POL00117611 - Letter from Deloitte to Mr Chris Aujard RE: Summary of assurance work undertaken on Horizon HNG-X system to assist POL - signed


POL00117611

Deloitte

(P.O. Box 500)
2 Hardman Street
Manchester M60 2AT

Mr Chris Aujard
Post Office Ltd
148 Old Street
London

EC1V 9HQ

9th April 2014
Dear Sirs

STRICTLY PRIVATE AND CONFIDENTIAL
PRIVILEGED IN CONTEMPLATION OF LITIGATION

We are pleased to set out for your approval the arrangements under which we propose to assist Post
Office Ltd (“POL” or “You”). We understand that You are responding to allegations that the
“Horizon HNG-X” IT system, used to record transactions in Post Office branches, is defective and/or
that the processes associated with it are inadequate (the “Allegations”).

In order to respond better to the Allegations, You require services from us, as outlined in paragraph
2(b) below. These arrangements are set out in this letter together with the enclosed Terms of Business
and appendices.

So that we are able to assist You effectively, please ensure that You have considered fully all of the
terms and conditions set out in this letter and its enclosures and that You are satisfied that the scope of
our Services described below is sufficient for Your needs.

1 Scope and objectives

In order to respond better to the Allegations (which have been, and will in all likelihood continue to
be, advanced in the courts), You want to demonstrate that the Horizon HNG-X system is robust and
operates with integrity, within an appropriate control framework. In response to this, You have either
been provided with or commissioned a number of independent assurance reviews into matters relating
to Horizon HNG-X’s operating environment and processing integrity.

The purpose of seeking input from Deloitte LLP (UK) (“Deloitte”) is to provide, based upon the
information made available to us by You, an independently produced summary of the assurance and
other work undertaken, over your current day Horizon HNG-X system, for presentation to and
discussion with the POL Board (“Part 1 work”).

We understand that the input provided by Deloitte will inform Your decisions relating to potential
areas of additional work that You may choose to commission to respond better to the Allegations, and
that we may be involved in the delivery of such additional work (“Part 2 work”) under either a Change
Order or separate Engagement.

You have asked us to provide the Services set out in Section 2 below and to prepare the report
described in Section 2(d) (the “Purpose”).

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its
registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited
by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a
detailed description of the legal structure of DTTL and its member firms.

Member of Deloitte Touche Tohmatsu Limited
Official professional services provider to the Olympic and Paralympic Games


We understand that any work being undertaken by us in accordance with this engagement letter is
being undertaken in relation to ongoing litigation and/or potential future litigation, and hence is subject
to legal professional privilege.

In addition, this matter is strictly confidential. Save as permitted under Section 4 of our terms of
business, no information relating to this matter, or our work for it, will be disclosed to any third party
without mutual written consent.

You have advised us that all correspondence and all preparatory papers for any report we might make
are legally privileged, as they are being prepared in relation to ongoing litigation and linked to the
provision of legal advice. Outside of the Engagement Team, or other Deloitte Partners and employees
necessary for us to deliver our work, we will therefore take reasonable skill and care to identify papers,
memoranda, correspondence and other materials prepared by us as being “Legally Privileged and
Confidential” (or bear equivalent wording) and that they are circulated through Rodric Williams, Your
Litigation Lawyer.

2 Our Services and responsibilities
(a) Our Engagement Team

It is our intention that Gareth James will be the Partner responsible to You for the Services described
in this letter, unless otherwise agreed with You (such agreement not to be unreasonably withheld or
delayed). David Noon, our Service Line Leader with overall responsibility for the services we provide
to You, will also be available as required.

Chris Lauder, a Director within our Governance and Controls team, will lead the delivery of our
Services to You, together with Mark Westbrook and Charlotte Desourdy, both Senior Managers. They
will establish direct working relationships with the appropriate people working on the Client Team.
Gareth, Chris, Mark and Charlotte will be supported by Tom Scampion, Partner, who has particular
experience in performing work and preparing reports under similar circumstances; and other members
of our team as required.

We understand that You do not require any of our team to be available to act as a named expert
witness. Should this be required, we would need to agree a separate engagement letter for those
Services and Deliverables.

Together they comprise the “Engagement Team”.

For the purposes of this engagement, we are advised that the client team at POL will consist of Lesley
Sewell, Chief Information Officer; Chris Aujard, General Counsel; Belinda Crowe, Programme
Director; Julie George, Head of Information Security (deputising for Lesley Sewell if absent); and
Rodric Williams, Post Office Ltd Litigation Lawyer. The client team will report on this engagement to
Paula Vennells, Chief Executive. We note that we will be advised of any future changes to the client
team.

Together they comprise the “Client Team”.
(b) Services
Part 1 of our Services will provide the following:

* Obtain an understanding of the Allegations; the key risks in and internal controls over the
Horizon HNG-X processing environment relevant to the integrity of processing; the measures
in place to record and preserve the integrity of system audit trails and other background
matters that we may deem necessary to complete our Deliverable;


* Obtain an understanding of the key differences between the current Horizon HNG-X
processing environment, and the system which this replaced (here-to referred to as the “legacy
Horizon system”);

* Review, understand and consolidate the corresponding investigations, assurance activities and
remediation actions which You or third parties have undertaken (see Appendix 1 for the
“Sources of Information” known to be within scope at this stage) focussing on three primary
areas:

  o Work that has been performed to assure the design and operation of key control
  activities that created and preserve the integrity of processing across the Horizon
  HNG-X environment (the Audit Store);

  o Work that has been performed to assure the design and operation of key control
  activities that created and preserve the integrity of interfaces with the DVLA third
  party system and the Horizon HNG-X environment;

  o Investigations and actions that have been taken in response to the thematic findings of
  Second Sight, as outlined in Your supplied document “POL Summary of Second Sight
  anomalies” (see Appendix 1);

* Hold discussions with relevant members of Your staff and other key stakeholders as
pre-agreed with You, to deliver the work outlined above;

* Prepare the Deliverable outlined in section 2(d) below;

* Attend twice weekly meetings or conference calls with Your Client Team, to explain our
approach, status of work and the commentary within our Deliverable; and

* Carry out any other work required by You which is reasonably incidental to the above.

