WITN10370171
WITN10370171
=
De lo itte e STRICTLY PRIVATE AND CONFIDENTIAL
Horizon: Desktop Review of Assurance
Sources and Key Control. I Reatyres
This report and the work connected therewith are subject to the Terms and Conditions of the engagement etter dated 09
April 2014 between Post Office Limited and Deloitte LP. The report is produced for the General Counsel of Post Office Ltd,
solely for the use of Post Office Limited for the purpose of assessing assurance sources and the design of certain controls
relating to the Horizon system. Its contents should not be quoted or referred to in whole or in part without our prior written
consent, except as required by law. Deloitte LLP will accept no responsibility to any third party, as the report has not been
prepared, and is not intended for any other purpose.
DRAFT: Version 10
SUBJECT TO LEGAL PRIVILEGE
Contents
1 Executive Summary
2 Introduction
3. Approach
4 Understanding the Horizon Processing Environment
5 Assessment of Assurance Sources
6 Matters for Consideration IN/
Appendix 1: IT Provision Assurance Source Mapping ahd Gap’Analysis
Appendix 2: Assurance Schedule over Horizon Features.
Appendix 3: Inventory of Documentation Reviewed
>
Appendix 4: Engagement Letter ~~. : /
<f ~ y
Appendix 5: Change Order 01 OL)
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
17
23
27
33
36
50
55
66
WITN10370171
WITN10370171
1 Executive Summary
Context
As outlined to us by the Post Office Limited (“POL”) litigation team, “ POL is responding to allegations from Sub-
postmasters that the “Horizon” IT system used to record transactions in POL branches is defective ancthat the
processes associated with it are inadequate (e.g. that it may be the source and/or cause of branch losses). POL is
committed to ensuring and demonstrating that the current Horizon system is robust and operates with integrity,
within an appropriate control framework. *
POL is confident that Horizon and its associated control activities deliver a robust procéssing environment through
three mechanisms: POL have designed features directly into Horizon to exert control; POL operates IT
management over Horizon; and POL have implemented controls into and around the businessprocesses making
use of Horizon. Collectively these three approaches of inherent systems de ign, angoing’systems management
and business process control are designed to deliver a Horizon processing enyifonment which operates with
integrity. /
Since its implementation in branches, POL has commssioned of has fecéived’a number of pieces of work relating
to the Horizon processing environment, to provide comfort over its integrity This work, referred to in our report as
the “Assurance Work”, provides documented assertions relating to aspects of.the design and operation cf the
Horizon processing environment. The Assurance Work includes. IT projact doctments; operational policies and
procedures; internal and external investigations and eviews: independent Audits; and emails confirming otherwise
verbal assertions. \ /
Deloitte has been appointed to: J \ /
. onsider whether this Assurgnte Work appropriately covers key risks relating to the integrity of the
processing environment, / oo
* 0 extract from the Assurance Work an initial scHedule of the Horizon Features’,
* — orraise suggestions for potential improvements in the assurance provision.
/
/ Nee
" “Horizon Features is a term we have introduc é¢ to represent those features of the Horizon pro cessing environment, including IT management
and business use controls, which provide\that:
I nef
+ ovements in Branch ledgers have the/ull ownership and visibility of sub-postmasters; and
* dit trails kept by the systemare complete and accurate.
Summary of Approach\/ Key assertions requiring assurance, to underpin confidence in processing integrity
‘ata aes ro wa Tat aso
We have structured our work around the
key control assertions shown in the
diagram (right), which has been agreed
with POL. We consider these to be key
matters that POL should control in order to Seece I SiSeeas
gain comfort over the integrity of Pe a
processing. = a
We have considered POL’s three design
approaches when evaluating the
Assurance Work.
LEGALLY PRIVILEGED ANO CONFOENTIL ebeametLPz014
DRAFT FINDINGS. —
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
A key element of the approach was to identify the Horizon Features. POL did not have an existing document that
could be described as representing the Horizon Features in a demonstrably complete way, therefore we have
drawn out an initial view of the Horizon Features from the underlying documentation and considered Assurance
Work relating to them (Appendix 2) for the purposes of this review.
We have grouped the Assurance Work provided to us into three areas, corresponding to POL's three mechanisms
of exerting control over the processing environment, as follows:
* System Baseline Assurance Work: This aims to provide comfort that the original Horizon implementation
and other changes performed under formal projects were well governed (compared to Deloitte project
management methodologies) and that detailed testing was performed against agreed business
requirements. Such activity would verify that the system was, at that point in time, fit for purpose and
implemented as intended. This assessnent considers the point when the system and processes are
created. TaN
* IT Provision Assurance Work: This aims to provide comfort that the iy management activities required to
run the Horizon system with integrity are designed and operating effedtively. Such activity verifies that key
day-to-day IT management activities (e.g.: security, IT operations and system changes) are appropriatdy
governed and controlled.
* System Usage Assurance Work: This assurance aimsto provide comfort that the controls in and around
the business processes which make use of the Horizon system are“appropriately designed, in place and
operating as intended.
Our work has been performed as a desktop review of decumentation. made évailable and has neither tested the
quality, completeness or accuracy of the Assurance Work Provided to us" ‘or tested any controls relating to the
Horizon processing ervironment.
Summary of Observations JS ‘ \
Substantial Horizon-related oyster Socuhetatioh exists,eomparable to that typically seen in organisations of a
similar scale where IT activities aré.outsourced and formal assurance activities are not mandated. Some
organisations are externally mandatet\to haveva greater level of end-to-end, risk orientated documentation and
testing, e.g.: in financial services. POLisnot so fnandated.
\Z
Based on our review mA thegavaiane documentation, our key observations are:
iN
° he extensive Horizon 1 system documentation is structured from a technical rather than a risk and controls
perspective and: provides an understanding of the Horizon Features. POL should conduct a formal
assessment to identity a complete set of Horizon Features that respond to POL’s control objectives.
* he integrity of the Audit Store is designed to be preserved by a system of “digital seals”. This feature
underpins the ability to confirm the completeness and accuracy of data kept in the Audit Store, and that of
subsequent reports generated from the Audit Store. These digital seals are key components in the Horizon
Features.
° OL is relying on the Horizon Features being implemented and operating as described. Whilst our review
focussed on the design of the Horizon Features, the Assurance Work we have assessed does not
completely test these features for implementation and operating effectiveness. Only those Horizon
Features relating to IT Provisioning have been validated and tested. In addition, during the course d our
engagement, one of the Horizon Features not so tested has been discovered by POL to not be
implemented as expected.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Scope Limitations
Our work has been subject to the following exclusions:
WITN10370171
WITN10370171
usiness use (process) documentation is not complete or up to date, by some years in cases. As part of
completing or updating the documentation of Horizon Features, all relevant business uses should be
identified and evaluated from a control objectives perspective to identify potential addition matters being
relied upon.
re 2010 Assurance Work has not yet been located by POL. This Assurance Work is required to evaluate
the comfort that the system was originally built and tested to specific business requirements. The
implementation in 2010 of HNG-X is asserted by POL to have not significantly impacted the design of the
Horizon Features.
overning controls over key, day-to-day IT management activities have been independently tested and
opined by Ernst and Young (since 2012) toa recognised assurance standard (ISAE3402).
number of third party systems are used by Horizon on a day-to-day operational basis Documentation
asserts that these interactions do not impact on the Horizon Features. °
4/4 Ss “
nly matters relating to the Horizon Features within the Horizon processing ervironment have been
considered during our review: ' /
e have not provided a legal or any other opinion ‘as.to the Cimpleteness and accuracy of processing of
Horizon at any point throughout the work; (
e have not had direct contact with any third herte/other ten named contacts that you have provided to
us (Appendix 3); y—\
e have not verified or tested 4 any ‘information proyided directly by you, or directly or indirectly by third
parties (the schedule of information received is in ‘Appendix 3);
\
e have not reviewed any contractual provisions in place between you and third parties;
e have re enon the Hovzon Features; and
e have not validated commented on the quality of the Assurance Work supplied to us.
4
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
2 Introduction
Introduction
The Horizon system has been used by POL since 1995. Duting this time it has processed many millions of
transactions across thousands of branches. Horizon is accredited by Payment Card Industry Data Security
Standard (PCI DSS) and 1S027001. It is currently used by more than 68,000 users across 11,500 POL branches
and is administered by Fujitsu as part of a managed service agreement. It is a key operational system for POL and
integrity of processing on the system is crucial to the day-to-day operations of the business.
POL is responding to allegations that the Horizon processing environment, used to record,transactions in POL
branches, is defective and/or that the processes associated with it are inadequate“
In order to respond better to the allegations (which have been, and will in alltikelihood continue to be, advanced in
the Courts), POL management want to demonstrate that the Horizon proces g environment i is robust and
operates with integrity, within an appropriate control framework.
A
In particular, management at POL has highlighted two key staterrients they ‘would like to assess their comfort ower
in response to the allegations, being: . ¢
1. That Sub-postmasters have full ownership and visibility of all Fecords in their Branch ledger; and
2. That the Branch ledger records are kept by the system with integrity dnd full audit trail.
\ \
tS 2
POL management have previously either been provided with or commissioned work (including independent
assurance reviews) into matters relating to Horizon's operating environment and processing integrity. Documents
outlined in Appendix 3 have been provided tous and considered as part of the planning and delivery of our review.
<f ~ y
Objectives and Activities Untiertaken
The purpose of this rept is to provide) based dipon the information made available to us by you, an independently
produced summary,6f the Assurance Work undertaken over your current day Horizon processing environment and
make revommendations on further ‘work that could be done to enhance these assurance sources.
The work we have performed to produce this report has included:
. btaining an understanding of the Allegations; POL’s key risks in and internal controls over the Horizon
processing environment relevant to the integrity of processing; the measures in place to recordand
preserve the integrity of system audit trails and other background matters that we may deem necessary to
complete our review;
. btaining an understanding of the key differences between the current Horizon processing environment,
and the system which this replaced (here-to referred to as the “Legacy System”);
. eviewing, understanding and consolidating the Assurance Work (e.
and remediation actions) which POL or third parties have undertaken;
investigations, assurance activities
. olding discussions with relevant members of POL staff and other key stakeholders:
. eviewing project documentation relating to the 2010 mplementation of Horizon, in order to compare the
nature and extent of p roject governance and documentation with Deloitte's good practice project
management methodology;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
. reparing an initial schedule of Horizon Features and assessing the level of comfort over these, provided
by POL’s Assurance W ork (including the use of a specialist to assess the design of the Audit Store's
tamper proof mechanisms); and
* ecommend further activities that management could undertake to improve the assurance provision.
Scope limitations are outlined in the Executive Summary above.
Understanding of Historical Issues and Concerns
As an initial step, in building the requisite understanding required of the historical context leading tc this review, we
have reviewed the documentation provided by POL in order to understand the history of issues and concerns which
have been raised in relation to the system.
From the documents provided, we have identified the following matters which have helped to provide us with a high
level understanding of the nature and extent of the potential concerns with the Horizon pfocessing environment,
and thus focus our work in certain higher risk areas:
Branch 14 Issue - Involved a processing error where historic accounting ented in the: 2010/14 financial year were
replicated in accounts for 2011/12 and 2012/13.
Branch 62 Issue - Involved a Receipts and Payments mismatch’in Horizon when discrepancies were moved into
the local suspense account (this is an account which aggregates ‘all discrepancies into a single gain or loss fora
branch trading period).
Falkirk Issue - The Falkirk Anomaly occurred when Cash.or stock Was. transferred between stock units.
\ Y
Spot Review Bible — This outlines a sequence of matters raised duririg the work performed by Second Sight over
the allegations raised over the Horizon system, and surymary commentary on 10 issues within.
Lepton Detailed Spot Review inortation I included within ‘Spot Check Bible) — Detailed documentation has
also been provided in relation to Spot Review 1. The issué raised was that a Sub-postmaster will not be notified
about automatic reversals oftransaétions when not cofnected to the data centre.
Reflecting on the nature and substance ofthese’ issues, and documentation relating to their follow-up and
resolution, we have understood the importanée of the audit trail to provide evidence relating to disparities between
Sub-postmaster aceounts ofevents and subsequent investigations, based on audit trail evidence, by POL/Fujitsu.
As a result of the above vadorengi, our work relating to IT Provision and System Usage Assurance Work paid
particular (but not exclusive) focus on Information System Operations (IT environment processing), and business
processes controlling relevant key data flows (the key data flow for our assessment being that of the complete and
accurate transmission of data from the Counter system at the Branch to the Branch Database and subsequently
into the Audit Store).
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
3 Approach
In the absence of POL’s own holistic risk assessment relating to the Horizon processing environment, key to our
assessment of sources of assurance has been the formulation of an initial “risk universe”, against which coverage
of the associated risks by the relevant sources of assurance can be assessed (“mapped”).
We have considered this risk universe across three key areas:
1. Control objectives and risks relating to the ‘System Baseline’.
2. Control objectives and risks relating to ‘IT Provision’.
3. Control objectives and risks relating to ‘System Usage’.
Risks relating to the System Baseline — these are risks that the original implementation project and other
changes performed under formal projects were not conducted in line with good py Proj ct management practices, and
that detailed testing was not performed against agreed business requirements: These,risks are governed and
controlled outside of day-to-day system operating procedures. Controis which mitigate these fisks are often
referred to as “Project Controls” and “Inherent Systen Controls” {tose designed and built into the IT system).
Risks relating to IT Provision — these are risks that the underlying IT activities, necessary to provide a system
that can run and be used with integrity, are not desgned -and operati effectively. Such risks relate to key day-to-
day IT management activities, relating to security, IT operations-and onitem 1 changes. Controls which mitigate
these risks are often referred to as “General Computer Coptcols”. Our' Werk’ ‘focussed on assurance provided over
Fujitsu's activities in these areas. \ /
Risks over System Usage - these are risks that key features of Horizon and corresponding business use
activities (processes), aiming to prevent. or detect matters thatwould impact the integrity of processing, are not
designed, in place or operating as intended. ‘These are the more detailed risks in relation to particular aspects of
capturing and processing transactions across the. Horizon processing environment. Controls which mitigate these
risks are often referred to as “End User. Controls’, “Application Embedded Controls’ and “Process Controls’. Our
work focussed on the internal dataflows within Horizon (Counter to Branch Database to Audit Store for example)
and we also considered the- relevance Of interfaces with other systems such as the DVLA.
