POL00408699
POL00408699
Parsons, Andre
Sent: Fri 29/07/2016 8:08:26 AM (UTC)
To: Westbrook, Mark (UK - Manchester)I Keating, Lewis (UK -
Ce:
Subject: RE: Horizon questions [BD-4A.FID26859284]
Thanks Mark. We toyed with that extra sentence but then thought if it was very "normal" the question might be... well
why didn't POL / FJ know about it sooner? So we kept our powder dry on that one.
Ta
A
Andrew Parsons
Partner
Direct: [7-7 GRO I
Mobile: i. SEN
Follow Bond Dickinson:
Blin)
www.bonddickinson.com
From: Westbrook, Mark (UK - Manchester) [mailto
Sent: 29 July 2016 09:06
To: Parsons, Andrew; Keating, Lewis (UK - Leeds)
Cc: Mark Underwood1
Subject: RE: Horizon questions [BD-4A.FID26859284]
Gribben, Jonathan; Prime, Amy
Absolutely fine with this.
I don’t know if you could strengthen your position further in relation to 1.3.4 with wording to the effect of ‘....such
database access being a necessary requirement of IT administration and support of any IT system’. Or similar — to
(correctly) normalise it.
Mark
From: Parsons, Andrew [mailtot.
Sent: 28 July 2016 08:50
Manchester) <_ “k>; Keating, Lewis (UK - Leeds)
Cc: Mark Underwood] (}.
Jonathan ¢ GRO. i>; Prime, Amy ¢
Subject: RE: Horizon questions [BD-4A.FID26859284]
>; Gribben,
Thanks Mark.
We've slightly tweaked the "Remote Access" wording in our Letter to Freeths in relation to the Super Users point. New
POL00408699
POL00408699
wording below. Are you happy with this?
A
13 The majority of transactions that make up the branch accounts are generated in branch. There are however
four ways in which Post Office (or Fujitsu on Post Office's instruction) can influence those accounts:
[.]
1.3.4 Administer access to databases. Database and server access and edit permission is provided, within strict
controls (including logging user access), to a small, controlled number of specialist Fujitsu (not Post Office)
administrators. As far as we are currently aware, privileged administrator access has not been used to alter branch
transaction data. We are seeking further assurance from Fujitsu on this point.
Andrew Parsons
Partner
Follow Bond Dickinson:
¢
lin)
www.bonddickinson.com
From: Westbrook, Mark (UK - Manchester) [mailto}
Sent: 27 July 2016 18:10
To: Parsons, Andrew; Keating, Lewis (UK - Leeds)
Cc: Mark Underwood! (~~
Subject: RE: Horizon questions [I
Gribben, Jonathan
Hello all,
Please find attached the revised version of the report which I have now been authorised to release. Apologies for the
small delay, but one of your requests prompted some fairly in-depth conversations required on our side.
Hopefully the new code name is acceptable (!).
Many thanks,
Mark
From: Parsons, Andrew [mailt
Sent: 25 July 2016 13:33
To: Westbrook, Mark (UK - Manchester) <
I Keating, Lewis (UK - Leeds)
5
POL00408699
POL00408699
Jonathan <__ GRO Ss
Subject: RE: Horizon questions [BD-4A.FID26859284]
Mark, Lewis
Further to below, would you be able to supply an updated version of your Interim Report having made the small
amendments in the email below. We are holding off circulating the report insider POL until these points are tidied up
so it would be good to get these sorted sooner rather than later.
Thanks
Andy
Andrew Parsons
Partner
Direct:
Mobile:
Follow Bond Dickinson:
www.bonddickinson.com
IMPORTANT NOTICE
This communication is from Deloitte LLP, a limited liability partnership registered in England and Wales with registered number 0C303675. Its registered office is 2, New Street,
Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL”), a UK private company limited by
guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL
and its member firms.
This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended
recipient(s), please (1) notify it.security.uk by forwarding this email and delete all copies from your system and (2) note that disclosure, distribution, copying or
use of this communication is strictly prohibited. Email communications cannot be guaranteed to be secure or free from error or viruses. All emails sent to or from a Deloitte UK
email account are securely archived and stored by an external supplier within the European Union.