You do not require Deloitte to comment on or test the quality of the assurance work performed, nor
opine on its adequacy, sufficiency or conclusions, or the integrity of the Horizon HNG-X processing
environment (nor the legacy Horizon system).

As engagement requirements are discussed, clarified and agreed further, we will outline the additional
scope and timeline for such work via the Change Order process as set out in Appendix 2. Any Part 2
work You require us to perform will be agreed under these Change Order processes. This may include,
but will not be limited to:

* Testing on data held within the system audit trails, to assess (for example) conclusions
previously drawn by Fujitsu into the extent of known deficiencies;

* Assessment and profiling of system audit trails, to look for characteristics of and trends in
unusual behaviours in the system transactional core;

* Enquiry into and testing of the nature and extent of unit, system and user acceptance testing of
the Horizon HNG-X processing environment, during its implementation;

* More detailed consideration as to any aspects of the internal control environment which
operate over the current Horizon HNG-X processing environment which were not in place or
operating over the legacy Horizon system.

* Understand the nature and extent of interfaces with other third party systems and test the
operating integrity of dataflows to and from certain of these systems; and


* Testing of responses to thematic concerns raised by other independent reviews.

The scope of our services and any deliverables will be limited solely to the Services and Deliverables
set out in this Contract. We will make no representations in respect of and will not consider any other
aspect.

Our work will be performed through a combination of desk based inspection of documentation,
corroborative enquiry and through third party provided evidence or contact, as agreed between You
and us.

(c) Our responsibilities

In performing the Services, we will be responsible for:
* undertaking the procedures as necessary to produce our deliverables; and
* confirming the factual accuracy of our report with You.

You agree that other than as set out in the Services section above, we will not audit or otherwise test or
verify the information given to us in the course of the Services. In particular, unless otherwise
instructed by You to do so, we will not perform or re-perform any assurance work that has tested and
concluded on the design, implementation and operational effectiveness of any internal controls over
the Horizon processing environment.

Our work will be limited by the time and the information available. Whilst we will report our findings
in accordance with the agreed scope of work having considered the information provided to us in the
course of carrying out the Services, additional information that You may regard as relevant may exist
that is not provided to (and therefore not considered by) us. Accordingly, our Deliverable(s) and our
work should not be relied upon as being comprehensive in such respects. We accept no responsibility
for matters not covered by or omitted from our Deliverable(s) due to the specific nature of our work
instructions from You.

In particular, we note that, in certain respects, we will be reliant on the integrity of those people whom
we interview, and that our ability to corroborate and test what we have been told may be limited by the
available information.

We shall discuss with You any difficulties we encounter with completing our work should any
problems arise.

You acknowledge that You are responsible for establishing and maintaining an effective internal
control system that reduces the likelihood that errors or irregularities will occur and remain
undetected; however, it does not eliminate that possibility. Nothing in our work guarantees that errors
or irregularities will not occur, nor is it designed to detect any such errors or irregularities should they
occur.

The scope of our Services and our responsibilities will not involve us in performing the work
necessary for the purpose of providing, neither shall we provide, any assurance on the reliability,
proper compilation or clerical accuracy of any plan, budget, projection or forecast (“prospective
financial information”) nor the reasonableness of the underlying assumptions. Since any prospective
financial information relates to the future, it may be affected by unforeseen events. Actual results are
likely to be different from those projected because events and circumstances frequently do not occur as
expected, and those differences may be material.


(d) Format and use of the Deloitte Deliverables

The format and timing of the reports (the “Deliverables”) issued by us will be agreed with You. The
content of such Deliverables is expected to be an executive summary and a written report, as follows:

Executive Summary:

A summary of our objectives, approach, work performed and observations, suitable for Board
presentation and discussion in their meeting on the 30 April 2014 (noting any key outstanding
points, if applicable, and subject to the accuracy of our assumptions and the fulfilment of
Your responsibilities, below);

Written Report:

* Introduction — reconfirming the context of our appointment and the scope of work performed.

* Our Approach — outlining the procedures we have adopted in the delivery of our work, those
documents reviewed and the individuals we have interviewed;

* Understanding the Horizon HNG-X Processing Environment — based on the documentation
provided to us, provide an overview:

  o Relating to the Technical processing environment — envisaged to be a description of
  technical matters of the Horizon HNG-X system, consisting of, where information is
  provided to us:

    - key statistics relating to the processing environment and its range of functions (as
    stipulated by Fujitsu), including the design and operation of the data integrity
    protocols (the Audit Store);

    - key matters relating to its network architecture, internal and external interfaces,
    software components, hardware components;

    - key matters relating to its history, including the timing of its implementation, the
    nature of Governing responsibilities over this project and the key enhancements
    that Horizon HNG-X delivered compared to the legacy Horizon system; and

    - key responsibilities relating to the current operation of the Horizon HNG-X
    processing environment, including change control, security management, system
    operations (including error handling procedures, follow-up and resolution),
    end-user support and system recovery, and assurance responsibilities over these key
    controls.

  o Relating to the User environment — envisaged to be a description of the usage
  environment of the Horizon HNG-X system, consisting of, where information is
  provided to us:

    - a description of the types of users in the system and the physical environments in
    which Horizon HNG-X is accessible;

    - the types of transactions processed by the system and, at a reasonable level, how
    the integrity of these transactions is verified and preserved;

    - how more than daily, weekly, monthly, quarterly and annual reconciliation
    processes operate and how variances and/or errors are handled;

    - the nature of key workarounds and other ad hoc processes that are commonly
    adopted by users; and

    - a summary of the categories of the alleged defects in Horizon HNG-X;

* An Assurance Map - showing those sources of Your assurance which You have shared with
us and the areas of key risk relating to the integrity of processing that these were designed to
assure;


* Matters for Consideration - an assessment of Your Assurance Map in the context of Your
objectives and significant matters we have observed during our work that we recommend You
consider further.

Any Deliverable should not be copied, referred to or quoted to any other party, except in the context of
Your defence of the Allegations, or be used for any other purpose. We draw Your attention to clause 5
of the enclosed Terms of Business that sets out the conditions under which the Deliverables will be
provided to You.

