WITN08410100
WITN08410100
Witness Name: Alexander Simon Talbot
Statement No.: WITN08410100
Dated: 22 May 2023
THE POST OFFICE HORIZON IT INQUIRY
First Witness Statement of Alexander Simon Talbot
1, ALEXANDER SIMON TALBOT, SAY AS FOLLOWS:
1. My name is Alexander Simon Talbot, although I am generally known as Simon
Talbot. I have been employed by Post Office Limited ("POL") (or its
predecessors) since August 1987.
2. Except where I indicate to the contrary, the facts and matters contained in this
witness statement are within my own knowledge. Where any information is not
within my personal knowledge, I have identified the source of my information or
the basis for my belief. The facts in this witness statement are true to the best
of my knowledge and belief.
3. In this statement I use the term "Postmaster" broadly to refer to those people
or entities that are responsible for operating post offices (but excluding those
individuals employed by POL), rather than with any formal definition in mind. I
use the terms "Postmaster" and "Sub-postmaster" interchangeably given their
common usage. Nothing in this statement is intended to detract or differ from
any definition adopted by POL.
This witness statement has been prepared in response to the request made by
the Post Office Horizon IT Inquiry (the "Inquiry") pursuant to Rule 9 of the
Inquiry Rules 2006, dated 3 April 2023 (the "Rule 9 Request"). In this witness
statement, I address each of the questions set out in the Annex to the Rule 9
Request regarding my career background at POL and my knowledge of and
involvement with the following areas within POL:
a. Audit; and
b. Knowledge of bugs, errors or issues with the Horizon IT System ("Horizon").
Although I also have some knowledge of and involvement with training of
Postmasters, as the Rule 9 Request has only asked two specific questions in
relation to training of auditors, I have not set out my general experience with,
and knowledge of, training of Postmasters within POL which I would be happy
to do if it would be helpful to the Inquiry.
Where I refer to specific documents in this statement, copies of those
documents are identified by the Inquiry's unique reference number for that
document.
DEFINED TERMS
In this statement, I have used a number of acronyms and defined terms. I have
set out a definition of each as I have introduced them. However, for
convenience, I also set out the definitions of these acronyms and definitions
below:
ARD Audit Rationale Document
ART Audit Reporting Tool
WITN08410100
WITN08410100
Audit Team
Contract Team
Debt Recovery
Team
FAT
FBPP
FSA
FSC
FTL
GLO
Horizon
A Standard 2300
Inquiry
NOA
NOM
POL
P&BA
QAR
Rule 9 Request
Security Team
POL team responsible for carrying out audits of Post
Office branch accounts
POL team responsible for the contractual liability of
Postmasters, including managing the contractual
relationship between POL and Postmasters such as
managing performance and making decisions on the
suspension and termination of Postmaster contracts
POL team responsible for recovering debts from
Postmasters
Financial Audit Tool
Financial Branch Performance Profile
Field Support Advisor
Finance Service Centre
Field Team Leader
Group Litigation Order
The Horizon IT System
Institute of Internal Auditors standards
The Post Office Horizon IT Inquiry
Network Operations Advisor
Network Operations Manager
Post Office Limited
Product and Branch Accounting
Quality Assurance Review
The Inquiry's request pursuant to Rule 9 of the Inquiry
Rules 2006, dated 3 April 2023
POL team responsible for managing the physical
security of POL assets and branches and dealing with
security incidents such as robbery and burglary
Training and AuditPOL employees who conducted training for
Advisors
121 meetings
2019 / 2020
changes
Postmasters and auditing of branch accounts
Regular meetings between an individual auditor /
trainer and their team leader
Full scale revision of audit practices and procedures
precipitated by the settlement of the GLO
WITN08410100
WITN08410100
CAREER BACKGROUND
8.
I have been asked to briefly set out my professional background and identify
and explain my roles within Post Office to date.
August 1987 — 2004: Postal Officer at Stockport Crown Office
9.
I first joined Post Office in August 1987 as a Postal Officer at Stockport Crown
Office, a branch directly managed by Post Office. I did not have any significant
work experience prior to this. I had partially completed my A Levels when I
joined Post Office and have not obtained any further qualifications since. When
I first joined, I received four weeks of training at a POL training school in
Bradford, and two weeks of supervised working at a "satellite" branch located
in Leeds. During this time, I used Horizon (since its roll-out) on a day-to-day
basis including inputting transactions.
2004 — 2006: Assistant Branch Manager at Ashton-Under-Lyne Crown Office
10.
In 2004, I was promoted to Assistant Branch Manager at Ashton-Under-Lyne
Crown Office, another branch directly managed by Post Office. This role was
the first time I had managerial responsibility. During this time, I used Horizon on
a day-to-day basis.
2006 — 2007: Financial Services Assistant at Stockport Crown Office
11.
In 2006, I returned to the Stockport Crown Office, where I was a Financial
Services Assistant. During this time, I had less involvement with Horizon than I
had in my previous roles, but I continued to use Horizon to enter transactions
in relation to financial products, such as life insurance.
WITN08410100
WITN08410100
2007 — 2008: Assistant Branch Manager at Stockport Crown Office
12.
In 2007, I was promoted to Assistant Branch Manager of the Stockport Crown
Office. During this time, I had managerial responsibility, as Stockport Crown
Office was a large branch with a number of staff who I assisted in managing in
my role as Assistant Branch Manager. In this role I was more removed from
day-to-day activities including entering transactions, but I would still have
regularly used Horizon, including for weekly/monthly balancing and printing off
reports.
2008 — April 2012: Post Office Branch Manager Stockport Crown Office
13.
In 2008, I was promoted to Branch Manager of the Stockport Crown Office. In
this role I was responsible for approximately 16 employees who worked at the
branch. Like when I was the Assistant Branch Manager at Stockport, during this
time I was more removed from day-to-day activities including entering
transactions, but I would still have regularly used Horizon, including for
weekly/monthly balancing and printing off reports.
April 2012 — September 2016: Field Team Leader Network Services
14,
In April 2012, I took up a new position as a Field Team Leader ("FTL") Network
Services. The grade for this role was 2A. My line manager was Lesley McNally
(née Frankland), Audit & Training Team Leader, who I believe reported to Adrian
Wales, Regional Network Manager, who I believe then reported to Angela Van
Den Bogerd, Head of Network Services. The reason I moved from a Crown
Office to a Network position is because I wanted to further my career within the
Post Office. This role was not based at a particular POL site, and I largely
WITN08410100
WITN08410100
15.
16.
worked from my home near Manchester unless I was required at a specific
location. The team I was responsible for was based in the North West of
England, however our activities were not limited to the North West geographic
area.
When I first became an FTL, I was trained in the skills required to perform my
role. I attended a training course for a week in Chesterfield with approximately
six newly recruited FTLs. The course was given by Chris Gilding, who was a
fellow FTL. I otherwise learnt about the procedures and teams for which I was
responsible through observation of my fellow FTLs once I was in my role. I do
not have any formal qualification or training in audit.
This was the first time that I was involved with audit functions within Post Office,
and part of the team which was responsible for carrying out audits of Post Office
branch accounts ("Audit Team"). In broad terms, an audit of a branch's
accounts involved attending a branch, gathering Horizon data as to the levels
of cash and stock which ought to be present within a branch (by printing off
various Horizon reports) and reconciling that Horizon data with the physical
cash and stock actually present by counting the amount of cash and stock in
the branch. Section 2.2. on page 5 of “Audit Charter” (version 4.0)
(POL00083966) states that:
"The primary purpose of branch and cash centre audit activity is to
provide an independent assurance to Post Office Ltd that:-
+ Its assets exist at Post Office® branches and cash centres
+ There is compliance to relevant policies, processes, regulations and
WITN08410100
WITN08410100
17.
18.
19.
standards".
My understanding is that this type of audit is more akin to a stock-taking
exercise, rather than a forensic exercise of verifying the accuracy of the
accounts such as those conducted by professional auditors such as the "Big
Four". Accordingly, when I refer to "audits" and "auditors" in this witness
statement, I am referring to audits and auditors in this context.
My key responsibility in this role was the management of a team of auditors and
trainers ("Field Support Advisors" or "FSAs"). Each FSA had responsibilities
of giving training to Postmasters and carrying out audits of branch accounts.
My role involved, for example, managing the IT equipment and cars that the
auditors used; looking after the wellbeing and health and safety of auditors; and
liaising with the scheduling team based in Bolton. My role in relation to the
scheduling of audits would be to make sure that the Audit Team could staff the
audits which had been planned by the scheduling team, for example by
organising travel arrangements and making sure there was sufficient time for
the auditor to get to the audit location.
Part of my role was liaising with auditors in relation to issues that arose and
fielding calls from auditors who were carrying out audits on location. My contact
with auditors was primarily to ensure that they got to and from the audit
locations safely. I would also be contacted in relation to specific issues that
arose, such as Audit Team hardware or equipment failures (not equipment
failures in branches), or for advice. If something unexpected came up, such as
a large discrepancy arising at audit, an auditor may have contacted me to let
me know, but as I was not the relevant decision maker, this contact would be in
7
WITN08410100
WITN08410100
20.
21.
22.
23.
addition to the auditor contacting the Contract Manager of that branch who was
the proper decision maker.
In the period of time that I was an FTL, I was responsible for approximately 13
FSAs at any given time. I recall that there were approximately 14 FTLs in total,
and approximately 160 FSAs during this period.
I also had responsibilities as part of the quality assurance process of audits,
which I discuss in more detail at paragraph 129 to 131 below.
I also had responsibilities for maintaining documents and information sources
which contained the key procedures and policies to be followed by auditors and
trainers. The key document which contained the policies and procedures to be
followed by auditors was the Audit Process Manual. This was a document which
was broken up into several chapters, such as "Performing a Branch Audit,
Chapter 3 of the Audit Process Manual” (version 5.1, 2010 is POL00084801).
The FTLs were each assigned different chapters of the Audit Process Manual,
which we were responsible for reviewing on approximately a yearly basis and
updating as necessary. The chapter for which each FTL was responsible would
change depending on the personnel movements into and out of the FTL team
over time. Although I do not recall all the details as to when I was responsible
for various chapters of the Audit Process Manual, I do recall that at some point
I was responsible for Chapter 5 — Closures and Chapter 11 — Quality Assurance
from approximately August 2012, along with other FTLs.
In addition, each FTL was responsible for keeping up-to-date assigned sections
of ‘EASE’. EASE was the name of the system run on the Lotus Notes platform
WITN08410100
WITN08410100
24.
25.
26.
which contained knowledge articles and guidance for FSAs. Like in relation to
chapters of the Audit Process Manual, FTLs would be assigned responsibility
for the maintenance of various sections of EASE. The EASE system was later
replaced by a SharePoint used by the Audit Team, although I do not recall when
this occurred. Upon review of the version control section of Chapter 9 of the
Audit Process Manual (page 1 of POLO0088750) which records the
replacement of Lotus Notes with SharePoint, I believe it may have been around
October 2013.
I also had responsibilities in relation to training, which I discuss briefly in more
detail at paragraphs 82 to 87 below.
Broadly speaking, in this role I had a high-level overview of the specific audit
practices which occurred within branches. Although I did not routinely perform
audits myself, I had a good understanding of the audit process. I recall assisting
with audits and had conducted regular observational quality assurance reviews
of audits, during which I would be present at the branch being audited.
I do not recall that there were any significant changes in the policies or practices
within the Audit Team during the period I was an FTL. Likewise, I do not recall
being involved in any specific projects or initiatives relating to changes to the
policies or practices within the Audit Team during this time.
September 2016 — April 2018: Network Operations Manager
27.
In September 2016, I moved to the role of Networks Operations Manager
("NOM"). The grade for this role was 2A. My line manager was Lesley McNally,
Network Operations Area Manager, who I believe reported to a Regional
WITN08410100
WITN08410100
28.
29.
Network Manager, although I do not recall who that was, and who I believe then
reported to Andrew McBride, and then later Pam Heap, Head of Network
Operations. The NOM role was created following a restructure within POL which
brought responsibilities which had previously been undertaken by FTLs, Field
Change Advisors and Property Project Managers, under the NOM role. Under
this structure, each NOM had responsibility for fewer Network Operations
Advisors ("NOAs"), but had expanded responsibilities in other areas. NOMs
were responsible for particular geographic areas. I recall that I was responsible
for approximately 344 branches during this time, which were primarily in the
North West of England.
Prior to the creation of the NOM role, Field Change Advisors had been
responsible for things such as: scoping for potential new branches; delivering
new branches; finding alternative sites for branches; arranging consultations
with the public for the potential opening or closing of branches; reviewing
business plans submitted by prospective Sub-postmasters; and assisting with
interviewing prospective Sub-postmasters. These responsibilities all came
under the new NOM role in respect of my assigned branches.
Also prior to the creation of the NOM role, Property Project Managers had been
responsible for the arrangements necessary to get a new branch up and
running, such as: considering the size of the branch and how much equipment
would be required; appraising the specification of this equipment; ordering said
equipment; and creating a financial estimate of the cost required to establish
new branches. Like in respect of the Field Change Advisor responsibilities,
10
WITN08410100
WITN08410100
30.
31.
32.
these responsibilities all came under the new NOM role in respect of my
assigned branches.
As a NOM, I retained largely the same responsibilities in relation to training and
audit as I did as an FTL, and as described at paragraphs 16 to 24 above.
However, I recall that my role did not include responsibilities for quality
assurance (as described at paragraphs 129 to 131 below). My understanding
is that quality assurance of audits did not occur during the time the NOM role
existed.
I recall that there were approximately 36 NOMs in total, and approximately 78
NOAs during this period. Accordingly, I had responsibility for fewer NOAs than
I did when I was an FTL, but I had many other responsibilities as described at
paragraphs 28 to 29 above.
I do not recall that there were any significant changes in the policies or practices
within the Audit Team during the period I was a NOM. Likewise, I do not recall
being involved in any specific projects or initiatives relating to changes to the
policies or practices within the Audit Team during this time.
April 2018 — April 2019: Area Training and Audit Manager
33.
In April 2018, I moved to the role of Area Training and Audit Manager. The grade
for this role was 2A. My line manager was Lesley McNally, National Training &
Audit Manager, and I believe she reported to Judith Aubrey, National Network
Operations Manager, who I believe then reported to Pam Heap, Head of
Network. The Area Training and Audit Manager role was created following a
restructure that removed the NOM role. Broadly speaking, I understand that
11
WITN08410100
WITN08410100
34.
35.
36.
POL reverted to a model more similar to that employed while I was an FTL. That
is, the audit and training responsibilities were separated back out from what had
been the responsibilities previously associated with Field Change Advisors and
Project Property Managers.
As an Area Training and Audit Manager, my responsibilities were almost the
same as my responsibilities as an FTL, as described at paragraphs 16 to 24
above, looking after a team of POL employees who conducted training for
Postmasters and auditing of branch accounts ("Training and Audit Advisors").
