RMG00000083
ROYAL MAIL GROUP EXECUTIVE SUMMARY
Audit and Risk Committee
Date of ARC: 8th December 2011
Subject: UPDATE ON POST OFFICE LIMITED HORIZON CONTROLS
AND RELATIONSHIP WITH FUJITSU
Author/Sponsor: Chris Day
Contributors / Presenters: Chris Day with Lesley Sewell and Rod Ismay
For: Noting (Decision / Guidance / Noting)
REFERENCE PREVIOUS ACTION POINT:
BACKGROUND AND CONTENT:
This paper sets out the controls that operate around the Post Office Limited (POL)
Horizon system, the relationship with Fujitsu and why POL is able to rely on these
controls in the light of:
a. IT control issues identified at last year’s audit; and
b. (as an unrelated matter) challenges by former subpostmasters against
the integrity of the Horizon platform
RECOMMENDATION (if decision required)
No decision required
Additional presentation: YES/NO
Royal Mail - Strictly Confidential
PLEASE DO NOT CIRCULATE FURTHER
ARC(11)54b
Royal Mail Holdings plc - Audit and Risk Committee
UPDATE ON POST OFFICE LIMITED HORIZON CONTROLS
AND RELATIONSHIP WITH FUJITSU
Purpose of paper
1. This paper sets out the controls that operate around the Post Office Limited
(POL) Horizon system, the relationship with Fujitsu and why POL is able to rely
on these controls in the light of:
a. IT control issues identified at last year’s audit; and
b. (as an unrelated matter) challenges by former subpostmasters against the
integrity of the Horizon platform.
Background
2. IT controls and SAS70 assurance
a. Unlike other RMG IT suppliers, Fujitsu does not have a SAS70 or equivalent
report on its controls, and the consequence of this is that Ernst & Young (EY)
needs to do full testing of all systems which are integral to the financial results
as part of the RMG annual audit process. A number of IT control issues were
identified during the 2010-11 year end audit, which were largely centred on
Fujitsu. Overall EY was satisfied that the control systems were reliable, but
they made certain recommendations in the management letter following the
audit for improvements which have been implemented. The IT control issues
identified during the audit did not relate to the integrity of accounting data in
the system. Rather, EY made recommendations about the documentation
and authorisation of changes to systems and about opportunities for
streamlined assurance.
3. Horizon challenges
a. POL has, over the years, had to dismiss and prosecute a number of
subpostmasters and Crown staff, and/or taken debt recovery action, following
financial losses in branches. A small number of these have defended the
claims on the basis that they were not guilty of the charges made but that
Horizon was faulty. In addition a small number of claims have recently been
intimated by former subpostmasters, seeking compensation for wrongful
termination of their contracts, on the basis that the losses giving rise to the
termination of their contracts were the product of flaws in Horizon.
Historic relationship with Fujitsu
4. Fujitsu Services provides a fully managed service to support the Horizon Online
system. This includes: help desk, support for the hardware installed in branch,
support for the branch network, hosting the application and support and
development for the Horizon Online application. Horizon Online is the application
that supports branch operations. It combines point of sale, mails, banking and
front office of government functions. POL also has Supply Chain, Finance and
Accounting and MI hosted in the Fujitsu Data Centres.
5. The initial Horizon 1994 contract was let as a Private Finance Initiative with the
then DSS Benefits Agency. The first pilot branches went live in 1996 and full roll
out was completed in 1999. The DWP withdrew from the contract, and there were
a number of significant changes made to the contract and service, such as
implementing Network Banking in 2004/5.
6. In 2006 the contract was renegotiated again to significantly reduce the cost of the
service. This required migration from the original Horizon to Horizon Online,
which was functionally equivalent, but with new systems architecture. This took
£50m pa from costs and provided a strategic platform for the future. Horizon
Online was implemented in 2010.
7. The original Horizon contract cost £150m pa; over the duration of the relationship
with Fujitsu this has been reduced to an operational cost with Fujitsu of £55m pa,
which includes significantly increased scope. The contract has a provision for
periodic independent benchmarking of the contract and charges. Such an
exercise is in progress, with Gartner providing independent benchmark measures
against a number of comparable organisations. This covers Applications Support
Services, Branch Network Service, Service Desk and Data Centre. So far only
the Data Centre exercise is complete. The finding of this is that the cost to POL
of this service is 9.3% below market average.
Horizon system — process and controls
8. Assurance about the accounting control environment may be taken in terms of
the system, processes, training and support. This framework enables individual
post offices to record and supervise their transactions and balances locally. It
also enables oversight and intervention from central finance processing teams.
9. The accounting data flows and controls at each stage are summarised in the
diagram and table below.
[Diagram: customer service recorded direct in Horizon, together with summaries
from other branch technology (PayStation, ATM, Lottery, Post & Go), flows through
Horizon to POLSAP, the ESFS Group G/L systems and, as transaction files via the
Integrator, to clients; Transaction Corrections are returned to Horizon.]
Key control points
Access to Horizon | Customer transactions | Control routines in branch | Central finance controls | Intervention processes
User creation | Card driven | Trial balances | Data matching | Cash supply
Secure IDs | Barcodes | Cash counts | Reconciliations | Helpline calls
Passwords | System pricing | Batch cut offs | Range checks | Trainers
Physical access | Screen prompts | Period ends | Trend analysis | Surprise audit
Further branch-level control points in the table: Tagged txns, Sequential refs,
Read only file, Receipting. Further intervention processes: Investigations,
Suspension, Appeals.
10. At the branch level, the key controls centre on:
a. System access and audit trails of user activity;
b. Automation to minimise manual entries when recording transactions;
c. Training given to staff and help available from guides and helplines;
d. Cash balancing routines, end of day routines and supervisory checks;
e. Double entry system aligning cash and stock with payment flows.
11. At the central oversight level the key controls include:
a. Branch cashflow targetry and variances against reported levels;
b. Range checks and trends in client creditors, cash and stock;
c. Reconciliation and matching of client data against Horizon data.
12. Horizon, and its users, are supported by robustly planned training material,
helpline contact centres, operational instruction manuals, induction training and,
critically, the ability to "call for help" if a branch is unsure about its situation. POL
has a demonstrable record of supportive interventions to help branches that
have positively appealed for help upon identifying an issue with how they
recorded transactions or with the existence of the expected amounts of cash.
13. Horizon is a double entry based accounting system which is supported by
training and helplines to enable colleagues in branches to maintain complete,
accurate and timely accounting records. There are well communicated
processes for recording transactions directly in Horizon and for updating it with
summaries of transactions performed in other customer facing technology in
branches such as ATMs. Branches are able to run trial balances at any time and
are required to do daily routines which enable them to detect keying errors locally
and which enable central accounting support teams to detect issues and
intervene.
14. Central teams in Finance and in Supply Chain monitor levels, trends and
variances of sensitive balances such as cash and cheques and can initiate
intervention ranging from advice and training through to audit, security visits and
staff suspensions.
15. The nature of the online business and clients' requirements for daily transaction
reports mean that there are multiple data streams originating from post office
branches. These also are monitored by central teams and provide batch and
variance controls to prevent and detect issues in branch. Transaction corrections
are sent to branches where a keying error arises which the branch cannot correct
itself. These can also have the effect of "invoicing" branches when there
are cash shortages which are not considered fraudulent.
16. There is also a constant feedback loop, such that issues identified by front line
users and back office support teams can be fed into updated training and helpline
support.
17. The Horizon system is a secure application with demonstrable integrity. In the old
Horizon system this was achieved by:
a. Keeping copies of all transactions in multiple locations, both in the branch and
the data centre.
b. Every transaction has a unique sequential number and a 'checksum' value,
which protects against any missing transactions, data corruption or tampering.
c. Double entry accounting is applied to all financial transactions, recording sales
against methods of payment.
d. The integrity of transaction accounting is ensured by checking that all file
updates have completed successfully before a message that the transaction is
complete is presented to the counter clerk. If any update fails, an error
message is issued to the counter clerk and logged, and all of the transaction
is backed out.
e. An audit trail of all transactions is kept for seven years in a tamper proof
database.
f. A control log of records written to and deleted from the audit trail is maintained.
18. Horizon Online uses the same techniques, other than that no electronic business
data is stored in the branch; it is all stored in the Data Centre.
As a result of the process and controls in place, POL is fully confident in the
Horizon computer system operating in its branches. This accounting system, and
the processes around it, enable our branches to maintain accurate and reliable
accounts.
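The integrity techniques listed in paragraph 17 (a unique sequential number and check value on every transaction, double entry of sales against methods of payment, and all-or-nothing completion with back-out of a failed transaction) are illustrated in the added Python example below. It is not Horizon code or Fujitsu's design; the account names, the demo key and the transactions are constructed for illustration. One practitioner's caveat the paragraph does not draw out: a plain checksum detects accidental corruption and missing records, but anyone who can write to the file can recompute it, so tamper evidence needs a keyed value (or one anchored in a system the writer cannot reach). The example therefore chains an HMAC from each record to the previous one, which also makes removal and reordering detectable.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real system would keep this in the data
# centre or an HSM, never in source.
SECRET_KEY = b"demo-key-not-a-real-horizon-key"
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the digest does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chained_mac(record: dict, prev_mac: str) -> str:
    """Keyed check value chained to the previous record. An unkeyed checksum
    would catch accidental corruption, but anyone able to edit the file could
    recompute it; the key and the chain are what make edits, removals and
    reordering evident to a verifier holding the key."""
    return hmac.new(SECRET_KEY, prev_mac.encode() + canonical(record),
                    hashlib.sha256).hexdigest()


class Ledger:
    """Double-entry ledger with sequential numbering, chained check values and
    all-or-nothing posting (constructed example, not Horizon's design)."""

    def __init__(self):
        self.entries = []    # committed records: {"seq", "lines", "mac"}
        self.balances = {}   # account -> balance in pence

    def _post(self, account: str, amount: int) -> None:
        new = self.balances.get(account, 0) + amount
        if account.startswith("stock:") and new < 0:
            # Simulates a failed file update (e.g. stock going negative).
            raise RuntimeError(f"update failed: {account} would go negative")
        self.balances[account] = new

    def append(self, lines) -> int:
        """Post one transaction. `lines` is a list of (account, pence), debits
        positive and credits negative, and must sum to zero (sale recorded
        against method of payment). All updates are applied before the
        transaction is acknowledged; if any update fails, every update of the
        transaction is backed out and no record is written."""
        lines = [(account, int(pence)) for account, pence in lines]
        if sum(pence for _, pence in lines) != 0:
            raise ValueError("unbalanced entry: debits must equal credits")
        snapshot = dict(self.balances)
        try:
            for account, pence in lines:
                self._post(account, pence)
        except Exception:
            self.balances = snapshot      # back out the whole transaction
            raise
        seq = len(self.entries) + 1
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": seq, "lines": lines}
        record["mac"] = chained_mac(record, prev)
        self.entries.append(record)
        return seq


def verify_log(entries) -> list:
    """Walk a transaction log and report gaps, corruption, edits or reordering."""
    problems = []
    prev, expected = GENESIS, 1
    for rec in entries:
        if rec["seq"] != expected:
            problems.append(f"gap: expected seq {expected}, found {rec['seq']}")
            expected = rec["seq"]
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(chained_mac(body, prev), rec["mac"]):
            problems.append(f"seq {rec['seq']}: check value mismatch "
                            "(corrupted, edited or out of order)")
        prev = rec["mac"]
        expected += 1
    return problems


def demo() -> dict:
    """Constructed transactions: a stamp remittance, two sales, a failed sale,
    then tampering with and removal of a committed record."""
    ledger = Ledger()
    ledger.append([("stock:stamps", 10000), ("creditor:remittance", -10000)])
    ledger.append([("cash", 500), ("stock:stamps", -500)])      # £5 stamps, cash
    ledger.append([("card", 1200), ("stock:stamps", -1200)])    # £12 stamps, card
    try:  # more stock than is held: cash is posted first, then backed out
        ledger.append([("cash", 99999), ("stock:stamps", -99999)])
    except RuntimeError:
        pass
    results = {"count": len(ledger.entries),
               "balances": dict(ledger.balances),
               "clean": verify_log(ledger.entries)}
    tampered = [dict(r) for r in ledger.entries]
    tampered[1]["lines"] = [("cash", 5000), ("stock:stamps", -5000)]  # edit seq 2
    results["tamper_detected"] = verify_log(tampered)
    results["gap_detected"] = verify_log(ledger.entries[:1] + ledger.entries[2:])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block posts three balanced transactions, shows the fourth (over-selling stock) leaving balances exactly as they were, and then has `verify_log` flag the edited record and, for the log with a record removed, both the sequence gap and the broken chain at the next record.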
IT audit of Horizon system
19. Horizon is audited annually by EY as part of the financial year end audit of Royal
Mail Group, including POL. The audit work leading up to the 2010-11 audit,
which related to Horizon Online, identified certain weaknesses relating to the IT
control environment. However, after additional control testing, EY confirmed that
they were able to place reliance on the existing systems controls. Nevertheless,
they suggested certain improvements which could be made, mainly relating to
access. There were ten key findings, four high, three medium, and three low
priorities, all of which Fujitsu and POL have addressed.
20. Next year's EY audit will commence towards the end of January 2012, although a
number of preliminary meetings have already been held to plan and scope the
audit. The target date for the delivery of the final audit report is end March 2012.
21. Fujitsu Services have committed to covering the cost to implement a SAS70
approach for POL for 2012-13, with EY carrying out this work, so we expect a
reduction in audit costs for 2012-13. The activities completed during the 2011-12
audit will provide the foundations for a SAS70. EY has ratified the approach we
have taken for this year's audit and the planning is underway for the 2012-13
audits.
22. It should also be possible to extend the scope of the SAS70 to cover the other
audits that are carried out (e.g. PCI, VocaLink, ISO 27001 etc.), similarly reducing
the effort and cost required to support these audits.
Former sub-postmasters — challenges to Horizon
23. POL has, over the years, had to dismiss and prosecute a number of sub-
postmasters and Crown staff, following financial losses in branches. A small
number of these have defended the prosecution on the basis that they were not
guilty of the charges made but that Horizon was faulty. Some former
subpostmasters have defended civil debt recovery action by POL on the same
basis.
24. Various lobby groups have been set up by former sub-postmasters and these
have at times received national media coverage and in some cases been taken
up by local MPs. Most recently, BBC East Anglia has run a news article about
this area and has subsequently advised RMG Press Office that a programme is
being considered for national broadcast. The regional programme interviewed
some former subpostmasters whose contracts POL had terminated and who
were critical of Horizon. They also interviewed a serving subpostmaster in the
journalist's village. He was adamant he did not have problems with Horizon.
25. The allegations to which POL is responding follow on from cases where
thousands of pounds were missing at audit. Due to the controls set out above,
POL does not believe the account balances against which the audits were
conducted were corrupt.
26. There are 4 broad strands of challenge. They are being dealt with as follows:
a. Prosecutions and civil debt recovery actions by POL where the defence claim
Horizon is flawed — these have consistently been won on the facts of the
Horizon transaction logs. Judges have spoken supportively of Horizon.
b. Threatened civil claims for damages against POL by several former sub-
postmasters including individuals who have pleaded guilty to false accounting
— but a year on, only 4 letters of claim have been received — of those, one is
now time barred and two are rebutted as the claimants previously pleaded
guilty in criminal prosecutions. POL will vigorously defend the final one if it
proceeds.
c. Freedom of Information Act requests, written parliamentary questions and
Flag Cases — POL has responded consistently and positively, including some
meetings with MPs. Nevertheless, certain former sub-postmasters find new
routes for the same allegations.
d. Media (Private Eye, The Grocer and regional TV) — whilst robust and
successful in court, POL has to date adopted a firm but low key response to
the media. Where detailed responses have been made, the media have lifted
soundbites whilst giving lengthy interviews to those making the allegations.
Media interest reflects “the popular underdog versus the public sector IT
system”.
Summary
27. The Audit and Risk Committee is asked to:
a. Note the contents of this paper.
Chris Day
December 2011