WITN11970100
WITN11970100
Witness Name: Mike Deaton
Statement No.: WITN11970100
Dated: 26 November 2024
POST OFFICE HORIZON IT INQUIRY
FIRST WITNESS STATEMENT OF MIKE DEATON
I, MR MIKE DEATON, will say as follows:
INTRODUCTION
1. I am currently employed by Fujitsu Services Limited (“Fujitsu”) as Head of
Enterprise & Project Services, UK Digital Workplace Delivery, a position I have
held since July 2013.
2. This witness statement is made to assist the Post Office Horizon IT Inquiry (the
“Inquiry”) with the matters set out in a Rule 9 Request provided to Fujitsu on 11
November 2024 (the “Request’), to the extent I have or had direct knowledge of
such matters. I was assisted in preparing this statement by Morrison Foerster,
who represent Fujitsu in the Inquiry.
3. The topics set out in the Request relate to a proposed review by KPMG of the
Horizon IT System (“Horizon”) in or around 2011 to 2012 (the “KPMG Review’).
The KPMG Review concerned the version of Horizon known as Horizon Online
or HNG-X (“HNG-X”), and KPMG prepared a report as part of the review titled
Page 1 of 11
WITN11970100
WITN11970100
“HNG-X Data Integrity: Phase 0 Report” dated 23 April 2012 (“Phase 0 Report”)
(FUJ00172083), which is referenced in the Request. In the limited time available,
I have tried to refresh my memory by reviewing contemporaneous documents
relating to the KPMG Review. These have included the Phase 0 Report and other
documents that have been made available to me by Morrison Foerster and
Fujitsu, as well as documents that I have identified following a search of my work
emails. My recollection of the KPMG Review is very limited. The content of my
statement is therefore based primarily on the content of these documents. Where
I have relied on documents, I have set out the URN of the relevant document
below.
PROFESSIONAL BACKGROUND
4. I joined Fujitsu in November 2010 as a Business Development & Change
Director for the Royal Mail Group Account, which was later renamed the Post
Office Account (“POA”) following the separation of Post Office Limited (“POL”)
from the Royal Mail Group. I have since held the following roles at Fujitsu:
a. August 2011 to October 2011: Project secondee. I was seconded to a
project to support Fujitsu’s finance department, which was unrelated to
Horizon and/or POL. I was assigned to the project by Gavin Bounds,
Fujitsu’s Chief Operating Officer (“COO”) at the time. The project was led
by lan Hayward.
b. November 2011 to June 2012: Change & Operations Director, Business
Operations. This role involved various projects that were also unrelated to
Page 2 of 11
WITN11970100
WITN11970100
Horizon and/or POL. This role and the roles that I set out below were not
part of the POA.
c. June 2012 to June 2013: Director of Central Shared Services.
d. July 2013 to the present: Head of Enterprise & Project Services, Digital
Workplace Services.
BACKGROUND TO THE KPMG REVIEW
5. In the Request, the Inquiry has asked for a summary of the reasons for
commissioning the KPMG Review. In addition to addressing this topic below, I
have also set out how I came to be involved in the KPMG Review, as well as my
role and responsibilities.
6. Onor around 31 October 2011, Stephen Long (POA Director) and Gavin Bell
(who succeeded Mr Long as POA Director) asked me to take on the role of
project leader for the KPMG Review on behalf of the POA (see emails involving
me and Gareth Jenkins dated 3 November 2011 (FUJ00243333)). Mr Bell
introduced me to Ervin Jocson, the director at KPMG conducting the KPMG
Review, who was my primary point of contact at KPMG (see emails involving me,
Mr Jocson and Mr Bell dated 31 October to 9 November 2011 (FUJ00243335)).
As noted above, by this point in time, I had recently left the POA and moved into
a role in the Business Operations team, working on various projects that were
unrelated to Horizon and/or POL, but I cannot recall why I was asked to lead the
project. As part of this new role, I reported to Mr Bounds, and I expect that Mr
Bell would have engaged Mr Bounds beforehand to get his agreement to my
taking on the project leader role on the KPMG Review.
Page 3 of 11
WITN11970100
WITN11970100
The Horizon Online Data Integrity Report dated 25 November 2011 (“HNG-X
Report”) (FUJ00080534) lists the Fujitsu stakeholders that were involved in the
KPMG Review (the “Fujitsu Stakeholders’):
a. Stephen Long, Project Sponsor
b. James Davidson, Service Operations Director
c. Torstein Godeseth, Architecture
d. Gareth Jenkins, Architect
e. Myself, as Project Leader
f. Tim Healy, Commercial
g. Edward Phillips, Legal
h. — lan Howard, Security
This list accords with my recollection, although I would also have considered
Mr Bell, who is listed as an “Optional Reviewer” of the HNG-X Report to have
been a Fujitsu Stakeholder. I would have also considered Mr Bounds to have
been a Fujitsu Stakeholder as he was my line manager and the POA reported
into him as COO, and I would have expected that the purpose and outcome of
the KPMG Review to be shared with him.