In the context of these three areas of risk we have performed knowedge gathering activities in order to understand
the Horizon processing erwironment in sufficient detail to identify specific risk areas and those Horizon Features
identified to exert control over thesé risks
1. Approach to Understanding of System Baseline Risks
In considering Baseline risks we have considered past iterations and changes to the Horizon IT system, including:
. ny that lead to changes to the Audit Store;
° he Horizon Implementation Programme in 2010-2011;
° he Data Strategy Foundation proect in 2012 and 2013 (which updated the dataflows into Horizon from
certain third party transactional systems, including ‘Post and Go’, and ‘Paystation +’); and
° he original Horizon platform delivered in 1995.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
2. Approach to Understanding of IT Provision Risks
Our understanding of IT Provision risks has been formulated through our understanding of the system via
documentation review and verbal discussion with surporting POL and Fujitsu SMEs. Due to the nature of the
System Provisioning risk areas, the formulation of this understanding has been mainly through interview with
Fujitsu and POL security team members.
3. Approach to Understanding of System Usage Risks
WITN10370171
WITN10370171
Our understanding of System Usage risks has again been formulated through documentation review and verbal
discussion with supporting SME's to identify additional support areas. Due to the nature of the System Usage risk
areas, the formulation of this understanding has been mainly through interview with Fujitsu, POL Finance Shared
Services and POL Security team members.
Combining the Above
Horizon processing ervironment. We have number coded the risks in the b
responding to Baseline
Following our assessment across these three areas, the diagram below eae the oon identified within the
Risks, (2) corresponding to IT Provision Risks, and (3) corresponding to System
ik)
ww,
This diagram thus represents the framework of key risks that need fo be‘conffolled by Horizon Features and
appropriately assured in order to provide the comfort required by POL ‘mana!
N\
ment.
Key assertions requiring assurance, to underpin. confietogh in processing integrity
‘That the system was fitfor purpose and I
__ impacted the design features adversely
That assertions on
this diagram are
That transaction® fromthe Counter are
I recorded completely, accurately andion a I
[That the Audit Store i
I complete and acour
fecord ofBraneh Leda
transacti
Lecsi Branch
(€systation/
Post & Go)
j7 sorting IT I
processes are well I
controled. I
[That information
reported from the
I Audit Store retains
‘That DBAs or others
granted DBA access
have not modified
ranch Database nor
Audit Store data.
hat data posted from
‘other systems and teams
Is visible to and accepted
ub
LEGALLY PRIVILEGED AND CONFIDENTIAL, © Deloitte LLP 2014
It can be observed that the majority of the risks identified are System Usage risks, which is expected based on the
complexity of the IT processing landscape and the diversity and volume of transactions being handled.
DRAFT FINDINGS.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
Sources of Assurance Work relating to the Horizon Processing Environment
The diagram below summarises key examples of the Assurance Work reviewed and referred to as part of our
assessment.
END TO END Horizon PROCESSING ENVIRONMENT
System
‘System Usage Risks
Baseline Risks
Non
e Branch
Branch
Processing
Proce
(SPMR)
»
3
5
s
8
Fa
a
a
5
2
2
3
a
§
8
s
2
3
Bursse:
Jo Asenyep 40} aiqisuodse: wee) eloig uoneyeWweldu,
uopejuewedu
Wipro Test ISAE3S02 intemal Audit Reporting
Strategy
Gap
Technical Documentation
Analysis and
Gartner
Report '$027001
Example Assurance
Sources
When considering the sources of assurance over IT Provision Risks, System Usage Risks and System Baseline
Risks, a number of parties have been (and continue to be), involved in performing work over the Horizon
processing environment which contributes to the overall assurance management has over the correct operation of
the system.
Assurance Work from the following organisations, in addition to information provided from POL, have been
identified and considered in our work:
. ujitsu, who designed, built and now operate Horizon;
° ureau Veritas, who perform 1SO27001 certification over Fujitsu's networks, including that of Horizon;
* — nformation Risk Management (IRM) who accredit Horizon to PCI DSS;
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
10
WITN10370171
WITN10370171
* mst & Young, who produce an ISAE3402 service auditor report over the Horizon processing environment;
and
* — nternal audit, who perform risk based reviews within POL.
In considering the Assurance Work provided to us by management during the course of this engagement we have
considered whether they constitute assurance provided under an assurance engagement, as defined by IFAC, or
are sources of information that provide comfort in other ways. For the purposes of clarifying the Assurance Work,
we have assigned each document received to one of two classifications, defined as follows:
“Assurance” -The Assurance Work has been provided under an assurance engagement by an independent third
party, suitably qualified in the subject matter constituting the focus of the engagement to provide a valid opinion.
Sources of such assurance include:
* — nternal Audit functions;
. xternal Audit; and , .
. ther third party reviews, not involved in the original design nor day-to-day operation of the system
containing (a) a formal opinion, such asthose performed in line with recognised standards, such as
ISAE3402 or (b) no formal opinion (i.e. a report based on evidence ana facts without interpretation).
SN
“Other Sources of Comfort” -The Assurance Work is either not prodyeea bya an independent party or by an
individual who is suitably qualified in assurance encagements, or both. Other Sgurees of comfort include:
* — T Project Documentation;
. perational Documentation, such as policies, Procedures and process / system information produced by
functional teams; /
* eviews or investigations performed by outsourcers (e.g.: deer. dives, “diagnostics, spot reviews);
. usiness peer group review teams and functions; and>
* Second line’ compliance teams. - “ aa
—-~ ¢
In Appendix 3 we have documented all the Assurance Work we received and added our classification of those
sources by these two categories. / J
V
Summary of Work Performed <
\
Based upon the concepts outlined aboye we have performed the desktop based work below (further detail of which
is outlined in our Engagement Letter shown in Appendix 4). We have not performed any testing to validate the
information prove o us ke! Assurance Work.
Step 1: Analysis and Review
* Activity 1. Documentation Review -We have reviewed a number of documents produced by several
different organisations in order to understand key matters relating to the Horizon system and the
Assurance Work available.
* Activity 2. Risk Universe Formulation - We have then, in the absence of a holistic risk assessment being
performed by POL and thus for the purposes of our assessment, created a risk universe based on our
experience of information processing systems encompassing the three primary risk areas previously
identified IT Provision, System Usage and Baseline Risks.
* Activity 3. Review of Assurance Work — The available documentation was reviewed in order to
understand the Assurance Work available to POL, against each of the three identified risk areas.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
11
WITN10370171
WITN10370171
Step 2: Gap Analysis and Assessment
Based on the analysis in Step 1 we have produced:
* Activity 4. System Provisi ig Assurance Assessments and Gap Analysis - Considering key
potential gaps or areas of ambiguity in the available assurance sources when considering the System
Provisioning risk universe.
* Activity 5. System Usage and Baseline Assurance Assessments and Gap Analysis — Assessing the
documentation relating to System Usage Risks and then performed deep dives into the following areas of
specific risk:
Horizon interfaces (including DVLA);
Branch Database;
Audit Store;
Horizon Implementation Project;
Audit Store Changes; and /
Data Strategy Foundation project. <
cooco°0
* Activity 6. Peer Comparison to Assurance Availableto iS obeataton —We have assessed
the Assurance Work available to similar organisations ove! “System Provisioning Risks (the area of risk
where a benchmark is most valid due to the leyerof information available from POL) and assessed
therefore whether POL has comparable levels of assurarice.. —
Step 3: Reporting we /
The analysis and interpretation in Step 2 has allowed us tg formulate:
* Activity 8. Produce an Assurance Schedule over Horizon Features, and Recommendations —
Mapping control assertions, Horizon Features and Assurance Work and reporting on the level of comfort
that we have assessed in each ofthese, areas. Identification of the key considerations for management
arising me ir analysis, and plan of action to respond to these recommendations.
Amore detailed coon arhese aglivities performed follows.
Activity 1: Documentation Review
All of the documentation reviewed during the course of our review has been documented within Appendix 3. This
documentation can be divided into the following classifications:
. echnical Documentation on the Operation of the Horizon System — Reviewed in order to gain a deeper
understanding on how the Horizon system works, how complex it is, and where we should be focusing
further efforts and analysis;
* — ndependent Third Party Assurance documentation — This documentation has been reviewed in order to
understand the existing assurance sources relevant to the environment;
. ocumentation of Historical Issues and Allegations in relation to the Horizon System — This documentation
has been reviewed in order to understand the background context and better position the IT Provision,
System Usage and Baseline Risk work performed over the environment; and
. ervice Provider Analysis and Response to Issues — This documentation has been reviewed to gain an
understanding of the work performed by Fujitsu in investigating the issues raised, and how these will be
responded to.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
12
WITN10370171
WITN10370171
A number of individuals from POL have been interviewed during the course of formulating this report to supplement
our understanding from the provided documentation.
Activity 2: Risk Universe Formulation
System Baseline Risk Universe
The original implementation of Horizon in 1995, together with subsequent changes (whether routine via change
management processes, or large complex change programmes such as the Horizon system implementation in
2010-11), represent events affecting Baseline System Risk.
To assess these risks we have understood the history of the Horizon system and selected three areas for more
detailed investigation including:
. orizon Implementation; \
. ata Strategy Foundation project; and
. sample of changes to the Audit Store (subsequentto determining that this key. risk area for the system
had been left largely untouched by the key implementation events ts blanjonied in the previous two bullets).
For each of these change areas we have assessed the Assurance Wore from a governance and contro!
perspective, and POL ability to take comfort that the Horizon system was fi fit{Or.purpose at the time of the change
and operated in line with management intentions (through businéss requifements definitions and project testing
against these).
IT Provision Risk Universe ~ ; ?
This risk universe was formulated from our prior experience of-auditing and assuring information systems and
involved the identification of high level risks across three core areas: “
* — nformation Security;
* _ nformation System Operations;
* hange Management. < vo 4
Once the IT Provisioning risk universe had been formulated a mapping of control objectives within the Assurance
Work was performed inorder to assess, coverage.
The three sources Stassurance ingludget within this mapping were:
Ny,
* —SAE3402 report ‘on the Horizon managed sewice;
. cIDSS compliance. report on Horizon; and
* $027001 Statement of Applicability.
The results of this mapping exercise are summarised within Section 5 and reproduced, in detail, within Appendix 1.
In parallel to this assurance exercise we have also summarised key matters relating to each assurance source.
This involved considering the context and focus of the relevant Assurance Work and comparing these to the
context and focus that would be required for coverage of the key risks (this was in recognition of the risk that some
of the documents could be used or applied out d context from their original purpose).
The results of this analysis are also included within Section 5.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
13
WITN10370171
WITN10370171
System Usage Risk Universe
As POL has not conducted a holistic assessment of risk in this area, a full understanding and assessrrent of
assurance over the System Usage risk environment was not available for our review.
Instead we focussed our assessment on two key areas of risk: those relating to the completeness and accuracy of
the Audit Store, the Branch Database and key system interfaces with a significant third party, such as the DVLA.
We sought to understand the Assurance Work that has been done against each of these areas.
This involved:
. nquiry with relevant SMEs;
° eview of documentation;
. ormulation of a risk universe in these specific areas; and
. nderstanding of existing assurance work over controls which mitigate these’ fisks.
7
Horizon Features :
Across each of the three risk universes we identified features within the processing Bnvirontient that exert control
and provide that:
. ovements in Branch ledgers having the full ammannta hake su sotncons and
* _ udit trails being kept by the system are complete and accurate. <
We refer to these identified features as the “Horizon Features". \ ?
Activity 3: Review of Assurance Work
With the background context of the three risk Universes\outlined within the previous section, we reviewed the
available Assurance Work in order to assess the cpverage and nature of the comfort provided by the work.
The documentation reviewed during this Sabo has been jted within Appendix 3, as are the names of individuals
consulted in relation to our work. \ < /
- \
\
\ \
Activity 4: System Provision Assurance Assessments and Gap Analysis
Once the System ‘ovisioning risk universes had been formulated a mapping of control objectives within each of
the main assurance Sources was performed in order to assess coverage. The three sources of assurance included
within this mapping were»
* — SAE3402 report on thié Horizon managed sewice:
+ CIDSS compliance report on Horizon; and
* §027001 Statement of Applicability.
The results of this mapping exercise are summarised within Section 5 and reproduced in detail within Appendix 1.
Activity 5: System Usage and Baseline Assurance Assessments and Gap Analysis
Following our understanding of the system and historical issues the following areas were singled out as relevant for
deeper analysis, and this approach was agreed with POL management:
1. Audit Store — The audit store has been used frequently in investigations by POL / Fujitsu and is used as
supporting evidence during legal proceedings. Therebre its integrity is paramount to responding to these
issues. However the audit store cannot be relied on in isolation, as its integrity is dependent upon the
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
14
WITN10370171
WITN10370171
correct processing of transactions by the wder Horizon system (upstream events if processed incorrectly
will be recorded incorrectly by the audit store).
2. Horizon interfaces (including DVLA) — Horizon is reliant on a significant number of batch processes and
online services (including interfaces with third party systems) in order to function correctly. These routines
need to be functioning correctly and accurately for the transactions processed by the system and ultimately
recorded in the audit trail to be reflective of the underlying commercial realities and business transactions
they pertain to represent.
3. Branch Database — The Branch Database is a key ‘staging post' for data being transacted on counters
within individual branches prior to transmission onvards to the Audit Store. As data from branches in held
within the messaging journal table on this system for up to a day before being processed into the audit
store the security controls and processes protecting this data whilst in temporary storage here are
paramount. oN
4. Horizon Implementation Project — This change represented the largest single change tothe Horizon
system since implementation, and also the change implemented priof to adoptiormof the current major
release of the system, and so was considered of particular relevance tovour’ syerall Understanding a
system Baseline risk. /
5. Audit Store Changes — Our understanding of the HNG-X Impteméntation Project quickly highlighted that
this project had very little impact on the Audit Store itselfAs a resuft we performed procedures to
understand some of the changes which had been made to the Audit Store following its original
implementation. L
6. Data Strategy Foundation Project -We determined ‘during t - course of our work that this was another
key implementation project in the recent history of the Horizon system of particular relevance to a sub-
group of the system interfaces on’Horizon, This ‘project was therefore also deemed key for our
understanding of system Baseline, risk.
For each of the areas outlined in K eaove an. an assossrfent was made of the coverage and nature of the
Assurance Work provided. — - \ \
For areas 1-3 (System Osage Rtara) hs qgebralty of the particular area was further understood and key
controls over the carresponding nis Tisks then sought.
