POL00138463 - Email from Chris Aujard to Malcolm Zack, Julie George, David Mason and others re Zebra - Key Points from the Meeting

POL00138463

From: Chris Aujard

Sent: Fri 18/07/2014 1:28:20 PM (UTC)

To:

Subject: RE: Zebra - Key Points from the Meeting

Malcolm et al — Agreed, there is currently no need to go back to Deloitte. But just to be clear: a review is a review.
That said, the actions that arise out of a review need to be allocated appropriately. We will discuss on Monday at the
R&CC and consider next steps. Chris

From: Malcolm Zack

Sent: 18 July 2014 14:18

To: Julie George; David Mason; Rod Ismay; Chris Aujard
Subject: Re: Zebra - Key Points from the Meeting

The risk and compliance committee will review the paper on Monday. No commitment needs to be made to Deloitte
at this point.

I have not taken ownership. This resides with Chris A and Lesley who initiated the review.
Next steps to be considered next week.
Sent from my Blackberry Wireless Handheld

From: Julie George

Sent: Friday, July 18, 2014 02:02 PM

To: Malcolm Zack; David Mason; Rod Ismay
Subject: FW: Zebra - Key Points from the Meeting

Hi,
Please see below from Deloitte, I have not agreed next steps, shall we meet up and discuss?

There are a number of things we will take forward ourselves but we need to establish where everything sits and
ownership overall — which I see as being an overall IA task, cascaded down to appropriate areas, and Rod has already
identified potential development areas in his function.

Jules

Julie George FBCS | Head of Information Security and Assurance Group

2nd Floor, 148 Old Street, London, EC1V 9HQ

From: James, Gareth (UK - Manchester)
Sent: 18 July 2014 11:46
To: Julie George; Rodric Williams

Cc: Westbrook, Mark (UK - Manchester)
Subject: RE: Zebra - Key Points from the Meeting

Morning both — as per the vm's I thought it worth re-sharing the notes below (in hindsight, it doesn't really call out the
key outcome here, which is the response paper (if Rod can confirm that extracting information from section 6 into a
stand-alone non-privileged doc is ok?). I know you're both busy / knocking on holidays... so if Mark and I can take
actions to help (at our investment), please do just ask.

Speak soon

Gareth


From: James, Gareth (UK - Manchester)
Sent: 02 July 2014 23:16

To: Julie George; Rodric Williams; [GRO]; Malcolm Zack
Cc: Westbrook, Mark (UK - Manchester)
Subject: Zebra - Key Points from the Meeting

Rod Ismay - Post Office Ltd

All,

Thanks for your time today. Notes that Mark and I took away on what we heard from you are below, which hopefully
will be helpful to get the response paper started. Do let us know if you’d like any further supportive help on this.

Gareth

Actions

Deloitte to reflect Rod (W) feedback on v16, then provide editable version of the document so that section 6 text can
be extracted to help shape the response paper.

Rod (W) to confirm if Section 6 also needs re-shaping into a standalone, non-privileged deliverable (eg: Sparrow
references removed).

Julie to have discussion with David on Section C recommendations.
Gareth and Mark to progress meeting with relevant members of POL in relation to Section B. Julie to be invited if not
already.

Thoughts on Individual Sections:

A1 - Detailed review of balancing transactions use — Rodric keen to progress work on this. Focused piece on a
particular area of risk aiming to identify underlying root causes that can trigger the need for these, and procedures in
place for initiating, approving, performing, monitoring them. To potentially include identification and testing of key
controls (and how assurance sustained).

A2 - Verification work over key Horizon Features — Features identified in the Board report proposed as a ‘minimum
baseline’ that needs testing validation. Workshop could be organised to (a) decide if any additional key features
should be added (eg: 3 way system reconciliation activities in Fujitsu / matters relating to Centera hardware); (b)
agree how items are best tested, and by whom (c) produce a testing plan / roadmap. It was agreed that different
parties could perform this work, short term and longer term (eg: internal audit / Deloitte / via ISAE 3402).

A3 — Analytic testing on Audit Store Data — Three stage approach likely most appropriate — (1) Discovery exercise by
Deloitte SMEs, looking at feasibility of data extraction and handling with Fujitsu and helping put some cost estimates
to stage (2) and (3); (2) performing a pilot on a small extract of data (3 months?), exploring what scope POL could
achieve and what is likely to add most value / be most insightful (from various perspectives — Sparrow; Future System;
Ongoing Risk/Control monitoring); (3) Scaling up over full 6 year data history — added benefit that this helps provide
insight over the pre HGN-X processing environment, as year 5 and 6 of the data will be from pre 2010 (old Horizon
system). This will help provide evidence that assertions re: the 'pre' world not being that different from the 'current'
world can be formally supported.

A4 — FSC Process documentation + system reconciliation activities — Rod (I) saw significant validity in this area, and
value in documentation for future system too supported by Julie. Rod was not convinced by the need to look at
manual reconciliation controls between systems, as reliance should be placed on IT operations. See A2 above on
discovery/testing of this key control.

B1 — Agreement that most of the A and C activities above and below have value from a future system perspective and
matters need to be joined up to deliver this ‘through and into’ the project team. In particular the future system
project needs to consider future system assurance requirements, and how the IT Assurance needs of POL are best
setup (organisationally and scope wise). A meeting with the project team is progressing into diaries.

Section C — Not discussed at great length as David Mason needs engaging. Recognition to consider the principles of a
"Head of Assurance", whose role it is to bring together all sources of assurance across POL's risk landscape into a single,
holistic picture for senior management. Page 33 matters to be picked up offline by David and Julie. Some discussion
around C3 and how this marries up to A2 and A3 — though recognition that all aspects of “A” actions have implications
for future, sustained assurance provision. Also query of how aspects of continuous / ongoing monitoring link into
Project Horace (sp?) and other endeavours in the business to better analytically monitor / alert to key risks.