However, as when I was a NOM, I recall that my role did not include
responsibilities for quality assurance (as described at paragraphs 129 to 131
below). My understanding is that quality assurance of audits did not occur
during the time the Area Training and Audit Manager role existed.
I recall that there were approximately 10 Area Training and Audit Managers in
total and approximately 84 Training and Audit Advisors during this period. While
the number of Training and Audit Advisors each Area Training and Audit
Manager was responsible for were not necessarily equal, I believe that I had
responsibility for approximately 9 Training and Audit Advisors.
I do not recall that there were any significant changes in the policies or practices
within the Audit Team during the period I was an Area Training and Audit
Manager. Likewise, I do not recall being involved in any specific projects or
initiatives relating to changes to the policies or practices within the Audit Team
during this time. However, I recall that there was a general emphasis on training
during this period as there was a desire to get new branches open and to
maintain the network. As all auditors had a dual role as both auditor and trainer,
12
WITN08410100
WITN08410100
the consequence of a greater emphasis on training was that there were fewer
resources devoted to audit functions.
April 2019 — April 2020: Area Audit Manager
37.
38.
39.
40.
In April 2019, I moved to the role of Area Audit Manager. The grade for this role
was 2A. My line manager was Alison Clark and I believe she reported to Julie
Thomas, Network Operations Director for at least some of the period I was an
Area Audit Manager. As an Area Audit Manager, my responsibilities were very
similar to those when I was an Area Training and Audit Manager, which in turn
was very similar to when I was an FTL, as described at paragraphs 16 to 24
above. The main difference in the role was that the training and audit functions
were split at this time, and as an Area Audit Manager I only managed auditors
who no longer had a role in training Postmasters.
Although I cannot recall exactly when this change occurred, I recall that the
quality assurance exercise returned approximately upon the creation of the
Area Audit Manager role, and so I believe I did have responsibilities for
conducting and managing the quality assurance exercise during this period (as
described at paragraphs 129 to 131 below).
I recall that there were three Area Audit Managers in total, and approximately
30 auditors during this period. While the number of auditors each Area Audit
Manager were responsible for were not necessarily equal, I believe that I had
responsibility for approximately 10 auditors.
During the time I was an Area Audit Manager, there were large changes to our
practices and procedures in terms of how we engaged with Postmasters, and
13
WITN08410100
WITN08410100
41,
42.
43.
a full-scale revision to our audit practices and procedures over this time ("2019
12020 changes"), which I describe in general terms below at paragraphs 40 to
45. My understanding is that changes were precipitated by the new ways of
working developed following the settlement of the Horizon Group Litigation
("GLO").
I recall that all chapters of the Audit Process Manual were reviewed and
amended where appropriate to reflect the new engagement practices.
One major change I recall is the procedure for speaking to a Postmaster when
the auditor arrived to carry out an audit. Previously, an audit could have been
scheduled for a number of reasons, which I have described at paragraph 90
below. When an auditor arrived at a branch to conduct an audit, they would not
necessarily inform the Postmaster why the branch was being audited.
Following the changes in the audit practices, the Network Monitoring Team (also
known as the Branch Analysis Team during certain time periods) were
responsible for selecting which branches were to be audited. The selection of
a branch to audit was based purely on the data which the Network Monitoring
Team had access to, such as the amount of cash on hand at the branch. The
Network Monitoring Team would provide the reasons for an audit to be carried
out in the form of an Audit Rationale Document ("ARD"). The ARD would be
provided to the Postmaster when the auditor arrived at the branch to commence
the audit. The engagement with the Postmaster was designed to be more
Postmaster-centric and was designed to step through the process that would
be carried out by the auditor. My impression is that these changes were well
received by Postmasters.
14
WITN08410100
WITN08410100
44,
45.
Asecond major change I recall in the time I was an Area Audit Manager was
ceasing the practice where only one auditor may have conducted an audit
(other than in Scotland, where there needed to be two auditors both before and
after the 2019 / 2020 changes). Previously, some audits may have been
performed by only one auditor, particularly if the branch was small. Following
the 2019 / 2020 changes, it became a requirement for there to be a minimum
of two auditors at any audit. My understanding was that this change was
introduced to ensure a higher level of consistency in audit practices and results,
and to allow for audit results to be verified by two auditors.
A third major change that I recall in the time I was an Area Audit Manager was
the introduction of an opportunity for the Postmaster to check the results of the
audit themselves and record on the audit papers whether they agreed with the
results reached by the auditors. A section on the papers which were completed
at every audit was introduced for the Postmaster to acknowledge that they had
checked the results reached by the auditors and whether they agreed or
disagreed with the audit results. Alternatively, the Postmaster could
acknowledge that they had been given an opportunity to confirm the audit
results but had declined to take up this opportunity. The Postmaster would be
asked to sign this section of the audit papers. My understanding was that this
change was introduced to help reduce the number of disputes which later arose
about the results of an audit and to further support the Postmaster through the
audit process.
15
WITN08410100
WITN08410100
April 2020 - April 2021: Contract Advisor
46.
47.
In April 2020, I moved to the role of Contract Advisor. At that time, there were
only four Contract Advisors across all of POL, and so we each had responsibility
for a large number of branches. The branches for which I was responsible were
divided by reference to a list of all branches maintained by POL which was
based on the postal code of each branch.
During this time, I was not part of the Audit Team and had no responsibility in
respect of the audit of branch accounts.
April 2021 — present: Security Support Team Manager
48.
In my current role as Security Support Team Manager, my responsibility is to
ensure the provision of a comprehensive security service. This is achieved by
reducing the business exposure to risk of crime, and by safeguarding
Postmasters, their teams and customers. This involves the following core
responsibilities:
a. taking ownership of all security responses in branch and supply chain,
and ensuring a security response when incidents occur;
b. leading the team of security managers to protect Postmasters and
assets from internal and external threats;
c. ensuring that the Security Team consistently supplies a quality output
and offers appropriate support to both internal and external partners;
d. ensuring that the team adheres to a supportive, compliant and audited
approach to Postmasters and the business; and
16
WITN08410100
WITN08410100
49.
50.
51.
e. driving supportive crime prevention activity focused on keeping
Postmasters, their teams and customers safe.
I manage all eight Security Managers within the POL network, who are
geographically dispersed and located in Northern Ireland, Scotland, and
England and Wales.
During the time that I was a member of the Audit Team, I understand that the
functions of the Security Team involved investigations following the
identification of discrepancies. However, before April 2021 when I joined the
Security Team, the functions of this team were significantly altered such that
the Security Team no longer conducts any investigations. The primary role of
the Security Team now is to support Sub-postmasters and the business,
including responding to robberies, burglaries, antisocial behaviour and
otherwise providing physical security support to branches. The Security Team
also supports the supply chain through a programme known as Cross
Pavement Observations. The Security Team also performs support visits to new
Sub-postmasters, provides post-incident support, and performs ‘health checks’
at branches to help ensure compliance with physical security measures.
In my current role I am not part of the Audit Team and have no responsibility in
respect of the audit of branch accounts.
AUDIT
Organisational Structure
52.
I have been asked to consider POLO0085682, POL00085769, POLO0086765,
POL00086831, POL00088445, POL00088445, and POL00033398, and to
17
WITN08410100
WITN08410100
53.
54.
provide a summary of the changes to the organisational structure of the Audit
Team during the time I was a member of that team, together with my
understanding of the reasons behind those changes.