For areas 4 - 6 (System Baseline Risks) we adopted a different approach, whereby the typical good practise
documentation requirements and pfoject governance methods as stipulated by ‘Prince 2’ (amongst others) were
utilised as a baseline, and the.approach to each of the sampled change initiatives assessed from the available
documentation. This work was conducted through a mixture of verbal discussion and the receipt of supporting
evidence where applicable.
Activity 6: Peer Comparison to Assurance Available to Similar Organisations
As part of our analysis we have also assessed whether the IT Provision assurance POL has obtained is
proportionate to that provided to similar organisations.
We have also considered the best practice approach outined by the COSO framework, as published by The
Committee of Sponsoring Organisations of the Treadway Commission, in formulating suggestions for potential
areas of improvement in the risk, control and assurance activities of POL.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
15
WITN10370171
WITN10370171
Monitoring
information and Communication
Control Activities
Risk Assessment
Control Environment
The COSO Cube: Presents a framework for best practice
approaches to risk, controls and assurance activities.
Activity 8: Produce an Assurance Schedule over Horizon Features andNaise
Recommendations and Plan of Action
We have written up our assurance schedule, which maps the Assi and Wo (0 specific controls relating the
Horizon Processing Environment, and commented on the level Of comfort that the Assurance Work provides in
each area.
Our report also contains recommendations for mana: ment toget
management consideration.
a suggested plan of action for
WS
VY
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
16
WITN10370171
WITN10370171
4 Understanding the Horizon Processing
Environment
Overview of the Processing Environment
The Horizon IT system was designed specifically for POL, and therefore an understanding of its operations,
processing environment and configuration was required in order to fully quantify the risks applicable to the IT
components of the processing environment.
Horizon has been the main operational system of POL since 1995 and:
° as a user base of 68,000 users;
* — erminals within 11,500 branches;
. rocesses an average of 6 million transactions a day; and
* — nterfaces with over 20 third party systems.
As highlighted in our ‘Approach’ section above, we have categorised thé risks posed on the system into three
distinct areas (System Baseline Risk, IT Provisioning Risk and System Usagé Risk), and the remainder of this
section outlines our understanding of the IT system that underpins these.
System Baseline Risk
Horizon (HNG-X) Project \
The change to the HNG-X system in 2010’was gdverned using Royal Mail's “Harmony” project methodology (the
governing project standard at the time). The-prdect saw the pHased implementation over 18 months of the HNG-X
solution (also known as “Horizon On-Line”), Individual POL Branches were migrated fromthe Legacy System to the
new HNG-X system, one by one. \. . - C
\ \
\
No historical data was migrated, although six months of data was maintained within the Legacy System. Our review
of Assurance Work shows thata number of key controls were operated over the project, which was managed by
Fujitsu on behalf of POL. These included:
. OL signing offaccep' ee cfiteria;
. phased migration including a model office pilot; and
. ranch by branch recondliation between opening balances on the new system and closing balances on the
legacy system.
Wipro, an independent third party, were commissioned to provide a report on the performance testing strategy
including gap analysis and recommendations.
The benefits from the migration included the removal of transactional data being held at local branches levels and
this data instead being stored centrally within the data centres.
Data Strategy Foundation Project
The project focused on moving the Accounts Payable file feed which was initially received into Credence via
Transaction Integrator to processing via Fujitsu Horizon systems (i.e. not the Counter). The goal of the project was
to provide a longer term system solution which would provide complete reconciliation, resilience and disaster
recovery capabilities, as well as reduce the risk d client withdrawal.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
17
WITN10370171
WITN10370171
The POL strategic requirements to expand its offerings to other platforms beyond Horizon introduced the
requirement for a data integrator function. Originally POL approached Fujitsu Services to supply this service as
plans to incorporate an integrator service within the Horizon architecture were considered to represent a clean
solution. However, Fujitsu Services were unable to respond within the desired timescales as it would have diverted
their resources from key Horizon ondine delivery milestones.
POL therefore investigated alternative options, finally selecting the use of IBM datastage as the Transaction
Integrator. This was delivered as part of the POLMI project. Fujitsu Services then submitted a high level design
proposal for the provision of a service for processing client transaction files which would provide end-to-end data
validation / reconciliation, with resilience and DR (the incumbent IBM datastage solution did not provide resilience,
DR or end to end reconciliation, presenting a threat to relationships and future contracts).
Assurance Work provided included:
. roject overview document;
° usiness Case;
° eekly Project Meeting Committee Presentation;
. usiness Requirements;
. est Strategy;
. est Sign off; and
° est Report.
Audit Store Changes
In assessing change risks in relation to the Audit Storé, documentation has asserted that the recent significant
changes above did not result in significant changes to the operation of the day-to-day Counter transaction flows nor
the operation of the Audit Store. \ / “
To assess Baseline risk for the Audit Storé the original imnplententation documentation for the Audit Store was
requested. Due to the data retention policy ‘this dgcurrentation could not be provided and so a review of Fujitsu
provided documentation over subséquent changes over atarge period of the Audit Store’s history was performed.
\ <
In producing the diagram on page-9, we have considered the key System Baseline Risks in the context of two
control assertions below, which became the. overall focus of our work in this System Baseline area:
. he Horizon Features were fit for purpose and worked as intended when first implemented; and
* _ ajor changes since implementation have not significantly impacted the Horizon Features.
\
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
18
WITN10370171
WITN10370171
IT Provision Risk
As part of our work, through review of documentation and discussions with subject matter experts in POL, we
familiarised ourselves with the topology and operations of the Horizon IT system.
The systems documentation and understanding obtained (shown in summary in diagrams below) highlights the
complexity of the Horizon IT system and the level of data being transacted via batch and real-time data flow. This
volume and level of complexity in the data flows, including interactions with other systems, highlights the
importance of effective IT Provisioning controls to the integrity of the processing environment.
=/ = ee
\
wranen acces nye: V7
(Ausnanscaton. coven ghd saree rou
2 . a
Branch
Estate
Diagram provided by Post —“~)
) J
The Horizon IT systems built intine with key principles that all data is held centrally within the data centre with the
exception of some standing data which is heldlocally within the branch. This centralisation principle applies to all
‘completed’ transactional data (kfown as “baskets”) and to the Audit Store.
To support this principle the network architecture of Horizon is formulated on:
. ata centre;
. AN Services (connecting datacentres, POL central stes, and Fujitsu sites); and
* ranch Network.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
19
WITN10370171
WITN10370171
The diagram below, provided by Fujitsu shows the hgh level IT system infrastructure:
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
20
WITN10370171
WITN10370171
Managing the processing of the real-time and batch processing environment is Tivoli Workflow Scheduler (TWS)
which is used to execute, monitor and handle exceptions within the processing environment. TWS is managed and
monitored by Fujitsu as part of the managed service contract between the two parties.
In producing the diagram on page 9, we have considered the IT Provisioning risks in the context of the assertions
below:
. upporting IT management processes are well controlled.
System Usage Risk
Responsibility for the administration of the system rests with Fujitsu who provide change control, security
management, system operations, and end-user support.
Responsibility for the effective usage of the system, including complaint and effective business processes, remains
the responsibility of POL. Jn
The user base of Horizon can be subdivided into two core areas:
. entral Users — including Finance, and users at the Network Businéss: Sdpport Centre.
. ranch Users — Sub-postmasters and their staff who are processing shop floor. ransastions.
Outside of the POL user base, Fujitsu provide administration services And hold service and super user account
privileges within the system. a LZ
Horizon supports the processing of a multitude of different transactions including:
. urchases of goods;
urchases of services (for example Lottery fickets.or tax discs);
ayments to discharge customer debts (payment of Mobile phorie bills for example);
efunds; and v
ransaction corrections =~
Several transaction mediums are accepted, for example:
* ash; oe >
* — redit and debit cards; and 7
. heques. . \
J SN S
A number of controls ayein place to support the integrity of transactional processing including:
. he Audit, tore secure area of H orizon which pertains to store all transactional information in
sequentially numberes records, aong with key system events;
* — onitoring controls facilitated by Tivoli Workflow Scheduler and associated exception handling processes;
. andshakes and‘call offs between systems include various controls around the integrity of transmitted
data (such as digitalsignatures); and
. ackup communication routes between branches and the certral data centre (mobile technology).
Reconciliations are performed regularly both in branch and centrally. Key reconciliation processes carried out
include:
. aily branch cash declaration and reconciliation to Hcrizon balances;
° eekly balance of cash and stock and reconciliation to Horizon balances;
. onthly trading period roll over (including resolution of any suspense account issues rolling over from
weekly or daily reconciliations); and
. entral finance processes to reconcile central records to cash remitted to POL, cheques remitted to POL
etc.
In response to discrepancies as a result of these reconciliation processes investigations may be conducted by the
Finance Service Centre, and if required transactional corrections processed. These corrections are subject to
significant investigation and are subject to approval by Sub-postmasters in the first instance.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
21
WITN10370171
WITN10370171
Workarounds are not usually required, the main workaround being in relation to mobile connections from branch to
data centre in the event that the main connection to the central data centre cannot be utilised.
In producing the diagram on page 9, we have considered the primary System Usage risks in the context of the
questions posed within the scope of our work, and refined these risks into the following control assertions:
ransactions from the Counter are recorded completely, accurately and on a timely basis centrally;
ransactions processed to Branch Ledgers are recorded campletely and accurately in the Audit Store;
irectly posted “Balancing Transactions" are visible and approved;
nformation reported from the Audit Store retains its original integrity;
ata posted from other systems and teams is visible to and accepted by sub post-masters; and
atabase Administrators (DBAs) or others granted DBA access do not modify data directly.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
22
WITN10370171
WITN10370171
5 Assessment of Assurance Sources
IT Provision Risk Assurance Sources / Gap Analysis
For the IT Provision risks the existing assurance sources appear to provide a good level of coverage over the risk
universe associated with this area of the Horizon processing environment.
Our high-level analysis of this coverage against the three core risk areas is as follows:
Information Security Information System Change Management
Operations
1$027001 Statement of
Applicability
ISAE3402 Report
PCI DSS Report
\ . >
In considering this assessment, POL management should be Cognisant of the inherent limitations of each report,
given the purpose for which it was written: -— \
\
Report Limitations / Factors to Consider whilst Utilising
1027001 Statement of I This document has been proquc'ed-by Fujfsu, limiting is value from an independence perspective. It should be
Applicability noted however:nat iti supported by an independent assessment of 8027001 compliance by Bureau Veritas, an
accrédited certification provid
Yo
The hain focus of 1802700" i on secur, although i does also focus (too lesser degree) on the ther core
even ta risk areas, Change Management and Information System Operations.
ISAE3402 Report This documentfas been produc ed by an independent third party, Emst and Young. thas good coverage of all three
System Prdvisioning risk areas, and is produc ed according to testing standards stipulated within the ISAE3402
standard.
in relying on this report management has considered ‘Section 6 Complimentary Us er Entity Controls’ which
stipulates the controls that POL should be operating in addition to the controls at Fujitsu in order to complete the
control environment over Horizon.
PCI DSS Report ‘The PCI DSS The sc ope of the PCI DSS -eport is the narrowest of the three assurance reports. It is focused
exclusively on the security of cardholder data, and does not span the other two IT Provisioning risk a reas to the
degree of the other assurance sources. It provides minimal coverage in particular of the Information Systems
Operations System Provisioning risk.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
23
WITN10370171
WITN10370171
Of note when considering coverage of IT Provisioning assurance sources is that the majority of the focus is over
Information Security, whereby based upon the historica issues and allegations being levelled at the system,
Information System Operations and Change Management would appear to be higher risk areas in the context of
this particular piece of work.
Peer Comparison of IT Provisioning Assurance Available to Similar Organisations
Our comparison to peer organisations yielded the following results:
Organisation Sector Sources of Assurance Regulatory Focus
Print Media = E xternal Audit N/A
Ad-hoc Risk Consultancy
Retail External Audit FCA (CCA)
Internal Audit fy
Retail External Audit rent /*
Internal Audit 36an L9ss Provisioning
eoe
PCI DSS: J 4
Retail and payments processing External Audit FCA /
Internal Audit
Government External Audit \ NX Data Protection
Internal Audit \ —I4
Pcipss VA
Risk /
This highlights that the level of IT. Provision Assurance Work that POL has performed is comparable to those in
other similar organisations which aré-not'subjectto risk and control regulatory requirements.
This should however also ‘be interpreted in the context of the allegations being made against the Horizon
processing environment which may suggest that a higher level of assurance is warranted compared to these
similar organisational benchmarks.
\
\
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
24
WITN10370171
WITN10370171
Baseline Risk Assurance Sources / Gap Analysis
Our assessment of Baseline Risk was based upon three core scope areas:
. orizon Project;
. ata Strategy Foundation Project; and
. udit Store Changes.
For each of these scope areas we queried relevant POL and Fujitsu personnel in order to understand the project
and change governance documentation available, and form an assessment as to the project controls applied to
these change events, compared to Deloitte's Project Management methodology.
Our findings are as follows:
Baseline Risk Assurance Work Information Provided
Area
‘Audit Store Changes to Horizon, such as the migration to HNG-X in 2010 involved migifmal changes to th&operation of the Audit Store. As
pores
a result these large scale pr ojects are of minimal interest with regards te establishing >
aseline Rhgk position in relation to the
design and functioning of Horizon Feat ures relating to Audit Storé.
‘Some small changes have been made to the Audit Stor edn more réceht years. Samples of documentation co rrelating to
changes throughout the years the Audit Store had been in place were réquested in order to obtain Assurance Work that these
changes to the system had been manag ed to gaod practise stafidards.
Further at the point of implementation of the Audit Store verbal represehtation was provided that a ‘Security Report’ was
Assurance Work, demonstrating the correct fynctional ity-6f the Audit Store at that point in time, but it could not be located by
POL and thus could not beréviewed as part ofiour wofk.
HNG-X Implementation Detailed business ahd tecfinicay desigh documtentgita ve been verbally represented to have been created during the delivery of
(2010) the project life cyee. -
Detailed test plan3\Mll, Defect Management and other key testing artefacts were produced during the course of the project.
SeVeral acceptance criteria rélategfo the clos ure of testing defects. Exa mples of testing documentation have been provided to
our réyiew teariduring the course of our w ork.
I ) I
\ /
ration checklists afd instructions have been provided. These ilustrate that site visits w ould be conducted during the
mrtiggte support the Sub-postmaster with the migration and support the resolution of any queries.