In the event that You wish to share our Deliverable with third parties, we may consent to such a course
subject to us receiving ‘hold harmless’ undertakings (or their equivalent). These procedures notify
them that:

* the disclosure to them will not create any duty, liability or responsibility whatsoever to
them in relation to our Deliverable or any of its contents;

* the Deliverable was not prepared for their use or with their needs or interests in mind; and

* they should keep our Deliverable confidential and not copy or circulate our Deliverable, or
any extracts of them, to any third party without our express written permission.

We understand that You are unlikely to make any public announcements which would refer to our
work. If this situation changes however, You agree that You will not make any such public
announcement(s) on this matter referring to Deloitte or our work in any way without providing prior
notification of the wording of any public announcement to us and without our prior written consent to
such wording, such consent will not be withheld unreasonably.

3 Client Responsibilities and Assumptions

(a) Client Responsibilities

In connection with the provision of the Services, we refer You to clause 3 of the enclosed Terms of
Business. These confirm Your responsibility for the provision of information and decision-making in
connection with the Services we are to provide. In addition, our delivery of the Services is dependent
upon Your completion of the following:

* You acknowledge and agree that our performance of the Services is dependent on the timely and
effective completion of Your own activities and responsibilities in connection with this
engagement, as well as timely decisions and approvals by You;

* You agree to making available to us all information You deem relevant to this review;

* You agree to providing timely access to relevant personnel in order for us to obtain sufficient
information to inform our understanding and report;

* Unless we are otherwise instructed, You agree to carrying out all contact with third parties;

* You agree to providing a nominated point of contact for us throughout the work;

* You agree to provide a room for our team and secure storage facilities for paperwork, if required,
at 148 Old Street, London; and

* You agree to assess the Deliverable we provide to You, to determine the most appropriate courses
of action for You.


You acknowledge and agree that our performance of the Services is dependent on the timely and
effective completion of Your own activities and responsibilities in connection with this engagement,
as well as timely decisions and approvals by You.

The responsibilities set out above and those contained in clause 3 of the Terms of Business are
together referred to in this Contract as the “Client Responsibilities”.

(b) Assumptions

The Services, Charges (as set out in Section 4 below) and timetable are based upon the following
assumptions, representations and information supplied by You (“Assumptions”).

* Horizon HNG-X is also known as Horizon Online in Your organisation. We will refer to the
processing environment as Horizon HNG-X throughout our work. The system which Horizon
HNG-X replaced will be referred to as “the legacy Horizon system”.

* Only matters relating to the Horizon HNG-X processing environment will be considered in our
review. We will not consider any information relating to the legacy Horizon system, with the
exception of that necessary for us to obtain an understanding of key enhancements that the
Horizon HNG-X delivered when it was implemented;

* Deloitte will not provide a legal or any other opinion at any point throughout the work;

* That sufficient information is available on a timely basis regarding the scope of Services and
Deliverables for us to be able to carry out our work;

* That all pertinent information relating to the nature of the Allegations against You has been
provided to us such that we are fully aware of the detail of the Allegations;

* Unless otherwise instructed, that Deloitte staff will have no direct contact with any third parties
other than named Fujitsu contacts that You provide to us;

* The individuals we may need to interview will be available to us for sufficient time for us to
perform our work during the period of our assessment and third parties can be contacted on a
timely basis by You to request further information should this be required;

* Deloitte will not verify or test any information provided directly by You, or indirectly by third
parties via You;

* Deloitte will adopt a time limited approach to our work, operating to key milestone dates
dependent on the accuracy of our assumptions and the fulfilment of Your responsibilities, above;
and

* Deloitte will not review any contractual provisions in place between You and third parties.

(c) Client contacts

We understand that Rodric Williams, Litigation Lawyer, will be Your nominated point of contact and
that requests for information and documentation should be copied to Belinda Crowe.


4 Our Charges

We will base our charges upon the actual time and materials incurred, plus out-of-pocket expenses and
applicable value added tax. The billing rates we will apply match those of previous specialist advisory
work which we have performed for You in 2013.

We estimate that the Part 1 work will take 15 days of senior time to deliver. To provide some certainty
over our fees, we will cap our total fee for Part 1 work at £50,000 (plus VAT and out of pocket
expenses). Charges for work done under a Change Order will be based on the rate card below (in
addition to this fee cap for the Part 1 work), unless otherwise agreed.

Grade               Advisory Rate /hr
Partner             £630
Director            £540
Senior Manager      £430
Manager             £400
Senior Consultant   £310
Consultant          £185
Analyst             £145

If during the course of our work, or Change Order there-under, a need for ancillary specialist services
not specified in this Contract is identified, agreement to their use and related charges will be obtained
before any expenditure is incurred.

5 Terms of Business and Liability Provisions
The enclosed Terms of Business form an integral part of the Contract between us and Your attention is
drawn to them. You agree that for the purpose of clause 6 of these Terms of Business, our aggregate
liability arising from or in any way in connection with the Services shall not exceed £750,000.

6 Variations
If You or we wish to request or recommend any addition, modification or other change to the Services
or performance required under this Contract, we each agree to follow the change control procedures
described in Appendix 2.


Acknowledgement and acceptance

We appreciate the opportunity to be of service to You and look forward to working with You on this
assignment. You can be assured that it will receive our close attention.

If, having considered the provisions of this Contract You conclude that they are reasonable in the
context of all the factors relating to our proposed appointment and You wish to engage us on these
terms, please let us have Your written agreement to these arrangements by signing and returning to us
the enclosed copy of this letter.

Yours faithfully

Deloitte LLP

Post Office Ltd agrees to the appointment of Deloitte LLP on and subject to the terms of the
Contract set out in this Engagement Letter and its enclosures.