I have reviewed the documents listed at paragraph 52 above. I note that
POL00033398 is described in the Rule 9 Request as being ""Post Office
Training Presentation on Assurance Review: Quality of Auditing" (Draft)
(version 0.5, undated)". Upon my review of this document, it appears from the
face of the document that it may more accurately be described as a
Presentation titled "Assurance Review: Quality of Auditing" dated February
2011.
I have described the various roles I held within the Audit Team between April
2012 and April 2020, and how those roles changed over time at paragraphs 14
to 44 above. When my role changed from FTL, to NOM in September 2016,
then to Area Training and Audit Manager in April 2018, and finally to Area Audit
Manager in April 2019, it was because the Audit Team had undergone a
restructure. My grade did not change during the course of these moves. At no
point was I ever involved in the design of the restructure, nor do I have any
actual knowledge of the reasons behind these changes. However, I have set
out below my understanding as to the perception within the Audit Team as to
why these restructures may have occurred, as follows:
a. In respect of the creation of the NOM role, my understanding is that it
was perceived by POL that there would be a benefit to both Sub-
postmasters and the business for there to be a single point of contact
between a branch and POL in respect of all aspects relating to the
18
WITN08410100
WITN08410100
design, establishment and running of a branch, rather than three
different teams with responsibilities for different facets of the interactions
between POL and a branch.
. In respect of the change from NOMs to Area Training and Audit
Managers, my understanding is that this restructure may have been
precipitated by the view that the NOM role was not working as well as
had been hoped. Although it made sense for there to be a single point of
contact for the establishment and running of a branch, the skills required
for each of the three roles were distinct and not all NOMs felt comfortable
operating across the spectrum of activities. For example, NOMs who had
previously been Project Property Managers may not have had expertise
managing people, while those who had previously been FTLs may not
have had project management skills, although some training on project
management skills was provided.
In respect of the division between training and auditing through the
separation of Area Training and Audit Managers into Area Audit
Managers and Area Training Managers, my understanding is that the
training and audit functions were separated following the settlement of
the GLO. As far as I understand, this change was implemented for the
benefit of the Postmasters and the individuals performing the training
and audit roles. In my view, the division of the audit and training functions
into distinct roles was beneficial as it meant that auditors could
concentrate on auditing and could build up their knowledge and
expertise in audit. It also allowed individuals who had previously
19
WITN08410100
WITN08410100
55.
56.
57.
58.
59.
performed both audit and training functions to select the role they
preferred.
I recall that between 2012 and 2016, during the time I was an FTL, there were
a large number of recruits to the Audit Team. My understanding is that this high
level of recruitment was driven by the large amount of activity within the team
due to Network Transformation. During this time, there were a large number of
branches being opened and closed, and therefore there was an increased
demand for both trainers and auditors. In addition, vacancies were created
within Audit Team due to POL employees, who had previously been members
of the Audit Team, taking up positions within the Network Transformation team.
I recall that between 2016 and 2018, during the time I was a NOM, the number
of trainers / auditors was reduced significantly. My understanding is that this
was because the Network Transformation project was coming to an end and
therefore there were fewer branch openings and closings, and therefore less
demand for training and auditing functions.
I have been asked to describe the relationship between the Audit Team and
other teams in POL, particularly the teams responsible for the contractual
liability of Postmasters ("Contract Team"), debt recovery ("Debt Recovery
Team") and security ("Security Team").
I have set out at paragraphs 59 to 61 below the standard interactions that the
Audit Team would have with each of the teams responsible for security, debt
recovery, and the contractual liability of Postmasters as part of the audit role.
In relation to the Security Team, an auditor would contact the Security Team in
a number of circumstances, for example if the Sub-postmaster admitted any
20
WITN08410100
WITN08410100
fraudulent activity (see section 9.3.3 on page 15 of POLO0084801), or if the
auditor discovered a discrepancy over a certain threshold during an audit of a
Crown Office branch. As at March 2011, the threshold for contacting a member
of the Security Team in this case was £1,000 (see section 9.3.2 on page 15 of
POL00084801). I do not recall what the threshold was to contact a member of
the Security Team in relation to agency branches in 2011, however I believe it
would have been higher than £1,000. My reason for saying this is because there
were no Contracts Advisors for Crown Office branches, and therefore any
discrepancy above the threshold would have been escalated directly to the
Security Team. However, as there were Contract Advisors for agency branches,
it is likely only larger discrepancies which would be escalated directly to the
Security Team. In addition, POL00088623 which is version 7.3 of Performing a
Branch Audit, Chapter 3 of the Audit Process Manual dated January 2019,
states at section 9.3.2 that the Security Manager must be contacted if a
discrepancy over £5,000 was identified. The same document states at
Appendix A— Crown Offices, at page 24, that discrepancies greater than £1,000
should be reported to the Crown Cluster Manager and the Security Manager.
The usual practice was for the auditor to call the relevant Security Manager and
inform them of the admission or discrepancy. The Security Manager would then
make a decision as to whether they would attend the branch. Once the auditor
passed the case to the Security Manager, the Security Manager would take the
case forward and that would be the end of the Audit Team's involvement in the
matter, unless the Security Team had any issues to clarify with the Audit Team.
The Security Team would request the audit working papers if they considered
that they may wish to continue to investigate the matter. If the Security Team
21
WITN08410100
WITN08410100
60.
61.
did not request the working papers, the papers would be retained by the Audit
Team for 60 days and then destroyed. This was the total of the routine
interactions between the Audit and Security Teams.
In relation to the Debt Recovery Team, I do not recall that the Audit Team had
any routine interactions. However, in some circumstances an audit might have
been triggered by certain information, including information from the Debt
Recovery Team. For example, there may have been an existing debt, the
recovery of which was being pursued by the Debt Recovery Team. In these
circumstances, the existence of the debt may have been shared with the Audit
Team by the Debt Recovery Team. I describe in greater detail the circumstances
in which an audit might have been triggered at paragraph 90 below.
In relation to the Contract Team, an auditor would contact the Contract Team in
a number of circumstances, including if the auditor discovered an unexplained
discrepancy over a certain threshold during an audit. During these calls, the
Contract Advisor would ask the auditor a number of questions, including
whether the Postmaster was willing to settle the amount of the discrepancy. The
threshold for contacting a member of the Contract Team in March 2011 was
£1,000 (section 9.3.2, POL00084801) and the same in January 2019 (section
9.3.2, POLO0088623), however I do not recall if the threshold otherwise
changed over time. Once the auditor passed the case to the Contract Advisor,
the Contract Advisor would take the case forward and that would be the end of
the Audit Team's involvement in the matter, unless the Contract Advisor had any
issues to clarify with the Audit Team. If the amount of any discrepancy did not
cross this threshold, the results of the audit would be sent to the relevant
22
WITN08410100
WITN08410100
62.
63.
64.
Contract Advisor once the audit working papers were finalised at the same time
the results were sent to other stakeholders, including the Postmaster. This was
the total of the routine interactions between the Audit and Contracts Teams.
I did not have any routine interactions with the POL legal team during the time
I was a member of the Audit Team, however I am aware that other members of
the Audit Team did have interactions with the POL legal team. My recollection
is that this was primarily experienced senior members of the Audit Team who
would present teach-ins to the POL legal team on Horizon and the audit
process.
I do not believe that the relationship between the Audit Team and other teams
within POL changed significantly during the time I was a member of the Audit
Team, although I believe that changes may have occurred after I left the Audit
Team in April 2020.