We have been provided with verbal representation th at detailed project accepta nce criteria were agreed between Fujitsu and
POL, and then signed off during the lifecycle of th e project. An example of such accepta nce criteria in relation to Non
Functional Requirements has been provided to us to support this verbal representation,
Data Strategy Foundation I Detailed business and technical design documents ha ve been verbally represented to have been created during the delivery of,
Project the project life cycle,
Assurance Work was provided to demonstrate business scoping and approval of changes to be applied (including a benefits
realisation and costings ma p), requirements tracker document, testing strategy plan, testing report plan and migration
summary documents. We w ere also provided with an example of the weekly reporting process at project close which
demonstrated the level of governance and oversight the project had from senior stakehol ders.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
25
WITN10370171
WITN10370171
Summarising the work we have performed against Baseline risk we conclude that for each sampled change,
Assurance Work has been produced in accordance with defined change management or project methodologies.
We have not however been fumished with all key items of documentation we would like to review, due to the
availability of such documentation to POL, and much of the Assurance Work provided to us were confirmations of
verbal representations made during our work.
Further work will be required to perform ‘deep dive’ review of project and change documentation on particular high
risk areas (for example the original implementation of the audit store, and acceptance citeria sign off for the
Branch Database commissioning as part d the Horizon HNG-X Implementation project), in order to provide
assurance that the system baseline position were in place (timeframes of such positions varying depending on the
component of the system under investigation).
Assessment of Assurance against System Usage Risk Areas
Our assessment in each of these areas is that contained in system documentation from Fujitsu and operational
policy and procedure documentation fom the finance service centre, as well as efails Confirming verbal assertions
we received during the course of our work.
Our understanding of the design of controls responding to key risks
within Appendix 2. <
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
26
WITN10370171
WITN10370171
6 Matters for Consideration
In this section we set out our key matters for management consideration, further to the work we have performed
above.
We have structured this section as follows:
. ey Matters for Consideration, by Risk Area reviewed;
. actors to Consider in Formulating an Action Plan; and
. roposed Action Plan.
Key Matters for Consideration
Nature of
Risk Area Key Matters for Consideration Assurance
Work
a. Risk Appetite: During our work, only occasional linkage of work to the idk appetite of POL
was noted. Whilst not unusual in the c onsumér business sector, Such articulation and
embedding of risk appetite assists with the” ‘delivery of better optimised: nd prioritised key
controls and assurance activities.
Holistic Risk and Assur ance Framework’ A holistic, risk intelligent a ssessment relating to
” the identification and mitigation of key risks ta the integri of processing should be
considered in order to validate’the completenass of the Horizon Feat ures referred to in our Nia
work and thus provide a complete schédule of key controls that require assurance. Whilst
Assurance Work has beén provided demonstrating the’ use of key forums for tracking the
risk environment surrounding Horizon (suc-h.as theAnformation Security Management Forum
and Fujitsu Services Security Reports), these aren't set up to specifically consider the
holistic risk and asurance framework necessary to enable an overall comment on the
design, implementation and operating effectiveness of the Horizon Features
General
Project Governance: Governance procedures described to us (verbally) s uggest that the
expected fevels of business involvement in pre -go live system and user acceptance testing
Ǥ performed as part of system implementation projects over the Horizon IT system; and that
business users would be Appr opriately involved in s igning off of system requirements and
readiness to go-live (full ystem reconciliations). To supplement these verbal assurances,
management has provided us with s amples of documentation from the three sampled
change areas (Hosizon Implementation, Data Strategy Foundation, and Audit Store
changes). Despite these sources of evidence, management should consider whether further
(2) investigations into sources of assurance from the original Horizon implementation would be Verbal
worthwhile, given the im portance of establishing a well-founded baseline position over the tepresentations
System Horizon Features.
Limited
Baseline e
Audit Store Baseline: The implementation of Horizon HNG-X in 2010-11 was asserted to documentation
not have had a signific ant impact on the Horizon Features. In particular no changes were
made to the Audit Store as a result of the implemen tation. Therefore the ‘baseline’ position
for the Audit Store was established a s being at the original implementation o f the Horizon IT
system. Key documentation around the baseline position for the Audit Store has not been
able to be provided to us during the course of our work. We note that a security report was
verbally represented to us to have been commissioned during the original implementation of
the Audit Store, although this report could not be located and provided to us.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
27
WITN10370171
WITN10370171
Nature of
Risk Area Key Matters for Consideration Assurance
Work
a. Risk Appetite Assessment: Whilst work performed is comparable to that which we see at
other organisations, POL has not yet performed an exercise to assess coverage of key
controls and assurance work against their own ris k appetite.
End User Entity Control Considerations: The ISAE3402 report requires interpretation in
the context of these controls at POL. They are outlined in section 6 of the ISAE3402 report.
Without such analysis, the assurance provided by the ISAE3402 is weakened. W e are
aware that POL has nearly completed work in order to address such considerations.
Assurance Clarifications: in the context of detailed testing and assurance procedures,
there are areas of the ISAE3402 report which would benefit from further clarification, in order
to remove the risk of ambiguity from its inte rpretation, and overlaps with other sources of
assurance that may be performed. For example:
he report does not state from where populations of data tested in samples were”.
obtained and thus how expos ed conclusions may be to internal fraud or deliberate > Extensive
@) override of control (e.g. for change management te sting, were samples picked fromthe I documentation
population in the secure Audit Store, or from another source?);
IT
Provision
Independent
» he report does not draw out certain key features in the control design, which we would testing
assume are present, for example, control objective 4.8.11 (relating’to acoéss to the
system being restricted to appropriate us ers) does not explicitly’state and test tha t users
must have and use their own unique username, thus underpifning aut trail integrity;
and controls relating to the management of administrator access ‘could be more spacific
as to the extent and nature of the design of controls and testing performed
© he report is not explicit in the s ample sizes used fot testing ah
© he report contains tests which could be strengthe ned, Yor veoh cont test 6.5 in
section 7 appears to test through discussion with personnel only, without cla rifying if
anything was done to corroborate such vefbal assertions.
Internal Audit Work ~ Internal audit wor K conducted highligrts pr ogress in responding to
and closing down issues in relation to intemal auditrisks, but a number of issues remain
outstanding, Internal audit have als o not done any, spetific assurance work over the
allegations being raised on the Horizon system and POL yfespénse to the issues raised.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
28
Risk Area
(4)
System
Usage
Key Matters for Consideration
Risk Driven Considerations: The current documentation over System Us age Risks has
been largely written in response to key incidents or events, by non-indepe ndent parties and
from operational perspectives. Whilst detailed, it is also not written from a risk and
assurance perspective and is rarely evidential in i ts content
Risk and Control Framework: There are areas where an understanding of the design and
nature of operations relating to S ystem Usage Risks is available, but the design,
implementation and oper ating effectiveness of key controls has not been aggregated into a
risk driven framework nor formally assured through evidence based testing. Further, the
ability of documentation to fully support inf ormation relating to the detailed design of controls,
relating to System Usage Risks is unclear (e.g. whilst JSNs are sequential is there a
systems operations c ontrol which checks the completeness of this Sequence proactively?)
The Schedule of Assurance over Horizon Features we have formulated as part of our work
(and documented in Appendix 2) provides a basis for such a risk and control framework, as
well as targeted testing over key controls. Managem ent should consider enhancing thei
assurance provision by verifying the completeness of this schedule, and conductting
implementation and oper ating effectiveness testing of the key controls there-if.
Interfaces - DVLA: Whilst environmental risk relating to s ystem operation is largely
assured in the ISAE3402, we note that no evidence of specific or detailed testing or
assurance work has been carried out over System Usage Risks relating.tothe DVLA
interface (both IT and business in nature). We note that many interfaces observed donot
relate directly with the Horizon Features in scope for this review, bute recommend that
such activities be considered for inclusion in the overall is nd sontrot framework relating,
to the Horizon processing environment.
Audit Store: We observed the following: /
© tis not clear from the documentation we have been provided wheiter POL has agreed
that the current capturing of certain, key sytem events, is complete yd appropriate f or
potential governance and investigation feeds; and
© _nvestigatory work on the Audit Store has alllbeen_ performed by Fujitsu who, whilst
technically qualified, do not constitute an indépenient or risk experienc ed party for
assurance driven purposes. POL could tonsider doing’moré independent analysis of
Audit Store historic data to verify that it isecorded.i line with expected characteristics.
Proactive monitoring of Key System U sage Risks: The current assurance environment
appears to be “reactive’in nature, with exc eptions in processing triggering diagnostic and
remediation activity only when reported: It would a ppear that no use is being made of the
Audit Store, for prodetive monitéring of unusua) ot exceptional system events potentia lly
worthy of further investiga tion and action
Hardware controls over. the Audit Store: The Centera EMC devices used to host Audit
Store data’have not been Gonfiguredin the most secure EC+ configuration. As a result
system”administrators on these boxes may be able to process changes to the data stored
within the AaditStore, if other alternative software controls around digital seals, and key
granagertent are not adequately segregated from Centera box administra tion staff,
@. Branch Di
Three key findings were obs erved in relation to the Branch Database
being: /
© mathod for posting ‘Balance Corrections’ was observed from technical documentation
which allows for posting of additional transactions centrally without the requirement for
these trafsactions to be accepted by Sub-postmasters (as ‘Trans action
‘Acknowledgements’ and “Trans action Corrections’ require). Whilst an audit trail is
asserted to be in place over these functions, evide nce of testing of these features is not
available;
© recesses around Transaction Acknowledgements and Transaction Corrections are
subject to out of date documentation, or in the case of Transaction acknowledgements,
no documentation at all. Such documentation should be produced or brought up to date;
and
© ecurity on the Branch Database around the ‘Messaging Journal table’ is a key area of
risk due to branch transactional data being held on this table for up to a day before being
written to the Audit Store. it was unclear from the documentation reviewed whether
specific assurance work had been carried out in this area.
WITN10370171
WITN10370171
Nature of
Assurance
Work
Partial
Documentation
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
29
WITN10370171
WITN10370171
Factors to Consider in Formulating an Action Plan
In formulating the action plan to respond to the considerations raised above, we recommend that management
consider the factors below
Risk Appetite - In responding to both IT Provisioning, System Baseline, and System Usage Risks effectively,
management should consider their risk appetite, and target achievement of residual risk levels which are aligned
with this appetite. All the elements of the COSO model (articulated in Section 3) should then be considered to
contribute to the achievement of the desired risk appetite.
Risk Intelligence — To assure risk in commercial context, controls need to be assured on a prioritised basis, in line
with the defined risk appetite above. As part of the creation of a risk and control framework, we recommend that
management integrate risk intelligent contexts so that future enhancements to risk management activities are
appropriately prioritised to key, rdevant matters. \
Control Balance — In order to maximise both the effectiveness and efficiency of assurance, a balanced approach to
control must be adopted, whereby controls used to mitgate key risks are considered across two principle types
. reventative controls (designed to prevent issuesoccurriny ‘in the fitst instance); and
. etective controls (designed to identify issues if they écur’and take corrective action).
Proposed Action Plan
1
Set Rit ee \
Appetite Risk Appetite relating to the Horizon processing en vironment. ~_
Review of Project Documentation: Due td gaps in the documentation provided around th e Baseline position, we
recommend that, if documentation cah be Jocated, management performs deeper dive activity on key ar eas of project
gonzon and change risk. Such deeper dive ctivity should be focused on establishing a well-defined baseline position for the
'ystem . /
Position system in key risk areas rélating to the risk Staterhents made in the diagr am on page 9 of the ‘Approach’ section of
\ \
this document,— a \
3 Finalise ‘Risk’and Control Framew ork: Extend and confirm the completeness of the Horizon Features which are
Construct Risk I designed to exdrt contol over jhe Horizon processing environment. The framework can be used to prioritise key
once areas for iqproventant (retaing clarifications / the removal of ambiguity in existing s ources) and embed agreed
changes in Surrent assurance sources. A key component for the construction of this risk and control framework is the
initial information produced as part of our analysis and reproduced in Appendix 2.
Test Controls: Once the framework is verified as complete, key controls can be identified and evidenc e based
rest testing performed to validate (a) their implementa tion and (b) that they are operating effectively. In addition, this
Controls exercise can be used to feedback on the design of the control environment so that it can be optimised (.e.: maximise
coverage of key risks, with minimal duplic ation).
Test Historic Transactions: The Audit Store is asserted to contain seven years of Branch transactions, and a
5
jg I Number of system event activities. In addition, a n umber of assertions relating to data integrity and record / field
Test Historic
Transactions I structure in the database have not been validated b y parties outside of Fujitsu. POL could consider extracting the
Audit Store data and performing independent analytics to verify the expected characteristics are as described.
Sustain Assurance Delivery and Implement More Proactive Monitoring: The longer term assurance map can be
8
Optimise _I designed to sustain assurance delivery for POL over key risks. This may include a transition to a more proactively
‘eating monitored control environment (“continuous controls monitoring”), where automated alerts are generated if certain
key behaviours in the s ystem are identified.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
30
WITN10370171
WITN10370171
We have outlined below in some more detail the rationale and specific requirements of each stage of this action
plan:
1.
Set Risk Appetite - Management would benefit from setting their risk appetite in relation to the operation of
the Horizon processing environment. Risk appetite statements can suffer from imprecise or open statements
which are not effective in managing the subsequent response to risk. In the face of these challenges
management needs to set a risk appetite statement which is well defined and measurable.
Alongside the risk appetite statement there is a requirement to define ‘key risk indicators’ which can be utilised
to define and measure performance against risk appetite. These indicators will usually directly correspond to
the statements within the risk appetite statement which can be defined and measured, although may also
include additional indicators which are not directly called for within the risk appetite statement itself. For
example, given the particular risks faced in relation to Horizon at the present time, suggested key risk
indicators could include:
* umber of problem or security inddents on the Horizon system during a defined period:
* umber of allegations or concerns raised by Sub-postmasters during a defined period
. rrors or exceptions in processing reported during business as usual’ Processing;
. ey controls tested during the period; and MY >
. ey control exceptions during the period.
The above are not exhaustive and key risk indicators needto be considéred thoroughly in response to the
particular risks and controls which are required in response tothe riskuniverses formulated over the Horizon
processing environment. ~ \
Assure Baseline Horizon System Position — A detailed review over the controls functioning over the Horizon
IT system should then be performed to establish whether the baseline system was implemented in line with
business requirements and as intended. This \ would provide’ point in time assurance, giving confidence that the
solution has operated at this baseline since ofiginal implementation. The output of the exercise may also
highlight further Horizon Features which were identified jr’the implementation project but may have not been
apparent in the Assurance Work provided to us to date. Management however need to consider the likelihood
of success in spending more effort {2oekieg such further Assurance Work.