My role on the KPMG Review would have been primarily concerned with
facilitating the progress of the review and coordinating Fujitsu’s engagement with
KPMG, performing the role of a project manager. My responsibilities included (i)
Page 4 of 11
10.
11.
WITN11970100
WITN11970100
coordinating the Fujitsu Stakeholders and KPMG to facilitate the scoping of the
KPMG Review, which had commenced before I joined the project (see emails
involving me, Mr Jocson and others dated October-December 2011
(FUJ00172048, FUJ00172052, FUJ00243335, FUJ00243336)), (ii) managing
and coordinating agreed actions relating to the KPMG Review with the Fujitsu
Stakeholders and KPMG (see emails involving myself and Mr Jocson dated
January-February 2012 (FUJ00172064)), and (iii) coordinating resources and
Fujitsu’s technical staff to provide information and documentation to KPMG to
conduct the KPMG Review (see emails involving myself, Mr Jenkins and Mr
Godeseth dated February 2012 (FUJ00172072)). The KPMG Review was
independent from POL and POL was not involved in the review (see emails
between me and Mr Jenkins dated November 2011 (FUJ00243333) and March
2012 (FUJ00156534)), and I cannot recollect any communications with POL on
the KPMG Review.
The other Fujitsu Stakeholders, particularly those in the POA, would have been
responsible for (i) making decisions with regards to the scope of KPMG’s work,
(ii) providing technical input and documentation required by KPMG to conduct
the review, and (iii) authorising KPMG to carry out the work (see emails involving
myself, Mr Healy and Mr Long dated February—March 2012 (FUJ00243337)).
I cannot recall if there was a catalyst for the KPMG Review, nor whether this was
a POL or Fujitsu initiative. The HNG-X Report (FUJ00080534) notes that Fujitsu
instigated the KPMG Review to conduct an “independent audit of the HNG-X
environment currently delivered to Post Office Limited to provide confidence that
Page 5 of 11
WITN11970100
WITN11970100
the solution has intrinsic security controls commensurate with the requirement
for legal admissibility’ to enable a legal review of Fujitsu’s compliance with its
contractual obligations. In December 2011, Mr Jocson, Mr Phillips and myself
exchanged emails regarding Fujitsu’s requirements for the KPMG Review and
Fujitsu’s potential use of any reports prepared by KPMG (FUJ00243336). In this
email chain, I explained to Mr Jocson that Fujitsu was primarily commissioning
the KPMG Review to inform Fujitsu’s legal team, but should it later choose,
Fujitsu expected that it would be able to provide any reports prepared by KPMG
to “other auditors, Post Office, in disputes (either between [Fujitsu] and Post
Office, or where [Fujitsu] are supporting Post Office in defending the integrity of
its systems)” (FUJ00243336). Based on the wording I have used in these emails
and in line with my role as project leader, as described above, I believe that I
would have been coordinating and channeling these communications around the
scope and purpose of the KPMG Review with technical and legal input from
Fujitsu Stakeholders in the POA and legal teams.
WORK CARRIED OUT ON THE KPMG REVIEW
12. The Inquiry has requested a summary of the following matters in relation to the
KPMG Review with reference to the Phase 0 Report: (i) any further work that
KPMG carried out further to the KPMG Review, including any findings made by
KPMG; and (ii) if no further work was carried out on the KPMG Review, the
reasons why the decision was made not to carry out such work.
13. The KPMG Review was divided into three phases or stages, which are noted in
KPMG's letter of engagement dated 22 February 2012 (FUJ00172076). These
Page 6 of 11
14,
WITN11970100
WITN11970100
were Phase 0 (Documentation readiness review), Phase 1 (Documentation
detailed review), and Phase 2 (Controls review and testing).
I do not have any recollection of what happened following the Phase 0 Report.
However, based on the contemporaneous documents that I have reviewed,
Phase 0 of the KPMG Review was completed in or around April 2012, and
following this, no further work was carried out by KPMG. I refer to the following
documents in this regard:
a. KPMG provided a draft of the Phase 0 Report to Fujitsu on 23 April 2012,
which was sent to me by email (FUJ00172081). The Phase 0 Report was
prepared by KPMG based on information in the HNG-X Report, “a sample
of additional High and Low Level Design Documents, a site visit to witness
a demonstration of the system and subsequent clarification dialogue
between KPMG and [Fujitsu's] system architects” (FUJ00172083).
b. Later that day, I shared the Phase 0 Report with relevant Fujitsu
Stakeholders by email and noted that I had not informed KPMG that “plans
may have changed with POL” (see emails dated April 2012
(FUJ00172081)). I also arranged a meeting with the Fujitsu Stakeholders
on 3 May 2012 to discuss the Phase 0 Report (see meeting invitation dated
1 May 2012 (FUJ00172080)). At the conclusion of Phase 0, KPMG was to
provide Fujitsu a final quote for completing the KPMG Review (see KPMG’s
letter of engagement dated 22 February 2012 (FUJ00172076)), which was
noted in the Phase 0 Report as £131,000 (FUJ00172083). While I cannot
Page 7 of 11
WITN11970100
WITN11970100
recall specific individuals or conversations, I can recall the Fujitsu
Stakeholders being very surprised when the cost was announced.