Signed:

Duly authorised for and on behalf of Post Office Ltd
Printed Name: [illegible]
Position: [illegible]
Date: 25 (14 j 2cit

Enclosures:

Appendix 1 — Sources of Information

Appendix 2 — Change Control Procedures

Appendix 3 — Template Change Order

Appendix 4 - Deloitte LLP Terms of Business, Consulting and Advisory Services


APPENDIX 1

ENGAGEMENT LETTER DATED 9 APRIL 2014
SOURCES OF INFORMATION

For Part 1 work, we will use the following sources of information which have been provided by You:

1. “Horizon Core Audit Process” which outlines how Horizon HNG-X has been designed to
operate;

2. “Draft Factfile” which deals with how POL uses Horizon HNG-X in the branch network;

3. “Description of Fujitsu’s System of IT Infrastructure Services supporting Post Office
Limited’s POLSAP and HNG-X applications” which outlines the environment in which
Horizon operates;

4. “Table of the deficiency themes” which outlines areas that underlie some of the allegations
that Horizon HNG-X is deficient;

5. “POL Summary of Second Sight anomalies” which is an internal POL summary of the
anomalies within Horizon HNG-X referring to para’s 6.4 to 6.10 of Second Sight’s July
2013 Report;

6. Fujitsu’s response on the “Local Suspense” / 14 Branch anomaly;

7. Fujitsu’s response on the “Receipts Payments” / 62 Branch anomaly;

8. The “Spot Review Bible”, which contains the ten “Spot Reviews” sent to POL and POL’s
responses (cf para 2.7 of Second Sight’s July 2013 Report);

9. Fujitsu’s “Horizon Data Integrity” document, which provides a technical description of the
measures built into Horizon HNG-X to ensure data integrity, including a description of
several failure scenarios, and descriptions as to how those measures apply in each case;

10. Fujitsu’s “Horizon Online Data Integrity for Post Office Ltd” document, which provides a
technical description of the measures that are built into Horizon HNG-X to ensure data
integrity and descriptions as to how those measures apply in each case;

11. Current Fujitsu POA ISO27001 certification;

12. The associated Fujitsu POA ISMS Statement of Applicability;

13. The Post Office Horizon PCI DSS certificate;

14. The Post Office Horizon PCI DSS signed AOC;

15. The Post Office Horizon PCI DSS ROC;

16. The last 3 published Post Office ISMF minutes with Fujitsu; and

17. The last 3 Fujitsu Security Ops Reports

Additional documents may be provided by You as part of our engagement. The full list of information
sources will be disclosed in our Deliverable.


APPENDIX 2
ENGAGEMENT LETTER DATED 9 APRIL 2014
CHANGE CONTROL PROCEDURES

1 If at any time either party wishes to request or recommend any addition, modification or other
change to the Services or performance required under the Contract (a “Change”), the party
proposing the Change will submit a written request for the Change (a “Change Request”) to the
other party.

2 All Change Requests will require the authorisation in writing by the named person who has
signed the Engagement Letter for and on behalf of the Client, in the case of Change Requests
initiated by the Client or the Deloitte client service partner as specified in the Engagement Letter
in the case of Change Requests initiated by Deloitte.

3 Deloitte will investigate the implications for the Contract of implementing each Change
Request, and prepare and submit to the Client a proposed Change Order, in the form attached as
Appendix 3, in respect of such Change Request. If in a party’s judgement, the time to evaluate
and respond to one or more Change Requests, because of their magnitude, complexity or
frequency, may result in a delay in the Services, that party will notify the other party. The
parties will then need to agree an appropriate course of action.

4 The Client will notify Deloitte in writing of its decision as to whether or not it wishes to
implement the proposed Change as soon as reasonably practicable but in any event no later than
5 days (or such other period agreed by the parties) after receipt of the Change Order submitted
by Deloitte. Should the parties wish to proceed with the proposed Change, the Change Order
shall be signed by the named person who has signed the Engagement Letter for and on behalf of
the Client and the client service partner, or other authorised representatives (such signed
document being referred to as a “Change Order”).

5 Neither party is obliged to proceed with any proposed Change (and the related changes) and no
Change (and related changes) will be effective and enforceable against a party, unless and until a
Change Order for that Change is signed on behalf of both parties. Until the Change Order for
any proposed Change is signed, Deloitte will continue to perform and be paid for the Services as
if the Change had not been proposed.

6 Deloitte shall be entitled to charge for all reasonable costs and expenses incurred in connection
with investigating the implications of a Change Request, whether or not a Change Order is
signed in respect of such Change Request.

APPENDIX 3
ENGAGEMENT LETTER DATED 9 APRIL 2014
CHANGE ORDER NUMBER ___

Date

<Client Name and Address>
For the attention of <>

Dear Sirs

This Change Order (including any appendices, schedules, and/or attachments), records agreed changes to the
Contract between Deloitte LLP (“Deloitte” or “we”) and <> dated < >, as amended by prior agreed Change
Order(s) or amendments thereto. This Change Order constitutes the entire understanding and agreement
between the Client and Deloitte with respect to the changes set out in this document, supersedes all prior oral
and written communications with respect to such changes (including, but not limited to Change Requests), and
may only be amended in writing, signed by authorised representatives of both parties.

The section(s) of the Engagement Letter set forth below [and any earlier Change Order(s) or amendments
thereto] is/are hereby amended, effective as of [effective date of changes], by the following text:

1 Scope and objectives

Our Services and responsibilities

Client Responsibilities and Assumptions

Our Charges

Consequential changes to the Contract

Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged. Please
indicate Your agreement to the terms of this Change Order by signing and returning to Deloitte the enclosed
copy of this Change Order.

Yours faithfully,

Partner
Deloitte LLP

Agreed by Post Office Ltd:

Signed:

For and on behalf of Post Office Ltd

Printed Name:

Position:

Date:


APPENDIX 4

ENGAGEMENT LETTER DATED 9 APRIL 2014
DELOITTE LLP - TERMS OF BUSINESS

DELOITTE LLP
TERMS OF BUSINESS

Consulting and Advisory Services

1 THE CONTRACT BETWEEN US

1.1 The whole of the contract between you (the “Client”, or “you”)
and the UK limited liability partnership of Deloitte LLP (“Deloitte” or
“we”) is described in the covering engagement letter, proposal and/or
statement of work and any appendices and enclosures thereto other
than these Terms of Business (“Engagement Letter”), and these Terms
of Business, (together the “Contract”). Nothing we discussed prior to
your signature of the Engagement Letter induced, nor forms part of,
the Contract (including but not limited to any confidentiality
agreements which, if any, you agree are terminated hereby) unless it is
specifically set out in this Contract. No-one is authorised to agree any
variations in the Terms of Business or the Contract unless any
variations are documented and agreed in writing between us.

1.2 If we have already started work (e.g. by gathering information,
project planning or giving initial advice) then you agree that this
Contract applies retrospectively from the start of our work.

1.3 The definitions set out in these Terms of Business, the
Engagement Letter and any appendices or enclosures shall have the
same meaning throughout this Contract. If there is a conflict between
these Terms of Business and the Engagement Letter, these Terms of
Business govern.

1.4 If any provision of this Contract is determined to be illegal,
void or unenforceable in whole or in part, such provision or the
affected part shall be deemed not to form part of this Contract but all
other provisions together with the remainder of the affected provision
shall remain in full force and effect.

1.5 Deloitte LLP is the United Kingdom member firm of Deloitte
Touche Tohmatsu Limited (“DTTL”). For the purpose of this
Contract, “Deloitte Parties” means all entities that are members of the
DTTL worldwide network and each of their subsidiaries,
predecessors, successors and assignees, and all partners, principals,
members, owners, directors, employees and agents of all such entities.
Deloitte LLP (which for these purposes includes reference to its
subsidiaries) uses the word “partner” in respect of its members and
certain of its senior employees in its dealings with you to describe,
respectively, a member and senior employee of Deloitte LLP in their
capacity as such. Deloitte LLP gives a number of its employees the
title of “director”, which denotes that they are senior employees and
not that they hold the office of director for the purposes of the
Companies Act 2006.

Contracting parties and assignment
1.6 This Contract is between you and Deloitte. You agree that your
relationship is solely with Deloitte as the entity contracting with you
to provide the Services. Notwithstanding the fact that certain Services
under the Contract may be carried out by personnel provided to
Deloitte from other Deloitte Parties through service or other
agreements, you agree that none of the Deloitte Parties (except
Deloitte) will have any liability to you and that you will not bring any
claim or proceedings of any nature (whether in contract, tort, breach
of statutory duty or otherwise and including, but not limited to, a
claim for negligence) in any way in respect of or in connection with
this Contract against any of the Deloitte Parties (except Deloitte) or
any subcontractors that we may use to provide the Services. The
foregoing exclusion does not apply to any liability, claim or
proceeding founded on an allegation of fraud or other liability that
cannot be excluded under English law.

1.7 This Contract does not make either of us an agent or legal
representative of the other, nor does it create a partnership or joint
venture.

1.8 Neither of us may assign or otherwise transfer the benefit of
this Contract without the prior express written consent of the other,
save that we may assign the benefit of this Contract to any of the
Deloitte Parties, including any successor to our business. Further,
neither of us will directly nor indirectly agree to assign or transfer any
claim against the other arising out of this Contract to any other person.

Third party rights

1.9 No person who is not a party to this Contract other than the
Deloitte Parties and our subcontractors, if any, shall have any rights
under the Contracts (Rights of Third Parties) Act 1999 to enforce any
of its terms.

1.10 This Contract can be varied without any third party's consent.

2 OUR SERVICES AND RESPONSIBILITIES TO YOU

2.1 The scope of our services and any Deliverables to be provided
under this Contract together with our responsibilities for them
(together the “Services”) are as described in the Engagement Letter.
We will use all reasonable efforts to supply the Services in accordance
with any timetable referred to in the Engagement Letter or otherwise
specified by the parties. However, unless both parties specifically
agree otherwise in writing, all dates given by Deloitte or specified by
you for the supply of the Services are intended for planning and
estimating purposes only and are not contractually binding.

Engagement Team

2.2 Whilst we will attempt to comply with your request for
specific individuals, the appointment of all personnel to perform the
Services and the nature and duration of their assignment shall be made
as Deloitte considers appropriate. We may at any time replace or
reassign any personnel assigned by us to the Services; in such
circumstances we will endeavour to give you reasonable notice.

2.3 You will be responsible for ensuring that your staff involved
with this Contract have the appropriate skills and experience. If any
of your staff fail to perform as required, you will provide additional or
replacement staff as we may reasonably request.

Data Protection
2.4 In providing the Services to you or otherwise in connection
with the Services, we may:

(i) need to collect, hold and use information (e.g. contact
details) about identifiable individuals (“Data Subjects”). We
may also use such information as part of our client account
opening and general administration process (e.g. in order to
carry out anti-money laundering, conflict and financial checks
or debt recovery). Information about a Data Subject may be
transferred to or accessible from DTTL or DTTL member
firms’ offices around the world for these purposes or for the
purposes identified in the following paragraph. Should your
officers or employees enquire, please inform them that we may
hold information relating to them for these purposes; and

(ii) occasionally contact a Data Subject with details of
events/seminars we are holding, or we may send a Data Subject
publications or newsletters, which we believe may be of
interest to him or her. If a Data Subject does not wish to
receive this information, please let us know by informing the
partner responsible for the Services.

2.5 We reserve the right to monitor telephone calls and electronic
communications for the purposes of ensuring compliance with our
legal and regulatory obligations and internal policies.

2.6 In providing some of the Services to you we may be processing
information about Data Subjects on your behalf and thus act as a
“Data Processor” for the purposes of the Data Protection Act 1998. In
these circumstances, we will (i) only process personal data in
accordance with your lawful and reasonable instructions; and (ii)
comply with security obligations equivalent to those imposed on you,
as Data Controller, by the seventh principle of that Act.

3 YOUR RESPONSIBILITIES

3.1 You are responsible for determining that the scope of the
Services is appropriate for your needs.

3.2 Our performance of the Services, the timetable, the level of our
Charges and any fee estimates each depend on the accuracy and
completeness of any assumptions set out in the Engagement Letter.
Please tell us if you believe any of these assumptions are unrealistic
for any reason.

