WBON0000458 - Email from Mark Westbrook to Andrew Parsons, Lewis Keating and others re: Horizon questions.

WBON0000458

From: "Westbrook, Mark (UK - Manchester)"
To: "Parsons, Andrew", "Keating, Lewis (UK - Leeds)" GRO, "Gribben, Jonathan", "Prime, Amy" GRO
Subject: RE: Horizon questions [BD-4A.FID26859284]
Date: Fri, 29 Jul 2016 08:06:07 +0000
Importance: Normal

Inline-Images: image001.jpg; image002.jpg; image003.jpg

Absolutely fine with this.
I don’t know if you could strengthen your position further in relation to 1.3.4 with wording to the effect of ‘....such
database access being a necessary requirement of IT administration and support of any IT system’. Or similar — to
(correctly) normalise it.

Mark

From: Parsons, Andrew
Sent: 28 #
; Keating, Lewis (UK - Leeds)
Cc: Mark Underwood1; Gribben, Jonathan; Prime, Amy
Subject: RE: Horizon questions [BD-4A.FID26859284]

Thanks Mark.

We've slightly tweaked the "Remote Access" wording in our Letter to Freeths in relation to the Super Users point. New
wording below. Are you happy with this?

1.3 The majority of transactions that make up the branch accounts are generated in branch. There are
however four ways in which Post Office (or Fujitsu on Post Office's instruction) can influence those accounts:

[...]

1.3.4 Administer access to databases. Database and server access and edit permission is provided, within strict
controls (including logging user access), to a small, controlled number of specialist Fujitsu (not Post Office)
administrators. As far as we are currently aware, privileged administrator access has not been used to alter
branch transaction data. We are seeking further assurance from Fujitsu on this point.

Andrew Parsons
Partner

WBD_000328.000001

www.bonddickinson.com

From: Westbrook, Mark (UK - Manchester) GRO
Sent: 27 July 2016 18:10
To: Parsons, Andrew; Keating, Lewis (UK - Leeds)
Cc: Mark Underwood1; Gribben, Jonathan
Subject: RE: Horizon questions [BD-4A.FID26859284]

Hello all,

Please find attached the revised version of the report which I have now been authorised to release. Apologies for
the small delay, but one of your requests prompted some fairly in-depth conversations required on our side.

Hopefully the new code name is acceptable (!).
Many thanks,

Mark

From: Parsons, Andrew GRO
Sent: 25 July 2016 13:33
To: Westbrook, Mark (UK - Manchester); Keating, Lewis (UK - Leeds)
Cc: Mark Underwood1 GRO; Gribben, Jonathan GRO
Subject: RE: Horizon questions [BD-4A.FID26859284]

Mark, Lewis

Further to below, would you be able to supply an updated version of your Interim Report having made the small
amendments in the email below. We are holding off circulating the report inside POL until these points are tidied up
so it would be good to get these sorted sooner rather than later.

Thanks
Andy

Andrew Parsons
Partner

www.bonddickinson.com

IMPORTANT NOTICE

This communication is from Deloitte LLP, a limited liability partnership registered in England and Wales with registered number OC303675. Its registered office is 2, New
Street Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company
limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal
structure of DTTL and its member firms.

This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended
recipient(s), please (1) notify it.security by forwarding this email and delete all copies from your system and (2) note that disclosure, distribution, copying
or use of this communication is strictly prohibited. Email communications cannot be guaranteed to be secure or free from error or viruses. All emails sent to or from a
Deloitte UK email account are securely archived and stored by an external supplier within the European Union.

To the extent permitted by law, Deloitte LLP does not accept any liability for use of or reliance on the contents of this email by any person save by the intended recipient(s)
to the extent agreed in a Deloitte LLP engagement contract.

Opinions, conclusions and other information in this email which have not been delivered by way of the business of Deloitte LLP are neither given nor endorsed by it.

From: Parsons, Andrew
Sent: 19 July 2016 15:45
To: Westbrook, Mark (UK - Manchester); Ikeating..
Cc: Mark Underwood1 GRO; Gribben, Jonathan
Subject: Horizon questions [BD-4A.FID26859284]

Mark, Lewis

As promised, please find attached our questions on the Interim Report. We've not yet addressed Scope Area 8 as this
is not pressing at the moment — we'll come back to you separately on this.

Please could you review and confirm which questions are inside and outside your current scope of work. We can then
discuss whether / how to progress any of out of scope work.

We'd also be grateful if you could make the changes below and re-circulate the Interim Report. These are hopefully
non-controversial stylistic points.

* Generally — can we re-number the Scope Areas as 1, 2, 3 and 4 so that we break any connection to the QC
  report?
* Page 5 & the Report Generally — can we remove the term ‘Sparrow’ and reference to it as a ‘code name’.
* Page 6 - table refers to QC — Please remove
* Page 7 — i) — could we use an alternative word to “embellish” - perhaps “advance” or “enhance”?
* Page 7 — under “Phase 1” — could we ask that Deloitte qualify that paragraph as the procedures to be
  performed in relation to Scope area 8 are TBC.
* Page 8 — bottom of the page — could “risks” be changed to “Potential Risks” (in the title & subsequent
  paragraph). We're trying to avoid soundbites from being created, should the report ever make its way outside
  of POL.
* Page 9 — above table refers to QC. Please remove
* Page 9 — change “key to risks” to “key to potential risks”
* Page 9 — Could we change the wording for each potential risk to the following:
  - R1. If Horizon does not process transactions correctly and these are not identified and resolved, these
    could lead to sub postmaster financial loss
  - R2. If inappropriate transactions can be created centrally.
  - R3. If data flow to the audit store is not complete, accurate or valid, the conclusions ...
  - R4. If once data is in the audit store...
  - R5. If suspense accounts are mismanaged...
* Page 9 — penultimate paragraph — could we please qualify “risks” with “Potential”
* Page 15 — First column title of the table references “QC” — please remove
* Page 21 — First column title of the table references “QC” — please remove
* Page 27 — First column title of the table references “QC” — please remove
* Page 35 — First column title of the table references “QC” — please remove

Kind regards
Andy

Andrew Parsons
Partner

Direct: GRO

Mobile:

Please consider the environment! Do you need to print this email?

The information in this e-mail and any attachments is confidential and may be legally privileged and protected by law. markwestbrook GRO only is authorised to
access this e-mail and any attachments. If you are not markwestbrook GRO, please notify andrew.parsons GRO as soon as possible and delete any
copies. Unauthorised use, dissemination, distribution, publication or copying of this communication or attachments is prohibited and may be unlawful.

es attached to this e-mail will have been checked by us with virus detection software before transmission. Bond Dickinson LLP accepts no liability for any loss or
which may be caused by software viruses and you should carry out your own virus checks before opening any attachment.

Content of this email which does not relate to the official business of Bond Dickinson LLP, is neither given nor endorsed by it.
This email is sent by Bond Dickinson LLP which is a limited liability partnership registered in England and Wales under number OC317661. Our registered office is 4 More
London Riverside, London, SE1 2AU, where a list of members’ names is open to inspection. We use the term partner to refer to a member of the LLP, or an employee or
consultant who is of equivalent standing. Our VAT registration number is GB123393627.

Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority
