Challenges as to the Integrity of Horizon
Challenges have arisen many times since Horizon was introduced but POL
has consistently been able to tackle the facts of the branch transaction logs
and defend the integrity of Horizon.
Unfortunately we have not been able to put a lid on general speculation and
media discussion.
“Blaming the system” has been a fall back for many subpostmasters whom we
have said owe us money and/or whom we have suspended. Subsequent
letters to MPs and the press have also been a frequent next step.
We have considered obtaining independent expert reports ourselves as a pro-
active action to prevent future claims, but we have to date decided that this
would not stop speculation. We have as a company decided to defend each
case on its facts rather than obtain what would be an expensive opinion
which would be heavily caveated and have no assurance of preventing
claims.
Mark has responded on many of Dave’s questions already, but to add to that
please note:
How robust is horizon?
As Mark has said the system has been built with many controls
which we can rely on. Our view, which has been upheld in cases
(except Alderley Edge) is that the subpostmaster or their staff
did have their hands in the till and have tried to blame the
system.
The “Castleton” case had a strong opinion from the judge which
did appear to have brought an end to the claims for some years.
But this year the judge in the Alderley Edge case felt unable
to agree that POL’s systems were proven to be reliable. As
Mark has noted, the judge had issues about the quantum of the
loss and chose not to progress the case but he also said and
has been quoted in the press with “there are issues relating to
the Post Office computer system which I do not feel able to
judge”. That wording does risk reversing the benefits of the
judgment in the Castleton case and will no doubt be drawn on by
the facebook group.
Is it possible to mispost misallocate cash to the detriment of the
subpostmaster
Transactions in Horizon can only arise from action by the
subpostmaster or their staff. Transaction corrections sent by
P&BA have to be accepted by the branch and a core principle of
Horizon has been that there is no “back door” for anyone other
than the branch to allow entries in the system.
No claimants have been able to prove their allegations about
any entries, and we continue to believe that issues in cash
balances at branches only arise due to:
POL00424359
POL00424359
POL00424359
POL00424359
- theft of cash from the till
- falsification of claims about cash, cheques or savings
stamps despatched out of the branch
- intentional or unintentional errors in the values recorded
for transactions in Horizon
In all these situations the branch would be able at any point
in time to run a trial balance for their branch and to count
their cash and stock on hand. Indeed they are required to do
this at least monthly on a formal basis and would be expected
to deploy supervisory checks in the interim to assure POL about
the way in which they look after POL’s cash in their branch.
The subpostmaster contract requires them to look after our cash
and holds them accountable for its loss.
Is there any difference between horizon and hngx.
Mark has addressed this
When hngx froze during the early trials is there any evidence that
this caused misallocations?
Mark has addressed this
How do we treat discrepancies. Is there any exceptional circumstance
applied where we don't seek recovery of funds prosecution etc. I.E
are we heavy handed and disproportionate in our response.
We consider these to be dealt with fairly and I would suggest
there are two broad areas of them.
1. Branch discrepancies in the course of business.
Balancing issues may arise and there are formal processes for
branches to work with NBSC, P&BA and Contract Managers to
resolve these. P&BA has committed to turnaround times with the
Network to be fair to Subpostmasters and is adhering to these.
We make considered judgments in the event of unacceptable
arrears and there are many examples noted between us, Network,
NESP and Multiple Partners where we have taken a pragmatic and
sensitive view with the branch not to enforce a debt.
Our start point is definitely that the agent is contractually
obliged to make good to us, but we are sensitive and this was
endorsed in the NFSP Presidents comments at NFSP Conference
last year that P&BA and Service Delivery have the best tone of
voice and approach with subpostmasters. There was no hint of
heavy handedness.
Mervyn and his fellow ET have acknowledged several times that
we are even handed and they have willingly taken a hard line
with their members themselves on the back of our joint
relationship
2. Discrepancies leading to termination and prosecution
Again POL has a track record of applying contract terms but
being sensitive to the situation of the individual.
For better or worse there is actually a very live example right
now for the former agent of Wantage Post Office where POL has
waived what is an enforceable liability of over £50k on an
agent whose own employee was found guilty of theft.
We are always careful to identify individual circumstances and
to avoid setting precedents, but there is a track record of
balancing commerciality and compassion.
How many subs have we terminated on this basis in the last ten years
This is being summarised by Security
How many have we prosecuted. What is our success rate?
This is being summarised by Security
What external audit verifications have been made of horizon and hngx
There are limited tests on interfaces and on change control as
part of the audit, but no explicit statement as to the
integrity of Horizon. We have discussed the possibility of
such a dedicated review but it would be outside the statutory
audit and would be heavily caveated.
