POL00138271
Deloitte. STRICTLY PRIVATE AND CONFIDENTIAL
HNG-X: Review of Assurance Sources
Executive Summary
Deloitte Ref: Board Summary v2
SUBJECT TO LEGAL PRIVILEGE
Executive Summary
Context
POL is committed to ensuring and demonstrating that the Horizon system (“HNG-X”) is robust and operates with
integrity, within an appropriate control framework. Since its implementation in 2010/11, POL has commissioned a
number of pieces of assurance work relating to HNG-X and recently appointed Deloitte to consider whether this
work appropriately covers key risks.
We have also been requested to raise suggestions for improvement in the assurance provision over the HNG-X
processing environment, leveraging our experience at other organisations and knowledge of best practices.
Our work is near completion and thus this summary outlines our emerging conclusions. Our final report, containing
additional context and detail, as well as recommendations for next steps, will be issued in early May.
Sources of Assurance Reviewed
Sources of assurance from the following organisations have been considered in our work:
• Fujitsu, who designed, built and now operate HNG-X.
• Bureau Veritas, who perform ISO 27001 certification over POL networks, including that of HNG-X.
• Information Risk Management (IRM), who accredit HNG-X to Payment Card Industry Data Security Standards.
• Ernst & Young, who produce an ISAE 3402 service auditor's report over the HNG-X processing environment.
• Internal audit, who perform risk-based reviews.
We structured our work around 3 main areas of risk, and our emerging findings below are aligned to these:
• Project Change Risks — relating to significant changes that require formal project governance
structures. Our work focussed on the implementation of HNG-X in 2010/11.
• IT Environment Risks — relating to the procedures supporting the general running of the system. Our
work focussed on assurance provided over Fujitsu's activities.
• Specific Risks — relating to particular or unique matters, specific to features of HNG-X. Our work
focussed on the interfaces with other systems (DVLA) and the preservation of the HNG-X audit trail (Audit Store).
Key Emerging Findings
Project Change Risks:
Whilst no independent assurance has been provided over these risks, subject to the provision of evidence to
support verbal assertions made by POL, the design and operation of project governance and control procedures for
the HNG-X implementation appears comparable to what we see at other organisations and what we would expect.
Subject to validation, assurance over project change risks could be further strengthened through both greater
independent scrutiny during project activities and through post-implementation assessments.
We also note, for potential future reference, that such significant change projects are an opportunity to efficiently
capture and create the control and assurance frameworks for Specific Risks (which we refer to below), as well as
help to clarify key control descriptions to avoid potential downstream ambiguity.
DRAFT FINDINGS.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
IT Environment Risks:
Formally structured and independent assurance work has been performed relating to these risks, in excess of the
benchmark we typically see in non-outsourced IT environments and in line with benchmarks for an outsourced IT
processing environment such as HNG-X.
We identified one key area where we consider the assurance provision needs improvement — relating to the “end
user control considerations”, referenced in Section 6 of the ISAE 3402 report by Ernst & Young. Such matters are
important to consider, ensuring that the assurance provided by the ISAE 3402 is interpreted in the appropriate
context of controls within POL. We are not aware of such work being performed.
There are also opportunities for further enhancement in the quality and clarity of the assurance activities, including:
o Assurance Clarifications: clarifying certain text in the ISAE 3402 report will help remove potential ambiguity
for its interpretation. For example, clarifying data sources for sampling (eg: for change control testing);
improving alignment to POL policies and procedures (eg: requirement for unique usernames); stating sample
sizes used (eg: to underpin understanding of the frequency of the control); and verifying that all
controls are tested to evidence (eg: control test 6.5 in section 7 appears to have relied on verbal assertions
from Fujitsu staff).
o Assurance Focus: a significant proportion of the assurance activity is weighted towards security
management risks. Once risk appetite is defined (see below) we would recommend that the balance of
assurance between this area and other important areas, such as system operations and change control, be
considered. This will help give confidence that optimal levels of assurance are being provided across risks.
Specific Risks:
Substantial work has been performed over risks in this area, largely by Fujitsu. They have produced
extensive and detailed documentation relating to the key operating features of the HNG-X system,
using technically competent professionals, familiar with them.
However, despite this significant provision of information, we consider this area to be where POL's assurance
sources would benefit most from further attention: risk driven, independent challenge by risk assurance
professionals to key Specific Risk areas. Our work, relating to both the DVLA interface and the Audit Store, found
that whilst the level of understanding demonstrated through documentation was excellent, evidence based,
independent work to verify control procedures and attestations has not been performed.
To support the appropriate understanding of these risks, and to support prioritisation of assurance activities, we
would recommend that POL extend the IT Environment Risk and Control framework (used in the ISAE 3402 above)
to cover more Specific Risks and controls. Such an exercise would also enable a more automated and thus
efficient control design to be considered (for example, more proactive monitoring and alerting to key risk events).
Other matters:
We observed that the risk appetite of POL is yet to be defined, though we understand that an exercise is underway
with the ARC to achieve this. We consider this to be an important exercise for POL to perform, as it will help
underpin and better optimise the design of your control and assurance landscape (above) in the future.
We also note that little use of Internal Audit appears to have been made in key IT Risk areas — which may present
an opportunity for POL to strengthen your response to Specific Risks, noted above.
Other than as stated below, this document is confidential and prepared solely for your information and that of other
beneficiaries of our advice listed in our engagement letter. Therefore you should not refer to or use our name or
this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make
them available or communicate them to any other party. If this document contains details of an arrangement that
could result in a tax or National Insurance saving, no such conditions of confidentiality apply to the details of that
arrangement (for example, for the purpose of discussion with tax authorities). In any event, no other party is
entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who
is shown or gains access to this document.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private
company limited by guarantee, whose member firms are legally separate and independent entities. Please see
www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.