I have been asked whether I consider now, and whether I considered at the
time, that it was important for the Audit Team to have organisational
independence. I did not consider at the time whether it was important for the
Audit Team to have organisational independence. It is important when
considering the function of audit of branch accounts to understand what the
Audit Team did: the function of the Audit Team was confined in that auditors
were not performing a forensic role and as such no audit qualifications were
required. The role of the auditor was to confirm whether the amounts recorded
in Horizon were consistent with what was physically present in a branch, ice. it
was essentially a "stock taking" exercise and not a forensic or exhaustive
testing of the accuracy of the branch's accounts. There was little scope for
23
WITN08410100
WITN08410100
65.
66.
67.
subjectivity or opinion, as there was either a discrepancy between the Horizon
figures and the stock in the branch, or there was not.
I was never conscious of any influence from other teams within the business as
to any components of the audit process, including which branches should be
audited. The Audit Team was not responsible for selecting which branches
would be audited.
In light of the fact that the audit team did not possess any control over
determining the branches to be audited, scheduling the audits, or any discretion
in the audit process, coupled with the limited nature of the branch audit (i.e. it
was not a forensic audit but a stock-taking exercise), I do not now consider that
it is important for the Audit Team, performing the function that it had, to have
organisational independence. In hindsight, I consider that it may have been
more important for the Audit Team to have organisational independence if the
function that it was performing was more akin to a forensic audit.
I have been asked whether I was aware of any concerns raised about the
independence of POL's auditing activity and if so, what the nature of these
concerns were and how I became aware of any concerns. I do not recall being
aware of any concerns ever being raised about the independence of POL's
auditing activity.
Recruitment and training of auditors
68.
I have been asked to consider POL00032698, POL00086765, POL00088453,
and POLO0088557 and to describe the process by which auditors were
recruited.
24
WITN08410100
WITN08410100
69.
70.
71.
72.
I have considered the documents described at paragraph 68 above. My
recollection is that the vast majority of auditors were recruited internally from
within POL. By ‘internally’, I mean from existing POL employees, being people
with Post Office email addresses and who had access to the POL intranet site.
This might include Crown Offices, Network Services, Product and Branch
Accounting ("P&BA"), or from elsewhere within the business.
My recollection of the recruitment process was that any job vacancies would be
posted internally on the 'Success Factors’ platform which was a page available
on the POL intranet site which contained adverts for all the vacancies available
for application within the business. Applications would include an application
form and a Curriculum Vitae.
The team leaders, which included me from time to time for the duration of the
period I was a member of the Audit Team, would then "sift" the applications
using a matrix to assess suitability based on the application form and the
Curriculum Vitae. The matrix would include a list of various skills and
competencies that we would score each applicant against, such as
“organisational skills". I do not recall how these skills and competencies were
determined, but I believe that they were similar to the knowledge and skills set
out in the job advertisements, as described at paragraphs 78 and 80 below.
Applicants who had been identified following the initial "sift" were then invited
to attend an interview. Following the interview, successful applicants would be
recruited and begin the induction process.
25
WITN08410100
WITN08410100
73.
74.
75.
76.
77.
As far as I recall there was no financial or other vetting process because the
applicants were already POL employees and I believe these checks would
already have been carried out.
On rare occasions we did recruit externally. I recall that we hired externally
during the time I was an FTL, when there was a high level of activity and
approximately 160 auditors. External recruits would be required to undergo a
vetting process.
The process described at paragraphs 70 to 73 above was the same process
how I was recruited to the FTL role in 2012. I recall that I was interviewed by
Lesley McNally and Alan Currie.
I have been asked whether there was a minimum level of qualification or
experience an individual was expected to have before they conducted branch
audits. There was no minimum level of educational attainment required to be
recruited as an auditor. I am not sure whether there was a minimum level of
educational attainment required to be hired within POL in the first instance, in
which case this effectively would have been the minimum educational
requirement to become an auditor, given that the vast majority of auditors were
recruited internally.
In order to be recruited as an auditor, the application process was designed to
ensure an applicant had the appropriate aptitude for the role. This would be
assessed on factors including their experience within POL and _ their
performance within their current role. Desirable experience would have
included applicants who had a strong knowledge of how a branch operated and
the many stock items within a branch.
26
WITN08410100
WITN08410100
78.
79.
80.
POL00088453 is a job advertisement for the role of Training and Audit Advisor.
Page 3 describes the following knowledge and skills as being necessary for that
role:
a. An understanding of business strategy, policies, Post Office operating
procedures and network transformation processes;
b. An awareness of both the wider social and commercial environment in
which Post Office Ltd operates;
c. Excellent knowledge of the Post Office Horizon system;
d. Ability to interrogate Horizon reports;
e. Report writing;
f. An awareness of Audit & Compliance procedures;
g. An awareness of training, interventions and evaluation techniques; and
h. An understanding of the range of products and services provided by Post
Office Ltd.
I consider that the knowledge and skills set out at paragraph 78 above are an
accurate reflection of the knowledge and skills which would have been required
for an applicant to be recruited to the Audit Team at the time. Although the
document is undated, I believe that the document must date between April 2018
and April 2019, when the training and audit functions were separated, as the
role is for a Training and Audit Advisor.
POL00088557 is a job advertisement for the role of Audit Advisor. Page 3
describes the following technical skills and experience as being necessary for
that role:
27
WITN08410100
WITN08410100
81.
82.
a. Good working knowledge of POL accounting processes and Horizon
workings;
b. Good knowledge of POL in branches processes;
c. An awareness of Audit & Compliance procedures;
d. Ability to be mobile and travel as required, working outside of normal
office hours if required;
e. Ability to work independently;
f. Strong communication skills;
g. High attention to detail and can spot things away from ordinary practice;
h. Be numerically competent; and
i. Ability to write reports.
I consider that the knowledge and skills set out at paragraph 80 above are also
an accurate reflection of the knowledge and skills which would have been
required for an applicant to be recruited to the Audit Team at the time. Although
the document is undated, I believe that the document must date from after April
2019, when the training and audit functions were separated, as the role is for
an Audit Advisor only.
I have been asked whether there was a minimum level of training auditors
received, including any induction or refresher training. Upon recruitment to the
Audit Team, auditors would receive an induction training course which I recall
was approximately one week in duration. I was not involved in the induction
28
WITN08410100
WITN08410100
83.
84.
85.
training during my time in the Audit Team and therefore am not in a position to
speak to what that training involved.
After induction, a buddy system was employed whereby a new auditor would
be partnered with an experienced auditor. The new auditor would then attend
audits with the experienced auditor. The new auditor would essentially undergo
a period of shadowing which could last from several weeks to several months,
depending on the competence and confidence of the new auditor. The amount
of time before an auditor might be sent out by themselves or as a lead auditor
might also have depended on the level of auditing activity within the team at the
time. If there was a greater focus on training at the time an auditor was
recruited, it might have taken a longer period of time before the new auditor got
the requisite amount of experience.
I believe an auditing skills matrix was used and a new auditor had to be
assessed as competent on all skills before they would be sent out by
themselves or as a lead auditor. In addition, we would generally perform a
greater amount of quality assurance on new auditors, to allow us to identify and
close any skill or knowledge gaps.
In relation to ongoing training, there were a number of resources available to
auditors which were constantly being updated and it was expected that auditors
would familiarise themselves with. It was expected that auditors would
familiarise themselves with any updates in the Audit Process Manual, and any
updates on EASE. EASE would record any operational updates to the Audit
Process Manual. Reviewing updates on EASE was an administrative task that
auditors could work on when they were not in the field completing an audit. I
29
WITN08410100
WITN08410100
86.
