WBON0000282
From: Johann Appel
To: Lucy Bremner; Andrew Parsons
Cc: Mark Underwood
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial [WBDUK-AC.FID27032497]
Date: Fri, 2 Nov 2018 13:14:37 +0000
Importance: Normal
Inline-Images: image015.png; image016.png; image017.png; image018.png; image019.jpg;
image020.jpg; image021.jpg; image022.jpg; image023.jpg; image024.jpg; image025.png;
image026.png; image002.jpg
Hi Lucy,
Further to Angela’s message below, we were unable to locate the relevant documents prior to 2011 at Post
Office. We have requested RMG to search for the relevant documents in their archives and we are chasing
daily. When is the absolute final date by which you need an answer?
Best regards,
Johann
Johann Appel
Head of Internal Audit
Ground Floor
20 Finsbury Street
LONDON EC2Y 9AQ
From: Angela Van-Den-Bogerd
Sent: 30 October 2018 19:42
To: Lucy Bremner
Cc: Johann Appel; Rodric Williams; Mark Underwood
Subject: FW: URGENT PLEASE- Information needed for GLO Horizon issues Trial [WBDUK-AC.FID27032497]
WBD_000152.000001
Hi Lucy
Johann is now able to respond to the Credence points and will do so as a matter of urgency.
Having read the documents you attached, I question the appropriateness of not disclosing the attached 2012
documents, in particular the HNGX comments by E&Y. Cc’d to Rod for his view also.
Thanks,
Angela
Angela Van Den Bogerd
Business Improvement Director
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Swansea SA7 9FJ
Confidential Information:
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any
unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient please contact me by reply
email and destroy all copies of the original message.
From: Lucy Bremner
Sent: 29 October 2018 14:55
To: Angela Van-Den-Bogerd; Johann Appel; Mark Underwood; Andrew Parsons
Cc: Jonathan Gribben
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial [WBDUK-AC.FID27032497]
Angela, Johann,
Thanks for your email and apologies I missed your call earlier. We have the following documents (they have not been
disclosed as it stands):
1. 2012
- POL IT Management Letter Final Draft 12/06/12; and
- POL Control themes and observations document (unsigned and contains POL comments). I understand from looking at correspondence that the control observations report represents the overall document (and appears to have been used from 2012 onwards) that the E&Y finance team produced.
2. 2013
- POL IT Management Letter response 31/05/15; and
- POL Control themes and observations document (signed final version).
There is no specific mention of Credence in these documents and my understanding is that this is because of the 2011
current year update comments which state: "Application not in audit scope for FY11. Therefore, we are not able to
comment on whether management has fully addressed our comment as raised in the year prior".
Kind regards,
Lucy
Lucy Bremner
Associate
Womble Bond Dickinson (UK) LLP
Stay informed: sign up to our e-alerts
womblebonddickinson.com
From: Angela Van-Den-Bogerd
Sent: 29 October 2018 14:48
To: Johann Appel; Lucy Bremner; Mark Underwood; Andrew Parsons
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Thanks Johann
Mark — do we have anything in the Sparrow archives?
Andy — does this ring any bells?
Thanks,
Angela
Angela Van Den Bogerd
Business Improvement Director
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Swansea SA7 9FJ
From: Johann Appel
Sent: 29 October 2018 14:04
To: Angela Van-Den-Bogerd; Lucy Bremner
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Hi Angela,
Lisa and I are working through subsequent ARC and Board minutes, but the details are limited and Lisa has
not yet found the noting papers referred to. I have also asked Finance if they have a copy of the EY
management letter for 2012 as this may provide more information.
We have come across the following entry from the Board meeting of 12 Jan 2012. There are references to
two documents that might be helpful, a significant litigation report and an RMG internal audit report, both of which
appear to support the IT controls for Horizon. Lucy, are you aware of these documents?
POLB12/07 SIGNIFICANT LITIGATION REPORT - Noting Paper (POLB(12)13)
(a) Les Owen asked for assurance that there was no substance to the claims brought by subpostmasters which had featured in Private Eye.
Susan Crichton explained that the subpostmasters were challenging the integrity of the Horizon system. However the system had been audited by RMG Internal Audit with the reports reviewed by Deloittes. The audit report was very positive.
The Business has also won every criminal prosecution in which it has used evidence based on the Horizon system's integrity.
ACTION (Susan Crichton): Susan Crichton suggested that she clear the audit report with the external lawyers and if it is possible to give the report privileged status it would be circulated to the Board.
Best regards,
Johann
Johann Appel
Head of Internal Audit
Ground Floor
20 Finsbury Street
LONDON EC2Y 9AQ
From: Angela Van-Den-Bogerd
Sent: 29 October 2018 13:44
To: Johann Appel; Lucy Bremner
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Importance: High
Johann
Do we have the subsequent ARC minutes or updated actions so that we can see what became of the Chris
Day action?
Lucy - given that we provided the E&Y management letter for 2011 as part of our disclosure, did we also
provide the subsequent years' management letters? If so, what references to the findings in 2011 are made?
Thanks,
Angela
Angela Van Den Bogerd
Business Improvement Director
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Swansea SA7 9FJ
From: Johann Appel
Sent: 29 October 2018 12:40
Cc: Lisa Toye; Garry Hooton
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Hi Angela
Below is an extract from EY’s audit results report for FY2012, which was submitted to the May 2012 ARC
(thanks Lisa for tracking this down). It states that the IT control environment has improved, but that more
work is required.
We noted that the IT general control environment for POLSAP and HNGX has improved in
comparison with 2010-11. However we observed that some of the control improvements had not
been fully implemented or embedded at the time of the audit and that there were some
remediation efforts that were not completely aligned with our expectations. There were also some
findings from the previous audit which require further work to close.
Since the completion of the IT audit, we have discussed our control observations with POL
and Fujitsu management, and are currently finalising our management letter which will
provide details of our findings, observations and agreed management actions.
Unfortunately there is not much detail and it refers to a management letter that was still to be finalised.
Below is an extract from the ARC minutes. Other than asking Fujitsu to provide a SAS70 certificate, there
were no other actions to address the remaining IT issues.
(c) IT
It was recognised that the IT controls in the business had improved and that there had been a change in the governance and management of the Fujitsu contract. The auditors found that the IT systems were insufficiently effective to be fully relied upon for audit control purposes. However, through adopting mitigating procedures, Ernst & Young had been able to rely on the IT systems supporting the POL financial statements. It was noted that the POL and Ernst & Young IT teams were working closely on an agreed plan of further improvements in FY13.
It was recommended that the business insist that Fujitsu provide a SAS70/ISA402 certificate to provide a transparent audit of their controls.
ACTION: Chris Day
So we are still not clear on whether the control weaknesses in question were addressed. I suggest we ask
Finance if they have a copy of the final management letter for FY12 to see what exactly the remaining IT
control issues were. Failing this we could ask EY for a copy. Any thoughts?
Best regards,
Johann
Johann Appel
Head of Internal Audit
Ground Floor
20 Finsbury Street
LONDON EC2Y 9AQ
From: Angela Van-Den-Bogerd
Sent: 26 October 2018
To: Johann Appel; Garry Hooton
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Thanks both
Appreciate your help.
Have a great weekend.
Angela
Angela Van Den Bogerd
Business Improvement Director
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Swansea SA7 9FJ
From: Johann Appel
Sent: 26 October 2018 14:43
To: Angela Van-Den-Bogerd
Cc: Garry Hooton; Mark Underwood; Catherine Hamilton; Lucy Bremner
Subject: RE: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Angela,
As Garry has mentioned, this report precedes the existence of Post Office Internal Audit. In addition, we do
not routinely track actions raised by external audit.
I will contact CoSec to see if the ARC papers and minutes provide more information. I will also look at
subsequent EY reports to see if these findings were raised again in the following year.
Best regards,
Johann
Johann Appel
Head of Internal Audit
Ground Floor
20 Finsbury Street
LONDON EC2Y 9AQ
From: Angela Van-Den-Bogerd
Sent: 26 October 2018
To: Johann Appel; Lucy Bremner
Cc: Garry Hooton; Mark Underwood
Subject: URGENT PLEASE- Information needed for GLO Horizon issues Trial
Importance: High
Catherine, Johann,
As part of the Post Office litigation, WBD, our external lawyers, are drafting our witness statements with us in
response to allegations made by the other side. The one I need your help with is in respect of Jason Coyne,
the Claimants’ IT expert, who refers to an audit document produced by E&Y in 2011 (see attached) which
identified issues with the Credence application, namely weak change controls within the back end of the
systems allowing Logica developers (the third-party provider) to move their own uncontrolled changes into
the production environment. He goes on to say that "further documentation to approve fixes and patches
applied to Credence outside of the release process were lacking, therefore linking changes to issue tickets to
record the original request for the bug fix was not possible".
We need to understand whether these comments are correct and whether anything changed in light of the
report.
My expectation is that we as a business would have taken action as a result of these findings by E&Y and
would have documented what that action was. I understand from speaking with Garry that we didn’t have our
own POL internal audit function at the time as this was within the Royal Mail group structures.
Mark Hotson has already provided some information (email below) but that is about current practices rather
than in 2011 following the E&Y report.
Could I ask that you both consider the initial request from Lucy (first email in chain) and provide responses
from your respective areas that will help to provide an adequate response from us (POL) as part of the
evidence we provide to the Court.
As I’m sure you’ll understand this is urgent as we are on a court deadline to submit our witness statements
by 4pm on 13th November but we need to get our draft statements to our Counsel early next week. So could I
request that you give this your most urgent attention.
Any queries please come back to me in the first instance.
Thanks,
Angela
Angela Van Den Bogerd
Business Improvement Director
1st Floor, Ty Brwydran,
Atlantic Close, Llansamlet
Swansea SA7 9FJ
From: Mark Hotson
Sent: 25 October 2018 18:56
To: Angela Van-Den-Bogerd
Cc: Somita Yogi
Subject: Fwd: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Hi Angela,
Just picked your email exchange up with Lucy.
Please find enclosed the response that I provided her with earlier today.
Regards,
Mark
From: Mark Hotson
Sent: Thursday, October 25, 2018 11:17:24 AM
To: Lucy Bremner
Cc: Mark Underwood; Jonathan Gribben
Subject: RE: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Morning Lucy,
Further to the below, I have discussed the attached document, specifically items referenced “12”, “13” and
“14”, internally and provide the following updates. These responses are based on current knowledge as those
consulted were also not employed by POL at the time when the audit report was written:
Generally, since the report was written there has been:
1. A change to the IT Supplier (from: CMG Logica to: Accenture).
2. An upgrade to the application (from: Business Objects v3.1 to: v4.1).
3. A re-platform of the underlying database (from: a mix of CMG Logica locally-hosted (non-production) environment and a Fujitsu hosted (production) environment to: Microsoft Azure cloud hosting for non-production and production).
“12 - Credence (back end) change process”
- “Developers at Logica, the third party provider of application development and support for Credence, had access rights to the production environment and the database that would permit developers to move their own changes into the production environment.”
- “Documentation to approve fixes and patches that are applied to Credence outside of the release process does not always exist. We were advised by Logica personnel that for a sample of four changes selected evidence of approval to move into production did not exist and that it would not be possible to link the changes to problem tickets to record the original request for the fix / patch.”
All changes* are under the control of Accenture and are subject to a robust Change Management
process. *These changes include: fixes (planned and emergency), project changes and security changes.
Each change is subject to approval at the “CAB” (Change Approval Board).
Further to this, as the hosting is now Microsoft Azure, the implementation of patches and fixes is
subject to Microsoft security best practices.
“13 - Credence (front end) change process”
- “During our walkthrough of user administration of the front end of Credence we noted several users with administrator rights, including some generic users (this is noted below as a separate point). These users have the access rights to create and amend reports, including those which may be relied upon for audit evidence. These users can change report design, and processing without documented request, test or approval.”
- “When users have the rights to change reports that are used by the business for reconciliation, exception reporting or other processing, there is the risk that the reports are manipulated either intentionally or accidentally.”
Users with administrator rights now purely carry out administrator tasks only, i.e. no reports are created
or amended by users with such rights.
In addition, a Power App has been implemented which logs and controls requests for change (new and
existing reports) carried out by POL personnel. Similarly, requests for changes/new reports that are
assigned to Atos information Services are logged and controlled via the Atos Service Catalogue.
“14 - Credence (front end) configuration”
“We noted several control weaknesses in Credence front end user administration and security configuration:
1. The password configuration is not aligned with network settings or those settings required by Post Office. We noted:
a. there is no minimum password length
b. password complexity rules are not applied
c. users are not required to change their password
d. password history is not retained
e. idle session time-outs are not in place”
The below screenshot provides the current (as at 25/10/2018) Business Objects Central Management Console
enterprise settings relating to passwords — this addresses the above:
[Screenshot: Business Objects Central Management Console, Enterprise settings, as at 25/10/2018]
Password Restrictions: Enforce mixed-case passwords; Enforce numeral in passwords; Enforce special character in passwords; Must contain at least N characters where N is: 6
User Restrictions: Must change password every N day(s): 30; The system cannot reuse the N most recent password(s): 3; Must wait N minute(s) to change password
Logon Restrictions: Disable account after N failed attempts to log on: 10; Reset failed logon count after N minute(s); Re-enable account after N minute(s)
Synchronize Data Source Credentials with Log On: Enable and update user's Data Source Credentials at logon time
Trusted Authentication: Trusted Authentication is enabled; Shared Secret Validity Period (days); Trusted logon request timeout after N millisecond(s) (0 means no limit)
- “There are three generic administrator accounts without specific users assigned to these accounts. One of the three accounts has not been used since April 2009.”
Only 1 full Administrator account remains which is used for administrative activities only by the POL Credence Administrator.
- “The process for requesting and granting user access rights to Credence does not maintain documentation to record evidence of request or approval of access rights.”
This activity is now governed and controlled by the IT Service Desk. Service tickets are used to log and control requests.
- “There is no process in place for the revocation of user access rights when a user separates from the organisation or moves to a new role no longer requiring access rights to Credence.”
Housekeeping is actively performed on a regular basis and redundant user accounts are terminated accordingly.
With regards,
Mark

Mark Hotson
Senior Data & Process Specialist
Data Centre of Excellence
Future Walk, West Bars, CHESTERFIELD, Derbyshire, S49 1PF
Winner of the Global Postal Award for Customer Experience
Annual Leave Advanced Notification: 24th December 18 to 11th January 19
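Finding 1 above turns on two separate questions: whether a control exists at all, and whether it is aligned with the settings the organisation requires. The following added Python example (not code from the page, Post Office, E&Y or the product vendor) scores a CMC-style password configuration against findings (a) to (e) on both counts. The 2011 state, the "required" baseline and the checkbox states that are not legible in the screenshot are constructed assumptions.

```python
"""Score a Credence / Business Objects CMC password configuration against the
five E&Y 2011 findings (a)-(e).  Added example, not Post Office, E&Y or SAP code.
Field names mirror the CMC panel labels; numeric values of the 2018 sample are
those legible in the 25/10/2018 screenshot, everything else is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CmcPasswordPolicy:
    min_length: Optional[int]        # "Must contain at least N characters"
    mixed_case: bool                 # "Enforce mixed-case passwords"
    numeral: bool                    # "Enforce numeral in passwords"
    special_char: bool               # "Enforce special character in passwords"
    max_age_days: Optional[int]      # "Must change password every N day(s)"
    history_depth: Optional[int]     # "cannot reuse the N most recent passwords"
    idle_timeout_min: Optional[int]  # idle session time-out (not on the password panel)


# Finding letters from the 2011 report, quoted from the e-mail above.
FINDINGS = {
    "a": "no minimum password length",
    "b": "password complexity rules are not applied",
    "c": "users are not required to change their password",
    "d": "password history is not retained",
    "e": "idle session time-outs are not in place",
}


def control_present(p: CmcPasswordPolicy) -> dict:
    """Finding -> True if *some* control now exists for it (the 2018 argument)."""
    return {
        "a": bool(p.min_length),
        "b": p.mixed_case or p.numeral or p.special_char,
        "c": bool(p.max_age_days),
        "d": bool(p.history_depth),
        "e": bool(p.idle_timeout_min),
    }


def meets_baseline(p: CmcPasswordPolicy, required: CmcPasswordPolicy) -> dict:
    """Finding -> True if the setting also meets the organisation's required value.
    The finding said 'not aligned with network settings', so presence alone is not enough."""
    return {
        "a": (p.min_length or 0) >= required.min_length,
        "b": (p.mixed_case or not required.mixed_case)
             and (p.numeral or not required.numeral)
             and (p.special_char or not required.special_char),
        "c": p.max_age_days is not None and p.max_age_days <= required.max_age_days,
        "d": (p.history_depth or 0) >= required.history_depth,
        "e": p.idle_timeout_min is not None and p.idle_timeout_min <= required.idle_timeout_min,
    }


def open_findings(p: CmcPasswordPolicy, required: CmcPasswordPolicy) -> list:
    """Letters of findings still open: control absent, or present but below baseline."""
    present, ok = control_present(p), meets_baseline(p, required)
    return sorted(k for k in FINDINGS if not (present[k] and ok[k]))


# Constructed 2011-style state: every control the report listed as missing.
POLICY_2011 = CmcPasswordPolicy(None, False, False, False, None, None, None)
# 2018 sample: 6 chars, 30-day expiry, 3-deep history are legible in the screenshot;
# complexity checkbox states and the idle time-out are not, so treated as not set.
POLICY_2018 = CmcPasswordPolicy(6, False, False, False, 30, 3, None)
# Hypothetical "required by Post Office" baseline (assumption, not from the page).
REQUIRED = CmcPasswordPolicy(8, True, True, False, 90, 5, 15)

if __name__ == "__main__":
    for label, pol in (("2011", POLICY_2011), ("2018", POLICY_2018)):
        print(label, "still open:", open_findings(pol, REQUIRED))
```

Swap in the organisation's actual required settings for REQUIRED to turn the screenshot into an evidenced answer to finding 1 rather than a list of panel values.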
From: Mark Hotson
Sent: 24 October 2018
To: Lucy Bremner
Cc: Mark Underwood; Jonathan Gribben
Subject: RE: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Whilst I am more than willing to try and help I wasn’t working in POL in 2011!
I'll come back to you in the morning after I’ve had some conversations internally.
Regards,
Mark
Mark Hotson
Senior Data & Process Specialist
Data Centre of Excellence
Future Walk, West Bars, CHESTERFIELD, Derbyshire, S49 1PF
2017 Winner of the Global Postal Award for Customer Experience
Annual Leave Advanced Notification: 24th December 18 to 11th January 19
From: Lucy Bremner
Sent: 24 October 2018
To: Mark Hotson
Cc: Jonathan Gribben
Subject: Horizon issues - witness evidence [WBDUK-AC.FID27032497]
Dear Mark,
As part of the Post Office litigation we are drafting witness statements in response to allegations made by the other
side. I have been in contact with Paul Smith, who has pointed me in your direction in relation to one of the issues we
need to respond to.
Jason Coyne, the Claimants’ IT expert, refers to an audit document produced by E&Y in 2011 (see attached) which
identified issues with the Credence application, namely weak change controls within the back end of the systems
allowing Logica developers (the third-party provider) to move their own uncontrolled changes into the production
environment. He goes on to say that "further documentation to approve fixes and patches applied to Credence outside
of the release process were lacking, therefore linking changes to issue tickets to record the original request for the bug
fix was not possible".
We need to understand whether these comments are correct and whether anything changed in light of the report.
As we need this information urgently, can you let me know if you are the right person to answer this and if so, can we
set up a call for later today/tomorrow morning to discuss?
Kind regards,
Lucy
Lucy Bremner
Associate
Womble Bond Dickinson (UK) LLP
Stay informed: sign up to our e-alerts
womblebonddickinson.com
This email and any attachments are confidential and intended for the addressee only. If you are not the
named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this
communication. If you have received this in error, please contact the sender by reply email and then delete
this email from your system. Any views or opinions expressed within this email are solely those of the
sender, unless otherwise specifically stated.
POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury
Dials, 20 Finsbury Street, London EC2Y 9AQ.
"Post Office Limited is committed to protecting your privacy. Information about how we do this can be
found on our website at www.postoffice.co.uk/privacy"