POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
ENGAGEMENT LETTER DATED 9" Apri 2014
CHANGE ORDER NUMBER 02 (VERSION 1)
11 March 2016
Post Office Limited
Finsbury Dials
20 Finsbury Street
EC2Y 9AQ
For the attention of Jane MacLeod
Dear Sirs
This Change Order (including any appendices, schedules, and/or attachments), records agreed
changes to the Contract between Deloitte LLP (“Deloitte” or “we”) and Post Office Limited
(POL” or “you”) dated 9°" April 2014, as amended by prior agreed Change Order(s) or
amendments thereto. This Change Order constitutes the entire understanding and agreement
between the Client and Deloitte with respect to the changes set out in this document,
supersedes all prior oral and written communications with respect to such changes (including,
but not limited to Change Requests), and may only be amended in writing, signed by
authorised representatives of both parties.
The section(s) of the Engagement Letter set forth below and Change Order Number 01
(Version 2) are hereby amended, effective as of 11 March 2016, by the following text:
1 Project scope, objectives and background
Background
POL continues to respond to allegations that the “Horizon” IT system used to record
transactions in POL branches is defective and the processes associated with it are inadequate
(the “Allegations”). As part of this activity, POL’s Chairman Tim Parker instructed Jonathan
Swift QC to review and advise him on the work POL had already taken in the 2010-2015
period (including the work undertaken by Deloitte pursuant to the Engagement Letter and
Change Order Number 01 (Version 2)), and if there were gaps in that work, whether further
action can reasonably now be taken to respond to the Allegations.
Deloitte is now asked to undertake the work described in this Change Order Number 02 in
order to support and inform the advice that Jonathan Swift QC is providing to POL’s
Chairman, and to assist POL respond to the Allegations which continue to be the subject of
threatened litigation.
Scope and Objective
This first phase of work will constitute ‘Phase 0’, the ‘Discovery Phase’, whereby Deloitte
will perform initial enquiries and investigations across four scope areas named by POL and
identify procedures which POL may wish to undertake for each scope area.
© Deloitte LLP Page I
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
The objective of the ‘Discovery Phase’ is to ratify the procedures into an agreed statement of
work which can be undertaken in Phase 1, the ‘Delivery Phase’.
This Change Order (including its commercial terms) relates to the ‘Discovery Phase’ / Phase
0 only. The Delivery Phase / Phase 1 will be the subject of a separate engagement letter or
further Change Order as is necessary.
2
Timetable
We are planning to operate in accordance to the following timetable:
Our Services and responsibilities
Phase = es Completion Tie
0. Discovery Phase Initial engagement activities 18" March 2016
such as review of
documentation, discussions
with Fujitsu and POL’s
financial processing team,
and high level data gathering
to allow the core procedures
to be identified and defined.
1. Delivery Phase Execute the core procedures 13" May 2016
(and selected optional
procedures) against each of the
four scope areas.
Scope Areas
The four “Scope Areas” specified by POL are:
Scope Area # I QC’s Advice - z ee Proposal = xe
3 POL consider instructing a suitably “qualified POL will instruct Deloitte to
party to carry out an analysis of the relevant I determine whether such an
transaction logs for branches within the Scheme I analysis/review is feasible, and
to confirm, insofar as possible, whether any I if it is, to provide an indication
bugs in the Horizon system are revealed by the I of the cost, time and process
dataset which caused discrepancies in the I that would be incurred.
accounting position for any of those branches.
4 POL instruct a suitably qualified party to carry I POL will instruct Deloitte to
use.
out a full review of the use of Balancing
Transactions throughout the lifetime of the
Horizon system, insofar as possible, to
independently confirm from Horizon system
records the number and circumstance of their
determine whether such an
analysis/review is feasible, and
if it is, to provide an indication
of the cost, time and process
that would be incurred.
© Deloitte LLP
Page 2
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
Scope Area # I QC’s Advice cS Proposal —
5 POL instruct a suitably qualified party to carry I POL will instruct Deloitie to
out a full review of the controls over the user I undertake this review,
and capability of authorised Fujitsu personnel I throughout the lifetime of the
to create, amend or delete baskets within a I Horizon system, insofar as is
sealed audit store throughout the lifetime of the I possible.
Horizon system, insofar as possible.
8 POL commission forensic accountants to I POL will commission Deloitte
review the unmatched balances on POL’sI to review any unmatched
general suspense account to explain the I balances on POL’s Suspense
relationship (or lack thereof) with branch I Account.
discrepancies and the extent to which those
balances can be attributed to and repaid to
specific branches.
Approach
In general the procedures required during the ‘Discovery Phase’ to achieve clarity on the
further procedures required for each Scope Area will be: es
i) Review relevant documentation.
ii) Interview relevant stakeholders.
There are a number of further procedures which could be performed for each Scope Area.
