POL00362957 - Post Office LTF Board: Viability of introducing a SAS70 or equivalent audit report.

Evidence on official site

1

Post Office Ltd — Strictly Confidential

POLB(11)55
POST OFFICE LTD BOARD

Noting Paper Only
Viability of introducing a SAS70 or equivalent audit report
Purpose

The purpose of this paper is to provide an update on the analysis of the costs
and benefits of a SAS70 or equivalent audit approach.

Current Situation
2.1 Discussions are still ongoing between POL, Fujitsu and E&Y.

2.2\t is understood that Fujitsu have received an enquiry from one other
customer with respect to a SAS70 report and are now engaging a SAS70
expert to assist in identifying what would be required to suit both POL and
other customers. A 3-party meeting is scheduled early November to
determine the initial scope for their SAS70 report; POL will require the E&Y
Financial Audit control objectives as a minimum.

2.3 E&Y have provided POL with the ROM costs for undertaking a SAS70 report
on Fujitsu — cĀ£100k covering POL only functions and Shared Services within
the scope of their current Financial Audit; these costs will be reviewed once
the initial scope has been agreed.

2.4In parallel POL is undertaking a review of the benefits for establishing a
single POL IT and Security related audit framework that will be used to
manage the full suite of IT and Security related audits undertaken on POL
each year (i.e. PCI, LINK, ISO27001, ISO9001, E&Y Financial Audit),
providing clarity on what evidence exists and where. Expected benefits
include simplified and lower cost future audits and service management
being enabled to identify and drive service improvements.

2.5 A full report on the approach and costs for a SAS70 report on Fujitsu will be
provided for the December POL Board along with an update and early
recommendations on the single audit framework.

Recommendation
The POL Board is asked to note the joint approach being taken with Fujitsu and

E&Y in establishing a SAS70 or equivalent audit approach; and the wider review
of the benefits of implementing a single POL audit framework.

Mike Young
October 2011

POL00362957
POL00362957