3.3 You will give us all the information that is necessary for the
performance of the Services. In this context, you agree we shall not
be treated as being on notice of information given to us in the course
of previous engagements and so all information that is relevant to the
Services must be given directly to the engagement team even if the
same information has been given to us previously in the course of a
different contract or engagement. Please note that, other than as set
out in the Engagement Letter, we will not audit or otherwise test or
verify the information provided to us in the course of the Services.
You agree that we shall be entitled to rely on all information provided
to us and on your decisions and approvals in connection with our
Services and to assume that all such information provided to us from
whatever sources is true, complete and not misleading. We will not
be responsible for the consequences of any information provided to us
in the course of the Services not being complete, accurate or current.

3.4 Where needed to assist us in performing the Services, you will
(i) take decisions and obtain management approvals promptly; (ii)
give us full and prompt access to your people and premises and those
of your affiliates and to your other advisors associated with the
engagement, together with all necessary administrative support; (iii)
obtain any approvals, licences and security clearances promptly
(including any relating to third parties, our personnel and any
subcontractors); and (iv) keep us promptly informed of any proposals
or developments in your business relevant to the Services.

3.5 You agree that you remain solely responsible for managing all
aspects of your business, for taking all decisions and operating all
accounting, internal control or management information systems. This
includes applying your independent business judgement to evaluate
any advice or recommendations that we give you. You will be
responsible for deciding whether our recommendations make sense in
the context of your business, and whether you wish to rely on,
implement or act on them, including the actions necessary to realise
any expected benefits.

3.6 Where you are using third parties to provide information,
materials or other assistance in support of the Services, or you are
employing other suppliers whose work may affect our ability to
deliver the Services, you will be responsible for the management of
such persons and their performance, including the timeliness and
quality of their input and work.

3.7. You will also be responsible for paying the Charges in accordance

Legal advice
3.8 Our Services may be conducted alongside your legal advisers,
acting separately for you. To the extent they relate to our performance
of the Services, we may need to review sections of draft agreements
prepared by your legal advisers but we are not qualified to provide
legal advice. Any agreement is the product of negotiation between its
parties and you agree that it is your responsibility to obtain
appropriate legal advice and to decide whether in all the
circumstances you are prepared to accept any proposed agreement.

4 RESPONSIBILITIES TO EACH OTHER

Confidentiality

4.1 We each agree that where either of us is in possession of
information about the other that is by its nature confidential, or is
designated as such by the other (whether in writing or orally),
including this Contract (“Confidential Information”), we each
undertake to (i) keep it confidential; (ii) use it only in connection with
providing and receiving the Services; and (iii) not to disclose it to any
other person without the other’s prior written consent. These
undertakings will not apply to any information that otherwise becomes
generally publicly available, was possessed prior to the
commencement of the Services (or prior to being designated as
Confidential Information), or is lawfully acquired from a third party
who is under no obligation of confidence or information which is or
has been independently developed by the recipient.

4.2 We each will be entitled to disclose Confidential Information to
our legal advisors to protect our legitimate interests and to comply
with any legal, professional or regulatory requirement. You agree to
reimburse any costs we may incur in complying with any such
disclosure requirement relating to any of our Services to you imposed
in any proceedings or regulatory process not involving any substantive
claim or proceeding against us, provided that we notify you promptly
and, where reasonably or legally possible, prior to disclosure.

4.3 You agree that we may share Confidential Information with any
Deloitte Party and any subcontractors we use to provide the Services
(or more generally to support our office administration) on the
understanding that they will treat the information as Confidential
Information in accordance with the provisions of this Contract.

4.4 Unless you tell us otherwise, we may in the performance of the
Services attend meetings to discuss your affairs with your other
advisers and may do so openly, free from any obligation to you of
confidentiality.

4.5 When offering our services to others we may disclose to them
that we have acted for you unless you instruct us to the contrary.

4.6 Nothing in this Contract will prevent or restrict any Deloitte
Party from providing services to other clients (including services
which are the same or similar to the Services) or using or sharing for
any purpose any knowledge, experience and skills used in, gained or
arising from performing the Services subject to the obligations of
confidentiality set out in clause 4.1 even if those other clients’
interests are in competition with your own. Equally, you agree that to
the extent that we possess information obtained under an obligation of
confidentiality to another client or other third party, we are not
obliged to disclose it to you or make use of it for your benefit,
however relevant it may be to the Services.

Conflicts of interest

4.7 It is our practice, in appropriate circumstances, to check for
conflicts of interest before taking on engagements. Deloitte Parties
provide many different professional services to clients and we cannot
be certain that we will identify promptly all situations where there
may be a conflict with your interests. Please notify us promptly of any
potential conflict affecting this engagement of which you are, or
become, aware.

Electronic communications
4.8 We each agree that where appropriate we may communicate
with each other electronically over the internet (including by way of
e-mail). Our personnel will also need access to our own systems and
data. You agree that you will (at your discretion) i) allow our
personnel to use a Deloitte Local Area Network at your premises; ii)
and/or provide our personnel with analogue dial-up connections or an
Ethernet connection to allow our hardware (typically Deloitte's laptop
computers used by members of the engagement team) to connect to
our network via your internet communications facilities. Further, in
order for our personnel to operate effectively and efficiently they may
need access to your electronic data and also to your internet
communications facilities for the purpose of the engagement. We will
only access your internal networks, applications, data or other systems
through the terminal hardware or software you make available to us
for the purpose.

4.9 Access to your systems by our personnel will be subject to such
conditions as you at your sole discretion consider necessary to protect
the security and integrity of your data and systems. We each
recognise that the internet is inherently insecure and that data can
become corrupted, communications are not always delivered promptly
(or at all) and that other methods of communication may be
appropriate. Electronic communications are prone to contamination
by viruses. Each of us will be responsible for protecting our own
systems and interests and neither of us will be responsible to the other
on any basis (contract, tort or otherwise) for any loss, damage or
omission in any way arising from the use of electronic data (including
e-mail) as a form of communication or from our personnel’s access to
your networks, applications, data or other systems. Nothing in this
clause shall exclude any liability arising from the negligent addressing
of an email.

