POL00138364
POL00138364
=
De I fe) I tte e STRICTLY PRIVATE AND CONFIDENTIAL
HNG-X: Review of Assur ae >Sources
Board Update :
As at 16/5/14, subject toca
™~,
Deloitte Ref: Board Summary 160514 v7
SUBJECT TO LEGAL PRIVILEGE
POL00138364
POL00138364
Board Update at 16/5/14
Introduction
Our final report, to be issued on 23° May 2014, will contain further details on our approach, the matters we have
identified and those actions we recommend management consider which could provide further, evidenced-based
assurance to the Board.
In this document we use the term “Horizon Features”. This is a technical term referring to those features of the
system which provide that:
* movements in Branch ledgers have the full ownership and visibility of sub-postmasters; and
e audit trails kept by the system are complete and accurate.
Key Findings
Following the completion of our desktop review of documentation, supr “ented by ven. _sertions, our key
findings are that:
fo
e Nothing has come to our attention to suggest any deficien nificance in the design of the Horizon
Features. » \
* The implementation in 2010 of HNG-X did ~nact wie Horizon Features.
« Key day to day IT management activities are g, : controlled and (since 2012) independently tested to
recognised assurance standards, 4 \
e Substantial Horizon-related~ em “arvexists, comparable to that typically seen in similar
organisations where IT act. “and formal assurance activities are not mandated.
Some organisations are. exter!
“xdated to have agreater level of end to end, risk orientated
documentation are a: Al services. Post Office is not so mandated.
e =©Aswith cor Sa organi, ns, Post Office relies in many areas on the Horizon Features operating as
described. Fux sure’ sould be obtained by perbrming risk based testing of the Horizon Features
and fully documé, Mm usage.
e Documentation has not yet been located which relates t pre 2010 to provide assurance that the system
was originally built and tested to specific business requirements.
BOARD UPDATE AT 16/5/14 — Subject to completion of work and our final deliverable on 23/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00138364
POL00138364
Areas of Assessment
We assessed three main areas where we would expect assurance sources to be available, namely system
“Baseline”, “Provision” and “Usage” (as outlined bdow), and considered the questions in Appendix 1.
Our work was performed in the context of activities we see in other, similar non-regulated organisations. Our work
has been performed as a desktop review and thus hasnot tested the quality or accuracy of any of the assertions
made in documentation provided to us.
1. Assurance over the system baseline
Purpose:
This assurance aims to provide comfort that the original Horizon implementation and other changes performed
under formal projects were conducted in line with good project management practices “ad that detailed testing
was performed against agreed business requirements.Such activity would verify tr c system was, at that point
in time, fit for purpose and implemented as intended. <
Comments:
The documentation assessed shows that the 2010 HNG-X project w~ dlivered in line wn. Royal Mail's
“Harmony” Project Governance Methodology and that Wipro(an” qa” Alltancy) provided independent
assurance that this Project's approach to performance testing Wa ~ Z ‘Such project governance activities are
comparable to that which we would expect to see in similar, non-rey, “arganisations. Documentation coud not
be supplied which provides more direct comfort, at imp station, ove. vrizon Features.
We note that Fujitsu were planning independent work \s co /2012, but did not progress the review
following POL’s appointment of Second Sight. Some 0, vo Awd work for this review has assisted usin our
assessment. ——- \
2. Assurance over the system prov’
Purpose: /
This assurance aims to p~ “ort thy at activities required to run and use a system with integrity are
designed and operatir’” §—_-<CtiVe, \n activity verifies that key day to day IT management activities (eg: security,
IT operations and x “hanges) appropriately governed and controlled.
Comments:
Documentation relating to the vurrent day activities of IT and Fujitsu system provision adopts and delivers good
practise. A formal IT risk assessment has been performed and an IT control framework produced and
independently assured, under a recognised assurance stadard (ISAE 3402).
A number of third party systems are used by Horizon ona day to day operational basis. Documentation indicates
that such data flows do not significantly impact the Horizon Features and the Audit Store.
The Audit Store's integrity is preserved by a system of “digital seals”. This feature underpins the ability to confirm
the completeness and accuracy of data kept in the Audit Store, and that of subsequent reports generated from the
Audit Store.
BOARD UPDATE AT 16/5/14 — Subject to completion of work and our final deliverable on 23/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00138364
POL00138364
3. Assurance over system usage
Purpose:
This assurance aims to provide comfort that Horizon Features are designed appropriately, in place and operating
as intended.
Comments:
Detailed documentation relating to the system has been produced, largely by technical professionals familiarwith
the design of Horizon. Based on the documents we have seen, this work is extensive and contains information
relating to relevant Horizon Features. An assessmentfrom a risk perspective would be required to fully assure the
completeness of these features.
Verbal confirmation has been received that day-to-day processes are designed to m7” Na sub-postmaster
ownership and visibility of their Branch ledgers. As with similar, non-regulated oro + —_aons these wider business
use activities which relate to the integrity of processing are not always docume” “naintained in an up-to-date
form. ( ‘
\
We noted that both the verbally described and the documented proces™” ‘Yo not appe. ‘ve been
independently validated or tested. Post Office is therefore reliant on” —_Aorizon Features \perating as described
(an example was identified in our work where a contrd was notjr gen” 3 understood). Further assurance in
this area could be provided by testing the Horizon Features, outh ~ AAinal report.
BOARD UPDATE AT 16/5/14 — Subject to completion of work and our final deliverable on 23/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00138364
POL00138364
Appendix 1
Horizon — Key Questions Underpinning Confidence in System Integrity
How do you know the system was fit
for purpose and worked as intended when first
How do you know if major changes since _
then have impacted the system? How do you know
that supporting IT
How do you know that everything from the processes are well
How do you know that
everything processed to
Branch Ledgers is
recorded accurately in How do you know
the Audit Store? that information
reported from the
Audit Store retains
original integrity ?
How do you know that
directly posted "Balancing
Transactions’ are visible
and approved? _
Local Branch
(Paystation /
Post & Go)
\ Huw do you know that
YY > DBAs or others granted
DBA access have not
< modified Branch
\ \ Database data?
\
Hon ou know that
fem used by yout
/ control contains all
ye) records?
Central
POL
Teams
How do you know that all
data posted from other
systems and teams is
I _\visible to and accepted by
sub post-masters?
© Deloitte LLP 2014
BOARD UPDATE AT 16/5/14 — Subject to completion of work and our final deliverable on 23/5/14
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Other than as stated below, this document is confidential and prepared solely for your informationand that of other
beneficiaries of our advice listed in our engagemert letter. Therefore you should not, refer to or useour name or
this document for any other purpose, disclose them or refer to them in any prospectusor other document, or make
them available or communicate them to any other paty. In any event, no other party is entitled to rey on our
document for any purpose whatsoever and thus we accept no liability to any other party who is shown orgains
access to this document
Deloitte LLP is a limited liability partnership regstered in England and Wales with registered numberOC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom
Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (‘DTTL"), a UK private
company limited by guarantee, whose member firms ae legally separate and independent entities, Pleasesee
www.deloitte.co.uk/about for a detaled description of the legal structure of DTTL andits member firms.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
POL00138364
POL00138364