87.
88.
recall that the schedule for upcoming audits was circulated each day, and any
operational updates would also generally be attached to that schedule to draw
the changes to the attention of the Audit Team.
In addition, there were also team meetings which were held on an
approximately quarterly basis where the entire team would discuss updates in
practices and procedures, amongst other things. If there were any significant
changes in audit practices and procedures, a national meeting of auditors might
be called where the changes were introduced. Additional training tools such as
quizzes may also have been used for new products and stock.
Auditors could also request additional training, including during the regular
catch ups between auditors and team leaders ("121 meetings"). I recall that I
generally received these kinds of requests in relation to lottery and ATMs, as
these were technical products which were not available at all branches and
therefore an auditor might not have been as familiar with. For example, if an
auditor noticed that they were scheduled to perform an audit at a branch that
had a particular product, they could make arrangements to go and brush up on
this product in advance of the audit.
I have been asked whether I consider now, and whether I considered at the
time, that auditors had the necessary training and experience. During the time
I was a member of the Audit Team and to this date, I considered that, in general,
all auditors at POL had the necessary training and experience to perform their
role. However, I recall that there was a small number of auditors whose
performance at times did not meet the expected standards. My expectation is
that this should have been addressed as part of the quality assurance process
30
WITN08410100
WITN08410100
and that auditors would be given any additional training or support required to
close the performance deficit. I do not consider that there are any inherent or
systematic issues with the training provided to auditors.
Planning and scheduling of audits
89.
90.
I have been asked to consider POL00085286 and describe the circumstances
in which branch audits were scheduled. I note that POL00085286 is described
in the Rule 9 Request as being "Audit Plan & Scheduling, Chapter 1 of the
Audit Process Manual" (Version 8.0) (2010)". Upon my review of this document,
it appears from the face of the document that it may more accurately be
described as version 9.0 of Chapter 1 of the Audit Process Manual, which is
dated January 2011. Accordingly, I have also reviewed POL00084650 which is
version 8.0 of the that document. Any changes between versions 8.0 and 9.0
would be summarised on page 2 of POL00085286. Given there are no changes
listed, I believe there are no differences between versions 8.0 and 9.0 of "Audit
Plan & Scheduling, Chapter 1 of the Audit Process Manual".
The circumstances when an audit may be scheduled are set out in order of
priority in section 3.2 at page 4 of the POL00084650 as follows:
a. ‘Transfer / Closure’ audits (type 10/12): these audits were mandatory
when a branch was being transferred from one Postmaster to another or
closing;
b. "Robberies / Burglaries’ audits (type 20/21): these audits were
mandatory following any security incident at a branch, including a
robbery or burglary;
31
WITN08410100
WITN08410100
Cc.
‘Special request’ audits (type 200): these audits would take place when
an Area Manager or Contract Advisor had concerns about a branch; for
example, following a branch visit. Royal Mail might also have contacted
an Area Manager or Contract Advisor if they had concerns about their
stock, and the POL manager may have requested a Special request
audit. Special request audits have now ceased, as all decisions to audit
a branch (with the exception of Transfer / Closure and Robberies /
Burglaries audits) are based on a risk assessment of the branch which
is based on data analysed by the Network Monitoring Team.
. ‘Cash Centre’ audits (type 1): these audits were specific to Cash
Centres and did not relate to auditing branch accounts. I believe these
audits have also been abolished.
‘Risk-driven’ audits from the Financial Branch Performance Profile
("FBPP") (type 100): these audits were scheduled based on risk
assessments which was analysed by the Network Monitoring Team. For
example, an audit might be triggered if the data suggested that a branch
was carrying a high volume of cash, which had not been returned when
requested. My understanding is that this is more akin to the current
approach to scheduling branches for audit.
"Follow up activity’ audits (type 475): I do not specifically recall these
audits, but I recall that they may have taken place a short period of time
after an earlier audit occurred, particularly if a discrepancy was identified
at that earlier audit, to verify that the branch was now operating as
expected.
32
WITN08410100
WITN08410100
91.
g.
"Random audits’ (type 150): my recollection is that these audits
occurred when the Scheduling Team had gaps in the schedule which
they needed to fill. They would select branches from a list of branches
that had not recently been audited. I do not know how these branches
were selected from the list. Additionally, a random audit may have been
scheduled at a nearby location during the induction training of a new
auditor, so that arrangements can be made for the new auditor to attend
an audit with an experienced lead auditor without having to travel a great
distance.
. ‘Compliance only’ audits (type 400): these audits were not financial
audits and would not require a full financial verification, but instead would
confirm that proper process and procedures were being followed at the
branch, such as the safe or secure room in a branch was secured
appropriately or that each person working on a stock unit was using their
own Horizon ID. My recollection is that these audits would be scheduled
to take place in the afternoon to fill in the gaps in the schedule because
they could be completed relatively quickly.
I had no involvement in the scheduling of audits during the time I was a member
of the Audit Team, however my recollection is that the circumstances described
at paragraph 90 are a comprehensive list of the circumstances in which an audit
would be scheduled. In addition to the categorisation of audits described above,
audits could either be a Financial Assurance Audit or a ‘full’ audit, known as a
Tier 2 Audit. During a Financial Assurance Audit, not all the assets in a branch
would be checked, but only cash and a selected number of stock items and
33
WITN08410100
WITN08410100
92.
93.
vouchers, or a selected number of stock units. Items not verified were deemed
to be "assured". If any discrepancy was identified during a Financial Assurance
Audit, the audit would be upgraded to a Tier 2 Audit. Financial Assurance Audits
would typically be used to audit large Crown Office branches with a large
number of stock units so as to minimise the amount of time these branches
needed to be closed, so that they could open to serve the public as soon as
possible. I recall that Financial Assurance Audits were also performed at agency
branches during the first years I was a member of the Audit Team, in which case
only cash and high value stock would have been audited. I recall that transfer /
closure audits, robberies / burglaries audits and special request audits would
always be Tier 2 Audits. My recollection is that risk-driven audit, random audits,
and follow up activity audits could be either a Financial Assurance Audit or a
Tier 2 Audit.
I have been asked how promptly audits were completed once they had been
scheduled. My recollection is that audits generally took place at the time they
were scheduled to occur. The only circumstances in which an audit might not
proceed is if there were extenuating circumstances, such as an auditor
becoming ill or difficulties with travel to the audit site.
In relation to how quickly audits were scheduled, although I was not a member
of the Scheduling Team, my understanding is that an audit would be scheduled
depending on the type of audit and the prioritisation of certain types of audits.
For example, an audit would be scheduled more urgently if it was for a transfer
or closure of the branch. This is because the steps for closure would be finely
scheduled, such as the removal of alarms or safes and therefore the closure
34
WITN08410100
WITN08410100
94.
audit needed to occur on a specific day. Similarly, for a robbery or burglary, my
recollection is that the Audit Process Manual stated that an audit should be
scheduled on the day of the incident if possible (see section 3.5 of
POL00084650). This was necessary because an audit was necessary before
the branch could re-open. I do not recall that there were any requirements as
to when special request or random audits needed to be scheduled.
I have been asked to describe any enquiries or investigations which were made
prior to a branch visit. Before the 2019 / 2020 changes described at paragraphs
40 to 45 above, auditors were not required to do any significant preparation
before the audit. The auditor's obligations for planning were set out in section 5
on page 6 of Performing a Branch Audit, Chapter 3 of the Audit Process Manual
(POL00084801) and recorded that the auditor must check the audit type,
branch name and other details provided by the schedulers. There might be
some notes on the schedule, however little explanation was provided as to why
an audit had been scheduled. On some occasions an auditor might have
received a call from the relevant Contract Advisor with some additional context
or background information. The auditor would also check whether there were
any pending error notices/transaction corrections with P&BA/ Finance Service
Centre (“FSC”). However, after the 2019 / 2020 changes, there was more
explanation given to the auditor as to why an audit was occurring. The auditor
was given access to the ARD which explained why they were undertaking the
activity, and the auditor would then provide the information to the Sub-
postmaster as part of the pre-audit conversation. In addition, there may have
been a phone call to the stock team to check on any issues with stock, but my
35
WITN08410100
WITN08410100
95.
96.
recollection is that this practice was ad hoc and that the work in relation to the
background to the audit had already been completed by the Network Monitoring
Team.
I have been asked how frequently branches were audited. There was no
minimum frequency for audits of a given branch. The only exception was Crown
Office branches, which were required to be audited every two years during the
majority of the time I was a member of the Audit Team.
I have been asked whether there was any variation between the scheduling of
audits of Crown Office branches and other branches. Other than the
requirement for Crown Office branches to be audited every two years, the
triggers for scheduling an audit were generally the same as for other branches,
as set out at paragraph 90 above. There was occasionally a robbery or burglary
in the Crown Offices, which triggered a robbery / burglary audit. There were
also closures of Crown Offices during the time I was a member of the Audit
Team due to a programme of these offices being transferred to agency
branches, which triggered transfer / closure audits. The Area Manager could
also make a special request for an audit of a Crown Office. However, my
recollection is that special requests were not made as frequently, possibly
because the Crown Office branches were generally under more scrutiny, and
because risk audits were more likely to be triggered by the FBPP if there were
concerns rather than an Area Manager making a special request.
The audit process
97.
I have been asked to consider POL00083966, POL00084801, POL00087627,
POL00088745, POL00088204, POL00088252, POL00088634, POL00084003,
36
WITN08410100
WITN08410100
98.
POL00085652, POL00084977, POL00085652, POL00086765, POL00086831,
POL00086839, POL00087716, POL00087614, POL00088628, POL00088830,
POL00084979, POL00084978, and POL00088445, and to set out the sources
of information I would expect an auditor to have considered when completing
an audit, and whether those sources varied according to the type of audit being
conducted.
I have reviewed the documents listed at paragraph 97 above. Upon my review
of these documents, it appears from the face of some of these documents that
they may more accurately be described as different versions of the documents
to those described. In these cases, I have reviewed both the documents
provided to me, and the document which appears to match the description in
the Rule 9 Request, as follows:
a.
In respect of “Retention of Audit Papers, Chapter 9 of the Audit
Process Manual” (version 5.1) (POLO0088634), this document
appears to be version 5.0 of Chapter 9. Accordingly, I have also
reviewed POL00088750 which is version 5.1 of that document. The
changes between versions 5.0 and 5.1 are summarised in the version
control table on page 2 of POL00088750.
In respect of “Condensed Guide for Audit Attendance” (version 2,
October 2008), document POL00085652 does not appear to match
the Inquiry's document description, being "Requirement of Network
Field Support Advisors at audit, following discovery of discrepancy".
As such, I have also reviewed POL00084813, which does match the
stated description.
37
WITN08410100
WITN08410100
99.
100.
101.
c. In respect of “Training Guide: Compliance Audit Tool” (December
2013), document POL00086839 of the Guide. Accordingly, I have also
reviewed POL00034503 which is Version 1.1 of the Guide, dated
January 2014. The changes between versions 1.0 and 1.1 are
summarised in the version control table on page 2 of POL00034503.
In my experience, the relevant sources of information to be considered by an
auditor would be stated in Performing a Branch Audit, Chapter 3 of the Audit
Process Manual (POL00084801). If there were any changes to these sources,
then the Chapter would be updated either during an annual review or as part of
a separate review, and those changes would be communicated to the Audit
Team as described in paragraphs 85 to 86 above.
In section 8.2 on pages 11 to 12 of Performing a Branch Audit, Chapter 3 of the
Audit Process Manual (POL00084801), there was a list of all the material which
needed to be printed from Horizon against which the physical cash and stock
in the branch would be verified, and this was modified whenever Horizon was
updated. This process was to be followed for every audit. For example, it would
instruct an auditor to print a pre-transaction log before they arrived at a branch
to check if any transfers had been made on the day of the audit. Other printouts
might be required to obtain data from other terminals, such as the ATM or the
National Lottery.
The auditor would then progress by physically checking stock units. In smaller
branches there may only be one stock unit, whereas larger branches might
have had many stock units. Each stock unit would include all manner of things,
including cash, stamps, travellers’ cheques, milk tokens (when they were in
38
WITN08410100
WITN08410100
102.
103.
use) and tax discs. The auditor would work through each stock unit, check what
they were looking for was there, hand in their working papers to the lead auditor,
and then repeat this process until all the stock units and the safe in the branch
had been checked.
I have been asked to comment on whether the sources would change according
to the type of audit being conducted. In my experience the sources of
information would not change. However, the stock and products to be audited
would change depending on what was present at the branch. The only
exception that I can recall is that during Financial Assurance Audits described
at paragraph 91 above (which occurred before the 2019 / 2020 changes
described at paragraphs 40 to 45 above) only certain stocks or stock units
would be audited, such as stock with the most value or stock unit the most cash
and stock in a branch. After the 2019 / 2020 changes, the auditor would check
all stock units.
I have been referred to the evidence of Susan Harding (WITN03980100,
paragraphs 23 to 32) and asked to consider the role of the local suspense
account in the audit process, as well as any impact its removal would have on
the audit process. I have considered paragraphs 23 to 32 of Ms Harding's
evidence which contain detailed information on and issues regarding the
operation of the ‘local suspense account’ which I was not aware of. I do not
recall being aware of the IMPACT program either at the time it was being
implemented, or subsequently. I believe this may be because the IMPACT
program occurred prior to me joining the Audit Team. I am, however, aware of
the existence of a suspense account, and an auditor would check this as a
39
WITN08410100
WITN08410100
104.
105.
106.
source of information during the audit process. This was because the amount
in the suspense account would form part of the ultimate Horizon figure, against
which all physical cash and stock would be verified.
I understand that a view was expressed in the evidence of Susan Harding
(WITN03980100, paragraph 31) that, given the way that the suspense account
was operated, it could be theoretically possible for someone to "hide" shortfalls
or discrepancies. I have not personally experienced instances of this, but I have
heard of instances where auditors state they have experienced it. I do not,
however, recall any specific incidents.
If the ‘local suspense account’ is the same as the suspense account that I am
aware of, the impact on the audit process would be minimal - it would just be
one less source of information for the auditor to check. Upon reviewing versions
of "Performing a Branch Audit, Chapter 3 of the Audit Process Manual” dated
May 2007, (POL00087540), and November 2009 (POL00084287), and
Appendix J to Chapter 3 dated November 2015 (POL00087785), it is apparent
that, as a general requirement, auditors were required to check suspense
accounts as part of the audit; however the specific requirements changed over
time. I do not recall any specific changes to the audit process being introduced
as a result of the removal of the ‘local suspense account’.
I have been asked to comment on what enquiries an auditor would make if they
discovered a discrepancy during an audit. If there was a discrepancy at the end
of the audit, the auditor would first check that the audit figures had been inputted
correctly and then, if there was still a discrepancy, they would ask the
Postmaster if they had an explanation. If the discrepancy was unexplained and
40
WITN08410100
WITN08410100
107.