Finalise Risk and Control Framework — Eléments of the key control framework, in particular relating to IT
Provisioning Risks and Horizgn Features‘have now been documented. These assets could be extended to
cover the entiré Horizon, Processing Environment, and an exercise performed against stakeholders in the
business to formally veriits Gompleteness.
In constructing this framework the individual allegations being made against the system could also be
considered in detail (potentially matters that are unrelated to the IT system). Risks and controls identified could
also be categorised and prioritised in terms of their importance to the overall processing environment, in the
context of the risk appetite definitions above. The framework will also assist with the formal identification of
mitigating controls in the event that testing finds deficiencies in the operation of certain controls.
Test Controls — In most areas of assurance, POL management is reliant on the Horizon Features operating as
described, either in documentation or verbally. We recommend that management perform implementation and
operating effectiveness testing to validate and thus assure that the Horizon Features are indeed operating as
described.
Test Historic Transactions — It is noted that the Audit Store transactiona record has only ever been analysed
by Fujitsu, the outsourced service provider. Such reporting activity will be performed through operational
processes, unfamiliar with risk analytic techniques which can assess and profile Big Data sources through a
risk lens. We recommend that management consider such analytics on the Audit Store data in order to fully
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
31
WITN10370171
WITN10370171
validate its archived data and assure the existence of characteristics that would be expected. This exercise
would also provide valuable insight into those Horizon Features that could be automatically monitored as part
of the optimised risk and control environment described below.
6. Optimise Ongoing Testing — In parallel and as a result of the testing activities above, the risk and control
framework, and the assurance approaches there-on can be optimised, to provide a fully optimised, risk
intelligence assurance strategy.
Such a strategy would seek to:
. inimises duplication in the control framework, and the assurance activities there-on:
* _ upport targeted assurance provision in the context of existing or potential future allegations;
* rovide more measureable benchmarks of performance against other organisations;
* _ nderpin further efficiencies in the assurance provision, for example the automation of existing manual
controls;
* — ncentivise ongoing improvement in both the processes and the assufance‘ provision, by highlighting
deficiencies on a timely basis and reporting these directly back to'those business or outsourced
owners who need to take a remediation or corrective action id Lf \
. upport the maintenance of the completeness of documentation Over the Horizon Features.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
32
WITN10370171
WITN10370171
Appendix 1: IT Provision Assurance Source Mapping and Gap
Analysis
The mapping below outlines the more detailed IT Provision assurance mapping against IT Provision risks, ‘as summarised in Section 4:
Environmental Risk 02700) diate nee I COVEIARS I “(¢apsaudsedtion” Coes PCIDSS Covnane
of Applicability Rating Rating Rating
A.10 Communications and
Data converted from legacy systems
or previous versions introduces data I Operations Management
Change Crore it the conversion wanstews ‘A.12 Information Systems 48. 10Ghange 7
Requirement 6: Develop
and maintain secure
Ac Devel it "
Management I incomplete, redundant, obsolete, or auleiton, Development Management systems and applications.
inaccurate data. and Maintenance
A170 Communications and
Inappropriate changes are made to I Operations Management 7
system software (e.9., operating A112 Information Systems Requirement 6: Develop
Change. I system, network, change- Acquisition, Development fegonanee and maintain secure
9 management software, access- and Maintenance lanag\ systems and applications.
control software). -
‘A.10 Communications and
Operations Management
Inappropriate changes are made to I A-12 Information, ystems, I Requirement 6: Develop
enense ent I the database structure and Acquisition, Development fevsoret” and maintain secure
g relationships between the data. and Maintenance 9 systems and applications.
‘A110 Communications and 4.82 Backup
Operations Management 4.8.5 Incident
Financial data cannot be recovered I A.14 Business Continuity Management Information System
Operations I or accessed in a timely manner Management 4.8.6 Major Incident Operations not within
when there is a loss of data. Process scope for PCIDSS review.
48.7 Security Incident
Process
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
33
Environmental Risk
15027001 Statement Coverage
of Applicability Rating
A.10 Communications and
Operations Management
Coverage
Rating
Coverage
Rating
ISAE3402 Section PCIDSS
4.8.3 Job Scheduling
4.8.4 Availabilty and
Capacity Management
Production systems, programs,
4.8.5 Incident Information System
Operations I andlor lobe result in ynaccurate, Management Operations not within
processing of data 4.8.6 Major Incident scope for PCIDSS review
Process
4.8.7 Security Incident
Process
AAT Access Contro ,
Requirement 3: Protect
Inappopite changes are made aeazaccessto < Shred corholder sata
Securit databases, data files, and Requirement 6: Develo
y means other than application programs x ad maintain secure
transactions, systems and applications.
‘40 Communications and y,
Inappropriate changes are made to. I Operations Management (?
Application systems or programs A.12_ Information Systems \
that contain relevant automated ‘Acquisition, Development agsocnange Requirement 6: Develop
Security controls (j.e., configurable settings, I and Maintenance NeSaoemen. > and maintain secure
automated algorithms, automated agement. systems and applications.
calculations, and automated data
extraction) and/or report logic.
A ‘ i ‘AS Human Resources
Individuals gain inappropriate access I Security
to equipment in the data centre and I 9 ‘pr sical & “4584 Physical and Requirement 9: Restrict
Security exploit such access to circumvent Environ ental Securit Envir ba tal Control physical access to
logical access controls and gain y Aemvironmental Controls cardholder data
inappropriate access to systems y
‘Aat Access Contfo
Systems are not adequately / .
Securit configured or updated to restrict 4.8.10 Change Reauiremere &: Develop
ecurity system access to properly J Management and maintain secure
systems and applications.
authorized and appropriate users.
‘AAt Access Control 7 i
Requirement 6: Develop
The network does not adequately 4.8.9 Networks and maintain secure
Security prevent unauthorized users from 4.8.10 Change systems and applications,
gaining inappropriate access to
information systems.
Management
4.8.11 Security
Requirement 11: Regularly
test security systems and
processes.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
34
Environmental Risk
Users have access privileges
beyond those necessary to perform
their assigned duties, which may
create improper segregation of
duties
Security
15027001 Statement
of Applicability
A8& Human Resources
Security
A.11 Access Control
Coverage
Rating
Coverage
ISAE3402 Section ;
Rating
4.8.11 Security
4.8.12 Access to
databases, data files, and
programs
Coverage
PCIDSS Rating
Requirement 7: Restrict
access to cardholder data
by business need-to-know.
Requirement 12: Maintain
a policy that addresses
information security for
‘employees and
contractors.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
35
WITN10370171
WITN10370171
Appendix 2: Assurance Schedule over Horizon Features
We present below a schedule of the Assurance Work and sources we have identified which relate to certain groups of Horizon Features.
We have structured these in line with our three areas of assessment (System Baseline, IT Provision and System Usage), as defined in our report.
We have also recorded our assessment of the level of comfort that POL has over that Horizon Feature, defined as:
* “Significant” means we have seen Assurance Work that delivers comfort through evidence based testing by independent parties.
* “Partial” means we have seen Assurance Work in the form of descriptions in formal documentation, but no testing of implementation or operating effectiveness
+ “Limited” means we have seen Assurance Work that documents verbal assertions we-feceived during our work.
* “None” means that Assurance Work has not yet been provided to us.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
36
System Baseline
Baseline
Key Assertion
re. Processing
Integrity
The system was
fit for purpose
and worked as
intended when
Description of feature
The design of key elements of the
Horizon system relevant to the
integrity of auditing and capturing
transactions was formally agreed and
Assurance Work Source
No information provided.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual /
Automated / IT
Dependent
Manual)
first put in? signed off prior to systems
deployment. S :
Baseline I The system was _ I Traceability Matrices have been No information provided: Preventative Manual
fit for purpose I documented, implemented and <4
and worked as periodically reviewed to ensure that
intended when business requirement documents
first put in? have been regularly reviewed against D
project progress. /™~
Baseline I The system was I During the initial implementation of No information provided. Preventative Manual
fit for purpose the software, Key Project Governance.
and worked as mechanisms were put in place to- .
intended when I ensure the: ° \
first put in? Working Group
Steering Group/Project board
Requirements Review Group
Baseline I Major changes Traceability Matrices have been No information provided. Preventative Manual
since
implementation
have not
impacted the
system.
documented, implemented and
periodically reviewed to ensure that
business requirement documents
have been regularly reviewed against
project progress.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Level of
Comfort
WITN10370171
WITN10370171
37
Baseline
Key Assertion
re. Processing
Integrity
Major changes
since
implementation
have not
impacted the
system.
Description of feature
Key Project Governance mechanisms
have been enacted and operated over
significant changes to the system since
implementation. Examples of such
mechanisms include:
- Working Group
- Steering Group/Project board
- Requirements Review Group
Assurance Work Source
No information provided.
2
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
WITN10370171
WITN10370171
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Manual
Level of
Comfort
Baseline
The system was
fit for purpose
and worked as
intended when
first put in.
Prior to implementation into the live
environment (and in some cases post)
acceptance criteria in relation to key
system elements important for
auditing and capturing transactions
were formally agreed and signed off.
For Audit Store Baseline:
Example acceptance ériteria
document entitled Acceptance
Report 200709178L01:13WIP
(note no sigh off of
acceptance criteria is included
within this document).
For. 2011 Horizon
‘Implementation (BRDB
Baseline):
'Testing plans were provided in
the document ‘Copy of IT
Health Check 23-07-2009.xIs',
a Risk Assement of the project
has been provided in ‘Securty
All Risk Extract 090928 v2.xIs'
and Migration instructions
have also been provided in the
document ‘Migration _
Instructions.pdf'. Also a report
by third party consultancy firm
Wipro has been provided to
Preventative
Manual
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
38
Area
Key Assertion
re. Processing
Integrity
Description of feature
Assurance Work Source
demonstrate the project was
delivered as planned in the
document ‘Horizon :
Performance Test Audit Post
Office Limited ( POL)'.
For 2012 Data Strategy « \
Foundation (External Feeds
Baseline): L
- Example acceptance criteria
document entitled‘ CFD New
Requirements VL-11.xIs (note
no sign off of acceptance
criteria is included within this
document), Additionally, an
example of of a designed, and
réviewed Migration Strategy,
titled “Migration Strategy CFD
), v0.4’, was provided, in
jaddition to a Test Report,
I ‘POLTSTREPOO10 - CFD E2E
Test Report vO 1’.
Control Type
(Preventative /
Detective /
Monitoring)
\
Level of
Comfort
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Baseline
The system was
fit for purpose
and worked as
intended when
first put in?
The testing of key elements of the
system important for the auditing and
capturing of transactions was formally
agreed and signed off and then
delivered against.
For 2011 HNG-X
Implementation:
For 2012 Data Strategy
Foundation:
- Test Strategy Document
entitled ‘Acceptance Testing
Strategy’ - authorised version
dated 10/11/2011.
Preventative
Manual
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
39
Key Assertion
re. Processing
Integrity
Description of feature
Assurance Work Source
- Test Exit Report entitled
‘Client File Delivery Report E2E
- Exit Test Report’, draft
version 0.1 dated 06/01/2012.
Control Type
(Preventative /
Detective /
Monitoring)
XN
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Level of
Comfort
Baseline I Major changes Sign off for design of significant 2005 Design Proposal Preventative Manual
since change is formalised and documented. I ASDPRO27.doc
implementation 2005 Audit Centera API<
have not Implementation \
impacted the DELLD026.doc YZ “
system. 2002 Change Proposal /
CP3240.rtf _ \
2004 Change Proposal.
CP4021.rtf 7
Baseline I Major changes Acceptance criteria related to key 2002 Acceptance Test Preventative Manual
since areas such as the branch database and I Specification IAACS002.doc
implementation I audit store. Cima VY
have not
impacted the Yo \
system. .
Baseline I Major changes Test Strategy and Execution have 2003 Acceptance Test Report Manual
since been documented and signed off, and I IAACROO3.doc Preventative
implementation I provide an adequate audit trail for the
have not testing of key system features such as
impacted the the Audit Store and Branch Database.
system.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
40
Baseline
Key Assertion
re. Processing
Integrity
Major changes
since
implementation
have not
impacted the
system.
Description of feature
Independent Assurance over design of
HNG-X system by Gartner.
Assurance Work Source
No information provided.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
WITN10370171
WITN10370171
Control Method
(Manual /
Automated / IT
Dependent
Manual)
Manual
Level of
Comfort
Baseline
Major changes
since
implementation
have not
impacted the
system.
Programmes and projects effecting
the Horizon system are controlled and
governed using an established change
methodology.
Harmony Delivery Lifecycle
document
Preventative
Manual
Baseline
Major changes
since
implementation
have not
impacted the
system.
Independent Assurance report over
testing procedures has been obtained.
Wipro petforinance testing
feport;
Preventative
Manual
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
41
IT Provision Assurance
WITN10370171
WITN10370171
Key Assertion re. Description Source Control Type Control Method Level of
Processing Integrity (Preventative / (Manual / Automated Comfort
Detective / /\T Dependent
Monitoring) Manual)
Provision I IT supporting Management have ISMF Minutes Preventative
processes are well established forums to FJS Security Report
controlled. oversee the performance of S
third party IT providers. gj
Provision I IT supporting POL has documented end POL End User Preventative Manual
processes are well user control considerations Considerations C4
controlled. to supplement third party Document
service provider controls
assurance reports ~ v
Provision I IT supporting Third party assurance ISAE3402 Report” Preventative Manual
processes are well reports are in place to PCIDSS Report
controlled. ensure the overall control of ry) ,
the IT environment, \/ ¥
including: ISAE 3402 reports,
PCIDSS compliance report
and 1SO27001 certified ~~
accredition. }
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
42
Usage Assurance
Key Assertion re. Description Source Control Type Control Method
Processing Integrity (Preventative / (Manual / Automated
Detective / /\T Dependent
Monitoring) Manual)
Counter transactions Digital Signature is applied to I Horizon Online Data Preventative Automated
are recorded each transaction basket at Integrity_POL N
completely, accurately I the point of counter document. J
and ona timely basis inception to prevent °
centrally. downstream tampering. \
Usage Counter transactions Transactional Verbal confirmation” Detective ~ Automated
are recorded Acknowledgement and from Rod Ismay and.
completely, accurately I manual review Jane Smith in Finance.
and ona timely basis Shared Services. 7
centrally. \ >
= oa
Usage Counter transactions Sequential numbering is Horizon Online Data Preventative Automated
are recorded applied to each counter Integrity! POL
completely, accurately I basket prior to digital document.
and ona timely basis signature application to XO
centrally. provide a ‘baked in‘ . NU
sequence check. . }
Usage Counter transactions Oracle commit and roll-back IHorizon Online Data Preventative Automated
are recorded
completely, accurately
and on a timely basis
centrally.
process is atomic (i.e. either
a complete transaction is
posted or nothing is posted).
