CHANGE CONTROL PROCEDURES:
1
fat any tite either porty wishes to request or recommend any sition, modification or other
hangs to the Services or performance reqcined ureler the Cortrset {0 “Change”, the party
proposiag the Change will submit a writen request forthe Changs (a "Chanze Request") tothe
‘other party
All Chaoge Reques:s will require the authorsation in waiting by the named person who has
signed the Exgacerent Letter for and on beh iy In te ease of Chargo Requests
rechated by the Gliest or the Deloitte client service partner ns specified in te Engagement Letter
nthe exse of Cheage Reqaess insted by Detonte.
Deloitte wil investizste the iniplications for the Corsract of implementing each Chant
Rejuest, ad prepare and subet to the Chest a proposed Chance Order, en the form atached as
Appenesx 3, in respect of such Chango Request. IT ia & psity’s adgement, the lime wo evaluate
tad respond to one or more Change because of their magnitude, complexity of
frequency, may result in a delay in the Services, thal perty will netfy the ether perty. The
parties wal then need tongree en ezprogriste coureo of action
‘The Client will notify Delolte Ia writing of its decision as to whether oF tot Tt withes 40
Irsplemtert the proposed Change as soon ak reasonably practicable but fa any event no h
5 days (or such other period agreed by the parties) aicr receipt of the Charge Onder submitted
by Delonte Should the partes wash ta proceed with the propased Change, the Change Order
stall be signed by the named person who Fas signed the Engagement Letter for ard on behalf oF
the Chent aad ie chent serviee partice, or other authorised presertztives (such signed
document being referred tons a*“Change Order").
Nether party is obtiged to proceed with any proposed Change (and the related changes) and 0
‘Ckange (and relied ckanges) will be effective end enforceable agaist w perty, ealess end until a
‘Change Onler for that Chango i signed on bebalf of both partes. Until the Change Onder for
sy proposed Change i signed, Detoltte will consi to perform and be pald for the Services as
ifthe Change had not been proposed.
Detoitte shall be entitled tu chasge for wll reasonable costs and expenses facered In connection
with investigating the implications of « Change Request, whether o¢ not a Change Order is
signed in respect of such Chaage Request,
Page Hef 18
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
APPENDIX 3
ENGAGEMENT Letrer DATED 9 APRIL 2014
‘Cuanar: Oxnex Nutone
Dae
Client Name und Addsess>
For the attention of <>
Dear Sits
“This Changs Order (inclading any appendices, schestates, and’or atsehmerts) reconls agreed charges t9 the
Contmet between Deloize LLP (“Deloitte” or “we") and <> dated < >, as armended by prior agreed Change
Order(s) or amendments thereto This Change Onler const ofire onderstanding tod agrecent
between the Client and Deloitic with respect 10 the changes se nt, sipersedes all poe ost
and written conimusieations with respect to seeh changes (inetuding. but not
ray only be arnended in wait, slgned by authorised representatives of both perties,
‘The section(s) of the Engagement Leiter set forth below (end any cetlier Change Onder(s) oF amenlments
thereto] ivare hereby amended. effective as of (effective J3:0 of changes}, by the following text.
1 Scope und objectives,
2 OnrServicesand responsibitities
3 Client Responsibilities and Assumptions
4 Our Charges
S Consequential changes (o the Contract
Pose Hof 18
POL00107160
POLO0107160
66
POL00107160
POL00107160
' Deloitte, howged Deloitte.