How difficult is it to rectify human errors to rebalance the till?
So long as there is a timely alert then it is not a problem.
But this can depend on:
- how effectively subpostmasters supervise their staff and do
checks
- how honest a subpostmaster is in declaring issues around
physical existence of cash and stock in the branch
- the effectiveness of conversations between branches, NBSC
and P&BA and the competence of the branch staff to run their
operation
What training does each user receive to use the system.
Mark has commented on this
There is a facebook group of protestors online. What are they saying
and what are we doing to ensure this does not harm the business?
The former Head of Change & IS had several meetings with MPs to
allay their fears about Horizon, but as noted above it is hard
to stop public speculation. This is the challenge we have to
tackle.
Suggest we need input from lynn keith woollard rod and leslie as a
minimum.
POL00424359
POL00424359
POL00424359
POL00424359
From: Mark Burley
Sent: 22 July 2010 11:55
To: Mike Young; Sue Huggins
Cc: Nick Beal; Philippa J Wright; Michele Graves; Mike Moores
Subject: RE: Urgent channel 4 horizon isssue
Mike / Sue
I have added some specific comments against the questions from David
Smith below and would also note the following:
1. The point about the system being designed to retain integrity
even when it fails is important as we could never claim, the
system does not fail.
2. I am aware of 3 court cases - Cleveleys (Subpostmistress
dismissed in 2001 - not long after Horizon introduced) (we
settled out of court £187.5k as the expert for the SPMR
produced a report which showed how Horizon could have caused
the error. This could have been refuted with the audit trail
but for some reason, this wasn’t used / requested by our
experts). Castleton where we presented a copy of the audit log
to the Subpostmasters solicitor who promptly agreed there was
no substance to the SPMR’s claim and advised him to settle the
debt. The solicitor was sacked by the Subpostmaster who
proceeded to court, lost the case and liability of £300k but
declared himself bankrupt. The judge decided there was “no
flaw” in the Horizon system and “the logic of the system is
correct” and “the conclusion is inescapable that the Horizon
system was working properly in all material aspects”. Alderley
edge - £45k shortage (at audit) but judge dismissed case as
unable to prove exact amount. However judge did not deem an
investigation of the system was necessary (primarily it would
appear as he deemed it would be costly and therefore not a good
use of taxpayers money).
3. None of the Subpostmasters dismissed for discrepancies have -
to my knowledge - produced any hard evidence. However in the
past POL hasn’t always tabled the evidence from the audit logs.
There are examples of human error discrepancies being
‘rectified’ several months / years later.
5. Computer Weekly ran an article in 2009 and another more
recently picking up on the Justice for Subpostmasters Alliance
(a group of Subpostmasters who are becoming more vocal about
their claims that horizon has caused faults)
6. S4C ran a programme on the issue in 2009 (although I have not
managed to see this)
There has been several flag cases over the years
8. There is a website - www.jfsa.org.uk - which has a lot of info
and some cases. I think it would be useful to examine the cases
and check up our position as we should be able to identify some
of the actual people involved from the history on the case
files.
POL00424359
POL00424359
9. I believe that the Group have a solicitor engaged who is
working on a no win no fee basis (however I cannot substantiate
this). I also believe there is an expert working with them who
has requested information under the ‘Freedom of Information
(FOI) Act’. Again, I do not have any specifics on this.
10. My view - 3 reasons for shortage - Subpostmaster has
hands in till; one of assistants has hands in till or (in most
cases of a discrepancy) there is a human accounting error -
some of which may be picked up over time.
Sorry there is a lot (especially with the extra bits below in red) -
hope it helps. Happy to get involved in any other aspect, e.g. to
help with point ‘8’ above.
Mark Burley
Head of Projects (IT)
Banner St Wing
148 Old St
London
ECIV 9HQ
Mike Young
: 22 July 2010 09:08
To: Mark Burley
Subject: FW: Urgent channel 4 horizon isssue
Mark
FYI
Mike
Mike Young
Chief Technology & Services Officer
148 Old St, London, EC1V_9HQ
Mob:
-Original Message-
From: David Y Smith
Sent: 21 July 2010 19:04
To: Mike Young; Sue Huggins; Mike Moores
Subject: Urgent channel 4 horizon isssue
All
Further to yesterdays complaint around horizon from oliver and a
parliamentary question to ed davey from priti patel on the same issue
we have today been notified tha c4 will run a news item on the same
issue. This may be all the same group of people and may also just be
a function of the new roll out. However.
Sue Huggins will lead our response via Mary to the specific request.
But I want an internal investigation under Mike Moores lead please
over the next week on the following.
How robust is horizon?
POL00424359
POL00424359
Horizon is very robust against our Business rules but like any
computer system it relies on accuracy of entry from the user although
where possible controls are put in place to remove / reduce the risk
of error. For example, if a transaction can only be sold in multiples
of £5, then the system will not allow an entry of say £6.
Additionally like any computer system, it can fail, e.g. in the event
of a power cut. However the system is designed to retain integrity
even when it fails. One of the key controls here is to allocate every
transaction with a unique incrementing sequence number.
Once data is captured, data is replicated across all counters in a
branch (a single counter position branch has two disc drives) and to
the Fujitsu Data centre where it is again copied. Horizon does this
once the ‘basket is settled’. The system uses standard double entry
book keeping, i.e. for every transaction, there is a corresponding
entry against a method of payment.
In the Data Centre, a copy of the data is posted to the Audit file
where it is retained for 7 years. Data in the audit file is sealed
with a ‘checksum’ which is held separately to ensure that it has not
been tampered with or corrupted.
Although the transactions are not committed until the ‘basket’ is
settled, special rules apply to any transactions in the basket which
have effectively already been committed such as banking and Automated
Payment transactions. Again these are designed to maintain integrity.
Is it possible to mispost misallocate cash to the detriment of the
Subpostmaster
It is possible to enter an incorrect value that ultimately results in
a discrepancy when the Subpostmaster completes their accounts. For
example, entering a bank deposit as £100 instead of £10 will result
in the Subpostmaster recording a £90 loss (all other things being
equal). As mentioned above, controls are put in place where possible
to reduce or remove the likelihood of this. In some cases, an error
like this will at some point be recovered but this depends on the
type of transaction and potentially the integrity of the customer,
i.e. with the banking deposit example, unless the customer declares
the error, there is little likelihood of it being discovered and the
Subpostmaster would be liable. An error of this type is no different
to bank systems.
In summary the system will post the transaction as indicated by the
Subpostmaster when manual input is required.
Where the transaction is fully automated, there is no evidence to
suggest it could ever be misallocated. In theory it is impossible
therefore (providing the Subpostmaster follows the instructions on
the screen)
Is there any difference between horizon and hngx.
There are some significant difference in where data is stored (HNGx
stores no data at the counters) but the principles around integrity
remain in place as does the audit log. Importantly, when a branch
migrates to HNGx it will have 2 audit logs - one for Horizon and a
separate one for Horizon.
When hngx froze during the early trials is there any evidence that
this caused misallocations?
POL00424359
POL00424359
There is no evidence this caused misallocations. However there is
some evidence that branches may have had discrepancies as a result of
not following the system prompts / instructions. Had they followed
the instructions accurately, no branch should have had a discrepancy
from a freeze. HNGx has been built as Horizon; namely to retain
integrity even in the event of failure.
How do we treat discrepancies. Is there any exceptional circumstance
applied where we don't seek recovery of funds prosecution etc. I.E
are we heavy handed and disproportionate in our response.
How many subs have we terminated on this basis in the last ten years
How many have we prosecuted. What is our success rate?
What external audit verifications have been made of horizon and hngx
There have been a number of reviews of both systems by Gartner and
other technology companies. I am not aware of one that explicitly
focussed on integrity. However in addition testing of both systems
has been extremely vigilant - over 25,000 separate and unique tests
(many of which were run more than once) run over 18 months using
approximately 8,000 mandays.
How difficult is it to rectify human errors to rebalance the till?
Ranges from very easy to not possible without external intervention.
What training does each user receive to use the system.
Originally users on Horizon received an extensive training course at
the end of which they had to take a test which until they passed they
would not be able to use the system (although almost impossible to
enforce).
For HNGx, the majority of transactions and back office functions have
not changed - the main changes are the User Interface and to a degree
the Postal Services (although users have deemed this easier). We
provide extensive pre go-live materials including web-site; training
manuals, etc and then supplement this with an in-branch migration
support on the day of and the day after migration. The Migration
support will take the Subpostmaster through key areas and address any
concerns. We have been measuring satisfaction with the training and
support provided for HNGx and the following summarises the results to
date (i.e. from start of pilot):
* 91% were happy they had the support needed during migration and
that the training enabled them to adequately prepare for HNG
There is a facebook group of protestors online. What are they saying
and what are we doing to ensure this does not harm the business?
Suggest we need input from lynn keith woollard rod and leslie as a
minimum.
Thanks
Dave