Integrity_ POL
document.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Level of
Comfort
WITN10370171
WITN10370171
43
Key Assertion re.
Processing Integrity
Counter transactions
are recorded
completely, accurately
and ona timely basis
centrally.
Description
A fall back mobile link is in
place to ensure that if
transactions are still
processed in a timely manner
Source
Horizon Online Data
Integrity_ POL
document.
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual / Automated
/\T Dependent
Manual)
Level of
Comfort
Automated
Usage Directly posted Formalised change control Email communication Preventative Manual
transactions, such as approval and monitoring from John Simpkins . \
“Balancing process over the usage of dated 15/05/2014, L
Transactions", are Balancing Transactions articulating control YS
visible and approved. design around this N\ \
process. °
Usage Directly posted An audit trail log is in place Email communication_/ Detective Manual
transactions, such as to monitor the use of from John Simpkins
"Balancing balance transactions. The log I dated,15/05/2014,
Transactions", are is monitored by an articulating control
visible and approved. independent department ‘design.around this
that does not have access to “process.”
the function. ax .
Usage Branch Ledger JSNs are processed into the. Technical Design Preventative IT Dependent Manual
transactions are
recorded accurately in
the Audit Store.
audit store and reviewed,
when users access audit —
store information. Audit
store will automatically
detect non-sequential files
that are then processed by
the Tivoli monitoring tool
and investigated where
appropriate.
Document for Audit
Extract Process -
DESAPPHLDO029.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
44
Key Assertion re.
Processing Integrity
Branch Ledger
transactions are
recorded accurately in
Description
Digital seals are in place to
ensure that files are not
amended following load to
Source
Technical Design
Document for Audit
Extract Process -
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual / Automated
/\T Dependent
Manual)
Level of
Comfort
Automated
the Audit Store. the audit store DESAPPHLD0029 S
Usage Branch Ledger The digital seal applied to the I Security Architecture Preventative Automated
transactions are batched digital signatures Document \
recorded accurately in I ensures that any Network Architecture °
the Audit Store. amendments to data leaves a I Document A
traceable audit trail Cryptography \ YS
Architecture _ \ \
Document “ ~~ -
Usage Branch Ledger JSNs are processed into the BRDB Technical Design Automated
transactions are audit store and reviewed Document
recorded accurately in I when users access audit Audit Technical Design
the Audit Store. store information. Audit Document
store will automatically . >
detect non-sequential files VY
that are then processed by )
the Tivoli monitoring tool
and investigated where \.
appropriate. ‘
Usage I Branch Ledger Formalised change control I Email communication I Preventative Manual
transactions are
recorded accurately in
the Audit Store.
approval and monitoring
process over the usage of
Balancing Transactions
from John Simpkins
dated 15/05/2014,
and articulating
control design around
this process.
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
45
Usage
Key Assertion re.
Processing Integrity
Branch Ledger
transactions are
Description
Audit trail monitoring the
usage of balance
Source
Email communication
from John Simpkins
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual / Automated
/\T Dependent
Manual)
Level of
Comfort
Manual
recorded accurately in I transactions dated 15/05/2014
the Audit Store. S
Usage Information from the Logical access controls in Audit Store Preventative Automated
Audit Store retains place over user management I Procedures ~ >
original integrity. to ensure that only y VY
appropriate staff have access YS
to extract information from >» 7
the audit store
Usage Information from the Hardware controls are in Audit Store > __ I Preventative Automated
Audit Store retains place to prevent the Procedures - /
original integrity. modification of data in the “.
audit store y
Usage Information from the JSNs are processed into the Branch Database Detective Automated
Audit Store retains
original integrity.
audit store and reviewed
when users access audit \—
store information. Audit
store will automatically
detect non-sequential files
that are then processed by
the Tivoli monitoring tool
and investigated where
appropriate.
‘I Procedures
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
46
Usage
Key Assertion re.
Processing Integrity
Information from the
Audit Store retains
original integrity.
Description
The digital seal applied to the
batch on data transfer is
checked back to the initial
seal to ensure that hash
value has not been altered.
Source
Branch Database
Procedures
Control Type
(Preventative /
Detective /
Monitoring)
Detective
Control Method
(Manual / Automated
/\T Dependent
Manual)
Level of
Comfort
Automated
Usage I The system used by the I 3 way match between Data Flow Diagram YY IT Dependent Manual
Finance teams for Branch Database, provided by Finance J a
control contains all Transaction file and POLSAP (Jane Smith) YS
records load file
Usage Data posted from Amendments posted Transactional _ Preventative Automated
other systems and centrally via transactional Corrections Procedural
teamsis visible to and I corrections must be Evidence
accepted by sub post- approved by sub-Post ° a)
masters Masters must be approved C J y
before they can be applied to I
the Branch Database _~ SS >
Usage Data posted from Amendments posted .I Branch Database Preventative Automated
other systems and
teams is visible to and
accepted by sub post-
masters
centrally via transactional
adjustments must be
approved by sub-Post
Masters must be approved
before they can be applied to
the Branch Database
Procedures
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
47
Usage
Key Assertion re.
Processing Integrity
DBAs or others granted
DBA access have not
modified Branch
Description
Sub post-master must
functionally approve the
Transactional
Source
Branch Database
Procedures
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
WITN10370171
WITN10370171
Control Method
(Manual / Automated
/\T Dependent
Manual)
Level of
Comfort
IT Dependent Manual
Database data. Acknowledgement file S
produced by the POLSAP x
system before items can be -
processed through to the \
branch database. Vv
Usage I DBAs or others granted I Formalised change control __I Email communication I Preventative Manual
DBA access have not approval and monitoring from John Simpkins \ <
modified Branch process over the usage of dated 15/05/2014,
Database data. Balancing Transactions and articulating ¥
control design around
this process.,
Usage DBAs or others granted I Audit trail monitoring the Emait communication Preventative Manual
DBA access have not usage of balance from/John Simpkins
modified Branch transactions - ‘dated 15/05/2014
Database data. / \\ 7
Usage DBAs or others granted I Hardware controls are in J Audit Store Preventative Automated
DBA access have not place topreventthe Procedures
modified Branch modification of data in the
Database data. audit store
Usage Counter transactions TWS scheduler and ISAE3402 Detective Automated
are recorded
completely, accurately
and ona timely basis
centrally?
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
monitoring processes are
defined and formalised.
48
Usage
Key Assertion re.
Processing Integrity
Counter transactions
are recorded
Description
Logical security access
controls in place to minimise
Source
Security Architecture
Document reference -
Control Type
(Preventative /
Detective /
Monitoring)
Preventative
Control Method
(Manual / Automated
/\T Dependent
Manual)
Automated
completely, accurately I the risk of inappropriate ARCSECARCO0003
and ona timely basis access to the counter section 6.2 and S
centrally? software within branch. ISAE3402, PCIDSS and xm
15027001 reports as 7
well. . \
Z \
Usage Branch Ledger Logical security access ISAE3402 report. I Preventative Automated
transactions are j
recorded accurately in
the Audit Store?
controls are in place in
relation to the Branch
Database and audit store to
ensure that only appropriate
staff members have access.
Key transactions and tables
are monitored and activity is
verified by an independent
third party. Z
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Level of
Comfort
WITN10370171
WITN10370171
49
Appendix 3: Inventory of Documentation Reviewed
The following documentation was reviewed during the course of our review:
Document Document Document Type
Number
1 Horizon Core Audit Process (Powerpoint) Other sources of comfort
2 Factfile (updated with SS comments) Other sources of comfort
3 ISAE3402 Report over Fujitsu managed service on Horizon Assurance
4 Centrally Generated Transactions document Other sources of comfort
5 POL Summary of Horizon Anomalies Referred to in Second Sight Report ‘Assurance
6 Report on Local Suspense (14 Branch) Issue Other sources of comfort
7 Report on Receipts Payments (62 Branch) Issue Other sources of comfort
8 Spot Review Bible v Other sources of comfort
9 Horizon Data Integrity Document Other sources of comfort
10 Horizon Data Integrity Document Other sources of comfort
1 Fujitsu 15027001 Certificate Assurance
12 1S027001 Statement of Applicability produced by Fujitsu Assurance
13 PCI DSS Attestation of Compliance Assurance
14 PCI DSS Report by Bureau Veritas Assurance
15 ISMF Minutes for three months Other sources of comfort
16 Fujitsu Security Reports for three months Other sources of comfort
17 Fujitsu Information Security Management System (ISMS) Scope Other sources of comfort
18 Horizon Solution Architecture Outline Other sources of comfort
19 Post Office to Driving & Vehicle Licensing Agency Automated Payments Client File Interface document Other sources of comfort
20 DVLA Internal Web Service High Level Design document Other sources of comfort
21 Security All Risk Extract Other sources of comfort
22 Migration Overview Document for Horizon system Other sources of comfort
23 Horizon Technical Security Architecture Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
50
Document Document Document Type
Number
24 Solution Architecture Document Other sources of comfort
25 Batch Processing Overview Document Other sources of comfort
26 EMC Centera Acceptance Test Report - IAACROO3 Other sources of comfort.
27 Centera Accepting Testing Specification - IAACSO02 Other sources of comfort
28 Application Interface Design - DELLD026. Other sources of comfort
29 Audit Server Specification Design -TDDESO71 Other sources of comfort.
30 Configuration Design - TDMANO06 Other sources of comfort
31 Configuration Design - TDMANO09 Other sources of comfort
32 Centera star OS upgrade to version 2.4 design proposal Other sources of comfort
33 Centera star OS upgrade to version 2.4 design proposal Amendment -CP4021_/ Other sources of comfort
34 Centera star OS upgrade to version 2.4 design proposal Amendment -CP3241 Other sources of comfort
35 Exception and Event Guide - TDMANOO7 g Other sources of comfort
36 Functional Separation - CRFSPO06 Other sources of comfort
37 High Level Design - SDHLD001 Other sources of comfort
38 Audit Data Retrieval - SDHLD002 - Cy Other sources of comfort
39 Centera Migration HLD - TDIONO39 Other sources of comfort
40 Centera - High Level Test Plans - VIHTP014 / Other sources of comfort
41 Horizon System Audit Manual - IAMANOOS5 Other sources of comfort
42 Low Level Design Document i Other sources of comfort
43 Centera Operational Procedures - TDMANO08 Other sources of comfort
44 Centera - Performance Test Specification - TDLLTO08 / Other sources of comfort
45 Centera Support Guide - TDMANO17 Other sources of comfort
46 Centera Support Guide - TDMANO018 Other sources of comfort
47 Centera Test Report - VITRPO29 Other sources of comfort
48 Centera User Guide - TDMANOOS Other sources of comfort
49 Data Strategy Foundation - 04 - G149 Data Strategy Foundation - Client File Transfer - PODG Closure v2 0 Other sources of comfort
50 Data Strategy Foundation - CFD New Requirements v1.11 Other sources of comfort
51 Data Strategy Foundation - Data Strategy Foundation Test Strategy V10 Other sources of comfort
52 Data Strategy Foundation - Migration Strategy CFD v0.4 Other sources of comfort
53 Other sources of comfort
Data Strategy Foundation - POLTSTREPOO10 - CFD E2E Test Report vO 1
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
51
Document Document Document Type
Number
54 Data Strategy Foundation - Revised business case CFD 24 1110 Other sources of comfort
55 Horizon Technical Network Architecture - ARCNETARCOO01 Other sources of comfort
56 Horizon Crypto Services High Level Design -DESSECHLD0002 Other sources of comfort
57 E2E data flows Other sources of comfort
58 idocs involving settlement Other sources of comfort
59 Process Management Systems Diagram (Version 14 - 24.10.2011) Other sources of comfort.
60 AR11.005 - Horizon controls Other sources of comfort
61 AR12.050 - Horizon follow up Other sources of comfort
62 AR12.050a -Follow-up Horizon May2013 Other sources of comfort
63 Horizon Counter Application High Level Design - DESAPPHLD0047 WA . Other sources of comfort
64 COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICECAND PROCESS CONTROL Other sources of comfort
65 Horizon Operational and Support Services Requirements < Other sources of comfort
66 ACCEPTANCE REPORT FOR DESIGN WALKTHROUGH EVENT DWO3 ~SECURITY_ Other sources of comfort
67 Draft Deloitte Phase 2 Instructions (RDW 07 05 14)2 Other sources of comfort
68 Phase 2 - Areas of Focus diagram (DRAFT v1) v 4 Other sources of comfort
69 Project Zebra - Phase 2 Potential Next Steps v3 \ Other sources of comfort
70 REQAPPAIS1392v3.2.PayStation.ETL “) WA Other sources of comfort
a REQAPPAIS1391v2.1.P0Go.ETL. Other sources of comfort
72 Acceptance Report 20070917BL01.13WIP Other sources of comfort
id All Streams Plan vsn 0.98 ad \ Other sources of comfort
4 BC PLA 001 v 0.3 / Other sources of comfort
if BCO20 HNG PD Potential Risks and Issues Register v1.0 Other sources of comfort
76 Change Management Assessment Template Other sources of comfort
a DES SEC HLD 0010 v 1.0 Other sources of comfort
78 Engagement Meeting Log Notes v1.2 Other sources of comfort
79 Gartner Report Findings 1.1 with Appendix Assurance
80 HARMONY Full Guide 1.1a Other sources of comfort
81 HARMONY Full Guide 1.1a Other sources of comfort
82 HNG Benefits Tracking in confidence May 08 final Other sources of comfort
83 Other sources of comfort
HNG Board Report 080408
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
52
Document Document Document Type
Number
84 HNG PID v1.3 Other sources of comfort
85 HNG Reqts Team Meeting 050606 Other sources of comfort
86 HNG Risk and Issues 070424LY Other sources of comfort
87 Horizon Testing Strategy - HXTSROO1 Other sources of comfort
88 In Touch report for HNG 080418a Other sources of comfort
89 In Touch Report for HNG 081205 Other sources of comfort
90 POL HNG IMP 002 v 1.0 Other sources of comfort
91 POLHNG REQ014 Other sources of comfort
92 QRHO31 HNG Reqts PID v0.1f Other sources of comfort
93 ACCEPTANCE REPORT FOR Horizon ACCEPTANCE GATEWAY 1 & 2 - REQ GEN ACS 0001 vo. 2 Other sources of comfort
94 Horizon GENERIC ACCEPTANCE PROCESS -REQGENPROO735 / Other sources of comfort
95 Stakeholder Engagement Log_091218 Other sources of comfort
96 Test Report for the Integrity Testing of Horizon Data-centre Disaster Recovery.— Week Commencing 1st
September 2008 - SVMSDMREPOO0S Other sources of comfort
97 Wipro - Horizon : Performance Test Audit Post Office Limited ( POL) “ Assurance
98 DVLA Internal Web Service High Level Design - DESAPPHLD0012 Other sources of comfort
99 Audit Data Retrieval High Level Design - DESAPPHLD0029 _/ Other sources of comfort
100 Audit Data Collection & Storage High Level Design - DESAPPHLD0030 Other sources of comfort
101 Horizon Counter Application High Level Design - DESAPPHLDO047 Other sources of comfort
102 COMPONENT TEST PLAN FOR Horizon COUNTER INFRASTRUCTURE: SERVICE AND PROCESS CONTROL -DEV
CNT CTP 0068 v 2.1 Other sources of comfort
103 DVLA AP Client File AIS Other sources of comfort
104 Product Branch Accounting - Issuing Process forTransaction corrections v0.1 Other sources of comfort
105 Audit Data Collection and Storage High Level Design Other sources of comfort
106 Data Flow - Transaction Processing for client file delivery Other sources of comfort
107
Data Flow - NBSC Miskey Process - Network Banking
Other sources of comfort
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
53
With the prior permission of POL, the following individuals were interviewed or consulted during the course of our review:
Contact Name
Job Title / Role
Organisation
Dave King Senior Technical Security Assurance Manager POL
Julie George Head of Information Security and Assurance Group POL
Rod Williams Litigation Lawyer POL
James Davidson I Fujitsu Primary Point of Contact Fujitsu
Pete Newsome Quality responsibility Fujitsu
Will Russell Regional Network Manager NT - South POL
Phil Norton Horizon Requirements responsibility Atos
James Brett Senior Test Manager — Post Office Account Atos
Bill Membery Requirements/Testing responsibility on Horizon Fujitsu
Gareth Jenkins Distinguished Engineer Fujitsu
Neil Crowther Senior Business Analyst POL
Matthew Lenton I Document Management responsibility Fujitsu
Rod Ismay Head of Finance Service Centre POL Y
Jane Smith AP Enquiry Team Leader, Finance Service Centre “ROL
Dave King Senior Technical Security Assurance Manager POL
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
54
WITN10370171
WITN10370171
Appendix 4: Engagement Letter
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
55
Deloitte.
Me Chris Aaja
Pat Office Lad
148 Od Steet
London
BCTV 9HQ:
Apit2004
Dear Sits
STRICTLY PRIVATE AND CONFIDENTIAL,
‘We are pleased to set ct for your approval the
Ditee Ca CPL" or "You We weal at You we mapong lees Gat te
“pion VGA" I som edo rec enact Pt es bce, elective
that the processes associated with ar inadeuate (the ~Allegstions”)
1 one to resp better tothe Alegations, You require services fom ws, as outlined in paragraph
2(b) below, These arrangements are set ut inthis fete together with the enclosed Terms of Busines
tnd appendices
So that we re able to ait You festive. plese ens that You have conser uly al of the
terms aad ceritions Set ut this ete adh enctomares ad that You are sts thatthe cope of
si Servies decribed below i suficient for Vou need
1 Scope and objectives
tn ees rap ter the Allegany ich hare x, wil ol too cine
be, atone sour, You wardens athe io HNG-X sae a and
{0 Hlrizon NX operating roma and pocesing ite)
These of wting ie tm Dub LLP CU) Dee) et pri, nd pon te,
‘made pee ine.
Cour wok setae oir Yor eaten ay Motz LG pe, pemaaon
‘cussion with the POL Bowed at T meek)
We that the input sin i Kem Yo
reas of additional work hat You may choose wo commission to
Sei SESS
(Onder or parse Engagement
Ev nrenvaeemem\/
describe in Section 2(8). (the “Parpeee")
DRAFT FINDINGS
Deloitte.
fad tht any work being. by in with this eter is
la elation to ongoing aor fora ‘ad ence i subject
Sib pede as
In ation, this matter i svietly confidential. Save as permited under Section 4 of our terms of
business,
‘8 information relating to this matter, or our work for i, wil be dvclosed to any tied pty
‘without ual writen coment
‘You have advised sth all Sorrenpondnce anal
Lawyer. The elie 0
Paula Vonnells, Chief Executive. We note that we will be advised of ary fatare changes tothe client
‘eam,
‘Togetber they comprise the “Client T
(0) Services
Part I of our Services wll rove the following:
aii sis: ts Ms ti stew:
mater that we may deem necenary to complete oer
Page 20f 8
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
WITN10370171
WITN10370171
56
© Obinin an understanding of the Key differences between the curfent Horizon HNG-X
‘othe system which thin thereto 10 atthe “legacy
Horizon systen".
‘© Review, understand ond consolidate the investigations, assurance activities and
‘teemediation actions which You OF third parties have undertakes (see Appendix I for the
“Sources of Information” known to be within scope at this stage) focussing ox three prinsary
areas:
9 Seth Sat hn Seen pedorned osu SoS sd sponte sonrl
‘tivities that crested and preserve the integrity of processing weross the Horiave
HING-X environment (the Audit Store),
©, sia pac cde enn Sn ‘openon ey ten
‘with the DVLA tind
‘that created and preserve the integrity of
Durty sytem andthe Hovzon HING-X envionment;
° igations wd actions that have been taken in response to the thematic
Findings of
cuittined in Your supplied document “POL Summary of Seeand Si
=e a
© Hold discussions with relevant members of Your staff aad other hey stakcholders as pre-
agreed with You, to deliver the work outlined above;
‘© Prepare the Deliverable outlined in section 2(4) below;
. twice weakly menting or conference ele with Your let Tam, oop oor
Spree satan of oh ade entry wie oy Det tad
Carry out anyother work required by You whichis reasonably incidental tothe shove
‘You do not require Deloitte to comment on oF test the quality of the surance work
pinion bs sony, tla sans, ior of ora HR
‘environment (nor the heyacy Horizon systern)
‘As engagement coquirements are discussed, clarified and agreed further, we will
-seope wed timetine for such work vis the ‘Order process at set out it
‘work You require us to perform will be agreed unser these Change Onder
tat will nt be leat to:
© Testing on dain held within the system audit tails, 10 seas (For
‘previously drawn by Fujita into the extent of known deficiencies,
. ‘ad profiling of system audit tails, to look for chamcterstics of ud twonds in
prove yordord.cropsehspecnerseryt
+ Enguicy into and tewting of the nature and extent of unit, system and user acceptance testing of
‘the Horizoe HING-X processing enviroment, during is implementation,
© More detailed consideration as 0 any aspects of the internal control environment which
‘operate over the current Horizon IING-X processing eaviroament which were aot in place of
operating over the legacy Horizon system,
Understand the manure an extent of interfaces ith other thd party systems and text the
‘opcrating integrity of dtaflows to and from certain of these nyvensy, and
Pages of 8
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
+ Testing of responses to thematic concems mised by other independent reviews,
Te sae fo series ada divers wl be mid shy wo the Sevan Daven
set out in this Contract. We will make no representations in respect of and will not consider any other
aspect
‘Our ‘work will be performed through # combination ‘of desk baved inspection of documentation,
corroborative enquiry snd theoagh thing party provided evidence or contact, ax agreed between You
si
(©) Owe responsi
In performing we will be responsible for:
. aking 8 necessary to ue and
accurecy of ou report with You.
ni i te iris etn ie, el an i ie ne
ton given tous hi the course of the Services. fn particular, unless otherwine
‘You to do s0, we will not perform or re-perform say assurance work that has texted and
‘on the design, implementation and operational effectiveness of any internal conttols over
processing environment,
by db th ee orion va: Wil we wl opr ww og
‘the information
‘mn particu, we note that, in certain respects, we will be reliant on the integrity of those people wom
‘se interview, aed that cur ability to eoeroborate and test what we have bees tok! may tse limited by the
available information
‘We shalt discuss with You auy difficulties we encounter with completing our work should ony
problems arise.
Yow schnston ht Yi we repo rei dma vhs ere
control system that reduces the likelihood tht errors. or leregularities will oecur and remain
‘undetected however, it does aot eliminate that possibility. Nothing in owr work guarantees that erors
(oF regularities wil at occur, Hot ist designod to detect any such erors or ireyularties shoul! they
oxour.
‘The scope of our Servicer and our responsibilities will aot involve ws in performing the work
necessary for the purpose of providing. neither shall we provide, any assirance on the reliability,
Foes comlon occa ww of yp, bar pean we one Croce
financial information”) no the reasoeableness of the undertying asnimytions. Since any prospective
‘financial information relates tothe future, i may be affected by wnforescen evertn. Acti results are
UUkely o be different from those projected because events ated circumstances frequently bo not occur as
‘expected, ad those differences mary be material,
Page 4 of 18
WITN10370171
WITN10370171
57
Deloitte,
(4) Format und use of the Detoite Deliverables
‘The ie od ng fa pi Cn Taha) en tm De end ws Ye, The
ry nd a written report, as follows:
Executive Summary:
© Asumiinary of our objectives, approach, work performed wad observitots, weit Yor Bowed
Decne id can a it mening oh 38 Ae 2914 (ang ny by oan
points, i aeeinia eile nin hoe ‘our assumptions and the fulfilment of
‘Yoor responsibilities, below)
‘Writen Report:
‘© Introduction — recosifirming the context of ove appointment and the scope of work performed
© Our Approach ~ outlining epoca hove del pn dry of or wet oe
documents reviewed and the individuals we have
a the HING-X ng Em
‘Provided to 8s, provide an overview:
© Relating to the Technical ‘environment ~ envisaged to be a description of
technical
iat to es IS. pee, sang Wem
~ bawed Ge the documentation
provided 1
ay ak ig 6 png lai ib ig Hci Ga
ftpeaed by Foie, ching th ong nd cowrton of the etn itr
protocols (the Audit Store;
ay seer lng 8 sii hail ch han,
software components,
hardware components, ~~
. ites ig hy inliading the timing of We implementation the
‘of Governing responsibilities }
‘over this project and the key me O
rato (tloaeg coor tnlng jroeaans,blor
user Support end system recovery, and assurance rexponsibilities er these” =)
© Relating to the User pig hele,
‘exvieoomest of the Horizoa HING-X. system, consisting
provided 10 wx:
‘© a description of the types of users in the system anid the
‘Which Hlorioe TING-X is accesible,
‘the sypes of transactions
integrity
variances
Bl ederbedongiry
‘sdoptedI
. ‘ey ofthe esr felled defects in Hernan HNGEX.
© An Assurance those sourves of Your assurance which You have shored with
+ showing
‘ey snd the areas of ey tsk relating tothe integrity of processing that these weve designed to
asvare,
Page Sof 8
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
‘© Matters for Consideration - an astesament of Your Assurance Map in the context of Your
‘objectives aed significant matters we have observed during our work that we recomumend You
‘consider further.
‘Any Deliverable should not be copied, referred to or quoted to any other party, except i the context of
‘Your defence of the Allegations, or be used for any other purpose. We draw Your attention to elauye $
of the enclosed Terms of Husiness that sets out the conditions under which the Deliverables will be
provided to You
{In the event that You wish to share our Deliverable with third paities, we may consent to such « course
abe i fail." ema snleings (or Set ete There procedures notify
+ the to chem. will not create any uy, Nabilty or responsibility whatsoever to
in 10 our Deliverable or any ofits contents;
yeas not prepared for their use or with their aces or intrests in and: wont
Y they) ‘ar Deliverable confidential and not copy or create oer Delivers, oF
\ any extracts Of tet, to any thir pty without cur expres written permission.
1m connection with the provision sf the Services, we refer Yow to clause 3 of the encloned Terms of
‘Business. These continm Your responsibility for the provision of information wad decision-making in
‘we are to provide. fa. ‘our delivery of the is dependent
following:
Snoonniyten
You agree fo making available to ws all information You deem relevant to this view,
You agree to providing timely access to relevant persoonel in order for us to obtsin sufficient
Information to inform our vaderstanding and report,
'¢ Unless we are otherwise instructed, You agree to carrying oot ail contact with thind parties;
You ngree ta providing » nominated point of sontact for ws thoughout the work;
© You agree to provide « room for our team and secure storage facilities for paperwork, if required,
(148 Old Street, London: sod
‘+ Yow agree to assess the Deliverable we provide to You, to determine the most appropriate courses
‘of action for You.
Pape bf 8
WITN10370171
WITN10370171
58
‘You scknowledge and agree that oar performance of the Services is dependent on the timely and
‘effective completion of Your own activities and responsibilities in connection with this engagement,
‘6 well as timely decisions and approvals by You.
‘The responsibilities set out above and those contained in clause 3 of the Term of Business are
togetber referred to ja this Contract m the “Chiewt Respomsibiities”.
() Assumptions
The Services, Charges (as set out in Section 4 below) ind timetable are tase pon the following
assumptions, representations and information suppticst by You (° Asmamptions”)
‘© Hoviaoe 1ING-X-is alse knows ay Horizon Online J Your organisation. We will refer tr the
‘Processing environmeat a3 Horizon HNG-X through-out our work. The system whieh Horizon
TING replaced wil be referee lpaey Howton sytem
© Only matters relating 10 the HING-X processing will be in ou
eview, i cour Erne ng te Se Hin Sen, OR he
ry for us to obtain an ‘hat te
Hatton INGIX deed hen wes ineend
1 Detoitt will not provide « legal or any ether opinion at any poitt throughout the work:
‘+ That sufficient information is avaiable On a timely basis regarding the scope of Services ant
[Deliverables for us to be able to carry oat ove work,
+ That all pertinent joformation relating
‘Provided 10 ws such that we are fully aware of the detail of the
© Unless otherwise iastructid, that Deloitte staff will have no dirvet contact with any third
‘other thao naied Fujitss contacts that You provide tw ws;
+The individuals we muy toed to interview will be available 10 ws for sufficient time for \e to —
perform our work during the period of our assessment and third paris can be contacted
timely basis by You to request further ieformation shoul! this be required, A
‘© Deloitte will not verify oF test any information provided directly by You, Ss)
parties via Yous
+ edo sos Sok soph 8 ek pert
agente ey ena ot
‘+ Deloitte will not review any contractual provisions in place between You nnd thint partes,
(©) Client contacts
‘We understand that Rodric Williams, Litigation Lawyer, will be Your nominated point of contact ant
that requests for information and documentation shouk! be copied to Blinds Crowe.