Staff
4.10 We each agree not to offer employment to or solicit the other's
personnel who within 6 months of such action has been involved
directly in the Services or otherwise connected to this Contract
(except where an individual responds directly to a general recruitment
campaign) nor use the services of any such personnel (either
independently or via a third party) for a period of 6 months from the
date that the individual concerned ceases to be permanently involved
with the Services.

5 DELIVERABLES

Drafts and oral discussions
5.1 In formulating our conclusions, we may discuss ideas with you
orally or show you drafts of the Deliverables (as specified in the
Engagement Letter) for your comment. We do this on the basis that
you will not rely on any drafts or oral comments or advice unless their
content is finalised and confirmed to you in writing in the final
Deliverables. Accordingly, we will not be responsible if you choose
to act, or refrain from acting, on the basis of any drafts or oral
comments or advice. If you want to rely or act on oral comments, or
advice, please let us know in order that we may deal with them in our
final Deliverables. Furthermore, for your convenience, the
Deliverables may be made available to you in draft or in electronic as
well as hard copy format. Multiple copies and versions of documents
may therefore exist in different media. In the case of any discrepancy,
the signed hard copy of the final Deliverable is definitive.

5.2 Unless the Engagement Letter specifies other arrangements,
you agree that each Deliverable will be deemed accepted by you (and
our Services, or the relevant part of them, completed) when it is in its
final form or when you first make use of the Deliverable, whichever
first occurs.

Use of Deliverables
5.3 The Deliverables and any other advice we provide to you are
for your exclusive use and must be used solely for the purpose
described in the Engagement Letter. They must not be used for any
other purpose, recited or referred to in any document, copied or made
available (in whole or in part) to any other person without our prior
written express consent. You acknowledge that were you to do so
(and without limitation) this could expose us to a risk that a third party
who otherwise would not have access to the Deliverable (and/or
Confidential Information as defined in clause 4 above), might claim to
have relied upon the Deliverable (and/or Confidential Information) to
its detriment and might bring or threaten to bring an action, claim or
proceedings against us.

5.4 Save as expressly provided by the Engagement Letter, no
person other than you may rely on the Deliverables and/or information
derived from them and we accept no responsibility to any other person
to whom the Deliverables are shown or into whose hands they may
come.

Post date events

5.5 We have no responsibility to update any Deliverable for events
occurring after completion of this Contract (which, unless provided
otherwise in the Engagement Letter, will be the date on which the
final Deliverable is delivered or signed), nor to monitor its continuing
relevance or suitability for your purposes.

Ownership and intellectual property

5.6 On payment of all of our Charges, you will acquire ownership
of the Deliverables in their tangible form and the right to use them
internally in your business. We will own and retain ownership of all
intellectual and other proprietary rights of any kind in the
Deliverables, our working papers (if any) and in all other reports,
materials, documentation, software, system interfaces, templates,
methodologies and processes and ideas and concepts and techniques
that we may use or develop in connection with this Contract (other
than materials provided to us by you in which you retain intellectual
and other proprietary rights). In circumstances where we may hold
certain documents on your behalf, you agree that we may destroy
them (together with any other documents related to the engagement)
at any time after 6 years from conclusion of the work to which those
documents relate.

5.7 You and we agree that neither of us will use the other's name,
trademarks, service marks, logos, trade names and/or branding
without prior written consent.

6 LIABILITY PROVISIONS

6.1 We will perform the Services with reasonable skill and
reasonable care.

6.2 Without prejudice to any defence which we may have, you
agree that we will not be liable to you for any loss, liability, damage,
cost, charge or expense of whatever nature and howsoever caused and
including interest (together “Losses”) unless and then only to the
extent that such Losses are finally determined to have resulted from
our breach of contract or negligence, subject always to the following
provisions:

6.2.1 We will not be liable for any Losses arising out of your use
of our Deliverables or our advice for a purpose other than as
set out in the Engagement Letter.

6.2.2 We will not be liable for Losses arising from the acts or
omissions of any person other than Deloitte or any
subcontractor (including any Deloitte Party) that we may use
to provide the Services.

6.2.3 We will not be liable for Losses arising as a result of the
provision of false, misleading or incomplete information or
documentation by, or the withholding or concealment or
misrepresentation of information or documentation, by any
person other than the Deloitte Parties unless and then only to
the extent that detection of such defect in the information or
documentation or such withholding, concealment or
misrepresentation should reasonably have been expected
because it was evident without further enquiry from the
information or documentation provided to us and expressly
required to be considered by us pursuant to the provision of
the Services.

6.2.4 Any liability which we may have to you under or
connection with this Contract for Losses suffered by you
shall (so far as permitted by law) be limited to such an
amount as is finally determined to be just and equitable,
having regard to the extent of responsibility for the Losses of
us, you, (including your directors, officers, employees or
agents), and any person other than us who is jointly or
severally liable to you for all or part of the same Losses,
provided always that Deloitte’s liability to you shall not
under any circumstances exceed in aggregate the amount set
out hereunder. Any limitation or exclusion or restriction on
the liability of any such other person under any jurisdiction,
whether arising under statute or contract or resulting from
death, bankruptcy or insolvency, or any settlement of such
liability agreed with you, shall be ignored for the purposes of
determining whether that other person is liable to you and the
extent of responsibility of that other person to you.

6.2.5 Our total liability of whatever nature, whether in contract,
tort (including, without limitation, negligence), under statute
or otherwise to you and to all other persons who we both
have agreed may have the benefit of and rely on our work on
the terms hereof, (you and they each a “Beneficiary”), for any
and all Losses arising from or in any way in connection with
this Contract shall not exceed the amount specified in the
Engagement Letter or, if no amount is specified there,
£500,000 (five hundred thousand pounds sterling).

6.2.6 Where there is more than one Beneficiary of the Services, the
limitation in this clause 6.2 on our total liability to all
Beneficiaries shall be apportioned by them amongst them. No
Beneficiary shall dispute or challenge the validity, operation
or enforceability of this clause on the grounds that no such
apportionment has been so agreed or on the ground that the
agreed share of the limitation amount so apportioned to any
Beneficiary is unreasonably low.