On 4 May 2012, I emailed Christopher Starnes (Senior Manager, KPMG)
and Mr Jocson and informed them that (i) POL was “now considering a full
end to end integrity check on both former and previous systems”, which
would extend outside of Fujitsu’s obligations in relation to Horizon to
incorporate POL’s obligations, systems and processes, and (ii) it was
therefore unlikely that Fujitsu would be engaging KMPG in relation to the
next phase of the KPMG Review (i.e., Phase 1) (FUJ00243338). I then
asked Mr Starnes and Mr Jocson to stand down on the KPMG Review
(FUJ00243338). I expect that this email was the output of the meeting on 3
May 2012 with the Fujitsu Stakeholders.
On 16 May 2012, Mr Starnes emailed me a signed copy of the Phase 0
Report, which closed out Phase 0 of the KPMG Review (FUJ00243339).
A POA business review presentation dated 18 June 2012 (FUJ00174459)
notes the following update on or around 22 May 2012: “Following update
from JD: Following discussion with Post Office, the KPMG integrity study is
to be put on hold pending a review of the approach by Post Office. [Fujitsu]
will be talking with Post Office over the next period to understand their
intentions and what support they will need from Fujitsu in the future”. I
understand “JD” to refer to James Davidson, and I believe that this POA
business review would have been presented by Mr Bell and the POA to Mr
Bounds, Steve Clayton and Duncan Tait.
Page 8 of 11
WITN11970100
WITN11970100
f. On 19 June 2012, I emailed Mr Jocson and Mr Starnes and corifirmed that I
had been in contact with the “account lead” and it seemed that POL were
“still exploring how they [could] approach the broader topic of the full end to
end piece’, but the KPMG Review was “definitely off the table”
(FUJ00172084). The “account lead’ in the context of these discussions may
have been Mr Long.
Statement of Truth
I believe the content of this statement to be true.
Signed
Dated: 26 November 2024
Page 9 of 11
WITN11970100
WITN11970100
INDEX TO THE FIRST WITNESS STATEMENT OF MIKE DEATON
Exhibit
No.
URN
Document Description
Control No.
a.
FUJ00172083
KPMG HNG-X Data Integrity Phase 0
Report dated 23 April 2012
POINQ0178264F
FUJ00243333
Email chain last dated 3 November
2011 with subject ‘KPMG HNGX
Integrity Review’
POINQ0249358F
FUJ00243335
Email chain last dated 9 November
2011 with subject ‘Post Office EPOS
Review - intro meeting 13/10/11’
POINQ0249360F
FUJ00080534
Horizon Online Data Integrity Report
dated 25 November 2011
POINQ0086705F
FUJ00172048
Email chain last dated 2 December
2011 with subject ‘CONFIDENTIAL:
Horizon Online Integrity Testing :
Proposal’
POINQ0178229F
FUJ00172052
Email chain last dated 14 December
2011 with subject ‘Horizon OnLine
Integrity Testing: Proposal’
POINQ0178233F
FUJ00243336
Email chain last dated 12 December
2011 with subject ‘Horizon OnLine
Integrity Testing: Proposal’
POINQ0249361F
FUJ00172064
Email chain last dated 8 February
2012 with subject ‘HNGX Integrity
Proposal (Meeting 23/1)’
POINQ0178245F
FUJ00172072
Email chain last dated 20 February
2012 with subject ‘HNGxX Integrity
Proposal - initial meeting —
documents’
POINQ0178253F
10.
FUJ00156534
Email chain last dated 20 March 2012
with subject ‘RM v Bramwell’
POINQ0162728F
11.
FUJ00243337
Email chain last dated 5 March 2012
with subject ‘KPMG Contract
Approval’
POINQ0249362F
Page 10 of 11
WITN11970100
WITN11970100
Exhibit URN Document Description Control No.
No.
12. I FUJ00172076 I KPMG letter to Fujitsu dated 22 POINQ0178257F
February 2012 with subject ‘HNG-X
Data Integrity Assessment’
13. I FUJ00172081 I Email chain last dated 1 May 2012 POINQ0178262F
with subject ‘HGNX Review’
14. I FUJ00172080 I Meeting invitation sent 1 May 2012 POINQ0178263F
with subject ‘HGNX Review Telecon’
15. I FUJ00243338 I Email chain last dated 4 May 2012 POINQ0249363F
with subject ‘HGNX’
16. I FUJ00243339 I Email chain last dated 16 May 2012 POINQ0249364F
with subject ‘HGNX Report’
17. I FUJ00174459 I Presentation dated 18 June 2012 POINQ0180640F
titled ‘Post Office Business Review’
18. I FUJ00172084 I Email chain last dated 9 July 2013 POINQ0178265F
with subject ‘HGNX’
Page 11 of 11