To the extent permitted by law, Deloitte LLP does not accept any liability for use of or reliance on the contents of this email by any person save by the intended recipient(s) to
the extent agreed in a Deloitte LLP engagement contract.
Opinions, conclusions and other information in this email which have not been delivered by way of the business of Deloitte LLP are neither given nor endorsed by it.
From: Parsons, Andrew
Sent: 19 July 2016 15:45
To: Westbrook, Mark (UK - Manchester) (oo mnnmnnmmm GRO 3; ‘Ikeating¢
Cc: Mark Underwood! (:
GRO _
); Gribben, Jonathan (GRO
Subject: Horizon questions [BD-4A.FID26859284]
Mark, Lewis
As promised, please find attached our questions on the Interim Report. We've not yet addressed Scope Area 8 as this
is not pressing at the moment — we'll come back to you separately on this.
Please could you review and confirm which questions are inside and outside your current scope of work. We can then
discuss whether / how to progress any of out of scope work.
We'd also be grateful if you could make the changes below and re-circulate the Interim Report. These are hopefully
non-controversial stylistic points.
POL00408699
POL00408699
e Generally — can we re-number the Scope Areas as 1, 2, 3 and 4 so that we break any connection to the QC
report?
e Page 5 & the Report Generally — can we remove the term ‘Sparrow’ and reference to it as a ‘code name’.
e Page 6 - table refers to QC — Please remove
e Page 7 — i) — could we use an alternative work to “embellish” - perhaps “advance” or “enhance”?
* Page 7 — under “Phase 1” - could we ask that Deloitte qualify that paragraph as the procedures to be
performed in relation to Scope area 8 are TBC.
« Page 8 - bottom of the page — could “risks” be changed to “Potential Risks’ (in the title & subsequent
paragraph). We're trying to avoid soundbites from being created, should the report ever make its way outside
of POL.
« Page 9 - above table refers to QC. Please remove
e Page 9 — change “key to risks” to “key to potential risks”
« Page 9 - Could we change the wording for each potential risk to the following:
= R1. If Horizon does not process transactions correctly and these are not identified and resolved, these
could lead to sub postmaster financial loss
= R2. If inappropriate transactions can be created centrally.....
= R3. If data flow to the audit store is not complete, accurate or valid, the conclusions...
= R4. If once data is in the audit store...
= RS. If suspense accounts are mismanaged....
« Page 9 - penultimate paragraph — could we please qualify “risks” with “Potential”
¢ Page 15 — First column title of the table references “QC” — please remove
* Page 21 — First column title of the table references “QC” — please remove
e Page 27 — First column title of the table references “QC” — please remove
e Page 35 — First column title of the table references “QC” — please remove
Kind regards
Andy
Andrew Parsons
Partner
Follow Bond Dickinson:
in)
www.bonddickinson.com
POL00408699
POL00408699
Please consider the environment! Do you need to print this email?
The information in this e-mail and any attachments is confidential and may be legally privileged and protected by law. markwestbrook{~
this e-mail and any attachments. If you are not markwestbrook! please notify andrew. parsons
copies. Unauthorised use, dissemination, distribution, publication or copying of this communication or attachments is prohibited and m
only is authorised to
soon as possible and delete any
¢ unlawful,
Any files attached to this e-mail will have been checked by us with virus detection software before transmission, Bond Dickinson LLP accepts no liability for any loss or damage
Which may be caused by software viruses and you should carry out your own virus checks before opening any attachment.
Content of this email which does not relate to the official business of Bond Dickinson LLP, is neither given nor endorsed by it.
This email is sent by Bond Dickinson LLP which is a limited liability partnership registered in England and Wales under number 0C317661. Our registered office is 4 More
London Riverside, London, SEI 2AU, where a fist of members’ names is open to inspection. We use the term partner to refer to a member of the LLP. or an employee or
consultant who is of equivalent standing. Our VAT registration number is GB123393627,
Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority