POL00222758
Deloitte
STRICTLY PRIVATE AND CONFIDENTIAL
Horizon: Desktop Review of Assurance
Sources and Key Control Features
Draft for discussion
23 May 2014
This report and the work connected therewith are subject to the Terms and Conditions of the engagement letter dated 09
April 2014 between Post Office Limited and Deloitte LLP. The report is produced for the General Counsel of Post Office Ltd,
solely for the use of Post Office Limited for the purpose of assessing assurance sources and the design of certain controls
relating to the Horizon system. Its contents should not be quoted or referred to in whole or in part without our prior written
consent, except as required by law. Deloitte LLP will accept no responsibility to any third party, as the report has not been
prepared, and is not intended, for any other purpose.
DRAFT: Version 16
SUBJECT TO LEGAL PRIVILEGE
Contents
Executive Summary
Introduction
Approach
Understanding the Horizon Processing Environment
Assessment of Assurance Sources
Matters for Consideration
Appendix 1: IT Provision Assurance Source Mapping and Gap Analysis
Appendix 2: Assurance Schedule over Horizon Features
Appendix 3: Inventory of Documentation Reviewed
Appendix 4: Engagement Letter
Appendix 5: Change Order 01
DRAFT FINDINGS SUBJECT TO CHANGE WITHOUT PRIOR NOTIFICATION.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
1 Executive Summary
Context
As outlined to us by the Post Office Limited (“POL”) litigation team, “POL is responding to allegations from
Sub-postmasters that the “Horizon” IT system used to record transactions in POL branches is defective and that the
processes associated with it are inadequate (e.g. that it may be the source and/or cause of branch losses). POL is
committed to ensuring and demonstrating that the current Horizon system is robust and operates with integrity,
within an appropriate control framework.”
POL is confident that Horizon and its associated control activities deliver a robust processing environment through
three mechanisms: POL have designed features directly into Horizon to exert control; POL operates IT
management over Horizon; and POL have implemented controls into and around the business processes making
use of Horizon. Collectively these three approaches of inherent systems design, ongoing systems management
and business process control are designed to deliver a Horizon processing environment which operates with
integrity.
Since its implementation in branches, POL has commissioned or has received a number of pieces of work relating
to the Horizon processing environment, to provide comfort over its integrity. This work, referred to in our report as
the “Assurance Work”, provides documented assertions relating to aspects of the design and operation of the
Horizon processing environment. The Assurance Work includes IT project documents; operational policies and
procedures; internal and external investigations and reviews; independent audits; and emails confirming otherwise
verbal assertions.
Deloitte has been appointed to:
• consider whether this Assurance Work appropriately covers key risks relating to the integrity of the
processing environment;
• extract from the Assurance Work an initial schedule of the Horizon Features*; and
• raise suggestions for potential improvements in the assurance provision.
* “Horizon Features” is a term we have introduced to represent those features of the Horizon processing environment, including IT management
and business use controls, which provide that:
• movements in Branch ledgers have the full ownership and visibility of sub-postmasters; and
• audit trails kept by the system are complete and accurate.
Summary of Approach
[Diagram: Key assertions requiring assurance, to underpin confidence in processing integrity]
We have structured our work around the key control assertions shown in the diagram (right), which has been agreed
with POL. We consider these to be key matters that POL should control in order to gain comfort over the integrity of
processing.
We have considered POL's three design approaches when evaluating the Assurance Work.
© Deloitte LLP 2014
A key element of the approach was to identify the Horizon Features. POL did not have an existing document that
could be described as representing the Horizon Features in a demonstrably complete way, therefore we have
drawn out an initial view of the Horizon Features from the underlying documentation and considered Assurance
Work relating to them (Appendix 2) for the purposes of this review.
As communicated to us by management, we have also considered the following 5 key control objectives during our
activities to identify Horizon Features:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
These key control objectives are an important subset of the overall set of key control assertions highlighted in the
diagram above.
We have grouped the Assurance Work provided to us into three areas, corresponding to POL’s three mechanisms
of exerting control over the processing environment, as follows:
• System Baseline Assurance Work: This aims to provide comfort that the original Horizon implementation
and other changes performed under formal projects were well governed (compared to Deloitte project
management methodologies) and that detailed testing was performed against agreed business
requirements. Such activity would verify that the system was, at that point in time, fit for purpose and
implemented as intended. This assessment considers the point when the system and processes are
created.
• IT Provision Assurance Work: This aims to provide comfort that the IT management activities required to
run the Horizon system with integrity are designed and operating effectively. Such activity verifies that key
day-to-day IT management activities (e.g. security, IT operations and system changes) are appropriately
governed and controlled.
• System Usage Assurance Work: This assurance aims to provide comfort that the controls in and around
the business processes which make use of the Horizon system are appropriately designed, in place and
operating as intended.
Our work has been performed as a desktop review of documentation made available and has neither tested the
quality, completeness or accuracy of the Assurance Work provided to us nor tested any controls relating to the
Horizon processing environment.
Summary of Observations
Substantial Horizon-related system documentation exists, comparable to that typically seen in organisations of a
similar scale where IT activities are outsourced and formal assurance activities are not mandated. Some
organisations are externally mandated to have a greater level of end-to-end, risk orientated documentation and
testing, e.g. in financial services. POL is not so mandated.
Based on our review of the available documentation, our key observations are:
• The extensive Horizon system documentation is structured from a technical rather than a risk and controls
perspective and provides an understanding of the Horizon Features. POL should conduct a formal
assessment to identify a complete set of Horizon Features that respond to POL's control objectives.
• The integrity of the Audit Store is designed to be preserved by a system of “digital seals” and “digital
signatures”. This feature underpins the ability to confirm the completeness and accuracy of data kept in the
Audit Store, and that of subsequent reports generated from the Audit Store. These digital seals and digital
signatures are both key components of the Horizon Features, and both are validated during the extraction
process from the Audit Store.
• POL is relying on the Horizon Features being implemented and operating as described. Whilst our review
focussed on the design of the Horizon Features, the Assurance Work we have assessed does not
completely test these features for implementation and operating effectiveness. Only those Horizon
Features relating to IT Provision have been validated and tested by independent third parties. In addition,
during the course of our engagement, one of the Horizon Features has been discovered by POL to not be
implemented as expected.
• Business use (process) documentation is not complete or up to date, by some years in cases. As part of
completing or updating the documentation of Horizon Features, all relevant business uses should be
identified and evaluated from a control objectives perspective to identify potential additional matters being
relied upon.
• Pre-2010 Baseline Assurance Work could not be provided by POL. This Assurance Work is required to
evaluate the comfort that the system was originally built and tested to specific business requirements. The
implementation in 2010 of HNG-X is asserted by POL to have not significantly impacted the design of the
Horizon Features.
• Governing controls over key, day-to-day IT management activities have been independently tested and
opined on by Ernst & Young (since 2012) to a recognised assurance standard (ISAE3402).
• A number of third party systems are used by Horizon on a day-to-day operational basis. Documentation
asserts that these interactions do not impact on the Horizon Features.
Scope Limitations
Our work has been subject to the following exclusions:
• Only matters relating to the Horizon Features within the Horizon processing environment have been
considered during our review;
• We have not provided a legal or any other opinion as to the completeness and accuracy of processing of
Horizon at any point throughout the work;
• We have not had direct contact with any third parties other than named contacts that you have provided to
us (Appendix 3);
• We have not verified or tested any information provided directly by you, or directly or indirectly by third
parties (the schedule of information received is in Appendix 3);
• We have not reviewed any contractual provisions in place between you and third parties;
• Our work was limited by significant gaps existing in the information available, relating to both the granularity
of information and the existence of the Horizon Features over the entire timeline of operation of Horizon.
The effect of this is that there are gaps in what we are able to comment upon over this timeline.
Our findings below are written in the context of the information available, which relates to the current
system;
• An event occurred in 2010 which required the use of the exceptional Balancing Transaction process in
Horizon to correct a Sub-postmaster's position following a technical issue. Information has not been provided on
the circumstances that led to this system issue and how the issue was identified. It is assumed that verbal
assertions received from Fujitsu that this was the only time this process has been used hold true;
• We have not tested any of the Horizon Features; and
• We have not validated or commented on the quality of the Assurance Work supplied to us.
Our work was also based on the following assumptions:
• The documents provided are a complete and accurate representation of the Horizon design. We therefore
cannot comment as to whether the Horizon Features described below are complete nor whether other
processes or mechanisms exist which would need consideration in the context of the Matters.
• All changes made after the initial implementation have been properly approved, tested and validated as not
undermining the Horizon Features, i.e. that the system's controls have retained their integrity throughout
and thus the controls identified within the documentation have been consistent over the system's lifetime.
• The assertions received relating to the major upgrade of Horizon in 2010 not materially changing the
design of the Horizon Features hold true.
• The cryptographic keys underpinning the digital signatures in Horizon have not been compromised.
• The mechanisms for issuing cryptographic keys for signing baskets are secure and authenticate requests to
prevent unauthorised provision of keys.
• Fraud or collusion to undermine or work around the Horizon Features has not occurred, in particular within
database administrator and security teams in Fujitsu.
• Assertions made by POL and Fujitsu staff have been accepted as accurate without corroboration or
verification.
2 Introduction
Introduction
The Horizon system has been used by POL since 1995. During this time it has processed many millions of
transactions across thousands of branches. Horizon is accredited by Payment Card Industry Data Security
Standard (PCI DSS) and ISO27001. It is currently used by more than 68,000 users across 11,500 POL branches
and is administered by Fujitsu as part of a managed service agreement. It is a key operational system for POL and
integrity of processing on the system is crucial to the day-to-day operations of the business.
POL is responding to allegations that the Horizon processing environment, used to record transactions in POL
branches, is defective and/or that the processes associated with it are inadequate.
In order to respond better to the allegations (which have been, and will in all likelihood continue to be, advanced in
the Courts), POL management want to demonstrate that the Horizon processing environment is robust and
operates with integrity, within an appropriate control framework.
In particular, management at POL has highlighted two key statements they would like to assess their comfort over
in response to the allegations, being:
1. That Sub-postmasters have full ownership and visibility of all records in their Branch ledger; and
2. That the Branch ledger records are kept by the system with integrity and full audit trail.
These statements have then been further sub-divided into the following statements:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
POL management have previously either been provided with or commissioned work (including independent
assurance reviews) into matters relating to Horizon’s operating environment and processing integrity. Documents
outlined in Appendix 3 have been provided to us and considered as part of the planning and delivery of our review.
Objectives and Activities Undertaken
The purpose of this report is to provide, based upon the information made available to us by you, an independently
produced summary of the Assurance Work undertaken over your current day Horizon processing environment and
make recommendations on further work that could be done to enhance these assurance sources.
The work we have performed to produce this report has included:
• Obtaining an understanding of the Allegations; POL's key risks in and internal controls over the Horizon
processing environment relevant to the integrity of processing; the measures in place to record and
preserve the integrity of system audit trails and other background matters that we may deem necessary to
complete our review;
• Obtaining an understanding of the key differences between the current Horizon processing environment
and the system which this replaced (hereafter referred to as the “Legacy System”);
• Reviewing, understanding and consolidating the Assurance Work (e.g. investigations, assurance activities
and remediation actions) which POL or third parties have undertaken;
• Holding discussions with relevant members of POL staff and other key stakeholders;
• Reviewing project documentation relating to the 2010 implementation of Horizon, in order to compare the
nature and extent of project governance and documentation with Deloitte's good practice project
management methodology;
• Preparing an initial schedule of Horizon Features and assessing the level of comfort over these provided
by POL's Assurance Work (including the use of a specialist to assess the design of the Audit Store's
tamper-proof mechanisms); and
• Recommending further activities that management could undertake to improve the assurance provision.
Scope limitations and assumptions are outlined in the Executive Summary above.
Understanding of Historical Issues and Concerns
As an initial step in building the requisite understanding of the historical context leading to this review, we
have reviewed the documentation provided by POL in order to understand the history of issues and concerns which
have been raised in relation to the system.
From the documents provided, we have identified the following matters which have helped to provide us with a high
level understanding of the nature and extent of the potential concerns with the Horizon processing environment,
and thus focus our work in certain higher risk areas:
Branch 14 Issue - Involved a processing error where historic accounting entries in the 2010/11 financial year were
replicated in accounts for 2011/12 and 2012/13.
Branch 62 Issue - Involved a Receipts and Payments mismatch in Horizon when discrepancies were moved into
the local suspense account (this is an account which aggregates all discrepancies into a single gain or loss for a
branch trading period).
Falkirk Issue - The Falkirk Anomaly occurred when cash or stock was transferred between stock units.
Spot Review Bible — This outlines a sequence of matters raised during the work performed by Second Sight over
the allegations raised over the Horizon system, and summary commentary on 10 issues within.
Lepton Detailed Spot Review Information (included within Spot Check Bible) — Detailed documentation has
also been provided in relation to Spot Review 1. The issue raised was that a Sub-postmaster will not be notified
about automatic reversals of transactions when not connected to the data centre.
Reflecting on the nature and substance of these issues, and documentation relating to their follow-up and
resolution, we have understood the importance of the audit trail to provide evidence relating to disparities between
Sub-postmaster accounts of events and subsequent investigations, based on audit trail evidence, by POL/Fujitsu.
As a result of the above understanding, our work relating to IT Provision and System Usage Assurance Work paid
particular (but not exclusive) focus on Information System Operations (IT environment processing), and business
processes controlling relevant key data flows (the key data flow for our assessment being that of the complete and
accurate transmission of data from the Counter system at the Branch to the Branch Database and subsequently
into the Audit Store).
3 Approach
In the absence of POL's own holistic risk assessment relating to the Horizon processing environment, key to our
assessment of sources of assurance has been the formulation of an initial “risk universe”, against which coverage
of the associated risks by the relevant sources of assurance can be assessed (“mapped”).
We have considered this risk universe across three key areas:
1. Control objectives and risks relating to the ‘System Baseline’.
2. Control objectives and risks relating to ‘IT Provision’.
3. Control objectives and risks relating to ‘System Usage’.
Risks relating to the System Baseline — these are risks that the original implementation project and other
changes performed under formal projects were not conducted in line with good project management practices, and
that detailed testing was not performed against agreed business requirements. These risks are governed and
controlled outside of day-to-day system operating procedures. Controls which mitigate these risks are often
referred to as “Project Controls” and “Inherent System Controls” (those designed and built into the IT system).
Risks relating to IT Provision — these are risks that the underlying IT activities, necessary to provide a system
that can run and be used with integrity, are not designed and operating effectively. Such risks relate to key day-to-
day IT management activities, relating to security, IT operations and system changes. Controls which mitigate
these risks are often referred to as “General Computer Controls”. Our work focussed on assurance provided over
Fujitsu’s activities in these areas.
Risks over System Usage - these are risks that key features of Horizon and corresponding business use
activities (processes), aiming to prevent or detect matters that would impact the integrity of processing, are not
designed, in place or operating as intended. These are the more detailed risks in relation to particular aspects of
capturing and processing transactions across the Horizon processing environment. Controls which mitigate these
risks are often referred to as “End User Controls”, “Application Embedded Controls” and “Process Controls”. Our
work focussed on the internal dataflows within Horizon (Counter to Branch Database to Audit Store, for example)
and we also considered the relevance of interfaces with other systems such as the DVLA.
In the context of these three areas of risk we have performed knowledge gathering activities in order to understand
the Horizon processing environment in sufficient detail to identify specific risk areas and those Horizon Features
identified to exert control over these risks.
1. Approach to Understanding of System Baseline Risks
In considering Baseline risks we have considered past iterations of and changes to the Horizon IT system, including:
• Any that led to changes to the Audit Store;
• The Horizon Implementation Programme in 2010-2011;
• The Data Strategy Foundation project in 2012 and 2013 (which updated the dataflows into Horizon from
certain third party transactional systems, including ‘Post and Go’ and ‘Paystation +’); and
• The original Horizon platform delivered in 1995.
2. Approach to Understanding of IT Provision Risks
Our understanding of IT Provision risks has been formulated through our understanding of the system via
documentation review and verbal discussion with supporting POL and Fujitsu SMEs. Due to the nature of the
System Provisioning risk areas, the formulation of this understanding has been mainly through interview with
Fujitsu and POL security team members.
3. Approach to Understanding of System Usage Risks
Our understanding of System Usage risks has again been formulated through documentation review and verbal
discussion with supporting SMEs to identify additional support areas. Due to the nature of the System Usage risk
areas, the formulation of this understanding has been mainly through interview with Fujitsu, POL Finance Shared
Services and POL Security team members.
4. Approach to Consideration of the Horizon Features
In the formulation of our risk universes across the three areas highlighted in 1 - 3 above we have considered the 5
key matters relevant to the Horizon Features as instructed by management:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets;
and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their
Branch ledgers.
5. Combining the Above
Following our assessment across these four areas, the diagram below (see overleaf) describes the key risks
identified within the Horizon processing environment. We have number coded the risks in the diagram below with (1)
corresponding to Baseline Risks, (2) corresponding to IT Provision Risks, and (3) corresponding to System Usage
Risks.
This diagram thus represents the framework of key risks that need to be controlled by Horizon Features and
appropriately assured in order to provide the comfort required by POL management.
[Diagram: Key assertions requiring assurance, to underpin confidence in processing integrity. Components shown: Counter, Branch Database, Centera Audit Server. Assertions shown (some partly illegible in the source):
• That major changes since implementation have not impacted the design features adversely.
• That assertions on this diagram are complete.
• That supporting IT processes are well controlled.
• That transactions from the Counter are recorded completely, accurately and on a ... (remainder illegible).
• That the Audit Store is a complete and accurate record of Branch Ledger transactions.
• That ... “Balancing Transactions” posted ... (text partly illegible).
• That data posted from other systems and teams is visible to and accepted by sub-postmasters.
• That information reported from the Audit Store retains original integrity.
• That DBAs or others granted DBA access have not modified Branch Database nor Audit Store data.]
It can be observed that the majority of the risks identified are System Usage risks, which is expected based on the
complexity of the IT processing landscape and the diversity and volume of transactions being handled.
Sources of Assurance Work relating to the Horizon Processing Environment
The diagram below summarises key examples of the Assurance Work reviewed and referred to as part of our
assessment.
[Diagram: End to End Horizon Processing Environment. Shows three risk areas (System Baseline Risks, IT Provisioning Risks and System Usage Risks) across Implementation and Branch Processing (e.g. FSC), with responsibility for ‘Processing with integrity’ (provision of a reliable system processing environment) and for ‘Usage with integrity’ (appropriate use and delivery of processes using the Horizon IT system). Assurance sources shown include ISAE3402, Internal Audit Reporting, Wipro Test Strategy Gap Analysis and the Gartner Report.]
When considering the sources of assurance over IT Provision Risks, System Usage Risks and System Baseline
Risks, a number of parties have been (and continue to be) involved in performing work over the Horizon
processing environment which contributes to the overall assurance management has over the correct operation of
the system.
Assurance Work from the following organisations, in addition to information provided from POL, have been
identified and considered in our work:
• Fujitsu, who designed, built and now operate Horizon;
• Bureau Veritas, who perform ISO27001 certification over Fujitsu's networks, including that of Horizon;
• Information Risk Management (IRM), who accredit Horizon to PCI DSS;
• Ernst & Young, who produce an ISAE3402 service auditor report over the Horizon processing environment;
and
• Internal audit, who perform risk based reviews within POL.
In considering the Assurance Work provided to us by management during the course of this engagement we have
considered whether each item constitutes assurance provided under an assurance engagement, as defined by IFAC, or
is a source of information that provides comfort in other ways. For the purposes of clarifying the Assurance Work,
we have assigned each document received to one of two classifications, defined as follows:
“Assurance” — The Assurance Work has been provided under an assurance engagement by an independent third
party, suitably qualified in the subject matter constituting the focus of the engagement to provide a valid opinion.
Sources of such assurance include:
• Internal Audit functions;
• External Audit; and
• Other third party reviews, not involved in the original design nor day-to-day operation of the system,
containing (a) a formal opinion, such as those performed in line with recognised standards such as
ISAE3402, or (b) no formal opinion (i.e. a report based on evidence and facts without interpretation).
“Other Sources of Comfort” — The Assurance Work is either not produced by an independent party, or not produced by an
individual who is suitably qualified in assurance engagements, or both. Other sources of comfort include:
• IT Project Documentation;
• Operational Documentation, such as policies, procedures and process / system information produced by
functional teams;
• Reviews or investigations performed by outsourcers (e.g. deep dives, diagnostics, spot reviews);
• Business peer group review teams and functions; and
• ‘Second line’ compliance teams.
In Appendix 3 we have documented all the Assurance Work we received and added our classification of those
sources by these two categories.
Summary of Work Performed
Based upon the concepts outlined above we have performed the desktop based work below (further detail of which
is outlined in our Engagement Letter shown in Appendix 4). We have not performed any testing to validate the
information provided to us as part of our work.
Step 1: Analysis and Review
• Activity 1. Documentation Review - We have reviewed a number of documents produced by several
different organisations in order to understand key matters relating to the Horizon system and the
Assurance Work available.
• Activity 2. Risk Universe Formulation - We have then, in the absence of a holistic risk assessment being
performed by POL and thus for the purposes of our assessment, created a risk universe based on our
experience of information processing systems encompassing the three primary risk areas previously
identified: IT Provision, System Usage and Baseline Risks. The five key matters for consideration outlined
by management were also considered during this process.
• Activity 3. Review of Assurance Work — The available documentation was reviewed in order to
understand the Assurance Work available to POL, against each of the three identified risk areas.
Step 2: Gap Analysis and Assessment
Based on the analysis in Step 1 we have produced:
• Activity 4. System Provisioning Assurance Assessments and Gap Analysis — Considering key potential gaps or areas of ambiguity in the available assurance sources when considering the System Provisioning risk universe.
• Activity 5. System Usage and Baseline Assurance Assessments and Gap Analysis — Assessing the documentation relating to System Usage Risks and then performing deep dives into the following areas of specific risk:
  o Horizon interfaces (including DVLA);
  o Branch Database;
  o Audit Store;
  o Horizon Implementation Project;
  o Audit Store Changes; and
  o Data Strategy Foundation project.
• Activity 6. Peer Comparison to Assurance Available to Similar Organisations — We have assessed the Assurance Work available to similar organisations over System Provisioning Risks (the area of risk where a benchmark is most valid due to the level of information available from POL) and assessed therefore whether POL has comparable levels of assurance.
Step 3: Reporting
The analysis and interpretation in Step 2 has allowed us to formulate:
• Activity 7. Produce an Assurance Schedule over Horizon Features, and Recommendations — Mapping control assertions, Horizon Features and Assurance Work and reporting on the level of comfort that we have assessed in each of these areas. Identification of the key considerations for management arising from our analysis and a plan of action to respond to these recommendations.
A more detailed description of the activities performed follows.
Activity 1: Documentation Review
All of the documentation reviewed during the course of our review has been documented within Appendix 3. This documentation can be divided into the following classifications:
• Technical documentation on the Operation of the Horizon System — Reviewed in order to gain a deeper understanding of how the Horizon system works, how complex it is, and where we should be focusing further efforts and analysis;
• Independent Third Party Assurance documentation — This documentation has been reviewed in order to understand the existing assurance sources relevant to the environment;
• Documentation of Historical Issues and Allegations in relation to the Horizon System — This documentation has been reviewed in order to understand the background context and better position the IT Provision, System Usage and Baseline System risk work performed over the environment; and
• Service Provider Analysis and Response to Issues — This documentation has been reviewed to gain an understanding of the work performed by Fujitsu in investigating the issues raised, and how these will be responded to.
A number of individuals from POL have been interviewed during the course of formulating this report to supplement
our understanding from the provided documentation.
Activity 2: Risk Universe Formulation
System Baseline Risk Universe
The original implementation of Horizon in 1995, together with subsequent changes (whether routine via change
management processes, or large complex change programmes such as the Horizon system implementation in
2010-11), represent events affecting Baseline System Risk.
To assess these risks we have understood the history of the Horizon system and selected three areas for more detailed investigation:
• Horizon Implementation;
• Data Strategy Foundation project; and
• A sample of changes to the Audit Store (subsequent to determining that this key risk area for the system had been left largely untouched by the key implementation events highlighted in the previous two bullets).
For each of these change areas we have assessed the Assurance Work from a governance and control perspective, and POL's ability to take comfort that the Horizon system was fit for purpose at the time of the change and operated in line with management intentions (through business requirements definitions and project testing against these).
IT Provision Risk Universe
This risk universe was formulated from our prior experience of auditing and assuring information systems and
involved the identification of high level risks across three core areas:
• Information Security;
• Information System Operations; and
• Change Management.
Once the IT Provisioning risk universe had been formulated, a mapping of control objectives within the Assurance Work was performed in order to assess coverage.
The three sources of assurance included within this mapping were:
• ISAE3402 report on the Horizon managed service;
• PCI DSS compliance report on Horizon; and
• ISO27001 Statement of Applicability.
System Usage Risk Universe
As POL has not conducted a holistic assessment of risk in this area, a full understanding and assessment of assurance over the System Usage risk environment was not available for our review.
Instead we focussed our assessment on two key areas of risk: those relating to the completeness and accuracy of the Audit Store and the Branch Database, and key system interfaces with a significant third party, such as the DVLA.
We sought to understand the Assurance Work that has been done against each of these areas.
This involved:
• Enquiry with relevant SMEs;
• Review of documentation;
• Formulation of a risk universe in these specific areas; and
• Understanding of existing assurance work over controls which mitigate these risks.
Horizon Features
Across each of the three risk universes we identified features within the processing environment that exert control
and provide that:
1. Horizon only allows complete baskets of transactions to be processed;
2. Baskets being communicated between Branch and Data Centre are not subject to tampering before being
copied to the Audit Store;
3. Baskets of transactions recorded to the Audit Store are complete and ‘digitally sealed’, to protect their
integrity and make it evident if they have been tampered with;
4. Horizon’s Audit Store maintains and reports from a complete and unchanged record of all sealed baskets; and
5. Horizon provides visibility to Sub-postmasters of all centrally generated transactions processed to their Branch ledgers.
We refer to these identified features as the “Horizon Features” and identification of these features in response to
the matters for consideration listed above was a core component of our work.
Activity 3: Review of Assurance Work
With the background context of the three risk universes outlined within the previous section, we reviewed the
available Assurance Work in order to assess the coverage and nature of the comfort provided by the work.
The documentation reviewed during this stage has been listed within Appendix 3, as are the names of individuals
consulted in relation to our work.
Activity 4: System Provision Assurance Assessments and Gap Analysis
Once the System Provisioning risk universes had been formulated, a mapping of control objectives within each of the main assurance sources was performed in order to assess coverage. The three sources of assurance included within this mapping were:
• ISAE3402 report on the Horizon managed service;
• PCI DSS compliance report on Horizon; and
• ISO27001 Statement of Applicability.
The results of this mapping exercise are summarised within Section 5 and reproduced, in detail, within Appendix 1.
In parallel to this assurance exercise we have also summarised key matters relating to each assurance source.
This involved considering the context and focus of the relevant Assurance Work and comparing these to the
context and focus that would be required for coverage of the key risks (this was in recognition of the risk that some
of the documents could be used or applied out of context from their original purpose).
Activity 5: System Usage and Baseline Assurance Assessments and Gap Analysis
Following our understanding of the system and historical issues, the following areas were singled out as relevant for deeper analysis, and this approach was agreed with POL management:
1. Audit Store — The audit store has been used frequently in investigations by POL / Fujitsu and is used as supporting evidence during legal proceedings. Therefore its integrity is paramount to responding to these issues. However the audit store cannot be relied on in isolation, as its integrity is dependent upon the correct processing of transactions by the wider Horizon system (upstream events, if processed incorrectly, will be recorded incorrectly by the audit store).
2. Horizon interfaces (including DVLA) — Horizon is reliant on a significant number of batch processes and online services (including interfaces with third party systems) in order to function correctly. These routines need to be functioning correctly and accurately for the transactions processed by the system, and ultimately recorded in the audit trail, to be reflective of the underlying commercial realities and business transactions they purport to represent.
3. Branch Database — The Branch Database is a key ‘staging post’ for data being transacted on counters within individual branches prior to transmission onwards to the Audit Store. As data from branches is held within the messaging journal table on this system for up to a day before being processed into the Audit Store, the security controls and processes protecting the data whilst in temporary storage here are paramount.
4. Horizon Implementation Project — This change represented the largest single change to the Horizon system since implementation, and also the change implemented prior to adoption of the current major release of the system, and so was considered of particular relevance to our overall understanding of Baseline System risk.
5. Audit Store Changes — Our understanding of the HNG-X Implementation Project quickly highlighted that this project had very little impact on the Audit Store itself. As a result we performed procedures to understand some of the changes which had been made to the Audit Store following its original implementation.
6. Data Strategy Foundation Project — We determined during the course of our work that this was another key implementation project in the recent history of the Horizon system, of particular relevance to a sub-group of the system interfaces on Horizon. This project was therefore also deemed key for our understanding of system Baseline risk.
For each of the areas outlined in 1 - 6 above an assessment was made of the coverage and nature of the
Assurance Work provided.
For areas 1 - 3 (System Usage Risks) the functionality of the particular area was further understood and key
controls over the corresponding risks then sought.
For areas 4 - 6 (System Baseline Risks) we adopted a different approach, whereby the typical good practice documentation requirements and project governance methods as stipulated by ‘Prince 2’ (amongst others) were utilised as a baseline, and the approach to each of the sampled change initiatives was assessed from the available documentation. This work was conducted through a mixture of verbal discussion and the receipt of supporting evidence where applicable.
Activity 6: Peer Comparison to Assurance Available to Similar Organisations
As part of our analysis we have also assessed whether the IT Provision assurance POL has obtained is proportionate to that provided to similar organisations.
We have also considered the best practice approach outlined by the COSO framework, as published by The Committee of Sponsoring Organisations of the Treadway Commission, in formulating suggestions for potential areas of improvement in the risk, control and assurance activities of POL.
[Figure: The COSO Cube, showing the components Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Caption: The COSO Cube presents a framework for best practice approaches to risk, controls and assurance activities.]
Activity 7: Produce an Assurance Schedule over Horizon Features and raise
Recommendations and Plan of Action
We have written up our assurance schedule, which maps the Assurance Work to specific controls relating to the Horizon Processing Environment, and commented on the level of comfort that the Assurance Work provides in each area.
Our report also contains recommendations for management together with a suggested plan of action for
management consideration.
4 Understanding the Horizon Processing Environment
Overview of the Processing Environment
The Horizon IT system was designed specifically for POL, and therefore an understanding of its operations, processing environment and configuration was required in order to fully quantify the risks applicable to the IT components of the processing environment.
Horizon has been the main operational system of POL since 1995 and:
• Has a user base of 68,000 users;
• Has terminals within 11,500 branches;
• Processes an average of 6 million transactions a day; and
• Interfaces with over 20 third party systems.
As highlighted in our ‘Approach’ section above, we have categorised the risks posed on the system into three
distinct areas (System Baseline Risk, IT Provision Risk and System Usage Risk), and the remainder of this section
outlines our understanding of the IT system that underpins these.
System Baseline Risk
Horizon (HNG-X) Project
The change to the HNG-X system in 2010 was governed using Royal Mail's “Harmony” project methodology (the governing project standard at the time). The project saw the phased implementation over 18 months of the HNG-X solution (also known as “Horizon On-Line”). Individual POL Branches were migrated from the Legacy System to the new HNG-X system, one by one.
No historical data was migrated, although six months of data was maintained within the Legacy System. Our review of Assurance Work shows that a number of key controls were operated over the project, which was managed by Fujitsu on behalf of POL. These included:
• POL signing off acceptance criteria;
• A phased migration including a model office pilot; and
• Branch by branch reconciliation between opening balances on the new system and closing balances on the legacy system.
Wipro, an independent third party, were commissioned to provide a report on the performance testing strategy including gap analysis and recommendations, and Gartner provided an assessment of the overall system design and strategy.
The benefits from the migration included the removal of transactional data being held at local branch level, with this data instead being stored centrally within the data centres.
Data Strategy Foundation Project
The project focused on moving the Accounts Payable file feed which was initially received into Credence via
Transaction Integrator to processing via Fujitsu Horizon systems (i.e. not the Counter). The goal of the project was
to provide a longer term system solution which would provide complete reconciliation, resilience and disaster recovery capabilities, as well as reduce the risk of client withdrawal.
The POL strategic requirements to expand its offerings to other platforms beyond Horizon introduced the requirement for a data integrator function. Originally POL approached Fujitsu Services to supply this service, as plans to incorporate an integrator service within the Horizon architecture were considered to represent a clean solution. However, Fujitsu Services were unable to respond within the desired timescales as it would have diverted their resources from key Horizon on-line delivery milestones.
POL therefore investigated alternative options, finally selecting the use of IBM DataStage as the Transaction Integrator. This was delivered as part of the POLMI project. Fujitsu Services then submitted a high level design proposal for the provision of a service for processing client transaction files which would provide end-to-end data validation / reconciliation, with resilience and DR (the incumbent IBM DataStage solution did not provide resilience, DR or end-to-end reconciliation, presenting a threat to relationships and future contracts).
Assurance Work provided included:
• Project overview document;
• Business Case;
• Weekly Project Meeting Committee Presentation;
• Business Requirements;
• Test Strategy;
• Test Sign off; and
• Test Report.
Audit Store Changes
In assessing change risks in relation to the Audit Store, documentation has asserted that the recent significant changes above did not result in significant changes to the operation of the day-to-day Counter transaction flows or the operation of the Audit Store.
To assess Baseline risk for the Audit Store, the original implementation documentation for the Audit Store was requested. Due to the data retention policy this documentation could not be provided, and so a review of Fujitsu-provided documentation over subsequent changes across a large period of the Audit Store’s history was performed.
In producing the diagram on page 9, we have considered the key System Baseline Risks in the context of two
control assertions below, which became the overall focus of our work in this System Baseline area:
• The Horizon Features were fit for purpose and worked as intended when first implemented; and
• Major changes since implementation have not significantly impacted the Horizon Features.
IT Provision Risk
As part of our work, through review of documentation and discussions with subject matter experts in POL, we familiarised ourselves with the topology and operations of the Horizon IT system.
The systems documentation and understanding obtained (shown in summary in diagrams below) highlights the
complexity of the Horizon IT system and the level of data being transacted via batch and real-time data flow. This
volume and level of complexity in the data flows, including interactions with other systems, highlights the
importance of effective IT Provisioning controls to the integrity of the processing environment.
[Diagram provided by Post Office Limited: Horizon architecture. Layers shown: External Systems (message-based clients and external web services); Data Centre (persistent store, and a Branch Access Layer providing authentication, recovery and service routing, with routing and load balancing via the CSM network); Branch Estate (counters).]
The Horizon IT system is built in line with the key principle that all data is held centrally within the data centre, with the exception of some standing data which is held locally within the branch. This centralisation principle applies to all ‘completed’ transactional data (known as “baskets”) and to the Audit Store.
To support this principle the network architecture of Horizon is formulated on:
• Data centre;
• WAN Services (connecting datacentres, POL central sites, and Fujitsu sites); and
• Branch Network.
The diagram below provided by Fujitsu shows the high level IT system infrastructure:
[Diagram provided by Fujitsu: high level IT system infrastructure. Shown: Client Systems, Post Office Systems, Fujitsu Support Sites and Test Sites; main and backup data paths, Support WAN and Test Access; DMZ; Primary and Secondary Data Centres; branch connectivity for Small, Large and Mobile Branches via broadband, VSAT and a GPRS/EDGE backup router and dish.]
The IT system is hosted on Bladeform technology with systems software being provided by:
• Windows 2003 Server (Enterprise and Standard, 32Bit and 64Bit);
• Red Hat Enterprise Linux (Release 4, 32Bit and 64Bit);
• Solaris 10 (Discrete platforms only); and
• Windows XP, Windows 2000 and Microsoft NT operating systems for some legacy services.
A number of internal and external interfaces are necessary for the reliable day-to-day processing of the IT systems, and hence for the integrity of the Horizon Features which control these activities and interfaces, which is key to the effective operation of the overall system.
External interfaces include (not an exhaustive list):
• DVLA;
• Lottery; and
• Bank Payment Channels (Vocalink, e-pay, Streamline).
Internal interfaces include (not an exhaustive list):
• Paystation;
• POL SAP;
• Pay and Go; and
• ATMs.
A number of batch processes also run to facilitate successful processing by the system.
Managing the processing of the real-time and batch processing environment is Tivoli Workflow Scheduler (TWS)
which is used to execute, monitor and handle exceptions within the processing environment. TWS is managed and
monitored by Fujitsu as part of the managed service contract between the two parties.
In producing the diagram on page 9, we have considered the IT Provisioning risks in the context of the following assertion:
• Supporting IT management processes are well controlled.
System Usage Risk
Responsibility for the administration of the system rests with Fujitsu who provide change control, security
management, system operations, and end-user support.
Responsibility for the effective usage of the system, including compliant and effective business processes, remains the responsibility of POL.
The user base of Horizon can be subdivided into two core areas:
• Central Users — including Finance, and users at the Network Business Support Centre.
• Branch Users — Sub-postmasters and their staff who are processing shop floor transactions.
Outside of the POL user base, Fujitsu provide administration services, and hold service and super user account
privileges within the system.
Horizon supports the processing of a multitude of different transactions including:
• Purchases of goods;
• Purchases of services (for example Lottery tickets or tax discs);
• Payments to discharge customer debts (payment of mobile phone bills for example);
• Refunds; and
• Transaction corrections.
Several transaction mediums are accepted, for example:
• Cash;
• Credit and debit cards; and
• Cheques.
A number of controls are in place to support the integrity of transactional processing including:
• The Audit Store, a secure area of Horizon which purports to store all transactional information in sequentially numbered records, along with key system events;
• Monitoring controls facilitated by Tivoli Workflow Scheduler and associated exception handling processes;
• Handshakes and call-offs between systems, which include various controls around the integrity of transmitted data (such as digital signatures); and
• Backup communication routes between branches and the central data centre (mobile technology).
Reconciliations are performed regularly both in branch and centrally. Key reconciliation processes carried out
include:
• Daily branch cash declaration and reconciliation to Horizon balances;
• Weekly balance of cash and stock and reconciliation to Horizon balances;
• Monthly trading period roll over (including resolution of any suspense account issues rolling over from weekly or daily reconciliations); and
• Central finance processes to reconcile central records to cash remitted to POL, cheques remitted to POL etc.
In response to discrepancies arising from these reconciliation processes, investigations may be conducted by the Finance Service Centre and, if required, transactional corrections processed. These corrections are subject to significant investigation and are subject to approval by Sub-postmasters in the first instance.
Workarounds are not usually required, the main workaround being in relation to mobile connections from branch to data centre in the event that the main connection to the central data centre cannot be utilised.
In producing the diagram on page 9, we have considered the primary System Usage risks in the context of the
questions posed within the scope of our work, and refined these risks into the following control assertions:
• Transactions from the Counter are recorded completely, accurately and on a timely basis centrally;
• Transactions processed to Branch Ledgers are recorded completely and accurately in the Audit Store;
• Directly posted "Balancing Transactions" are visible and approved;
• Information reported from the Audit Store retains its original integrity;
• Data posted from other systems and teams is visible to and accepted by sub-postmasters; and
• Database Administrators (DBAs) or others granted DBA access do not modify data directly.
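The Audit Store control described above (all transactional information held in sequentially numbered, digitally sealed records) and the assertions that Audit Store information retains its original integrity and that DBAs do not modify data directly can be exercised with a verification routine. The following is an added example and is not Post Office or Fujitsu code; the report does not describe Horizon's actual sealing mechanism, so the record layout, the HMAC chaining, the key and the sample baskets are constructed assumptions for illustration.

```python
"""Illustrative integrity checks over a sealed, sequentially numbered audit store.

Added example, not Post Office or Fujitsu code. The report does not describe
how Horizon seals baskets, so the record layout, the HMAC chaining and the
sample baskets below are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json

# Constructed key for the illustration only. The point of a seal is that the
# key is not available to anyone who merely holds DBA access to the records.
SEAL_KEY = b"constructed-demo-key"
GENESIS_SEAL = "0" * 64


def seal_record(seq, prev_seal, payload, key=SEAL_KEY):
    """Seal one record by binding its content to its sequence number and predecessor."""
    body = json.dumps(
        {"seq": seq, "prev": prev_seal, "payload": payload}, sort_keys=True
    ).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal_baskets(baskets, key=SEAL_KEY):
    """Write completed baskets as sequentially numbered, sealed audit records."""
    records = []
    prev = GENESIS_SEAL
    for seq, basket in enumerate(baskets, start=1):
        payload = copy.deepcopy(basket)  # the store keeps its own copy of the basket
        seal = seal_record(seq, prev, payload, key)
        records.append({"seq": seq, "prev": prev, "payload": payload, "seal": seal})
        prev = seal
    return records


def verify_audit_store(records, key=SEAL_KEY):
    """Check completeness (no gaps or reordering) and integrity (every seal verifies).

    Returns a list of findings; an empty list means the record set verified cleanly.
    """
    findings = []
    expected_seq = 1
    prev = GENESIS_SEAL
    for rec in records:
        if rec["seq"] != expected_seq:
            findings.append(f"sequence gap: expected {expected_seq}, found {rec['seq']}")
            expected_seq = rec["seq"]
        if rec["prev"] != prev:
            findings.append(f"record {rec['seq']}: predecessor seal mismatch (chain broken)")
        expected_seal = seal_record(rec["seq"], rec["prev"], rec["payload"], key)
        if not hmac.compare_digest(expected_seal, rec["seal"]):
            findings.append(f"record {rec['seq']}: seal does not verify (content modified)")
        prev = rec["seal"]
        expected_seq += 1
    return findings


# Constructed sample baskets for one branch: a sale, a service and a refund.
CONSTRUCTED_BASKETS = [
    {"branch": "B001", "items": [{"product": "stamps", "amount": 6.00}], "tender": "cash"},
    {"branch": "B001", "items": [{"product": "tax disc", "amount": 145.00}], "tender": "card"},
    {"branch": "B001", "items": [{"product": "refund", "amount": -6.00}], "tender": "cash"},
]


def demo_direct_edit():
    """A value changed in place after sealing fails the seal on that record only."""
    records = seal_baskets(CONSTRUCTED_BASKETS)
    records[1]["payload"]["items"][0]["amount"] = 14.50
    return verify_audit_store(records)


def demo_missing_record():
    """A deleted record shows up as both a sequence gap and a broken chain."""
    records = seal_baskets(CONSTRUCTED_BASKETS)
    del records[1]
    return verify_audit_store(records)


if __name__ == "__main__":
    print("clean store:", verify_audit_store(seal_baskets(CONSTRUCTED_BASKETS)))
    print("direct edit:", demo_direct_edit())
    print("missing record:", demo_missing_record())
```

Chaining each seal to its predecessor is what turns a per-record integrity check into a completeness check as well: a record removed from the middle of the store is reported even though every remaining seal still verifies on its own.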
5 Assessment of Assurance Sources
IT Provision Risk Assurance Sources / Gap Analysis
For the IT Provision risks the existing assurance sources appear to provide a good level of coverage over the risk
universe associated with this area of the Horizon processing environment.
Our high-level analysis of this coverage against the three core risk areas is as follows:
Coverage matrix (columns: Information Security; Information System Operations; Change Management):
• ISO27001 Statement of Applicability
• ISAE3402 Report
• PCI DSS Report
[The coverage ratings shown in the original matrix are not reproduced in this extract.]
Detailed analysis at an objective level is included within Appendix 1.
In considering this assessment, POL management should be cognisant of the inherent limitations of each report,
given the purpose for which it was written:
Limitations / Factors to Consider
ISO27001 Statement of Applicability: This document has been produced by Fujitsu, limiting its value from an independence perspective. It should be noted however that it is supported by an independent assessment of ISO27001 compliance by Bureau Veritas, an accredited certification provider. The main focus of ISO27001 is on security, although it does also focus (to a lesser degree) on the other core IT Provision risk areas, Change Management and Information System Operations.
ISAE3402 Report: This document has been produced by an independent third party, Ernst and Young. It has good coverage of all three IT Provision risk areas, and is produced according to testing standards stipulated within the ISAE3402 standard. In relying on this report management has considered ‘Section 6 Complementary User Entity Controls’, which stipulates the controls that POL should be operating in addition to the controls at Fujitsu in order to complete the control environment over Horizon.
PCI DSS Report: The scope of the PCI DSS report is the narrowest of the three assurance reports. It is focused exclusively on the security of cardholder data, and does not span the other two IT Provisioning risk areas to the degree of the other assurance sources. It provides minimal coverage in particular of the Information Systems Operations System Provisioning risk.
Of note when considering coverage of IT Provision assurance sources is that the majority of the focus is over Information Security, whereas based upon the historical issues and allegations being levelled at the system,
Information System Operations and Change Management would appear to be higher risk areas in the context of
this particular piece of work.
Peer Comparison of IT Provision Assurance Available to Similar Organisations
Our comparison to peer organisations yielded the following results:
Organisation Sector | Sources of Assurance | Regulatory Focus
Print Media | External Audit; Ad-hoc Risk Consultancy | N/A
Retail | External Audit; Internal Audit | FCA (CCA)
Retail | External Audit; Internal Audit; PCI DSS | FCA (CCA); Loan Loss Provisioning Reporting
Retail and payments processing | External Audit; Internal Audit | FCA
Government | External Audit; Internal Audit; PCI DSS; Risk | Data Protection
This highlights that the level of IT Provision Assurance Work that POL has performed is comparable to that in other
similar organisations which are not subject to risk and control regulatory requirements.
This should however also be interpreted in the context of the allegations being made against the Horizon
processing environment which may suggest that a higher level of assurance is warranted compared to these
similar organisational benchmarks.
Baseline Risk Assurance Sources / Gap Analysis
Our assessment of Baseline Risk was based upon three core scope areas:
• Horizon Project;
• Data Strategy Foundation Project; and
• Audit Store Changes.
For each of these scope areas we queried relevant POL and Fujitsu personnel in order to understand the project and change governance documentation available, and to form an assessment as to the project controls applied to these change events, compared to Deloitte’s Project Management methodology.
Our findings are as follows:
Baseline Risk Area: Audit Store
Assurance Work Information Provided: Changes to Horizon, such as the migration to HNG-X in 2010, involved minimal changes to the operation of the Audit Store. As a result these large scale projects are of minimal interest with regards to establishing a Baseline Risk position in relation to the design and functioning of Horizon Features relating to the Audit Store.
Some small changes have been made to the Audit Store in more recent years. Samples of documentation correlating to changes throughout the years the Audit Store had been in place were requested in order to understand whether these changes to the system had been managed to good practice standards.
Further, at the point of implementation of the Audit Store, verbal representation was provided that a ‘Security Report’ was produced which purported to demonstrate that the functionality of the system was as designed. This would be a key piece of Assurance Work, demonstrating the correct functionality of the Audit Store at that point in time, but it could not be located by POL and thus could not be reviewed as part of our work.
Baseline Risk Area: HNG-X Implementation (2010)
Assurance Work Information Provided: Detailed business and technical design documents have been verbally represented to have been created during the delivery of the project life cycle.
Detailed test plans, MI, Defect Management and other key testing artefacts were produced during the course of the project. Several acceptance criteria related to the closure of testing defects. Examples of testing documentation have been provided to our review team during the course of our work.
Migration checklists and instructions have been provided. These illustrate that site visits would be conducted during the migration to support the Sub-postmaster with the migration and support the resolution of any queries.
We have been provided with verbal representation that detailed project acceptance criteria were agreed between Fujitsu and POL, and then signed off during the lifecycle of the project. An example of such acceptance criteria in relation to Non-Functional Requirements has been provided to us to support this verbal representation.
Baseline Risk Area: Data Strategy Foundation Project
Assurance Work Information Provided: Detailed business and technical design documents have been verbally represented to have been created during the delivery of the project life cycle.
Assurance Work was provided to demonstrate business scoping and approval of changes to be applied (including a benefits, realisation and costings map), a requirements tracker document, testing strategy plan, testing report plan and migration summary documents. We were also provided with an example of the weekly reporting process at project close which demonstrated the level of governance and oversight the project had from senior stakeholders.
Summarising the work we have performed against Baseline risk, we conclude that for each sampled change, Assurance Work has been produced in accordance with defined change management or project methodologies.
We have not, however, been furnished with all key items of documentation we would have liked to review, due to the availability of such documentation to POL, and much of the Assurance Work provided to us consisted of confirmations of verbal representations made during our work.
Further work will be required to perform a ‘deep dive’ review of project and change documentation on particular high risk areas (for example the original implementation of the Audit Store, and acceptance criteria sign off for the Branch Database commissioning as part of the Horizon HNG-X Implementation project), in order to provide assurance that the system baseline positions were appropriately implemented and tested (the timeframes of such positions varying depending on the component of the system under investigation).
Assessment of Assurance against System Usage Risk Areas
Our assessment in each of these areas is based upon information contained within system documentation from Fujitsu and operational policy and procedure documentation from the finance service centre, as well as emails confirming verbal assertions we received during the course of our work.
No testing or independent sources of assurance were identified over these System Usage risk areas.
Our understanding of the design of Horizon Features responding to key risks is a core output of our work and is outlined within Appendix 2, where we have provided a documentary listing of all of the Horizon Features.
6 Matters for Consideration
In this section we set out our key matters for management consideration, further to the work we have performed above.
We have structured this section as follows:
• Key Matters for Consideration, by Risk Area reviewed;
• Factors to Consider in Formulating an Action Plan; and
• Proposed Action Plan.
Key Matters for Consideration
(Columns in the source table: Risk Area; Key Matters for Consideration; Nature of Assurance Work.)

(1) General
Nature of Assurance Work: N/A
a. Risk Appetite: During our work, only occasional linkage of work to the risk appetite of POL was noted. Whilst not unusual in the consumer business sector, such articulation and embedding of risk appetite assists with the delivery of better optimised and prioritised key controls and assurance activities.
b. Holistic Risk and Assurance Framework: A holistic, risk intelligent assessment relating to the identification and mitigation of key risks to the integrity of processing should be considered in order to validate the completeness of the Horizon Features referred to in our work and thus provide a complete schedule of key controls that require assurance. Whilst Assurance Work has been provided demonstrating the use of key forums for tracking the risk environment surrounding Horizon (such as the Information Security Management Forum and Fujitsu Services Security Reports), these are not set up to specifically consider the holistic risk and assurance framework necessary to enable an overall comment on the design, implementation and operating effectiveness of the Horizon Features.

(2) System Baseline
Nature of Assurance Work: Verbal representations; limited documentation
a. Project Governance: Governance procedures described to us (verbally) suggest that the expected levels of business involvement in pre-go-live system and user acceptance testing are performed as part of system implementation projects over the Horizon IT system, and that business users would be appropriately involved in signing off system requirements and readiness to go-live (full system reconciliations). To supplement these verbal assurances, management has provided us with samples of documentation from the three sampled change areas (Horizon Implementation, Data Strategy Foundation, and Audit Store changes). Despite these sources of evidence, management should consider whether further investigations into sources of assurance from the original Horizon implementation would be worthwhile, given the importance of establishing a well-founded baseline position over the Horizon Features.
b. Audit Store Baseline: The implementation of Horizon HNG-X in 2010-11 was asserted to not have had a significant impact on the Horizon Features. In particular no changes were made to the Audit Store as a result of the implementation. Therefore the ‘baseline’ position for the Audit Store was established as being at the original implementation of the Horizon IT system. Key documentation around the baseline position for the Audit Store has not been able to be provided to us during the course of our work. We note that a security report was verbally represented to us to have been commissioned during the original implementation of the Audit Store, although this report could not be located and provided to us.
(3) IT Provision
Nature of Assurance Work: Extensive documentation; independent testing
a. End User Entity Control Considerations: The ISAE3402 report requires interpretation in the context of these controls at POL. They are outlined in section 6 of the ISAE3402 report. Without such analysis, the assurance provided by the ISAE3402 is weakened. We are aware that POL has nearly completed work in order to address such considerations.
b. Assurance Clarifications: In the context of detailed testing and assurance procedures, there are areas of the ISAE3402 report which would benefit from further clarification, in order to remove the risk of ambiguity from its interpretation, and overlaps with other sources of assurance that may be performed. For example:
• the report does not state from where populations of data tested in samples were obtained and thus how exposed conclusions may be to internal fraud or deliberate override of control (e.g. for change management testing, were samples picked from the population in the secure Audit Store, or from another source?);
• the report does not draw out certain key features in the control design, which we would assume are present; for example, control objective 4.8.11 (relating to access to the system being restricted to appropriate users) does not explicitly state and test that users must have and use their own unique username, thus underpinning audit trail integrity; and controls relating to the management of administrator access could be more specific as to the extent and nature of the design of controls and testing performed;
• the report is not explicit in the sample sizes used for testing; and
• the report contains tests which could be strengthened; for example, control test 6.5 in section 7 appears to test through discussion with personnel only, without clarifying if anything was done to corroborate such verbal assertions.
c. Internal Audit Work: Internal audit work conducted highlights progress in responding to and closing down issues in relation to internal audit risks, but a number of issues remain outstanding. Internal audit have also not done any specific assurance work over the allegations being raised on the Horizon system and POL's response to the issues raised.

(4) System Usage
Nature of Assurance Work: Partial documentation
a. Risk Driven Considerations: The current documentation over System Usage Risks has been largely written in response to key incidents and events, by non-independent parties and from operational perspectives. Whilst detailed, it is also not written from a risk and assurance perspective and is rarely evidential in its content.
b. Risk and Control Framework: There are areas where an understanding of the design and nature of operations relating to System Usage Risks is available, but the design, implementation and operating effectiveness of key controls has not been aggregated into a risk driven framework nor formally assured through evidence based testing. Further, the ability of documentation to fully support information relating to the detailed design of controls relating to System Usage Risks is unclear (e.g. whilst JSNs are sequential, is there a systems operations control which checks the completeness of this sequence proactively?). The Schedule of Assurance over Horizon Features we have formulated as part of our work (and documented in Appendix 2) provides a basis for such a risk and control framework, as well as targeted testing over key controls. Management should consider enhancing their assurance provision by verifying the completeness of this schedule, and conducting implementation and operating effectiveness testing of the key controls therein.
c. Interfaces - DVLA: Whilst environmental risk relating to system operations is largely assured in the ISAE3402, we note that no evidence of specific or detailed testing or assurance work has been carried out over System Usage Risks relating to the DVLA interface (both IT and business in nature). We note that many interfaces observed do not relate directly with the Horizon Features in scope for this review, but we recommend that such activities be considered for inclusion in the overall risk and control framework relating to the Horizon processing environment.
d. Audit Store: We observed the following:
• It is not clear from the documentation we have been provided whether POL has agreed that the current capturing of certain key system events is complete and appropriate for potential governance and investigation needs;
• We have not identified controls which formally report, review and consider the impact and resolution of any exceptions identified during the Audit Store extraction process, nor reconcile the data from other reporting systems in the business to those data sets contained within the Audit Store;
• Investigatory work on the Audit Store has all been performed by Fujitsu who, whilst technically qualified, do not constitute an independent or risk experienced party for assurance driven purposes. POL could consider doing more independent analysis of Audit Store historic data to verify that it is recorded in line with expected characteristics; and
• From the documentation we have reviewed, controls to assess that the digital signature is valid and verify that there is a complete sequence of JSNs are retrospective. No proactive checks were documented which describe the performance of such verifications prior to the copying of data to the Audit Store.
e. Proactive monitoring of key System Usage Risks: The current assurance environment appears to be “reactive” in nature, with exceptions in processing triggering diagnostic and remediation activity only when reported. It would appear that no use is being made of the Audit Store for proactive monitoring of unusual or exceptional system events potentially worthy of further investigation and action.
f. Hardware controls over the Audit Store: The Centera EMC devices used to host Audit Store data have not been configured in the most secure EC+ configuration. As a result system administrators on these boxes may be able to process changes to the data stored within the Audit Store, if other alternative software controls around digital seals and key management are not adequately segregated from Centera box administration staff. Privileged access to the cryptographic solution around digital signatures, and publicly available formulas on MD5 hashed digital seals, would potentially allow privileged users at Fujitsu to delete a legitimate sealed file and replace it with a ‘fake’ file in an undetectable manner.
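Matters d and f above describe seal and JSN sequence checks that are only retrospective, and the risk that a seal based on a publicly known hash formula can be recomputed by anyone able to rewrite the stored file. The following Python is an added illustration, not Post Office or Fujitsu code and not a description of how Horizon or the Audit Store actually seal their data: it runs the JSN contiguity and seal checks proactively over a batch before archiving, and contrasts an unkeyed MD5 seal with a keyed HMAC seal whose key is held outside the storage administrator role. The record layout, the seal algorithms, the key and the sample batch are all assumptions.

```python
"""Proactive integrity checks on a batch of journal records before they are
copied to an archive such as the Audit Store.  Added illustration, not Post
Office or Fujitsu code, and not how Horizon seals its data; the record
layout, the seal algorithms, the key and the sample batch are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class JournalRecord:
    jsn: int       # journal sequence number, expected to be contiguous per batch
    branch: str
    payload: str   # serialised transaction content
    seal: str      # hex digest attached by the sealing process


def unkeyed_seal(payload: str) -> str:
    """Seal = public hash of the content (MD5 here, as in the text).  Anyone
    who can rewrite the stored file can recompute it, so it detects accidental
    corruption but not deliberate replacement."""
    return hashlib.md5(payload.encode()).hexdigest()


def keyed_seal(payload: str, key: bytes) -> str:
    """Seal = HMAC-SHA256 under a key.  Only holders of the key can produce a
    valid seal, so a replacement by someone without the key is detectable,
    provided key custody is segregated from storage administration."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def check_batch(records: List[JournalRecord], key: bytes) -> List[str]:
    """Run before the copy to the archive.  Returns human-readable exceptions;
    an empty list means JSNs are contiguous without duplicates and every
    seal verifies under `key`."""
    exceptions: List[str] = []
    seen = set()
    for rec in records:
        if rec.jsn in seen:
            exceptions.append(f"duplicate JSN {rec.jsn} at branch {rec.branch}")
        seen.add(rec.jsn)
        if not hmac.compare_digest(rec.seal, keyed_seal(rec.payload, key)):
            exceptions.append(f"seal mismatch on JSN {rec.jsn}")
    if seen:
        for missing in sorted(set(range(min(seen), max(seen) + 1)) - seen):
            exceptions.append(f"gap: JSN {missing} missing from batch")
    return exceptions


def substitution_detected(seal_is_keyed: bool) -> bool:
    """Worked comparison for the scenario in matter f: a stored record is
    deleted and a 'fake' one written in its place, resealed with whatever
    the writer can compute.  True means the verifier notices."""
    key = b"constructed-seal-key"        # held outside the storage admin role
    fake = "JSN=7;branch=0001;amount=10.00;adj=-500.00"
    if seal_is_keyed:
        forged = keyed_seal(fake, b"")   # writer has no key; a wrong key fails
        return not hmac.compare_digest(forged, keyed_seal(fake, key))
    forged = unkeyed_seal(fake)          # writer recomputes the public hash
    return forged != unkeyed_seal(fake)  # never differs: substitution unseen


def sample_batch(key: bytes) -> List[JournalRecord]:
    """Constructed batch: JSN 3 missing, JSN 4 duplicated, and JSN 5 sealed
    over different content from what is stored."""
    def rec(jsn: int, payload: str, seal: Optional[str] = None) -> JournalRecord:
        return JournalRecord(jsn, "0001", payload, seal or keyed_seal(payload, key))
    return [
        rec(1, "JSN=1;sale=1.00"),
        rec(2, "JSN=2;sale=2.00"),
        rec(4, "JSN=4;sale=4.00"),
        rec(4, "JSN=4;sale=4.00"),
        rec(5, "JSN=5;sale=5.00", seal=keyed_seal("JSN=5;sale=50.00", key)),
    ]


if __name__ == "__main__":
    k = b"constructed-seal-key"
    for line in check_batch(sample_batch(k), k):
        print(line)
    print("keyed seal detects substitution:", substitution_detected(True))
    print("unkeyed seal detects substitution:", substitution_detected(False))
```

The design point is that the resistance to substitution comes from the key, not from the choice of hash: an unkeyed seal over any digest behaves the same way, so the mitigation is keyed (or signed) seals with the signing key under custody that the storage administrators do not share, plus running the sequence and seal checks before the archive copy rather than only when an investigation calls for them.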
g. Branch Database: We observed the following in relation to the Branch Database:
• A method for posting ‘Balancing Transactions’ was observed from technical documentation which allows for posting of additional transactions centrally without the requirement for these transactions to be accepted by Sub-postmasters (as ‘Transaction Acknowledgements’ and ‘Transaction Corrections’ require). Whilst an audit trail is asserted to be in place over these functions, evidence of testing of these features is not available;
• Processes around Transaction Acknowledgements and Transaction Corrections are subject to out of date documentation, or in the case of Transaction Acknowledgements, no documentation at all. Such documentation should be produced or brought up to date;
• For ‘Balancing Transactions’, ‘Transaction Acknowledgements’ and ‘Transaction Corrections’ we did not identify controls to routinely monitor all centrally initiated transactions to verify that they are all initiated and actioned through known and governed processes, or controls to reconcile and check data sources which underpin current period transactional reporting for Sub-postmasters to the Audit Store record of such activity;
• Security on the Branch Database around the ‘Messaging Journal table’ is a key area of risk due to branch transactional data being held on this table for up to a day before being written to the Audit Store. It was unclear from the documentation reviewed whether specific assurance work had been carried out in this area; and
• Controls that would detect when a person with authorised privileged access used such access to send a ‘fake’ basket into the digital signing process could not be evidenced to exist.
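Matter g above notes the absence of controls that routinely monitor centrally initiated transactions and reconcile current period reporting to the Audit Store record. The following Python is an added illustration, not Post Office or Fujitsu code, of such a reconciliation control: it compares the finance service centre's record of central postings with the archive copy, classifies the differences, and produces the counts that the key risk indicators in the Notes below (number of balancing transactions, number and value of adjustment postings) would draw on. The posting fields, the posting type codes, the ‘ticket’ reference to a governed process and the sample data are all constructed assumptions.

```python
"""Reconciliation of centrally initiated postings (Balancing Transactions,
Transaction Corrections, Transaction Acknowledgements) between the finance
service centre's own record and the archive (Audit Store) copy.
Added illustration, not Post Office or Fujitsu code; field names, type
codes, the governed-process 'ticket' reference and the data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Kinds of posting that originate centrally rather than in a branch (assumed codes).
CENTRAL_KINDS = {"BT": "Balancing Transaction",
                 "TC": "Transaction Correction",
                 "TA": "Transaction Acknowledgement"}


@dataclass(frozen=True)
class Posting:
    ref: str       # unique posting reference
    kind: str      # one of CENTRAL_KINDS
    branch: str
    amount: float  # signed adjustment value
    ticket: str    # governed process that authorised it; "" if none recorded


def reconcile(fsc: List[Posting], archive: List[Posting]) -> Dict[str, List[str]]:
    """Compare the FSC record with the archive record and classify exceptions.

    in_archive_only: posted to the archive but never recorded by the FSC
    in_fsc_only:     recorded by the FSC but absent from the archive
    mismatch:        same reference but different kind, branch or amount
    no_ticket:       archive posting with no governed-process reference
    Empty lists throughout mean the two sources agree and every central
    posting is traceable to a known process."""
    fsc_by_ref = {p.ref: p for p in fsc}
    arc_by_ref = {p.ref: p for p in archive}
    report: Dict[str, List[str]] = {
        "in_archive_only": sorted(arc_by_ref.keys() - fsc_by_ref.keys()),
        "in_fsc_only": sorted(fsc_by_ref.keys() - arc_by_ref.keys()),
        "mismatch": [],
        "no_ticket": [],
    }
    for ref in sorted(fsc_by_ref.keys() & arc_by_ref.keys()):
        a, b = fsc_by_ref[ref], arc_by_ref[ref]
        if (a.kind, a.branch, round(a.amount, 2)) != (b.kind, b.branch, round(b.amount, 2)):
            report["mismatch"].append(ref)
    for p in archive:
        if p.kind in CENTRAL_KINDS and not p.ticket:
            report["no_ticket"].append(p.ref)
    return report


def kri_inputs(archive: List[Posting]) -> Dict[str, float]:
    """Indicator values for the period, taken from the archive record because
    it is the copy the report treats as the high-integrity source."""
    central = [p for p in archive if p.kind in CENTRAL_KINDS]
    return {
        "balancing_transactions": float(sum(1 for p in central if p.kind == "BT")),
        "adjustment_count": float(len(central)),
        "adjustment_value": round(sum(p.amount for p in central), 2),
    }


def sample_period() -> Tuple[List[Posting], List[Posting]]:
    """Constructed data for one reporting period: P2 differs in amount between
    the two sources, P3 never reached the archive, and P4 appears only in the
    archive with no ticket."""
    fsc = [
        Posting("P1", "TC", "0001", 25.00, "T-100"),
        Posting("P2", "TA", "0002", -40.00, "T-101"),
        Posting("P3", "BT", "0003", 100.00, "T-102"),
    ]
    archive = [
        Posting("P1", "TC", "0001", 25.00, "T-100"),
        Posting("P2", "TA", "0002", -45.00, "T-101"),
        Posting("P4", "BT", "0003", 100.00, ""),
    ]
    return fsc, archive


if __name__ == "__main__":
    fsc, archive = sample_period()
    for cls, refs in reconcile(fsc, archive).items():
        print(f"{cls}: {refs}")
    print(kri_inputs(archive))
```

Each exception class maps to a different follow-up owner: an archive-only posting without a ticket is the case the text is most concerned with (a central adjustment with no governed process behind it), while an FSC-only posting or an amount mismatch points at the reporting data the Sub-postmaster sees diverging from the archived record.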
Recommendations
We have identified three areas where POL should consider further actions to strengthen the quality and nature of assurance in place over the Horizon system.
These are actions that may:
• Further support Project Sparrow;
• Integrate knowledge obtained from this work into the Future System Requirements project; and
• Help POL to move towards a more holistic Programme of Assurance.
We have aligned each of the actions we would recommend to POL management to one of these areas, and we present these below.
Actions that may further support Project Sparrow

A1 Investigation of Balancing Transactions Use in 2010
Perform a detailed review of Balancing Transaction use: Instruct a suitably qualified party (independent of Fujitsu) to carry out a review of the circumstances leading up to the need to use the Balancing Transaction functionality in Horizon, including an assessment of the communications with the relevant Sub-Postmaster prior to any adjustment being made to their ledgers. This work should include a more detailed walkthrough of the current day ‘Balancing Transaction’ policies, procedures and key controls, making recommendations for improvement.

A2 Verification Work that Horizon Features are Implemented as Described
Perform implementation testing of Horizon Features: Instruct a suitably qualified party (independent of Fujitsu) to carry out implementation testing of the Horizon Features (or a selection of key Horizon Features) identified in this report. The work should aim to provide POL with comfort that the Horizon Features extracted from documentation are actually designed and implemented exactly as described in that documentation.

A3 Analytical Testing of Historic Transactions
Analytical Testing of Historic Transactions: Audit Store documentation asserts that the system contains seven years of Branch transactions, and a number of system event activities. In addition, a number of assertions relating to data integrity, record / field structure and key control features (such as sequencing of JSN) are made in documentation, but have never been validated by parties outside of Fujitsu. With modern day technologies, the analytic profiling and testing of such a Big Data set is likely to be feasible, thus POL should consider instructing a party independent of Fujitsu to perform independent risk analytics on an extract of all Audit Store data to verify that (a) key characteristics are seen in the data as expected and (b) what other matters / exceptions / insights can potentially be derived. This exercise would also provide valuable insight into those Horizon Features that could be automatically monitored as part of the optimised risk and control environment described below.

A4 Documentation of all Horizon adjustment and reporting processes in the FSC
Update / Create documentation formalising all key adjustment and reporting processes in operation over Horizon in the FSC: Identify and document all key activities in the FSC relating to both adjustment processing to Sub-Postmaster ledgers and to the control activities that ensure that transactional data visible to Sub-Postmasters is fully reconciled to the Audit Store's ‘high integrity’ copy of Branch Ledger transactions. Use this exercise to verify the completeness and appropriateness of Horizon Features so far identified from verbal assertions, and then perform implementation testing (per A2 above) of such controls.
Actions that will integrate knowledge obtained from this work into the Future System Requirements project

B1 Produce baseline requirements for future system
Produce Future System Requirements Document: Produce a schedule of key system requirements that any future Horizon replacement platform should deliver against, as an underpinning baseline for the integrity of processing. This schedule would outline key control objectives, with current day control activities / Horizon Features and/or other examples cited to show how such control objectives could be addressed in any future system. The schedule should include matters that will support the delivery of such design confidence in efficient ways, and providing foundations for preventative, detective and monitoring control activities. It could also highlight key system questions for POL to consider, such as the longevity of data held in the Audit Store and the type of cryptographic mechanisms applied to the system.
Actions that may help POL move towards a more holistic programme of Assurance
This area is the more significant piece of work recommended in a broad context for POL to consider as a result of our assessment.
The development of such a holistic assurance programme should be seen as a ‘strategic’ response to the issues raised. If delivered successfully it will bring assurance benefits beyond the confines of assuring the integrity of processing within Horizon.
Whilst not raised specifically below, such an exercise would first require the appointment of a role in POL who would be responsible for the coordination of assurance across the whole organisation and the reporting of key areas where assurance provision could be improved (a ‘Head of Assurance’). This would ensure that POL Management and the Board have the ability to map, coordinate and assess assurance sources (and their quality) on an ongoing basis for the organisation.
C1 Risk Workshop
Risk Workshop¹: Conduct an exercise with key stakeholders in POL, including those in charge of Governance, to create a baseline understanding of risk and risk management concepts; share examples of how similar organisations manage, define and control key risks; and obtain suggestions and consensus as to if, where and how POL could become a more “Risk Intelligent” organisation and reporting of risk and assurance matters could be improved.

C2 Construct Risk and Control Framework
Construct Risk and Control Framework: Extend and confirm the completeness of the Horizon Features which are designed to exert control over the Horizon processing environment. The framework can be used to prioritise key areas for improvement (including clarifications / the removal of ambiguity in existing sources) and embed agreed changes in current assurance sources. A key component for the construction of this risk and control framework is the initial information produced as part of our analysis and reproduced in Appendix 2. This Framework could be extended to cover POL’s overall risk and control framework, not just those areas relevant to Horizon processing.

C3 Test Controls
Test Controls: Once the framework is verified as complete, key controls can be identified and evidence based testing performed to validate that they are operating effectively. Such operating effectiveness work could be performed on a sustained basis and could be delivered by an independent party in line with a recognised assurance standard. In addition, this exercise can be used to feed back on the design of the control environment so that it can be optimised (i.e. maximise coverage of key risks, with minimal duplication).

C4 Sustain Assurance Delivery
Sustain Assurance Delivery and Implement More Proactive Monitoring²: The longer term assurance map can be designed to sustain assurance delivery for POL over key risks. This may include a transition to a more proactively monitored control environment (‘continuous controls monitoring’), where automated alerts are generated if certain key behaviours in the system are identified.
Notes:
¹ Risk Workshop: Risk appetite statements may be considered as part of this exercise, but are typically found by key stakeholders to be a different area to understand. Such statements are effectively matters which help an organisation to avoid imprecise or open statements relating to risk, which do not assist with the effective management of responses to such risks. Statements are mechanisms that also help management to define parameters relating to risk, against which key decisions and escalation activities can be performed.
‘Key risk indicators’ are often a tool used by management, and those in charge of Governance, in these areas. Whilst POL needs to consider their own risk statements and indicators, some examples of those that may be worthy of consideration in relation to the integrity of processing in Horizon could include:
• The number of allegations or concerns raised by Sub-postmasters during a defined period;
• The number and value of adjustment postings being performed by FSC;
• The use of balancing transactions;
• The number of security incidents on the Horizon system during a defined period;
• The value of unreconciled differences between systems / ledgers;
• The number and nature of errors or exceptions in processing; and
• Key controls found not to be operating effectively in a period.
The above are not exhaustive and key risk indicators need to be considered thoroughly in response to the particular risks and controls which are required in response to the risk universes formulated over the Horizon processing environment.
² Sustain Assurance Delivery and Implement more Proactive Monitoring: Benefits of these activities could include:
• Minimising duplication in the control framework, and the assurance activities thereon;
• Support targeted assurance provision in the context of existing or potential future allegations;
• Provide more measurable benchmarks of performance against other organisations;
• Underpin further efficiencies in the assurance provision, for example the automation of existing manual controls;
• Incentivise ongoing improvement in both the processes and the assurance provision, by highlighting deficiencies on a timely basis and reporting these directly back to those business or outsourced owners who need to take a remediation or corrective action; and
• Support the maintenance of the completeness of documentation over the Horizon Features.
Appendix 1: IT Provision Assurance Source Mapping and Gap Analysis
The mapping below outlines the more detailed IT Provision assurance mapping against IT Provision risks, as summarised in Section 4.
(Columns in the source table: Risk Area; Environmental Risk; ISO27001 Statement of Applicability with Coverage Rating; ISAE3402 Section with Coverage Rating; PCIDSS with Coverage Rating. The three Coverage Rating columns are graphical in the source and are not reproduced here.)

Risk Area: Change Management
Environmental Risk: Data converted from legacy systems or previous versions introduces data errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCIDSS: Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Change Management
Environmental Risk: Inappropriate changes are made to system software (e.g., operating system, network, change-management software, access-control software).
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCIDSS: Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Change Management
Environmental Risk: Inappropriate changes are made to the database structure and relationships between the data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCIDSS: Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Operations
Environmental Risk: Financial data cannot be recovered or accessed in a timely manner when there is a loss of data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.14 Business Continuity Management
ISAE3402 Section: 4.8.2 Backup; 4.8.5 Incident Management; 4.8.6 Major Incident Process; 4.8.7 Security Incident Process
PCIDSS: Information System Operations not within scope for PCIDSS review.

Risk Area: Operations
Environmental Risk: Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management
ISAE3402 Section: 4.8.3 Job Scheduling; 4.8.4 Availability and Capacity Management; 4.8.5 Incident Management; 4.8.6 Major Incident Process; 4.8.7 Security Incident Process
PCIDSS: Information System Operations not within scope for PCIDSS review.

Risk Area: Security
Environmental Risk: (not legible in the source)
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: 4.8.12 Access to databases, data files, and programs
PCIDSS: Requirement 3: Protect stored cardholder data; Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Security
Environmental Risk: Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e., configurable settings, automated algorithms, automated calculations, and automated data extraction) and/or report logic.
ISO27001 Statement of Applicability: A.10 Communications and Operations Management; A.12 Information Systems Acquisition, Development and Maintenance
ISAE3402 Section: 4.8.10 Change Management
PCIDSS: Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Security
Environmental Risk: Individuals gain inappropriate access to equipment in the data centre and exploit such access to circumvent logical access controls and gain inappropriate access to systems.
ISO27001 Statement of Applicability: A.8 Human Resources Security; A.9 Physical & Environmental Security
ISAE3402 Section: 4.8.1 Physical and Environmental Controls
PCIDSS: Requirement 9: Restrict physical access to cardholder data.

Risk Area: Security
Environmental Risk: Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: 4.8.10 Change Management
PCIDSS: Requirement 6: Develop and maintain secure systems and applications.

Risk Area: Security
Environmental Risk: The network does not adequately prevent unauthorized users from gaining inappropriate access to information systems.
ISO27001 Statement of Applicability: A.11 Access Control
ISAE3402 Section: 4.8.9 Networks; 4.8.10 Change Management; 4.8.11 Security
PCIDSS: Requirement 6: Develop and maintain secure systems and applications; Requirement 11: Regularly test security systems and processes.

Risk Area: (not legible in the source)
Environmental Risk: Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
ISO27001 Statement of Applicability: A.8 Human Resources Security; A.11 Access Control
ISAE3402 Section: 4.8.11 Security; 4.8.12 Access to databases, data files, and programs
PCIDSS: Requirement 7: Restrict access to cardholder data by business need-to-know; Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Appendix 2: Assurance Schedule over Horizon Features
We present below a schedule of the Assurance Work and sources we have identified which relate to certain groups of Horizon Features.
We have structured these in line with our three areas of assessment (System Baseline, IT Provision and System Usage), as defined in our report.
We have also recorded our assessment of the level of comfort that POL has over that Horizon Feature, defined as:
“Significant” means we have seen Assurance Work that delivers comfort through evidence based testing by independent parties.
“Partial” means we have seen Assurance Work in the form of descriptions in formal documentation, but no testing of implementation or operating effectiveness.
“Limited” means we have seen Assurance Work that documents verbal assertions we received during our work.
“None” means that Assurance Work has not yet been provided to us.
System Baseline

Area | Key Assertion re. Processing Integrity | Description of feature | Assurance Work Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual)
Baseline | The system was fit for purpose and worked as intended when first put in? | The design of key elements of the Horizon system relevant to the integrity of auditing and capturing transactions was formally agreed and signed off prior to system deployment. | No information provided. | Preventative | Manual
Baseline | The system was fit for purpose and worked as intended when first put in? | Traceability Matrices have been documented, implemented and periodically reviewed to ensure that business requirement documents have been regularly reviewed against project progress. | No information provided. | Preventative | Manual
Baseline | The system was fit for purpose and worked as intended when first put in? | During the initial implementation of the software, Key Project Governance mechanisms were put in place, namely the Working Group, the Steering Group/Project board and the Requirements Review Group. | No information provided. | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Traceability Matrices have been documented, implemented and periodically reviewed to ensure that business requirement documents have been regularly reviewed against project progress. | No information provided. | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Key Project Governance mechanisms have been enacted and operated over significant changes to the system since implementation. Examples of such mechanisms include: Working Group; Steering Group/Project board; Requirements Review Group. | No information provided. | Preventative |
Baseline | The system was fit for purpose and worked as intended when first put in. | Prior to implementation into the live environment (and in some cases post) acceptance criteria in relation to key system elements important for auditing and capturing transactions were formally agreed and signed off. | For Audit Store Baseline: example acceptance criteria document entitled Acceptance Report 20070917BL01.13WIP (note no sign off of acceptance criteria is included within this document). For 2011 Horizon Implementation (BRDB Baseline): testing plans were provided in the document 'Copy of IT Health Check 23-07-2009.xls', a Risk Assessment of the project has been provided in 'Security All Risk Extract 090928 v2.xls' and Migration instructions have also been provided in the document 'Migration_Instructions.pdf'. Also a report by third party consultancy firm Wipro has been provided to demonstrate the project was delivered as planned, in the document 'Horizon : Performance Test Audit Post Office Limited (POL)'. For 2012 Data Strategy Foundation (External Feeds Baseline): example acceptance criteria document entitled CFD New Requirements v1.11.xls (note no sign off of acceptance criteria is included within this document). Additionally, an example of a designed and reviewed Migration Strategy, titled 'Migration Strategy CFD v0.4', was provided, in addition to a Test Report, 'POLTSTREPOO10 - CFD E2E Test Report v0 1'. | Preventative | Manual
Baseline | The system was fit for purpose and worked as intended when first put in? | The testing of key elements of the system important for the auditing and capturing of transactions was formally agreed and signed off and then delivered against. | For 2011 HNG-X Implementation: [no document listed]. For 2012 Data Strategy Foundation: Test Strategy Document entitled 'Acceptance Testing Strategy', authorised version dated 10/11/2011; Test Exit Report entitled 'Client File Delivery Report E2E - Exit Test Report', draft version 0.1 dated 06/01/2012. | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Sign off for design of significant change is formalised and documented. | 2005 Design Proposal ASDPRO27.doc; 2005 Audit Centera API Implementation DELLD026.doc; 2002 Change Proposal CP3240.rtf; 2004 Change Proposal CP4021.rtf | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Acceptance criteria related to key areas such as the branch database and audit store. | 2002 Acceptance Test Specification IAACSO02.doc | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Test Strategy and Execution have been documented and signed off, and provide an adequate audit trail for the testing of key system features such as the Audit Store and Branch Database. | 2003 Acceptance Test Report IAACROO3.doc | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Independent Assurance over design of HNG-X system by Gartner. | No information provided. | Preventative |
Baseline | Major changes since implementation have not impacted the system. | Programmes and projects affecting the Horizon system are controlled and governed using an established change methodology. | Harmony Delivery Lifecycle document | Preventative | Manual
Baseline | Major changes since implementation have not impacted the system. | Independent Assurance report over testing procedures has been obtained. | Wipro performance testing report. | Preventative | Manual
IT Provision Assurance

Area | Key Assertion re. Processing Integrity | Description | Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual)
Provision | IT supporting processes are well controlled. | Management have established forums to oversee the performance of third party IT providers. | ISMF Minutes; FJS Security Report | Preventative |
Provision | IT supporting processes are well controlled. | POL has documented end user control considerations to supplement third party service provider controls assurance reports. | POL End User Considerations Document | Preventative |
Provision | IT supporting processes are well controlled. | Third party assurance reports are in place to ensure the overall control of the IT environment, including: ISAE 3402 reports, PCI DSS compliance report and ISO27001 certified accreditation. | ISAE3402 Report; PCI DSS Report | Preventative |
Usage Assurance

Area | Key Assertion re. Processing Integrity | Description | Source | Control Type (Preventative / Detective / Monitoring) | Control Method (Manual / Automated / IT Dependent Manual)
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Only baskets that balance to £0 can be accepted by the central database (double entry concept exists). | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Digital Signature is applied to each transaction basket at the point of counter inception to prevent downstream tampering. | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Transactional Acknowledgement and manual review process. | Verbal confirmation from Rod Ismay and Jane Smith in Finance Shared Services. | Detective | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Sequential numbering is applied to each counter basket prior to digital signature application to provide a 'baked in' sequence check. | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Oracle commit and roll-back process is atomic (i.e. either a complete transaction is posted or nothing is posted). | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | A fall back mobile link is in place to ensure that transactions are still processed in a timely manner. | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | A private cryptographic key is securely established for each transmitted basket. | Horizon Online Data Integrity_POL document. | Preventative | Automated
Usage | Directly posted transactions, such as "Balancing Transactions", are visible and approved. | Formalised change control approval and monitoring process over the usage of Balancing Transactions. | Email communication from John Simpkins dated 15/05/2014, articulating control design around this process. | Preventative | Manual
Usage | Directly posted transactions, such as "Balancing Transactions", are visible and approved. | An audit trail log is in place to monitor the use of balance transactions. The log is monitored by an independent department that does not have access to the function. | Email communication from John Simpkins dated 15/05/2014, articulating control design around this process. | Detective | Manual
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | JSNs are processed into the audit store and reviewed when users access audit store information. The Audit Store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate. | Technical Design Document for Audit Extract Process - DESAPPHLD0029. | Preventative | IT Dependent Manual
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Digital seals are in place to ensure that files are not amended following load to the Audit Store. | Technical Design Document for Audit Extract Process - DESAPPHLD0029. | Preventative | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | The digital seal applied to the batched digital signatures ensures that any amendment to data leaves a traceable audit trail. | Security Architecture Document; Network Architecture Document; Cryptography Architecture Document | Preventative | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | JSNs are processed into the audit store and reviewed when users access audit store information. The Audit Store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate. | BRDB Technical Design Document; Audit Technical Design Document | | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Formalised change control approval and monitoring process over the usage of Balancing Transactions. | Email communication from John Simpkins dated 15/05/2014, articulating control design around this process. | Preventative | Manual
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Audit trail monitoring the usage of balance transactions. | Email communication from John Simpkins dated 15/05/2014. | Preventative | Manual
Usage | Information from the Audit Store retains original integrity. | Logical access controls in place over user management to ensure that only appropriate staff have access to extract information from the audit store. | Audit Store Procedures | Preventative | Automated
Usage | Information from the Audit Store retains original integrity. | Hardware controls are in place to prevent the modification of data in the Audit Store. | Audit Store Procedures | Preventative | Automated
Usage | Information from the Audit Store retains original integrity. | JSNs are processed into the audit store and reviewed when users access audit store information. The Audit Store will automatically detect non-sequential files that are then processed by the Tivoli monitoring tool and investigated where appropriate. | Audit Store Procedures | Detective | Automated
Usage | Information from the Audit Store retains original integrity. | The digital seal applied to the batch on data transfer is checked back to the initial seal to ensure that the hash value has not been altered. | Audit Store Procedures | Detective | Automated
Usage | Information from the Audit Store retains original integrity. | The integrity of the digital signature is checked for all baskets used in the extracts. | Audit Store Procedures | Detective | Automated
Usage | Information from the Audit Store retains original integrity. | Exceptions identified in integrity checks on digital seals or signatures or in the sequence check are formally raised and handled as part of day-to-day IT operational processes within the Tivoli Monitoring tool. | Audit Store Procedures | Detective | Automated
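The counter-side controls listed under "Counter transactions are recorded completely, accurately and on a timely basis centrally" (baskets must balance to £0; a sequence number is assigned to each basket before it is digitally signed) and the audit-store checks in the rows just above (seal checked back on extract, every basket signature verified, non-sequential files flagged, exceptions raised into the monitoring tool) are parts of one integrity pipeline, and each catches a failure the others miss. The following Python is an added illustration written for this review; it is not Horizon or Fujitsu code and is not taken from any document in the inventory. It assumes HMAC-SHA256 as a stand-in for the per-basket digital signature, a bare SHA-256 over the batch as a stand-in for the digital seal, integer-pence amounts, and a constructed branch "B001" with a constructed key.

```python
"""Toy model of the basket-to-audit-store integrity controls described above.
Added illustration, not Horizon code. Assumptions: HMAC-SHA256 stands in for
the per-basket digital signature, SHA-256 over the batch stands in for the
digital seal, amounts are integer pence, and the branch/key are constructed."""
import hashlib
import hmac
import json

COUNTER_KEY = b"constructed-example-key"  # constructed; not a real key


def canonical(branch, jsn, lines):
    """Deterministic bytes for the signed fields. The JSN sits inside the
    signed data, which is what makes the sequence check 'baked in'."""
    return json.dumps({"branch": branch, "jsn": jsn, "lines": lines},
                      sort_keys=True, separators=(",", ":")).encode()


def is_balanced(lines):
    """Double-entry rule: the lines of one basket net to zero pence."""
    return sum(amount for _, amount in lines) == 0


def mac(key, branch, jsn, lines):
    return hmac.new(key, canonical(branch, jsn, lines), hashlib.sha256).hexdigest()


def sign_basket(key, branch, jsn, lines):
    """Counter side: the sequence number is fixed first, then signed over."""
    return {"branch": branch, "jsn": jsn, "lines": lines,
            "sig": mac(key, branch, jsn, lines)}


def accept_basket(key, expected_jsn, basket):
    """Central side: (accepted, reason). Unbalanced, badly signed or
    out-of-sequence baskets are refused rather than stored."""
    if not is_balanced(basket["lines"]):
        return False, "unbalanced basket"
    good = mac(key, basket["branch"], basket["jsn"], basket["lines"])
    if not hmac.compare_digest(good, basket["sig"]):
        return False, "signature invalid"
    if basket["jsn"] != expected_jsn:
        return False, f"sequence break: expected JSN {expected_jsn}, got {basket['jsn']}"
    return True, "accepted"


def seal_batch(baskets):
    """Audit-store side: seal over the batch of signed baskets. A bare hash
    (assumption) is recomputable by anyone able to write to the store, so it
    detects accidental change, not a privileged insider."""
    h = hashlib.sha256()
    for b in baskets:
        h.update(bytes.fromhex(b["sig"]))
    return h.hexdigest()


def verify_extract(key, baskets, stored_seal):
    """Checks run on extract: seal, each basket signature, JSN contiguity per
    branch. Returns the list of exceptions to raise (empty means clean)."""
    exceptions = []
    if not hmac.compare_digest(seal_batch(baskets), stored_seal):
        exceptions.append("seal mismatch: batch altered after load")
    last = {}
    for b in baskets:
        if not hmac.compare_digest(mac(key, b["branch"], b["jsn"], b["lines"]), b["sig"]):
            exceptions.append(f"signature invalid: branch {b['branch']} JSN {b['jsn']}")
        prev = last.get(b["branch"])
        if prev is not None and b["jsn"] != prev + 1:
            exceptions.append(f"sequence gap: branch {b['branch']} JSN {prev} -> {b['jsn']}")
        last[b["branch"]] = b["jsn"]
    return exceptions


def demo():
    """Constructed scenario: three baskets from branch B001, then four
    failure modes, each caught by a different check."""
    b1 = sign_basket(COUNTER_KEY, "B001", 1, [("stamps", 120), ("cash", -120)])
    b2 = sign_basket(COUNTER_KEY, "B001", 2, [("postage", 250), ("card", -250)])
    b3 = sign_basket(COUNTER_KEY, "B001", 3, [("cash", 5000), ("bank", -5000)])
    batch = [b1, b2, b3]
    results = {"clean": verify_extract(COUNTER_KEY, batch, seal_batch(batch))}
    # Basket that does not balance: refused at the central database.
    bad = sign_basket(COUNTER_KEY, "B001", 4, [("stamps", 120), ("cash", -100)])
    results["unbalanced"] = accept_basket(COUNTER_KEY, 4, bad)[1]
    # Old basket resent: the signed JSN no longer matches the expected one.
    results["replayed"] = accept_basket(COUNTER_KEY, 4, b2)[1]
    # Basket deleted and the seal recomputed: only the JSN gap remains.
    gone = [b1, b3]
    results["deleted"] = verify_extract(COUNTER_KEY, gone, seal_batch(gone))
    # Amounts edited, re-signed with a fake key, seal recomputed.
    fake = sign_basket(b"fake-key", "B001", 2, [("postage", 2500), ("card", -2500)])
    forged = [b1, fake, b3]
    results["forged"] = verify_extract(COUNTER_KEY, forged, seal_batch(forged))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Running `demo()` shows the division of labour: a recomputed seal alone does not reveal a deleted basket (the JSN gap does), and neither the seal nor the sequence reveals a basket re-signed with a fake key (the signature check does). The seal is deliberately a bare hash here, matching the later row that notes a new entry could be re-sealed with a publicly available hash; on that path the restriction of database privileges to authorised administrators, not the seal, is the operative control.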
Usage | The system used by the Finance teams for control contains all records. | 3 way match between Branch Database, Transaction file and POLSAP load file. | Data Flow Diagram provided by Finance (Jane Smith) | | IT Dependent Manual
Usage | Data posted from other systems and teams is visible to and accepted by sub-postmasters. | Amendments posted centrally via transactional corrections must be approved by sub-postmasters before they can be applied to the Branch Database. | Transactional Corrections Procedural Evidence | Preventative | Automated
Usage | Data posted from other systems and teams is visible to and accepted by sub-postmasters. | Amendments posted centrally via transactional acknowledgements must be approved by sub-postmasters before they can be applied to the Branch Database. | Branch Database Procedures | Preventative | Automated
Usage | Data posted from other systems and teams is visible to and accepted by sub-postmasters. | For any outstanding (non-accepted) Transaction Acknowledgement or Transaction Corrections at month end, a formal resolution process exists which enables non-accepted items to be identified, held in suspense and actively investigated to the point of resolution with the Sub-postmaster. Business as usual resolution activities can be taken to conclude outstanding items and have them cleared down. | Rod Ismay | Preventative | Manual
Usage | Data posted from other systems and teams is visible to and accepted by sub-postmasters. | Sub-postmasters have access to view all transactional records underpinning their current accounting period's ledgers. This information is used to support their daily branch cash declarations and reconciliation, their weekly balance of cash and stock reconciliation, and their monthly trading period roll over activities. | Branch Database Procedures | Preventative | IT Dependent Manual
Usage | Data posted from other systems and teams is visible to and accepted by sub-postmasters. | All processes create an identifiable transaction in Horizon, with an audit trail to the originator in the Finance Services team. This transaction ID is protected by the JSN, digital signature and digital seal features. | Branch Database Procedures | Preventative | IT Dependent Manual
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Sub-postmaster must functionally approve the Transactional Acknowledgement file produced by the POLSAP system before items can be processed through to the branch database. | Branch Database Procedures | Preventative | IT Dependent Manual
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Formalised change control approval and monitoring process over the usage of Balancing Transactions. | Email communication from John Simpkins dated 15/05/2014, articulating control design around this process. | Preventative | Manual
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Audit trail monitoring the usage of balance transactions. | Email communication from John Simpkins dated 15/05/2014. | Preventative | Manual
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Hardware controls are in place to prevent the modification of data in the audit store. | Audit Store Procedures | Preventative | Automated
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Database access privileges that would enable a person to delete a digitally signed basket are restricted to authorised administrators at Fujitsu. | ISAE3402 | Preventative | Automated
Usage | DBAs or others granted DBA access have not modified Branch Database data. | Database access privileges that would enable a person to create or amend a basket and re-sign it with a 'fake' key (detectable if appropriately checked) are restricted to authorised administrators at Fujitsu. | ISAE3402 | Preventative | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally? | TWS scheduler and monitoring processes are defined and formalised. Any issues or errors are reported and responded to by Fujitsu as part of day-to-day IT Operational activities. | ISAE3402 | Detective | Automated
Usage | Counter transactions are recorded completely, accurately and on a timely basis centrally. | Logical security access controls in place to minimise the risk of inappropriate access to the counter software within branch. | Security Architecture Document reference ARCSECARCO003 section 6.2, and the ISAE3402, PCI DSS and ISO27001 reports as well. | Preventative | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Logical security access controls are in place in relation to the Branch Database and audit store to ensure that only appropriate staff members have access. Key transactions and tables are monitored and activity is verified by an independent third party. | ISAE3402 report. | Preventative | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Database access privileges that would enable a person to delete Audit Store data are restricted to authorised administrators at Fujitsu. | ISAE3402 | Preventative | Automated
Usage | Branch Ledger transactions are recorded accurately in the Audit Store. | Database access privileges that would enable a person to create new entries, re-sealing them with a valid (publicly available) 'hash', are restricted to authorised administrators at Fujitsu. | ISAE3402 | Preventative | Automated
Appendix 3: Inventory of Documentation Reviewed
The following documentation was reviewed during the course of our review:

Number | Document | Document Type
1 | Horizon Core Audit Process (Powerpoint) | Other sources of comfort
2 | Fact file (updated with SS comments) | Other sources of comfort
3 | ISAE3402 Report over Fujitsu managed service on Horizon | Assurance
4 | Centrally Generated Transactions document | Other sources of comfort
5 | POL Summary of Horizon Anomalies Referred to in Second Sight Report | Assurance
6 | Report on Local Suspense (14 Branch) Issue | Other sources of comfort
7 | Report on Receipts Payments (62 Branch) Issue | Other sources of comfort
8 | Spot Review Bible | Other sources of comfort
9 | Horizon Data Integrity Document | Other sources of comfort
10 | Horizon Data Integrity Document | Other sources of comfort
11 | Fujitsu ISO27001 Certificate | Assurance
12 | ISO27001 Statement of Applicability produced by Fujitsu | Assurance
13 | PCI DSS Attestation of Compliance | Assurance
14 | PCI DSS Report by Bureau Veritas | Assurance
15 | ISMF Minutes for three months | Other sources of comfort
16 | Fujitsu Security Reports for three months | Other sources of comfort
17 | Fujitsu Information Security Management System (ISMS) Scope | Other sources of comfort
18 | Horizon Solution Architecture Outline | Other sources of comfort
19 | Post Office to Driving & Vehicle Licensing Agency Automated Payments Client File Interface document | Other sources of comfort
20 | DVLA Internal Web Service High Level Design document | Other sources of comfort
21 | Security All Risk Extract | Other sources of comfort
22 | Migration Overview Document for Horizon system | Other sources of comfort
23 | Horizon Technical Security Architecture | Other sources of comfort
24 | Solution Architecture Document | Other sources of comfort
25 | Batch Processing Overview Document | Other sources of comfort
26 | EMC Centera Acceptance Test Report - IAACROO3 | Other sources of comfort
27 | Centera Acceptance Testing Specification - IAACSO02 | Other sources of comfort
28 | Application Interface Design - DELLD026 | Other sources of comfort
29 | Audit Server Specification Design - TDDESO71 | Other sources of comfort
30 | Configuration Design - TDMANOO6 | Other sources of comfort
31 | Configuration Design - TDMANO09 | Other sources of comfort
32 | Centera star OS upgrade to version 2.4 design proposal | Other sources of comfort
33 | Centera star OS upgrade to version 2.4 design proposal Amendment - CP4021 | Other sources of comfort
34 | Centera star OS upgrade to version 2.4 design proposal Amendment - CP3241 | Other sources of comfort
35 | Exception and Event Guide - TDMANOO7 | Other sources of comfort
36 | Functional Separation - CRFSPOO6 | Other sources of comfort
37 | High Level Design - SDHLD001 | Other sources of comfort
38 | Audit Data Retrieval - SDHLD002 | Other sources of comfort
39 | Centera Migration HLD - TDION039 | Other sources of comfort
40 | Centera - High Level Test Plans - VIHTP014 | Other sources of comfort
41 | Horizon System Audit Manual - IAMANO05 | Other sources of comfort
42 | Low Level Design Document | Other sources of comfort
43 | Centera Operational Procedures - TDMANO08 | Other sources of comfort
44 | Centera - Performance Test Specification - TDLLTO08 | Other sources of comfort
45 | Centera Support Guide - TDMANO17 | Other sources of comfort
46 | Centera Support Guide - TDMANO18 | Other sources of comfort
47 | Centera Test Report - VITRPO29 | Other sources of comfort
48 | Centera User Guide - TDMANO05 | Other sources of comfort
49 | Data Strategy Foundation - 04 - G149 Data Strategy Foundation - Client File Transfer - PODG Closure v2 0 | Other sources of comfort
50 | Data Strategy Foundation - CFD New Requirements v1.11 | Other sources of comfort
51 | Data Strategy Foundation - Data Strategy Foundation Test Strategy V10 | Other sources of comfort
52 | Data Strategy Foundation - Migration Strategy CFD v0.4 | Other sources of comfort
53 | Data Strategy Foundation - POLTSTREPOO10 - CFD E2E Test Report v0 1 | Other sources of comfort
54 | Data Strategy Foundation - Revised business case CFD 24 11 10 | Other sources of comfort
55 | Horizon Technical Network Architecture - ARCNETARCO001 | Other sources of comfort
56 | Horizon Crypto Services High Level Design - DESSECHLD0002 | Other sources of comfort
57 | E2E data flows | Other sources of comfort
58 | idocs involving settlement | Other sources of comfort
59 | Process Management Systems Diagram (Version 14 - 24.10.2011) | Other sources of comfort
60 | AR11.005 - Horizon controls | Other sources of comfort
61 | AR12.050 - Horizon follow up | Other sources of comfort
62 | AR12.050a - Follow-up Horizon May2013 | Other sources of comfort
63 | Horizon Counter Application High Level Design - DESAPPHLD0047 | Other sources of comfort
64 | COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL | Other sources of comfort
65 | Horizon Operational and Support Services Requirements | Other sources of comfort
66 | ACCEPTANCE REPORT FOR DESIGN WALKTHROUGH EVENT DWO3 - SECURITY | Other sources of comfort
67 | Draft Deloitte Phase 2 Instructions (RDW 07 05 14)2 | Other sources of comfort
68 | Phase 2 - Areas of Focus diagram (DRAFT v1) | Other sources of comfort
69 | Project Zebra - Phase 2 Potential Next Steps v3 | Other sources of comfort
70 | REQAPPAIS1392v3.2.PayStation.ETL | Other sources of comfort
71 | REQAPPAIS1391V2.1.P0Go.ETL | Other sources of comfort
72 | Acceptance Report 20070917BL01.13WIP | Other sources of comfort
73 | All Streams Plan vsn 0.98 | Other sources of comfort
74 | BC PLA 001 v 0.3 | Other sources of comfort
75 | BC020 HNG PD Potential Risks and Issues Register v1.0 | Other sources of comfort
76 | Change Management Assessment Template | Other sources of comfort
77 | DES SEC HLD 0010 v 1.0 | Other sources of comfort
78 | Engagement Meeting Log Notes v1.2 | Other sources of comfort
79 | Gartner Report Findings 1.1 with Appendix | Assurance
80 | HARMONY Full Guide 1.1a | Other sources of comfort
81 | HARMONY Full Guide 1.1a | Other sources of comfort
82 | HNG Benefits Tracking in confidence May 08 final | Other sources of comfort
83 | HNG Board Report 080408 | Other sources of comfort
84 | HNG PID v1.3 | Other sources of comfort
85 | HNG Reqts Team Meeting 050606 | Other sources of comfort
86 | HNG Risk and Issues 070424LY | Other sources of comfort
87 | Horizon Testing Strategy - HXTSROO1 | Other sources of comfort
88 | In Touch report for HNG 080418a | Other sources of comfort
89 | In Touch Report for HNG 081205 | Other sources of comfort
90 | POL HNG IMP 002 v 1.0 | Other sources of comfort
91 | POL HNG REQ 014 | Other sources of comfort
92 | QRHO31 HNG Reqts PID v0.1f | Other sources of comfort
93 | ACCEPTANCE REPORT FOR Horizon ACCEPTANCE GATEWAY 1 & 2 - REQ GEN ACS 0001 v0.2 | Other sources of comfort
94 | Horizon GENERIC ACCEPTANCE PROCESS - REQGENPROO735 | Other sources of comfort
95 | Stakeholder Engagement Log_091218 | Other sources of comfort
96 | Test Report for the Integrity Testing of Horizon Data-centre Disaster Recovery - Week Commencing 1st September 2008 - SVMSDMREPO00S | Other sources of comfort
97 | Wipro - Horizon : Performance Test Audit Post Office Limited (POL) | Assurance
98 | DVLA Internal Web Service High Level Design - DESAPPHLD0012 | Other sources of comfort
99 | Audit Data Retrieval High Level Design - DESAPPHLD0029 | Other sources of comfort
100 | Audit Data Collection & Storage High Level Design - DESAPPHLD0030 | Other sources of comfort
101 | Horizon Counter Application High Level Design - DESAPPHLD0047 | Other sources of comfort
102 | COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL - DEV CNT CTP 0068 v2.1 | Other sources of comfort
103 | DVLA AP Client File AIS | Other sources of comfort
104 | Product Branch Accounting - Issuing Process for Transaction corrections v0.1 | Other sources of comfort
105 | Audit Data Collection and Storage High Level Design | Other sources of comfort
106 | Data Flow - Transaction Processing for client file delivery | Other sources of comfort
107 | Data Flow - NBSC Miskey Process - Network Banking | Other sources of comfort
With the prior permission of POL, the following individuals were interviewed or consulted during the course of our review:

Contact Name | Job Title / Role | Organisation
Dave King | Senior Technical Security Assurance Manager | POL
Julie George | Head of Information Security and Assurance Group | POL
Rod Williams | Litigation Lawyer | POL
James Davidson | Fujitsu Primary Point of Contact | Fujitsu
Pete Newsome | Quality responsibility | Fujitsu
Will Russell | Regional Network Manager NT - South | POL
Phil Norton | Horizon Requirements responsibility | Atos
James Brett | Senior Test Manager - Post Office Account | Atos
Bill Membery | Requirements/Testing responsibility on Horizon | Fujitsu
Gareth Jenkins | Distinguished Engineer | Fujitsu
Neil Crowther | Senior Business Analyst | POL
Matthew Lenton | Document Management responsibility | Fujitsu
Rod Ismay | Head of Finance Service Centre | POL
Jane Smith | AP Enquiry Team Leader, Finance Service Centre | POL
Appendix 4: Engagement Letter
9 April 2014
Dear Sirs
STRICTLY PRIVATE AND CONFIDENTIAL
We are pleased to set out for your approval the arrangements under which we propose to assist Post Office Ltd ("POL" or "You"). We understand that You are responding to allegations that the "Horizon HNG-X" IT system, used to record transactions in Post Office branches, is defective and/or that the processes associated with it are inadequate (the "Allegations").
In order to respond better to the Allegations, You require services from us, as outlined in paragraph 2(b) below. These arrangements are set out in this letter together with the enclosed Terms of Business and appendices.
So that we are able to assist You effectively, please ensure that You have considered fully all of the terms and conditions set out in the letter and its enclosures and that You are satisfied that the scope of our Services described below is sufficient for Your needs.
1 Scope and objectives
In order to respond better to the Allegations (which have been, and will in all likelihood continue to [...] the Horizon HNG-X operating environment and processing [...]
[...]
other work undertaken, over your current day Horizon HNG-X system, for presentation to and discussion with the POL Board ("Part 1 work").
We understand that the input provided by Deloitte will inform Your decisions relating to potential areas of additional work that You may choose to commission to respond better to the Allegations, and that we may be involved in the delivery of such additional work ("Part 2 work") under either a Change Order or separate Engagement.
You have asked us to provide the Services set out in Section 2 below and to prepare the report described in Section 2(d) (the "Purpose").
We [...] that any work being [...]
[...]
to be a professional privilege.
In addition, this matter is strictly confidential. Save as permitted under Section 4 of our terms of business, no information relating to this matter or our work for it will be disclosed to any third party without Your written consent.
You have advised us that [...] any report we might make [...] "Legally [...]" [...] through Rod Williams, Your Litigation Lawyer.
2 Our Services and responsibilities
(a) Our Engagement Team
[...] Partner, [...] to You for the Services described in this letter, unless agreed with You [...]
[...]
to You, will also be available as required.
[...]
We understand that You do not require any of our team to be available to act as a named expert witness. Should this be required, we would need to agree a separate engagement letter for those Services and Deliverables.
Together they comprise the "Engagement Team".
For the purposes of this engagement, we are advised that the client team at POL will consist of Lesley Sewell, Chief Information Officer; Chris Aujard, General Counsel; Belinda Crowe, [...]
(b) Services
Part 1 of our Services will provide the following:
• Obtain an understanding of the Allegations, the [...] over Horizon HNG-X relevant to the integrity of [...];
• [...] matters that we may deem necessary to complete our Deliverable;
• Obtain an understanding of the key differences between the current HNG-X processing environment and the system which that replaced (here-to referred to as the "legacy Horizon system").
• [...] corresponding investigations, assurance activities and remediation actions which You or third parties have undertaken (see Appendix 1 for the "Sources of Information" known to be within scope at this stage), focussing on three primary areas:
◦ Work that has been performed to assure the design and operation of key control activities that created and preserve the integrity of processing across the Horizon HNG-X environment (the Audit Store);
◦ Work that has been performed to assure the design and operation of key control [...] that created and [...] the integrity of [...] with the DVLA third party system and the Horizon HNG-X environment;
◦ Investigations and actions that have been taken in response to the thematic findings of Second Sight, as outlined in Your supplied document "POL Summary of Second Sight anomalies" (see Appendix 1).
• Hold discussions with relevant members of Your staff and other key stakeholders as pre-agreed with You, to deliver the work outlined above;
• Prepare the Deliverable outlined in section 2(d) below;
• Attend twice weekly meetings or conference calls with Your Client Team, to explain our approach, status of work and the commentary within our Deliverable; and
• Carry out any other work required by You which is reasonably incidental to the above.
Deloitte will not test the quality of the assurance work performed, nor opine on its adequacy, sufficiency or the integrity of the HNG-X environment (or the legacy Horizon system).
As engagement requirements are discussed, clarified and agreed further, we will outline the additional scope and timeline for such work via the Change Order process as set out in Appendix 2. Any Part 2 work You require us to perform will be agreed under these Change Order processes. This may include, but will not be limited to:
• Testing on data held within the system audit trails, to assess (for example) conclusions previously drawn by Fujitsu into the extent of known deficiencies;
• Assessment and profiling of system audit trails, to look for characteristics of and trends in unusual behaviours in the system transactional core;
• Enquiry into and testing of the nature and extent of unit, system and user acceptance testing of the Horizon HNG-X during its [...];
• More detailed consideration as to any aspects of the internal control environment which operate over the current Horizon HNG-X processing environment which were not in place or operating over the legacy Horizon system;
• [...] the nature and extent of [...] with other third party [...] and test the operating integrity of dataflows to and from certain of these systems; and
• Testing of [...] to thematic [...] raised by other independent [...].
The scope of our services and any deliverables will be limited solely to the Services and Deliverables set out in this Contract. We will make no representations in respect of and will not consider any other aspect.
Our work will be performed through a combination of desk based inspection of documentation, corroborative enquiry and through third party provided evidence of contact, as agreed between You and us.
(c) Our responsibilities
In performing the Services, we will be responsible for:
• undertaking the procedures as necessary to produce our deliverables; and
• confirming the factual accuracy of our report with You.
You agree that other than as set out in the Services section above, we will not audit or otherwise test or verify the information given to us in the course of the Services. In particular, unless otherwise [...] by You [...], we will not perform or [...] any [...] of any internal [...] over [...].
Our work will be limited by the time and the information available. Whilst we will report our findings in accordance with the agreed scope of work having considered the information [...] in the course of carrying out the Services, additional information that You may regard as relevant may exist that is not provided to (and therefore not considered by) us. Accordingly, [...] work should not be relied upon as being comprehensive in such respects. We accept no responsibility [...] instructions from You.
In particular, we note that, in certain respects, we will be reliant on the integrity of those people whom we interview, and that our ability to corroborate and test what we have been told may be limited by the available information.
We shall discuss with You any difficulties we encounter with completing our work should any problems arise.
You acknowledge that You are responsible for establishing and maintaining an effective internal control system that reduces the likelihood that errors or irregularities will occur and remain undetected; however, it does not eliminate that possibility. Nothing in our work guarantees that errors or irregularities will not occur, nor is it designed to detect any such errors or irregularities should they [...]
The scope of our Services and our responsibilities will not involve us in performing the work [...]
[...] financial information relates to the future, it may be affected by unforeseen events. Actual results are likely to be different from those projected because events and circumstances frequently do not occur as expected, and those differences may be material.
(d) Format and use of the Deloitte Deliverables
The format and timing of the reports (the "Deliverables") issued by us will be agreed with You. The content of such Deliverables is expected to be an executive summary and a written report, as follows:
Executive Summary:
• A summary of our objectives, approach, work performed and observations suitable for Board presentation and discussion in their meeting on the 30 April 2014 (noting any key outstanding points, if applicable, and subject to the accuracy of our assumptions and the fulfilment of Your responsibilities, below).
Written Report:
• Introduction - reconfirming the context of our appointment and the scope of work performed.
• Our Approach - outlining the approach we have taken in the delivery of our work, those documents reviewed and the individuals we have interviewed.
• Understanding the Horizon HNG-X Processing Environment - based on the documentation provided to us, provide an overview:
◦ Relating to the Technical Processing Environment - envisaged to be a description of technical matters of the Horizon HNG-X system, consisting of, where information is provided to us:
- Summary of [...] the [...] defects in Horizon HNG-X;
• An Assurance Map - showing those sources of Your assurance which You have shared with us and the areas of key risk relating to the integrity of processing that these were designed to assure.
• Matters for Consideration - an assessment of Your Assurance Map in the context of Your objectives and significant matters we have observed during our work that we recommend You consider further.
[Our] Deliverable should not be copied, referred to or quoted to any other party, except in the context of Your defence of the Allegations, or be used for any other purpose. We draw Your attention to clause 5 of the enclosed Terms of Business that sets out the conditions under which the Deliverables will be provided to You.
In the event that You wish to share our Deliverable with third parties, we may consent to such a course [...]. These [...] notify [...]:
• the disclosure to them will not create any duty, liability or responsibility whatsoever to them in relation to our Deliverable or any of its contents;
• the Deliverable was not prepared for their use or with their needs or interests in mind; and
• they should keep our Deliverable [...] and not copy or [...] our Deliverable, or any extracts of them, to any third party without our express written permission.
We understand that You are unlikely to make any public announcements which would refer to our work. If this situation changes however, You agree that You will not make any such public announcement(s) on this matter referring to Deloitte or our work in any way without providing prior notification of the wording of any public announcement to us and without our prior written consent to such wording; such consent will not be withheld unreasonably.
3 Client Responsibilities and Assumptions
(a) Client Responsibilities
In connection with the provision of the Services, we refer You to clause 3 of the enclosed Terms of Business. These confirm Your responsibility for the provision of information and [...] with the [...] we are to provide. In [...] our delivery of the [...] is [...] upon Your completion of the following:
• You acknowledge and agree that our performance of the [...] is dependent on the timely and [...] engagement, as well as timely decisions and approvals by You;
• You agree to making available to us all information You deem relevant to this review;
• You agree to providing timely access to relevant personnel in order for us to obtain sufficient information to inform our understanding and report;
• Unless we are otherwise instructed, You agree to carrying out all contact with third parties;
• You agree to providing a nominated point of contact for us throughout the work;
• You agree to provide a room for our team and secure storage facilities for paperwork, if required, at 148 Old Street, London; and
• You agree to assess the Deliverable we provide to You, to determine the most appropriate courses of action for You.
You acknowledge and agree that our performance is dependent on the timely and [...] completion of Your own [...] responsibilities in connection with this engagement, as well as timely decisions and approvals by You.
The responsibilities set out above and those contained in clause 3 of the Terms of Business are together referred to in this Contract as the "Client Responsibilities".
(b) Assumptions
The Services, Charges (as set out in Section 4 below) and timetable are based upon the following assumptions, representations and information supplied by You ("Assumptions"):
• Horizon HNG-X is also known as Horizon Online in Your organisation. We will refer to the processing environment as Horizon HNG-X through-out our work. The system which Horizon HNG-X replaced will be referred to as "the legacy Horizon system";
• Only matters relating to the HNG-X processing environment will be [...] in our [...]. We will [...] consider any information relating to the legacy Horizon system [...] for us to obtain an understanding of key [...] that the Horizon HNG-X [...];
• Deloitte will not provide a legal or any other opinion at any point throughout the work;
• That sufficient information is available on a timely basis regarding the scope of Services and Deliverables for us to be able to carry out our work;
• That all pertinent information relating to the nature of the Allegations against You has been provided to us such that we are fully aware of the detail of the Allegations;
• Unless otherwise instructed, that Deloitte staff will have no direct contact with any third parties other than named Fujitsu contacts that You provide to us;
• The individuals we may need to interview will be available to us for sufficient time for us to perform our work during the period of our assessment and third parties can be contacted on a timely basis by You to request further information should this be required;
• Deloitte will not verify or test any information provided directly by You, or indirectly by third parties via You;
• Deloitte will adopt a time limited approach to our work, operating to key milestone dates [...];
• Deloitte will not review any contractual provisions in place between You and third parties.
(c) Client contacts
We understand that Rod Williams, Litigation Lawyer, will be Your nominated point of contact [...] that [...] should be copied to Belinda Crowe.
4 Our Charges
We will base our charges upon the actual time and materials incurred, plus out-of-pocket expenses and applicable value added tax. The billing rates we will apply match those of previous specialist advisory work which we have performed for You in 2013.
We estimate that the Part 1 work will take 15 days of senior time to deliver. To provide some certainty over our fees, we will cap our total fee for Part 1 work at £50,000 (plus VAT and out of pocket expenses). Charges for work done under a Change Order will be based on the rate card below (in addition to this fee cap for the Part 1 work) unless otherwise agreed.
Grade | Rate
Partner | 630
Director | £540
Senior Manager | [...]
[...] | [...]
Consultant | [...]
Consultant [...] | [...]
Analyst | [...]
If during the course of our work, or Change Order there-under, a need for ancillary specialist services not specified in this Contract is identified, agreement to their use and related charges will be obtained before any expenditure is incurred.
5 Terms of Business and Liability Provisions
The enclosed Terms of Business form an integral part of the Contract between us and Your attention is drawn to them. You agree that for the purpose of clause 6 of these Terms of Business, our aggregate liability arising from or in any way in connection with the Services shall not exceed £750,000.
6 Variations
If You or we wish to request or recommend any addition, modification or other change to the Services or performance required under this Contract, we each agree to follow the change control procedures described in Appendix 2.
Acknowledgement and acceptance
We appreciate the opportunity to be of service to You and look forward to working with You on this assignment. You can be assured that it will receive our close attention.
If, having considered the provisions of this Contract You conclude that they are reasonable in the context of all the factors relating to our proposed appointment and You wish to engage us on these terms, please let us have Your written agreement to these arrangements by signing and returning to us the enclosed copy of this letter.
Post Office Ltd agrees to the appointment of Deloitte LLP on and subject to the terms of the Contract set out in this Engagement Letter and its enclosures.
Appendix 1 - Sources of Information
Appendix 2 - Change Control Procedures
Appendix 3 - Template Change Order
Appendix 4 - Deloitte LLP Terms of Business, Consulting and Advisory Services
ENGAGEMENT LETTER DATED 9 APRIL 2014
SOURCES OF INFORMATION
For Part 1 work, we will use the following sources of information which have been provided by You:
1. "Horizon Core Audit Process" which outlines how Horizon HNG-X has been designed to operate;
2. "Draft Factfile" which deals with how POL uses Horizon HNG-X in the branch network;
3. "Description of Fujitsu's System of IT Infrastructure Services supporting Post Office Limited's POLSAP and HNG-X applications" which outlines the environment in which Horizon operates;
4. "Table of the deficiency themes" which outlines areas that underlie some of the allegations that Horizon HNG-X is deficient;
5. "POL Summary of Second Sight anomalies" which is an internal POL summary of the anomalies within Horizon HNG-X referring to para's 6.4 to 6.10 of Second Sight's July 2013 Report;
6. Fujitsu's response on the "Local Suspense" / 14 Branch anomaly;
7. Fujitsu's response on the "Receipts Payments" / 62 Branch anomaly;
8. The "Spot Review Bible", which contains the ten "Spot Reviews" sent to POL and POL's responses (cf para 2.7 of Second Sight's July 2013 Report);
9. [...] Horizon [...];
10. [...] integrity and descriptions as to how those measures apply in each case;
11. Current Fujitsu POA ISO27001 certification;
12. The associated Fujitsu POA ISMS Statement of Applicability;
13. The Post Office Horizon PCI DSS certificate;
14. The Post Office Horizon PCI DSS signed AOC;
15. The Post Office Horizon PCI DSS ROC;
16. The last 3 published Post Office ISME minutes with Fujitsu; and
17. The last 3 Fujitsu Security Ops Reports.
Additional documents may be provided by You as part of our engagement. The full list of information sources will be disclosed in our Deliverable.
APPENDIX 2 - CHANGE CONTROL PROCEDURES
ENGAGEMENT LETTER DATED 9 APRIL 2014
1. If at any time either party wishes to request or recommend any addition, modification or other change to the Services or performance [...]
[...] may only be amended in writing, signed by authorised representatives of both parties.
[...] any proposed Change is signed, Deloitte will continue to perform and be paid for the Services as if the Change had not been proposed.
[...] Deloitte shall be entitled to charge for all reasonable costs and expenses incurred in connection with investigating the implications of a Change Request, whether or not a Change Order is signed in respect of such Change Request.
APPENDIX 3 - TEMPLATE CHANGE ORDER
The section(s) of the Engagement Letter set forth below [and any earlier Change Orders or amendments thereto] are hereby amended, effective as of [effective date of changes], by the following text:
1 Scope and objectives
2 Our Services and responsibilities
3 Client Responsibilities and Assumptions
4 Our Charges
5 Consequential changes to the Contract
Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged. Please indicate Your agreement to the terms of this Change Order by signing and returning to Deloitte the enclosed copy of this Change Order.
Yours faithfully,
Deloitte LLP
Agreed by Post Office Ltd:
For and on behalf of Post Office Ltd
Printed Name
APPENDIX 4 - DELOITTE LLP - TERMS OF BUSINESS
ENGAGEMENT LETTER DATED 9 APRIL 2014
Appendix 5: Change Order 01
ENGAGEMENT LETTER DATED 09 APRIL 2014
CHANGE ORDER NUMBER 01 (VERSION 2)
6 May 2014
[...] Orders) [...] amendments [...] Order constitutes the entire understanding and agreement between the Client and Deloitte with respect to the changes set out in this document, supersedes all prior oral and written communications with respect to such changes ([...] not limited to Change [...]) and may only be amended in writing signed by authorised representatives of both parties.
The section(s) of the Engagement Letter set forth below are hereby amended, effective as of 06 May 2014, by the following text:
1 Project scope and objectives
Your project scope and objectives remain as described within our engagement letter dated 09 April 2014.
2 Our Services and responsibilities
Our services within 2(b) of our contract dated 09 April 2014 will be amended to include the two following extension areas:
Extension Area 1:
Deloitte will continue to review further supplied documentation relating to the 2010 implementation of HNG-X and [...] provided by POL; [...] consider the [...] extent of project [...] with the [...] Deloitte will [...] review of [...] and how [...] Audit Store [...] features of the system were impacted by the implementation.
In addition Deloitte will assess documentation relating to sign-off of business requirements as well as the project's testing strategies and testing assurance [...].
Deloitte will integrate a description of our approach, findings and recommendations from this work into our deliverable.
Extension Area 2:
Deloitte will review further documentation [...] the specific design features of the processing environment which are [...] in place to [...]:
1. That [...] in the Branch ledger;
2. That the Branch [...] records [...] with integrity and [...].
Deloitte will produce a schedule of these specific design features, identified only through desktop review of documentation provided by Post Office, and use this to assess whether the existence of the specific design feature has been tested and/or assured. Deloitte will comment on the 2 points above in this context.
Deloitte will not [...] on the quality of [...] and will not perform any [...] or operating effectiveness testing.
Deloitte's work, still based on desktop review procedures, will also include:
• Corroboration with an appropriate [...] the Audit Store's [...];
• [...] the control design features;
• Highlighting those design features where further implementation or operating effectiveness testing should be considered by POL to provide further assurance to the Board.
Deloitte will integrate a description of our approach, findings and recommendations from this work into our deliverable.
In addition to the above areas of additional service, Deloitte will support the delivery of ongoing project update meetings with POL stakeholders [and] prepare a Board Update document (marked as Draft) at close of our work on the Tuesday 13 May 2014 and Friday 16 May 2014.
4 Our Charges
Our time charges for this additional work will be charged on a time and materials basis, in line with the rate card shown in our original Engagement Letter.
5 Consequential changes to the Contract
Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged. Please indicate your agreement to the terms of this Change Order by signing and returning to Deloitte the enclosed copy of this Change Order.
Deloitte
Gareth James
Partner
Deloitte LLP
Agreed by Post Office Limited:
Signed: [signature]
For and on behalf of Post Office Limited:
Printed Name: Chris Aujard
Position: General Counsel
Date: 15-04-2014
Statement of Responsibility
We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our work and are not necessarily a comprehensive statement of all the weaknesses that may exist or all improvements that might be made. Any recommendations made for improvements should be assessed by you for their full impact before they are implemented.
Deloitte LLP
London
May 2014
In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
© 2014 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.