POL00137294
From: Paula Vennells GRO
Sent: Sat 02/03/2013 8:25:06 AM (UTC).
To:
GRO} Sarah
Subject: Re: Management Control Audit - SAS70 for Fujitsu
Goodness - "you may remember..." is a little mild?!
I am scarred! I remember very vividly the discussions at the RMHB trying to convince Donald and Paul Murray
that we would resolve this with Fujitsu. At least 10% of my grey hairs are down to this one!
So, I am delighted! Thank you Lesley very much indeed. Please also pass on my appreciation to whoever led in
your team with Fujitsu.
As I was in fairly frequent contact with Duncan at the time, if you don't mind I would like to drop him a note.
Could you draft me something?
Thank you again - really well done.
Paula
Sent from my iPad
On 1 Mar 2013, at 20:54, "Chris M Day" wrote:
Thanks Lesley - good result. I spoke to Angus Grant today who confirmed that this and IT
controls generally are looking in much better shape than a year ago, and that he's not currently
anticipating any MLPs or further cost overruns - which makes me doubly happy!
Thanks also to Sarah & team for their work in this area.
Chris
Sent from my iPhone
On 1 Mar 2013, at 17:06, "Lesley J Sewell" wrote:
Paula, Chris, Susan
You may remember some of the challenges we had with the last Management Control
Audit which E&Y completed for Fujitsu and our drive towards a SAS70 (now International
Standard on Assurance Engagements (ISAE 3402)) control framework — this was a particular
challenge and we were committed to get to this outcome as part of this year’s audit
approach.
We agreed, and at Fujitsu’s cost, that they would separately engage Ernst & Young to
endorse their IT controls and to produce an ISAE 3402 report. This provides a description of
their total IT support processes and controls operated in managing the Post Office Account
for Horizon on-line and POLSAP. The good news is that Ernst & Young have undertaken this
review and have endorsed these controls.
This is very exciting and positive news for the Post Office. In all of the control objectives
tested by Ernst & Young, a total of 65 individual objectives, there was only one deviation
discovered, that required a minor adjustment to a password policy. Which meant the
outcome was a report with no deviations at all in the Fujitsu environment. This was
endorsed independently by Ernst & Young.
This will feed into our annual Management and Control audit for IT, and I met with our
external auditors yesterday who were extremely pleased with the outcome. Our auditors
are now engaging within Post Office to ensure that the compensating and complementary
controls operated within the Post Office environment are indeed in place and operating
effectively to match those in Fujitsu. This is underway and the field work is on-going which
is due to complete by early March.
Credit needs to be given to Fujitsu who funded this exercise, and whose controls were
tested and passed by Ernst & Young. This is a really positive step for the Post Office as not
only does it show the controls in place for Horizon and POLSAP are of good standard, it
should also reduce the time and cost of future audits.
I have passed Post Office’s thanks to Fujitsu for supporting this activity.
All in all a very positive outcome.
Regards
Lesley
Lesley J Sewell
Chief Information Officer
148 Old Street. LONDON, EC1V
Direct: _ i
postoffice.co.uk
@postofficenews
Confidential Information:
This email message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorised review, use, disclosure or
distribution is prohibited. If you are not the intended recipient please contact me by reply
email and destroy all copies of the original message.