cpt a expres ont remain eel ease
undisste Your agreement to the terms of this Change ‘retumiing £0 Deloitte the enclosed ENAGEMReT LerrerDATED9 Arutt.2014 APPENDIX 4
sopy ofthis Change Order. DELOITTE LLP - TERMS OF BUSINESS
Yours fauthfally,
Partner
Defoltte LLP 1 umcosmucrennwases
15 Thawsele sf fe gure btw 4s fae "Clan 0)
preening of Ge nx Set Bake 2 paw a
=
‘Agreed by Past Office Lad
Neat of os may mano cares Hin he ne
Saved: — Sve toe may ungn Ge bene af Ka Comet yf
Friaoe Paring Icecream © oar oben. Twn
For ead en beScIfof Pest Office Lut se egw ht ayo NER BI
10 Tae cent en vane at ay pe ai
2 OFRSERVICTS AND MrsroNEUMILETIES TO YOR
21 Toe soaps cet mre snd ay Dera tbe
fn, fos Cr eer mis aed tee for et
eerste oe bet Dan Sayer cto
rege sof 18 Page tof 18
DRAFT FINDINGS °
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
. 67
POL00107160
POL00107160
Deloitte. Deloitte.
than asc bye sven pine SA
3 YOUR RINONSEITLETIES
31 Yow av rrenubie fa arming ate ani of
‘Sere ppp yur ae
32 Ourperemanee of 4 Seren, te inte See fe ‘So acon mh sy he dace ral he epageen
ge a oe mh re any tne 26 yas owt ncn he Mork Ym ae
‘ any mcomptore et ma be Be peck La Soman
‘hae who fou bdr ony of Be sre ea
ieee 42, Yowandwotsre tu nether oft wd ee oars ene,
ial sere mors, logon Rede nines ant tec
et be wen een
23. You 9 pie mat wenton aw nce 4
6 LARLY PxOYEIONS
(Rttxnuum of Serenen. Ios wet yor nove el at
61 _We wt per Serer wek rennet a
roouie ne
SGrot a witch hbk ooo yt fn
{Geet rw bet ee you oy
Sauron nant et ower eat
‘Sain ser Gogsto ner) wtb on oy fe Be
‘Stet att att Ey od ae te
‘Serve ond Oaniuey Liou tse pred oe Korn Cal yea ew earn may be pfomancy of
Shee portray comple wnt emening We wil ml Sentchoutedteebecs to Cie Jour Tay wo Yow Cor ar iraes comet weg, abet wees be Rg
Retwpsnntleke convents ofan icarnaton paved init advert mad muy deeply. het Pom ay SHED Ww yu Pome
‘a becouse ote Sones uate compe acne care eakinoney
S21 We it nat ede he soy Lome eine of yur ae
24 Wace needed et wm paring Sees, yout 4S WSen gout sever et we may ics en far Deaths uu vk foo pnp Wat
Gute aecooom ond chan mange sees Pompey.) Mat webu aed Younes oo bacon oa Cay ‘Stoutbede Faget eter
622, We wit ect be Hane Re Lois sees fern Be ms of
Seto ay rte ny
Sheen (acc nay DA pared
Spouenelewes pms war
‘aSceraninn? a(n) key wa prompey ened ofa eyo
tr eveapnae Inj hat vad fo Sanne (623) We wel ot by Bae a Lonet wg Aw pt o
aw of fan, melon or cept tren 3
ie 7 o be wehelaeg 67
tere cr oot cs err Ea err ou et 626 Any Nate thes we my Pave os poet oe be
einen se nei on eck to eyo Spee ead 6 Loe oe
iver be Server You al be ropa be Oe manage of (os bem peomed Tented no st
{Set pene md te porarmance ecnng fhe Het hd root i Paty econ to be pot ma cca,
qaiyeloee stanton reg gd te eto padi ltt Levey
‘oc you Grcdng Yow Given, afer, emptor
19. You it ahate rpenble fr png he Charge ont Total wy ice oer anon he pei a
sree Gree. ‘Srenty habe fou 4 aw pt of ae La,
femal yey Cal Doe's Ey tw yu a
Leqadadree $4 _sae m crety pone by Leen Lm trite ary ercimunoe eteed in eeeene Beamon
2 ur Soe may Be canned eng you Ia ase, {enon ter un yous lye Gt Dounce Wen cre A a eho Peron
oo
‘Terved oz ewan ces organ toy Soe ern Be ato any mh we pron uct ny eco,
{Srv Be Delacorte at yy ite whe sl
(pepe by yer Kes iy tw el pede coe
Pose 1S of 18 Page 160f tt
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
68
I, @EBaene ee eee eee Pee ee ee eee eee eee eee
Deloitte.
