POL00340338
POLSAP System Controls
Report: AR 12/037a
Follow Up Review of Key System Controls in POLSAP
Post Office Limited
Assurance Review
March 2013
Internal Audit & Risk Management
POL-BSFF-0166059
Post Office Limited (POL) customer transactions are captured through the Horizon Electronic Point of Sale equipment in branches, with daily summaries transmitted to the central accounting system, POLSAP. The translation process between the two systems is enabled by SAP Middleware. The POLSAP system was implemented in 2005/06 and contains functionality to calculate branch balances (cash, stocks, suspense, debtors and creditors) and to settle client balances.
The overall objective of the review was to assess the degree to which the issues raised in the 2011/12 Ernst & Young (E&Y) Management Letter regarding the POLSAP control environment have been addressed. Where actions have not been completed, or were completed part way through the financial year 2012/13, any existing compensating controls were also assessed.
The majority of the areas identified by E&Y as requiring improvement have been addressed by POL and third party suppliers. Three areas remain that require further input from management to ensure that the recommended controls have been designed and fully implemented, specifically:
1. Change management: The policy is under development, but has not been formally agreed and communicated as at February 2013.
Implication: inconsistent changes may be undertaken within the system.
2. User administration: A regular review of POLSAP users in the Cash Centres with privileged system access (including access to create and change user permissions) was initiated in December 2012 but was not performed throughout the whole financial year.
Implication: inappropriate access may have been obtained, leading to inappropriate activities being undertaken within the system.
3. Password parameters: Whilst a number of password parameters have been changed in line with the E&Y recommendations, the password parameter for account lockout has not been strengthened.
Implication: inappropriate access may be obtained, leading to inappropriate activities being undertaken within the system.
Conclusion: The majority of areas for improvement identified by E&Y have been completed, or where areas for improvement had not been implemented, it was either demonstrated that compensating controls have been in operation for the whole of the financial year 2012/13 or the risk related to not implementing the proposed changes was accepted by the POL Risk and Compliance Committee. Three areas have been partially implemented and require some further work to complete the recommendations. The findings, summarised on pages 3 to 7, have been shared with E&Y and reflect the IA&RM assessment as at February 2013.
Rating: Substantially Implemented.
Summary Findings
The summary findings from the review are noted below and represent the status of controls as at February 2013. Testing was performed from the control remediation date. Where actions have not been completed, or were completed part way through the financial year 2012/13, any existing compensating controls have been assessed from April 2012.
1. Privileged Access: Consider the implementation of monitoring controls to help ensure controls operated by third party suppliers are in place and in operation.
Remediation date: Nov 2012
What was done: Inspected the review of user access performed by management for both POL and third party users on POLSAP. Due to the completion of this recommendation during the year, IA&RM inspected the review of privileged POLSAP activity at the Information Security Management Forum (ISMF) from April 2012 to February 2013.
What was found: A review of generic and privileged accounts, including those operated by third parties, commenced in November 2012 at the ISMF. This control has operated on a monthly basis since that date. Additionally, user and system accounts with privileged access in POLSAP have been reviewed at the ISMF since April 2012. Consequently mitigating controls have been operating effectively during the year.

2. Privileged Access: Where the used to run scheduled jobs, POL should consider creating system accounts with manual login to promote accountability.
Remediation date: N/A
What was done: Reviewed the minutes from the Risk & Compliance Committee in November 2012 and correspondence with E&Y in December 2012.
What was found: The risks associated with the decision not to implement the E&Y recommendation were accepted by the Risk & Compliance Committee (R&CC) in November 2012.

Key
Filled circle: Control implemented as recommended for the whole financial year / Control implemented part way through the year but with compensating controls in place prior to implementation / Risks of not implementing recommendation accepted by the POL R&CC.
Open circle: Control implementation in progress but not fully completed / Control implemented part way through the year
3. Privileged Access: Review the need to grant the existing level of access for POLSAP accounts specifically associated with SAP_ALL and SAP_NEW in production.
Remediation date: Nov 2012
What was done: Assessed the review of user access performed by management for both POL and third party users on Horizon. Due to the completion of this recommendation during the year, IA&RM inspected the review of privileged Horizon activity at the ISMF from April 2012 to February 2013.
What was found: A review of generic and privileged accounts, including those operated by third parties, commenced in November 2012 at the ISMF. This control has operated on a monthly basis since this date. Additionally, system and user accounts with privileged access in POLSAP have been reviewed at the ISMF since April 2012. Consequently mitigating controls have been operating effectively during the year.

4. Privileged Access: Consider a review of privileged access to determine the level granted is appropriate and revoke where not.
Remediation date: Nov 2012
What was done and what was found: As for area 3 above.

5. User Administration: Strengthen the existing user administration process for cash centres to ensure that 1) documentation is retained, 2) cash centre managers are made aware of the process to follow, and 3) consider the implementation of monitoring controls.
Remediation date: June 2012
What was done: Reviewed the documented POLSAP user administration process and the communication of this process to Cash Centre Managers. Point 3) of the E&Y recommendation was tested as noted in area 6 of this report below.
What was found: The user admin process in Cash Centres has been designed and implemented since 1 April 2012. However, due to the observation made in the earlier IA&RM POLSAP audit report, management were required to re-communicate this process to ensure cash centre managers are aware of the process. The process was re-communicated to Cash Centre Managers in June 2012.

6. User Administration: Implement a monitoring process around privileged users (cash centre SU01) where the admin process is controlled by third party suppliers.
Remediation date: Dec 2012
What was done: Assessed the review of user access performed by management for both POL and third party users on POLSAP.
What was found: A control to monitor the activities of privileged users in POLSAP, including Cash Centre users with access to create and amend user permissions (by means of POLSAP transaction SU01), was introduced in December 2012. This control was not in place prior to this date.
7. User Administration: Strengthen the revocation process of employees that are terminated or no longer require access to POLSAP or Horizon. Consider a tie in with Human Resources.
Remediation date: Nov 2012
What was done: Reviewed the minutes from the Risk & Compliance Committee in November 2012 and correspondence with E&Y in December 2012.
What was found: The risks associated with the decision to continue with existing controls, and not to implement the E&Y recommendation, were accepted by the R&CC in November 2012.

8. Change Management: POL to increase their involvement in the change management process, specifically user testing of maintenance fixes. The change management policy should describe this, and the definitions and responsibilities of all parties involved should be described.
Remediation date: Nov 2012
What was done: Reviewed recent communications to the POL testing team for compliance.
What was found: All functional and role based changes on POLSAP from the sample tested were communicated to the POL testing team prior to implementation to ensure that appropriate testing can be performed.

9. Change Management: Implement monitoring controls to ensure controls are operated by third party suppliers.
Remediation date: 2013/14
What was done: Reviewed the current version of the Change Management Policy.
What was found: POL management are in the process of drafting a Change Management Policy and this is currently in version 0.3. It is the intention of management that the policy will define the overall change management process.

10. Periodic User Access Reviews and Monitoring Controls: Consider the implementation of a periodic review of appropriateness and segregation of duty issues.
Remediation date: Nov 2012
What was done: Assessed the review of user access performed by management for both POL and third party users on POLSAP. Due to the completion of this recommendation during the year, IA&RM inspected the review of privileged POLSAP activity at the ISMF from April 2012 to February 2013.
What was found: A review of privileged and generic user accounts on POLSAP was carried out in October 2012 and signed off in November at the ISMF.
Summary Findings (continued)

11. Generic Privileged Accounts: Consider a review of generic privileged accounts to determine if these accounts can be replaced by individual user accounts.
Remediation date: N/A
What was done: Assessed the review of generic privileged accounts performed by POL management for both POL and third party users. Due to the completion of this recommendation part way through the year, IA&RM assessed the review of privileged POLSAP activity at the ISMF from April 2012 to February 2013. Reviewed the minutes from the November POL Risk & Compliance Committee.
What was found: POL management have confirmed that privileged generic accounts are controlled and will not be replaced with individual accounts. The risks associated with this decision were accepted by the POL Risk & Compliance Committee in November 2012.

12. Password Parameters: Review the Royal Mail Group (RMG) security policy to ensure it meets recommended password settings and consider having one single policy document for password guidelines for both POLSAP and Horizon.
Remediation date: N/A
What was done: Reviewed the password policy covering POL and third party users and reviewed the recommendation status. Reviewed the minutes from the November POL Risk & Compliance Committee.
What was found: Separate security policies were maintained for POLSAP and Horizon, which were assessed and updated during periodic management reviews. The risks of having two separate policies rather than one joint policy as recommended by E&Y were accepted by the POL R&CC in November 2012.
13. Password Parameters: Configure all network, application and supporting infrastructure components in line with the policy.
Remediation date: 2013/14
What was done: Reviewed the RSPARAM report from POLSAP to inspect password parameters that had been configured on the system.
What was found: The password parameter for account lockout (rdisp/gui_auto_logout) is configured to 3,600 seconds (60 minutes). The recommended setting from E&Y was 1,800 seconds (30 minutes).
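The RSPARAM comparison described in area 13 can be repeated mechanically each review cycle. The following is an added illustration written for this page, not a POL or SAP tool: it parses a constructed, simplified RSPARAM-style extract and reports every policy parameter that misses its agreed threshold. The 1,800-second limit for rdisp/gui_auto_logout is the figure quoted in the finding; the login/* parameter thresholds are assumed illustrative values.

```python
# Hypothetical checker written for this page (not a POL or SAP tool): compare an
# RSPARAM extract against agreed thresholds and flag parameters that miss them.

# Constructed, pipe-separated RSPARAM-style extract (not taken from POLSAP):
# parameter name | user-defined value | system default value.
# An empty user-defined value means the system default is in effect.
RSPARAM_EXTRACT = """\
rdisp/gui_auto_logout    | 3600 | 0
login/fails_to_user_lock |      | 5
login/min_password_lng   | 8    | 6
"""

# Rules: ("max", n) means value <= n; ("min", n) means value >= n.
# The 1,800-second limit for rdisp/gui_auto_logout is the E&Y recommendation
# quoted in finding 13; the login/* thresholds are assumed illustrative values.
POLICY = {
    "rdisp/gui_auto_logout": ("max", 1800),
    "login/fails_to_user_lock": ("max", 5),
    "login/min_password_lng": ("min", 8),
}

def parse_rsparam(text):
    """Return {parameter: effective integer value} from the extract."""
    params = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_val, default_val = [f.strip() for f in line.split("|")]
        # A blank user-defined column means the system default applies.
        params[name] = int(user_val or default_val)
    return params

def satisfies(rule, value):
    """True when the value meets the rule tuple."""
    if rule[0] == "max":
        return value <= rule[1]
    if rule[0] == "min":
        return value >= rule[1]
    raise ValueError(f"unknown rule kind {rule[0]!r}")

def check_rsparam(text, policy=POLICY):
    """Map each policy parameter to (effective value or None, compliant).
    A parameter missing from the extract is None and non-compliant."""
    params = parse_rsparam(text)
    return {name: (params.get(name), name in params and satisfies(rule, params[name]))
            for name, rule in policy.items()}

def noncompliant(text, policy=POLICY):
    """Names of policy parameters that fail the check, in policy order."""
    return [n for n, (_, ok) in check_rsparam(text, policy).items() if not ok]
```

Run against the constructed extract, only rdisp/gui_auto_logout is reported, matching the single exception recorded in the finding.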
User Administration
1. Implement a control to monitor Cash Centre users with privileged access to the system, to include access to POLSAP transaction code SU01. Priority 2 (March 2013 - Completed)
Change Management
2. Complete the POLSAP change management policy, ensure that it reflects the existing process, and obtain senior management approval before communicating this to key system users. Priority 2 (March 2013 - Andy J Jones)
3. Assign an appropriate manager to be responsible for the end-to-end POLSAP change management process for all functional and role changes within the system. Priority 2 (Completed)
Change Management
4. Review the requirement to strengthen the automatic password lockout controls and initiate changes as necessary. Priority 2 (March 2013 - Mark R Pearce)

Importance    No. of actions    Completed    Implementation by Mar 13
Priority 1    -                 -            -
Priority 2    4                 2            2
Post Office Limited:
Susan Barton, Strategy Director
Susan Crichton, Legal and Compliance Director
Christopher Day, Chief Financial Officer
Kevin Gilliland, Network and Sales Director
Andy J Jones, Quality and Standards Manager
Mark R Pearce, Head of Information Security
Lesley J Sewell, Chief Information Officer
Paula Vennells, Chief Executive
Malcolm Zack, Head of Internal Audit

Royal Mail Group and external:
Derek K Foster, Internal Audit & Risk Management Director, RMG
Justin Thornton, Head of Risk and Assurance, RMG
Ernst & Young, External Auditors