We have already identified some likely core and optional procedures in each Scope Area,
which would be likely to form the nucleus of the work proposed for the subsequent Phase 1.
Not all of these procedures will necessarily be required, and Phase 0 will allow decisions to
be made around which of these should be adopted.
In the table below we have set out a more granular presentation with the work steps for
Phase 0 together with the likely further procedures against each Scope Area, divided into
‘core’ and ‘optional’ based upon our current expectations of the relative merits of such
further procedures.
© Deloitte LLP Page 3
Private and Confidential - Subject to Legal Privilege
POL00240675
POL00240675
Scope Area
“ork Steps (for Phase 0)*
I Anticipated Further Procedures for Phase 1**
N/A — General procedures not
linked to a specific Scope Area.
Re-familiarisation with original Sparrow report.
Re-familiarisation with Second Sight reports.
Preliminary workshops/meetings in order to ascertain
relevant individuals to perform further Phase 0
procedures.
Obtain data and branch references for all cases at issue.
Initial Fujitsu engagement (likely POL led with Deloitte
support).
Scope Area 3: POL consider
instructing a suitably qualified
party to carry out an analysis of
the relevant transaction logs for
branches within the Scheme to
confirm, insofar as possible,
whether any bugs in the
Horizon system are revealed by
the dataset which caused
discrepancies in the accounting
position for any of those
branches.
Review Fujitsu technical documents pertaining to
transactions recording in Horizon (HNG-X and legacy
Horizon if possible).
Interview with relevant Fujitsu staff with understanding
of the throughput of transactions from branch database to
the Audit Store and intermediate locations, considering
Transaction Log Proposed Procedures:
a)
Obtain audit store extracts for one relevant branch for
the time period available on the system and perform
pilot data analytics.
Additional Optional Transaction Log Procedures:
the internal integrity check Horizon performs by b)
transaction.
Obtain data dictionary or equivalent for relevant areas of c)
the Horizon database and review.
Review existing population of extracted data available
and assess feasibility of further data analytics.
Formulation of data analytics proposed approach and data
request (if feasibility study is favourable),
Perform further data analytics on wider population based
on success of pilot on one particular case.
Perform controls review of relevant controls on
transaction log procedures.
Scope Area 4: POL instruct a
Review existing Horizon documentation (HNG-X)
Balancing Transaction Proposed Procedures:
suitably qualified party to carry around the operation of Balancing Transactions. a) Perform site visit(s) to Fujitsu in Bracknell in order to
out a full review of the use of I2. Interview with relevant Fujitsu staff with understanding walkthrough the operation of the controls over
Balancing Transactions of Balancing Transactions to determine the history of Balancing Transactions.
throughout the lifetime of the their usage, and the controls over their operation. b) Test identified controls around Balancing Transactions
Horizon system, insofar as I3. Interview with relevant Fujitsu staff in order to perform including the following:
possible, to independently preliminary assessment over the feasibility to perform a. Authorisation for balancing transactions. I
confirm from Horizon system analytics procedures over the history of balancing b. Controls over access to amend or delete the I
records the number and transactions. audit trail of Balancing Transactions usage.
circumstance of their use. 4. Formulation of relevant controls population and test plan. c. Logical access rights on the system in order to
5. Formulation of data analytics proposed approach and data perform Balancing Transactions.
request (if feasibility study is favourable). c) Perform analytics procedures over the usage of
© Deloitte LLP
Page 4
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
Scope Area
I [Work Steps (for Phase 0)*
__I Anticipated Further Procedures for Phase 1**
balancing transactions from identified logs.
Additional Optional Balancing Transaction Procedures:
a) Review existing legacy-Horizon documentation around
the operation of Balancing Transactions.
b) Catalogue and document identified controls around
Balancing Transactions on the legacy version of
Horizon.
Scope Area 5: POL instruct a
suitably qualified party to carry
out a full review of the controls
over the user and capability of
authorised Fujitsu personnel to
create, amend or delete baskets
within a sealed audit store
1. Review existing documentation around the operation and
controls surrounding the Audit Store data.
2. Conduct interviews with relevant Fujitsu stakeholders
around controls and processes in relation to the creating,
amending or deleting of Audit Store baskets by means
other than in branches.
3. Formulation of relevant controls population and test plan.
Scope Area 5: Audit Store Proposed Procedures:
a) Test Controls over access to create, amend or delete
baskets within the Audit Store Environment.
b) Use data processing to summarise the baskets affected
by this capability for the branches at issue.
Additional Optional Audit Store Procedures:
throughout the lifetime of the I4. Establish if baskets created, amended or deleted can be a) Validate extraction process of data for investigation as a
Horizon system, insofar as amended from the audit store. result of the allegations.
possible. 5. Understand the length of time audit store baskets remain b) Review controls around data extract from audit store and
available. custody of that data once outside of Horizon.