625 Ones ney of hameee wane, weer me ea
ssnemtim set me Be Poca Lc niet we hare ae
Eee ee ar Line ot i ey ade
Srvoe prove mere. concn oe camutng haw eed We
‘5 be yo Law wen eon ry arnt FS) 1B
ead
173A Sot eens sun Bat tw ve al and pout
ems decile tee yout roman, enh Twa ey
Uo sowuteicyi tem
74 ide chrome acd fe Dried ete we
se or Cert mat aa od fl reo
Trees we aw aoe
sae amare ‘Youre Calne wet ees eas yon
eco Fy wet pvilag Pe Ha of
Scdncchew oe
74 et onsen i a ed pe
Presto on Cont oy
‘8 TeRMnaTiON
AL We cach ay rete Sa Cote
‘reat EG Ce bre no lon
SEL iy meee xf recon Abana er of ty
‘ermhins on Cc a ry Une ot 3 dye wie PCED
one
Soa ou ten you a tin wc
42 eae pe ower nox aces iy yt ay pewter ait re a
‘Sa yea Da Doe Pty sa be able et La Tegb7 ween otk Wo wl ie Jou enoo
Phd heh Link Aral et Le cr dost traor sme fo rece
eaace sur Dott woe GO rela ac abc Cll rar ctmenstenmsctcance
‘ive ae
$4 Nokang bat Center wh ence, eet (Prev
a lng rene spect of say Dy arg orn ad
seers wie cae lay be mae me
463, Uatew ma fen ty 4 ext dey have ee Ht
ecaty etree Scceec tie apa ine
Aer rons se Cao tet mpi ty
Soy stata el ee soer monet
97 GENERAL TERS OF BLSIVESS.
Sees cna by Se Dard oy of fe Doe PPC, Yom .
~ Bates apse al Lacs Serie
Shek ey meat ae cence r Ca aay me ft eves Wb you cuit be
hf camer) ot ce ok th Cyn me Sale WhO ay MEE a PRE
‘posceang fa “Chore” hove by bey RD pory ry mty——_Jowabakl eB uta Wh pine rem ot Pog
Pe fn fae Cac whe [Be Semen po. Uf wont poe ib mae
Sundnd yor accra oo near ‘ ul putes yor uh ra
Eforcity Yo een wah
‘Se Canenctomat beng when 1 aa fe i OR
partes
7 cuaRces:
owe
Geman Maite
92 We wil regu a captions You har the He bo he
Instone wt Coote Ararotrt
tener OSE) preeey wendy Mt
‘torneo Moree wi beat Pm by Oe Com ft
{rcwre Depa Rechte fe war hat ot ben sl
22, Arrpuame ete kovert Gere betel ‘ova 43 ays af ck pee bg
yee ot manent Ba work ee ha Kat Of
Page If 18
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
Be pater ary BE dea wed ete let
Page 18 0G 18
POL00107160
POL00107160
69
POL00107160
POL00107160
Appendix 5: Change Order 01
Deloitte.
EGacuMENT LETTER DATED 09 APRIL2014
CHANGE ORDER NusRER OL (VERSION 2)
6 Miy 2014
Dew Siee
‘hls Change Order (including any appentiec, schedules, nodloratinconens) reconds soreed charges
tothe Coca between Debit LL Celie” or "WE nl Pst Oe PO." of Ve dated
09 Apeit 2014, as amended by pe Change Orders) or amendments thereto, ‘This Change
‘Orde antes the ene wording and wrcenent Between tc Clem sod Delete wih respect
to the changes set out inthis document, supersedes all prio oral and writen communications sich
respec o sch changes (inhling. bot not ited fo Canse Rees), and ry only be amend in
\weting signed by ouorised repreciitives ofboth pees
‘The section(s) ofthe Legngement Letter set forth below are hereby amended, effective as of 06 May
2014, ty the following text?