6.2.7 In no event shall we be liable to you, whether in contract,
statute, tort (including, without limitation, negligence), or
otherwise for (i) loss or damage incurred as a result of third
party claims; (ii) loss of profit, goodwill, business
opportunity or anticipated savings, loss of or corruption to
data, loss of revenues or wasted management or staff time; or
(iii) incidental, special, punitive, exemplary, indirect or
consequential loss or damage; (together, “Excluded Losses”)
which you may suffer, howsoever caused and whether or not
you or we knew, or ought to have known, that the Excluded
Losses would be likely to be suffered.

6.3 Deloitte neither owes nor accepts any duty to any person other
than you. No Deloitte Party shall be liable for any Losses suffered by
any other person caused by that or any other person’s use of or
reliance on our Deliverables or our advice.

6.4 Nothing in this Contract shall exclude, restrict (or prevent a
claim being brought in respect of) any liability arising from fraud or
other liabilities which cannot lawfully be limited or excluded.

6.5 Unless and then only to the extent they have been finally and
judicially determined (including the conclusion of any appeal) to have
been caused by the fraud of any of the Deloitte Parties, you agree to
indemnify and hold harmless the Deloitte Parties against all Losses
which they incur in the defence and settlement (including meeting any
judicially determined award of damages) of any demand, action, claim
or proceeding (a “Claim”) brought by any third party in any way
arising in connection with this Contract whether or not such Claim is
founded upon an allegation of our negligence.

6.6 Any claim or action brought by you under or connection with
this Contract must be brought within 24 months of the cause of action
arising.

7 CHARGES

7.1 We will render invoices in respect of the Services comprising
our fees, out-of-pocket expenses and any charges of specialists,
subcontractors and advisers, plus applicable taxes including VAT
(together our “Charges”). These will be in accordance with any
schedules set out in the Engagement Letter. Our fees are generally
calculated on the basis of the time and level of staff required to
conduct the Services during normal office hours. Other factors may
also be taken into account, including the use of our proprietary
expertise, technology and know how, the need to act rapidly or
exclusively or outside normal office hours or the importance,
complexity or monetary value of the matter concerned. Out-of-pocket
expenses will depend on the nature of the Services and where
appropriate, staff travelling and subsistence will be reimbursable in
accordance with our normal personnel policies.

7.2 Any estimate of the fees involved in the Services will be based
upon our assessment of the work involved, taking account of any
assumptions set out in the Engagement Letter. Unless we have agreed
otherwise in the Engagement Letter, our fees may be adjusted if the
Services prove more complex or time consuming than expected. We
will let you know when we consider any estimate is likely to be
exceeded.

7.3 A fee estimate assumes that we will have full and prompt
access at all reasonable times to your premises, directors, staff and any
advisers relevant to the Services. It also assumes that you will provide
reasonable work space for our people without charge, as well as a
suitable office environment and facilities including occasional
secretarial support services, photocopying and computer facilities and
access to telephone, fax and modem communications.

7.4 Unless otherwise specified in the Engagement Letter, we will
invoice our Charges monthly in arrears and a final invoice on
completion of the Services. These invoices are due for settlement
within 14 days of receipt. You agree that we are entitled to charge you
interest on overdue invoices at 2% over the prevailing Royal Bank of
Scotland plc base rate.

7.5 We will be entitled to receive all charges incurred up to the date
of termination of this Contract for any reason.

8 TERMINATION

8.1 We each may terminate this Contract without notice in the
event that the other becomes the subject of insolvency proceedings or
calls any meeting of its creditors. Alternatively, either of us may
terminate this Contract at any time on 30 days’ written notice to the
other.

8.2 Should any action taken by you create a situation which
amounts to a professional conflict of interest under the rules of the
professional and/or regulatory bodies regulating the activities of the
Deloitte Parties, we may terminate this Contract without penalty on
written notice. We will inform you as soon as reasonably practicable
of any situation that occurs that we become aware of that may create a
professional conflict which could result in termination in accordance
with this clause 8.2.

8.3 Any provisions of the Contract which either expressly, or by
their nature, extend beyond the expiry or termination of this Contract,
shall survive such expiration or termination.

9 GENERAL TERMS OF BUSINESS

Quality of Service
9.1 If, at any time, you believe our service to you could be
improved, or if you are dissatisfied with any aspect of our services
you should raise the matter with the partner responsible for providing
the Services to you. If you would prefer to discuss the matter with
someone other than that partner, or if you wish to make a complaint,
please call or write to Richard Punt, the firm’s Managing Partner,
Growth & Markets.

9.2 We will investigate all complaints. You have the right to take
any complaint up with the Institute of Chartered Accountants in
England and Wales (the ICAEW). You may obtain an explanation of
the mechanisms that operate in respect of a complaint to the ICAEW
at www.icaew.com/complaints or by writing to the ICAEW. To
contact the ICAEW write to the Professional Standards Office, Level
1, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9
2FZ.

Negotiation / mediation

9.3 We each agree that we will attempt in good faith to resolve any
dispute or claim arising out of or in connection with the Contract
promptly through negotiations between your senior executives and our
management. If the matter is not resolved through negotiation then,
prior to the commencement of legal proceedings, we will each attempt
in good faith to resolve the dispute or claim by participating in an
Alternative Dispute Resolution (ADR) procedure which, if not
otherwise agreed, will be as recommended to us by the Centre for
Effective Dispute Resolution. If the matter has not been resolved by
an ADR procedure within 45 days of such procedure being
commenced, then the matter may be dealt with through legal
proceedings.

Legal and other obligations

9.4 Nothing in this Contract precludes us from taking such steps as
are necessary in order to comply with any legal or regulatory
requirement or any professional or ethical rules of any relevant
professional body of which we or any of our partners or employees is,
at the time, a member.

Force majeure
9.5 Neither of us will be liable for any delays or failures in
performance or breach of contract due to events or circumstances
beyond our reasonable control.

Governing law and jurisdiction

9.6 The Contract and our relationship (including all contractual and
non-contractual rights and obligations arising out of or relating
thereto) are governed by English law and the Courts of England and
Wales shall have exclusive jurisdiction to settle any dispute that may
arise in connection with this Contract and our relationship (including
all contractual and non-contractual rights and obligations arising out
of or relating thereto).