6. Determine if baskets relevant to the branches at issue can c) Review relevant ‘environment’ controls which would
be identified. allow subversion of the ‘specific’ Audit Store controls.
7. Formulate whether such audit store baskets for post
masters subject to the complaint could be identified. _I
Scope Area 8: POL I We understand that transactions in suspense accounts largely I Scope Area 8: Suspense Account Proposed Procedures:
commission forensic I represent the end of a process that has sought to resolve the a) Test the relevant controls.
accountants to review the I issues and not the beginning. As such we propose identifying
unmatched balances on POL’s
general suspense account to
explain the relationship (or lack
thereof) with branch.
discrepancies and the extent to
which those balances can be
attributed to and repaid to
an approach that considers how POL handle imbalances from
the point they arise, through Suspense, and on to write-off.
1. Review Second Sight report and
understanding of the various complaints.
Review Central Finance team’s analysis as to the different
classifications and main utilisations of the suspense
obtain/renew
2.
b) Perform procedures such as review of service desk
platform or historical process documents, to assure that
the suspense account process has remained relatively
constant for the period under investigation.
Review a sample of relevant transactions to support and
compliment the controls work.
°)
Additional Optional Suspense Account Procedures:
© Deloitte LLP
Page 5
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
ScopeArea I Work Steps (for Phase 0)* __I Anticipated Further Procedures for Phase 1** I
specific branches. account. a) Review suspense account processes and controls for
3. Determine which suspense account classifications are Suspense account areas deemed less relevant to
more likely to be aligned with post master complaints. complaint submission
4. Conduct interviews and review relevant documentation, b) Perform analytics procedures over the current suspense I
together with process walkthroughs in order to understand account population of transactions in order to highlight I
the relevant suspense account processes. items of interest.
5. Formulation of relevant controls population and test plan.
* NOTE: Whilst it is our intent to conduct the procedures listed within this column, as our understanding develops we may (under your
direction) perform alternate or additional procedures, using the governance mechanisms described below to control that delivery.
** NOTE: Suggested procedures only for illustrative purposes, and will be subject to revision as a result of the knowledge and direction gained
from Phase 0. None of the procedures highlighted in this column are planned for delivery as part of Phase 0 and so are outside the scope defined
by this change order.
© Deloitte LLP Page 6
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
Governance for ‘Phase 0’
Whilst we have highlighted in the table above a number of procedures which we could perform in
Phase 1, we believe a certain amount of flexibility in formulating the statement of work will result in
the optimum result for POL. To ensure this flexibility whilst allowing sufficient oversight by POL we
propose that weekly status meetings are held and used to discuss the direction of the work, and any
deviance from the proposed procedures highlighted above.
Deliverables
Our deliverable for Phase 0 will be a statement of work setting out the proposed scope and approach to
Phase 1.
Usage of our Deliverables
For the avoidance of doubt, our deliverables, are for the use and review of POL only, and are not
permitted to be shared with any other third party without Deloitte’s prior written consent.
3 Client Responsibilities and project assumptions
Assumptions
We have made the following assumptions in constructing the budget in this Change Note which, if not
correct, could impact the scope, timing and potentially the cost of this engagement. They are:
1. Sufficient meetings can be obtained within Fujitsu during the course of planned fieldwork;
2. Sufficient meetings can be obtained within POL Finance teams during the course of planned fieldwork;
3. Access to relevant reports and data can be granted and facilitated during the course of planned fieldwork.
4 Our Charges
Rate card
We will conduct our services under the rate card previously used under Project Sparrow but discounted
by 12.5% for both Phases 0 and 1, being:
Grade sst—i‘ii*iL Advisory Rate Shr
Partner £551
Director £473
Senior Manager £376
Manager £350
Senior Consultant £271
Consultant £162
Analyst £127 _
© Deloitte LLP Page7
POL00240675
POL00240675
Private and Confidential - Subject to Legal Privilege
Proposed Budget for Phase 0 - Discovery Phase
We envisage a senior team mix for this phase of the work as set out below:
Andrew Whitton Partner £4,408 3 £13,224
Mark Westbrook Senior Manager £3,008 6 £18,048
Sam Bartlett Senior Manager £3,008 5 £15,040
Lewis Keating Assistant Manager £2,168 6 £13,008
Total oe oe 20 _ £59,320
5 Consequential changes to the Contract
Except as expressly modified herein, all other terms and conditions of the Contract remain unchanged.
Please indicate your agreement to the terms of this Change Order by signing and returning to Deloitte
the enclosed copy of this Change Order.
Yours faithfully,
Andrew Whitton
Partner
Deloitte LLP
Agreed by Post. Office Limited:.
Signed: I Jane MacLeod
Printed Name: <lAwe Maebiior
Position: Govorah Counsel
Date: a Hower toll 7
© Deloitte LLP Page 8