1 Yeojeet scope und objectives
‘Your peofct scope and objectives rersin as previously described within ovr engyeanent fetter dated
09 Apeil2014,
2 OurServices und respon
Our services wihlo 2(0) of eur cuntrct dxed 09 Apwil 2014 will bs amended 10 Inca the 19
following extension areas:
stemsbon Ae L
Detoite wal eoatin to review fertber supplied documentation relating (othe 2010 implementation of
1INO-X aod other key project documestation supplied by POL, fa onler to compare the naire nk
eaten of prefect governance and Jocurentalion With the Defolie methodology. The asseszment wall
Ineude m review of documents that outline if nel bow trnssctioral branch dntaflowes and Aut Store
‘features ofthe sysern wert Impacted bythe impiemertation,
In adgnion Debio wil assess documeiatin eating t0 signofTof business requirements a8 wel
{he projets testing telson tetig assurance provision
Deloitte wit inegmie a deseiption of our approach, findings aa recommendations from this work
nto our detwernbie.
corer
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
Extensa Aree 2
Debi wit view father desurmenatin elit the rife deg fates of he posing
‘svicooment which ore asserted fo be fn pice to underpin two hey objectives.
1, ‘That subpost masters have fell oumershp and visibity ofall recor i thei Branch ledger,
2 That the rane leper recon are kept bythe system WE integrand ata al
Deloste ill produce n schedule of tet spesife design fares, Wnt only trough dato
review of documentation provid by Post Office, and usc thi to ausess whether the existence ofthe
specie design feeture hs been ested andor essed, Deloite wil comment on the 2 polnt above tn
thiscontext.
‘oF documentation and wil not perform any ip
Detolte will not ‘on the qa
‘or operating effectiveness testing,
‘Delote's work, sil based on desktop review procedures wil also Include:
+ Conoboratin with an appropeate Deo specialist to valate the Auda Store's trop proof
rmecbanisens
+ Understanding key histori changes tn oder to assess If key evens which cool! have ince
the contol design features above.
+ ‘Tighligiting those design fextuces where father implementation or opsraling effectiveness
‘eeling should be consdered by POL to provide further assurance tothe Board,
Deloitte wi integrate a desertion of our approach, findings and recommendations (rm this work
Into our deliverable,
In addition to the above acess of adtlonsl service, Delite will support the delivery of ongoing
‘projet update mectinga with POL. stakshotlersprepaee » Bona Upeace document (mavked as Dro)
{5a cogs of our work on the Tueny [3 May 2014 ad Friday 16" Moy 2014.
4 Owe Charges:
‘Que tine charpes for this additonal work wil be charged on a tine and mates based, in tie with
theraleeard shown in our original Engagement Letter.
S Consequentiat ehanges tothe Contenct
[xcept es expressly modified heel all othe terms en conto ofthe Contract remain unctanged.
Pleas inleste your agreinent tothe terms ofthis Change Order by signing and returning 10 Debate
‘the enclosed copy ofthis Change Orde
coaster
70
Deloitte
Gareth James:
Partner
Deloitte LLP
Ageced by Post OF
Signed:
For and on behalf of Post Office limited:
Printed Name: Caras Avrae .
vostin —_ Genenat. Covnser.
Date: 15-04 20/4
obec tt?
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00107160
POL00107160
71
POL00107160
POL00107160
Statement of Responsibility
We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters
raised in this report are only those which came to our attention during the course of our work and are not
necessarily a comprehensive statement of all the weaknesses that may exist or all improvements that might be
made. Any recommendations made for improvements should be assessed by you for their full impact before they
are implemented.
Deloitte LLP
London
May 2014
In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom
member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose
member firms are legally separate and independent entities. Please see wwvw.deloitte.co.uk/about for a detailed
description of the legal structure of DTTL and its member firms.
© 2014 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
{I = 8