Page Toft
tee mas ibe aang suet Von bo be \
Deloitte.
4 Our Charges
‘We will base our charges pom the ectul time and materials incurred, plus out-of-pocket expenses snd
epplicuble velue added tax. The billing rates we will apply match hove of previous specialist advivory
‘wuirk which vee have performed for You in 2013.
‘We estimate thatthe Part 1 work will take 15 days of senior time to deliver, To provide some
‘over our fees, we will eap our total fee for Part 1 work at £50,000 (plus VAT and out of pocket
expenses), for work done undet « Change Order will be hascd on the rate cand below (in
ssddition Wo this fee cap for the Part 1 work), unless otherwise agreed.
course of our work, or Change Order there-cnder, » need for ancillary specialist services
‘entitled, agreement 19 thoir use and related changes will be obtained
‘The enclonod Terms of Business form an integral port of the Contract between ws and Your attention is
dewwn to them. You agree that for the purpowe of claute 6 of these Terms of Business, our aggregate
liability arising fom or in any way in conection with the Services shall not exceed £750,000,
© Variations
6 You or we wish to request or recommend any addition, modification or other change to the Services
‘0c performance required under this Coninct, we ench agree to follow the change control procedures
described in Appendix 2,
Pape 8 of 8
WITN10370171
WITN10370171
AAD FINwINeS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
59
Deloitte.
Acksowledgement and acceptance
We appreciate the opportunity to be of service 19 You and look forward te working with You on this
‘assignment. You can be assured that it will receive our chose attention.
Uf, having considered the provisions of this Contract You conclude that they are reasonable in the
context of ail the factors relating to our proposed appointment and You wish to engage ws on these
terims, please let us have Your written agreement to these arrangements by signing and returning t0 us
the enclosed copy of this letter.
‘Yours faithfully
bin
Post Office Lid agrees to the appointment of Deloitte LIF on and subjeet to the terms of the,
Contract set out
wo GRO
me CO
Primed Name Ae My cae & (
Ce $a.
Position: 5 NE Or
bate 2514 } 251
Enclosures:
Appendix. 1 ~ Sources of Inforniation
Appendix 2 - Change Control Procedures
Page 9p 18
URAP IL FINUINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
Deloitte.
APPENDIX 1
ENGAGEMENT LETTER DATED 9 ArRit 2014
SOURCES OF INFORMATION
For Pert 1 work, we will use the following sources of information which hae been provided by You:
J. “Horizoa Core Audit Process” which outlines how Horiaon HING-X has been designed to
operate,
“Draft Factfile” which deals with how POL uses Horizon HING-X in the branch network;
“Description of Fujitsu's System of IT Infrastructure Services supporting Post Office
Limited's, POLSAP and HING-X applications” which outlines the environmen in which
Hoc ex;
Of Seoocd Sight ancenalies™ which is an fiteraal POL, summary of the
tin Horizon HING:X referring to pamn’s 6.4 to 6.10 of Second Sights fuly
09 the “Local Suspense”! 14 Branch ancunaly:
Eujite’s ‘on the “Receipts Payments” / 62 Branch anomaly;
ihe “Spot Review Bible”, which contains the fen "Spot Reviews” sent 10 POL and POL"s
responses (cf para 2.7 of Second Sights July 2013 Report)
Fujitsu's “Horizon Data Integrity” document, which provides a technical description of the
‘measures built into Horizon HNG-X 0 ensure data integrity, inckiding « description of
several faitare scenarios, and descriptions as to how those measures apply in each case,
Fuae's “Siete, Online Dota ntgy foe Pt Office Lif” document. which provides 8
‘echnical description of the messures tht are bulk Into Hotizon HNG-X 40 ensure data
integrity and descriptions as to how those measures apply in each case;
Current Fujitsa POA 18027001 certification;
The associated Fujtan POA ISMS Statement of Applicability,
The Post Office Horizon PCI DSS certificate,
The Post Office Horizon PCI DSS signed AOC
The Post Office Horizon PCI DSS ROC;
The last 3 published Post Office [SMF minutes with Fuji, and
The Inst 3 Fujitsu Security Ops Reports
Additional documents may be provided by You as part of our engagement. The Full list of information
sources will be disclosed in ous Deliversble,
Pee 10 of 8
WITN10370171
WITN10370171
60
WITN10370171
WITN10370171
APPENDIX 3
APPENDIX 2
CHANGE CONTROL PROCEDURES. ENGAGEMENT Lerrex DATED 9 APRIL 2014
Cuance Oxpex Nuwmen
1 If.at any time ether party wishes to requestor recommend any adktiton, tnodification o other bead
change tothe Services or porformance required under the Contract (a “Change”, the party «<
propating ts Change il chm write oqo for a Changs (“Changs Roque?) fe ient Name and Address
other party.
2. AN Charge Rages i en tetera wring by the mined pion wh bat
the Engagement Letier for ax on behalf of the Client, in the case of Change Requests
initiated by the Client ce the Delite clit service partner an specified in the Engagement Letter
in the case of Change Requests initiated by Deloine.
3 Foncfitrditarfird implications for the Contact of implementing, each: Change
‘and prepare and sabwnit to the Client a peoposed Change Order, in the form attached as
Arpt’ eo nh Change Rs Was pty een, ie
tad reqpond to one or more Change Requests, because’ of their
fremucney, ny resuh la a delay nthe Servo, thal pasty wl ny Ye eter prt). Tor
para wl han need w agro unSppropae one of oren
4 The Clicnt will senify Deloitte in writing of its decision os w whether or aot it wishes to
appendices, schedules, andlor atachments), records agreed changes to the
LLP 7 “we td <> ded < > sed by ple nro Change
the Rngagement Letter set forth below land any earlier Change’ Ordei(s) or amendments
the 6 3008 a a ay event pe ater han cooled. fictive te 0 ftotve dts of hg), by te flesting hx
5 days (or sch other period agreed by the parties) afer receipt of the Change Onder subunted \ Spe awa
by Deloite ‘the parties wish to proceed with the proposed Change, the Order _ Seon and objectives
document being referred to as » “Change Order”)
, ¢
5 Neither party is obliged to proceed with any proposed Change (and the related changes)
(Changs (and related changes) wil be elective and exoreette gaia pry, valews and vals I 3 Client Reepensibilities sad Asvemptions
Lp oarnrcdong prvi woe lpoorchuhepel ag a aaa NN
ert eae dees Deke ot sian pate nde pl fs Sr sve
‘Tike Chang had ont ben proponed 4 Our Changes
UB co wlaraledapaardalnnchpsled-cesny- sheeted
with investigating the implications of a Change Request, whether or not = S Consequential changes to the Contract
signed in reapest of such Change Request.
Page Hof Page 12 of 18
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
61
Exoopt as expressly modified herein, all other terms and conditions of the Contract remain inchanged. Please
inuihcne Your agreement tothe terms of this Change Order by signing and retuming to Deloite the enclosed
copy of this Change Order,
‘Yours faithfully,
Partner
Deloitte LLP
Agreed by Post Otice Lads
‘Signed:
For and on behalf of Post Office Lad
Printod Name:
Page 19 of
nares
WINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
APPENDIX 4
ENGAGEMENT Lerre DATED 9 Armin. 2014
DELOITTE LLP - TERMS OF BUSINESS:
DELOITTE LLP
TERMS OF BUSINESS:
‘Consulting and Advisory Services
1 THE CONTRACT REWER Es
1% Tig Cit es ot me er ak He ae
amen at
utsee LLP Cohidh e fooe fps ncbes sefone 1
‘cae ws aed "pr tapes af in sunt
Sern aor
CLP ate
im mck Oeouns {LP hes ber of neha
“ian. ic dees ta ry oe Yom eps
(oh Wee oy held he bee ec pr of
en be
Pore
‘meme
"ie ere of
‘=m
‘Puerta be endear ne Yo ele aes
Fea choc den-eqnechuhapres ert nckoolgrtocd
i Cat hav oe topes sith ma eee
Gye at al porte orate en ms prove mabe
‘eo enh rope
ee Preece
2S pein es Ym ro ee
Se Seve, we ay
sd slit, a sa ne ition
s
f
1
t
f
E
r
ff
“a cis slack oe bee ef
wt whee oe or Fhe Setar ta
Page of 8
WITN10370171
WITN10370171
62
WITN10370171
WITN10370171
HE PHBE Ho naY i Er aie ‘iil ili 5
Hl Lis Hi i a it i Wi 7 Hie th :
an Hey eae a ia siti!
it rae lt i bi att
el Hi il tin ii 1 BULL ull Abani
be gl ithe advls 33 3
Re Hn HE an faBneaE AY RENAE IE
a dicta el et Hf i ate ii
a are ee
Hane i fe iene Ub
uy papal i fit at ill ii Hi
GEM chal eT
ay Face a pray
i ft lll i He
ane j i: ite
me dy ili Hii
Hate eyelid tie
Hi HH
Hill Univ Sabie 2h
Ly tt, H il vi H ' 1
! i wih fil tf ui pli ii! af
ital Ls bate titi
ena i Gn aL He I
iT Gs a aL
“A 23 SBE Ane! MET i gl
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
63
WITN10370171
WITN10370171
i ki ii i
‘ va
Hal
inj HH fill I :
ei aT i
Hie gy
He He
Hi ii “ifid : i
ii ites eqlil THT ii in Pu “
fey we f i Ha i He
Tee Ea stg eT
Ce Sea
He 3 ee fi i i
CE ERE
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
64
WITN10370171
WITN10370171
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
65
WITN10370171
WITN10370171
Appendix 5: Change Order 01
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
66
ENGAGEMENT LETTER DATED 09 APRIL 2014
CHANGE ORDER NUMMER O1 (VERSION 2)
(06 May 2014
Me Cherie Ant
Pont Office Lad
148 Old Stee
‘London
ECIV9HQ
ox the attention of Che Aajard
Dear Shes
This Change Order ( andlor ), ord agreed I
10 the Contr betwecn Deke LLP (-Debaie” or we") and Pet Office CPOL ar -¥ac) dated
1 Ari 2014 arene by pr sre Change Ord) ot amendment thereto This Chan
Order constitutes the entire uncrstanding and agreement between the Client and Deloite with respect
(0 the ‘set oot ln this all prior oral and written
respect to such changes (i but not limited to Change ‘and may only be: in
\weiting. signed by sorhorised representatives ofboth parties.
‘The section(s) of the Kngagement Letter set forth below are hereby amended, effective as of 06 May
2014, by the following tent:
1 Project scope and objectives
Your project scope and objectives rerstin as previously described within our ergagemcit letter dated
09 April 2014.
2 OwrServices and responsibilities
Our services within 2(0) of ew cordract date! 09 April 2014 will be amended 10 include the two
following extension areas: ¢
Exteaslon Aree:
‘extent of project. with the Deloitte rey. The.
inchide « review of that outline if nec bow
‘features of the system were inmpacted by the implementation.
Deetoite wilt assess relating to signoff of requirements as wel
Cachet tang Hegre elngmsce pion
Deloitte wilt @ description of our and recommendations
Delain = iegnte« der approach, findings and reco ror this. work.
owes
Deloitte.
Extension rea 2:
Deloitte will review futher documentation relating Yo the specific design features of the processing
cewvirooment which ae asserted to be in place to unerpi two hey objectives
1 That sub,post masters have fll ownership and visibility of all records in thei Branch ledger,
12, That the Branch ledger records are kept bythe system with integrity and full mat tail
Deloitte will prosce a schedole ofthese specific design featres, Wenttied only through desktop
review of documenation provided by Post Office, al use this to assess whether the existence ofthe
specific design feature has been tested and/or assured. Delote will comment on the 2 point above in
this context.
Deloitte will not on rf and will not perform any
or operating effectiveness te
Deloite's work, sill based’on procedures will also ince:
+e on wit is etoile specials to validate the Andit Store's tamper proof
che ede ner iy ems which oe have pct
tanes ith i ingen wing ses,
‘by POL to provide further assurance to the Board.
of ou Findings and fiom this work
rey see of whims sxe, oie Wi spoon te Gey of erring
ings with POL stakebolers document (wacked a8 Draft)
_ prepare a
, ee ror wo cath Tsay LF My Te wd Pn 16 May 24
‘Charges
time charges for this addkional work will be charged on a time and materials based, in line with
S ae card shown in our original Engagement Letter.
s
‘Consequential changes to the Contenet
Except as expressly modified herein all other terms and conditions of the Contract remain unchanged
Please indicate your agreement to the tern of this Change Order by signing and returning to Debyitte
the enclosed copy of this Change Orde.
eo eteiuP
WITN10370171
WITN10370171
DRAFT FINDINGS
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
67
WITN10370171
WITN10370171
Deloitte
Partner
Deloitte LLP
Agreed by Post Office jini
Signed: ae y /
For and on behalf of Post Office Limited <
Primed Nome: _ CARAS Aver
Postion Gevenat Coser
Date
J ¢
Osim LP
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.
68
WITN10370171
WITN10370171
Statement of Responsi
We take responsibilty fn this report which i$ prepared on the basis of the limitations set out below. The matters
raised in this report are only’those whith came 16 our attention during the course of our work and are not
necessarily a comprehensive statement of alfthe weaknesses that may exist or all improvem ents that might be
made. Any recommendations made or jiprovem ents should be assessed by you for their full impact be fore they
are implemented.
Deloitte LLP
London
May 2014
In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kin gdom
member firm of Deloitte Touche Tohmatsu Limited (‘D TTL"), a UK private company limited by guarantee, whose
member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed
description of the legal structure of DTTL and its member firms.
© 2014 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675
and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.
STRICTLY PRIVATE AND CONFIDENTIAL. SUBJECT TO LEGAL PRIVILEGE.