108.
above the threshold, the auditor would then follow a process set out in the Audit
Process Manual described at paragraph 61 above and speak to the Contract
Advisor. It was not the responsibility of the auditors to investigate the cause of
the discrepancy (for example POLO0083966 at section 2 states: "The [audit]
role is not an investigative one nor is its primary function to detect fraud"). The
auditor's role was limited to checking the assets and verifying the figures
against Horizon data. If any investigation into the cause of the discrepancy was
required, that would be conducted by teams other than the auditors. If it was
clear that the discrepancy related to a specific product, the investigation was
likely to be carried out by the product team in P&BA.
I have been asked to consider if auditors were explicitly instructed not to
consider the cause of incorrect Branch Trading Statements, discrepancies and
shortfalls. I do not recall any such explicit instructions being given, although I
note that in section 3.1 in POL00084801, auditors were required not to
"speculate" on the cause of the outcome of the audit or the honesty of agents
or staff either overtly or by implication. As stated in paragraph 106 above, the
auditors were there to verify the branch assets against Horizon data. It was not
the auditor's responsibility to investigate the cause of any discrepancy.
With reference to the email dated 26 March 2020 at POL00088823, I have been
asked if I am aware of a practice in which auditors asked Postmasters to make
good discrepancies on the day of audit. If there was an unexplained
discrepancy and the Contract Advisor was contacted by the auditor to inform
them of the discrepancy, it was common practice to ask for the Contract Advisor
to ask the auditor to ask the Postmaster if they could make good the shortfall
41
WITN08410100
WITN08410100
109.
110.
(not that they must). I became aware of this practice, which was part of the
standard audit process when I joined the Audit Team in 2012. After the 2019 /
2020 changes, we no longer asked that question, and this was one of the
changes incorporated in our full revision of audit practices.
I have been asked if I am aware of auditors being given instructions on taking
payment from Postmasters. I am not aware of any instructions in the relevant
Chapters. Before the 2019 / 2020 changes, it might be that post-audit
conversations would happen between the Contract Advisor and the auditor, who
would advise the auditor (to inform the Postmaster) or the Postmaster directly
on how payment could be made and the options available to the Postmaster,
but I was not aware of auditors doing so.
I have been asked to consider whether, when a discrepancy or shortfall was
discovered, Postmasters were able to provide their own information or
undertake their own investigation. As stated above in paragraph 106, the
responsibility of auditors was to verify the branch’s assets against Horizon data,
it was not to investigate the cause of any discrepancy. Any issue with the cause
of a discrepancy found at an audit would be referred to the appropriate team. If
it was clear that the discrepancy related to a specific product, the investigation
was likely to be carried out by the product team in P&BA. Before the 2019 /
2020 changes, a "Record of Significant Comment" would be made in the audit
report where a Postmaster could add comments about the discrepancy, such
as describing what they believed at the time to have caused the discrepancy,
or the fact that they did not know the cause of the discrepancy. I do not have
any recollection of seeing a "Record of Significant Comment" which alleged that
42
WITN08410100
WITN08410100
111.
errors in the Horizon data were the source of the discrepancy. The auditors may
be aware of what the Postmaster had to say about the discrepancy at the time,
but this was because the auditors were present when the discrepancy was
discovered. The audit report would be sent to the appropriate stakeholders,
such as the Contract Advisor, for further action, including taking forward any
necessary investigation to look into the cause of a discrepancy. It is possible
that the Contract Advisor might decide to suspend the Postmaster upon being
informed of a large unexplained discrepancy, in which case, the Postmaster
would no longer have access to the branch. As a result, the Postmaster may
not have had an opportunity to undertake their own investigation into the cause
of the discrepancy. After the 2019/2020 changes, the Postmaster would be
informed of the discrepancy by the auditors and there would a post-audit
conversation where the Postmaster could discuss the discrepancy and next
steps with the auditors. In addition, as I explain in paragraph 111 below, after
the 2019 / 2020 changes it would be highly unlikely for the Postmaster to be
suspended on the day of the audit. They would therefore have an opportunity
to undertake their own investigation after the audit. I was not aware of any
practice, pre or post 2019 / 2020 changes, of Postmasters investigating the
cause of a discrepancy during the audit process.
I have been asked to comment on the information communicated to
Postmasters while a branch audit was being conducted. The information that
auditors were required to communicate to the Postmaster at an audit would be
set out in Chapter 3 of the Audit Process Manual. Before the 2019 / 2020
changes, at the start of the audit the auditors would introduce themselves and
43
WITN08410100
WITN08410100
112.
hand over their ID cards. If asked why the audit was taking place, the auditor
was to not offer an explanation. During the audit, the Postmaster would be
informed by the auditors of the steps in the audit in order to assist with the
conduct of the audit. The auditors would request access to the necessary
assets (such as asking the Postmaster to open the safe in the branch) and ask
the Postmaster about the stock and the cash. If there was a discrepancy, the
auditors might ask the Postmaster for further information, such as if there was
anything else that may belong to that stock unit. At the end of the audit, the
auditors would break down the audit findings to the Postmaster. If the
discrepancy was over the threshold, then the auditor would call the Contract
Advisor, and the Postmaster would be informed of this fact. After 2019 / 2020,
a few changes were introduced. The ARD was used and the Postmaster was
given an explanation of why their branch was being audited. If the Postmaster
was not present for the audit, the auditors would endeavour to contact them to
inform them; if they were within a reasonable travel distance, they would be
invited to attend the branch. There was also a more stringent process in place
for Contract Advisors to suspend a Postmaster as a result of findings at an audit.
I understand that a higher level of authorisation and a rationale document was
required. It is highly unlikely, post the 2019 / 2020 changes, that a suspension
would be made on the day of an audit.
I have been asked to comment on the processes in place which allowed a
Postmaster to raise issues or concerns during an audit. Before the 2019 / 2020
changes, Postmasters could have done so, but this would have only been
through an informal conversation with the auditors. After the 2019 / 2020
44
WITN08410100
WITN08410100
113.
changes, the audit report contains a space where Postmasters could note any
concerns, and this would go to the relevant stakeholders. Postmasters could
also provide feedback in a satisfaction survey. For the majority of the time that
I was a member of the Audit Team, the satisfaction survey was run through the
‘Kendata' platform; although I recall that this later became defunct and a
different method was used. Following the 2019 / 2020 changes, a satisfaction
survey was no longer used, and I understand that instead the Scheduling Team
would contact branches randomly by phone following an audit and ask a series
of questions about the audit.
I have been asked if it was possible to conduct a branch audit in circumstances
without access to Horizon. It was possible to conduct an audit without Horizon
being accessible within the branch, although I recall that this did not happen
often. It is possible that an auditor would not be able to access Horizon
because, for example, the power was down or the branch had been
disconnected from electricity, or the Horizon kit had been damaged. Whether
the audit would proceed would depend on the circumstances of each incident
(section 1 of POLO0084003). For example, if it was a closure audit or audit
which needed to take place on that day, then it was possible to proceed with
the audit. The process to follow was set out in "Compliance Team Process for
Auditing Branches Without Access to Horizon" (POL00084003). If it was a
closure, the process to follow was set out in "Closure Process when Horizon is
not operational" (POL00088628). I recall that the auditor would complete the
audit working papers with values for the counted stock units. The auditor would
then return these papers to the FSC, previously known as the P&BA, who would
45
WITN08410100
WITN08410100
114.
115.
reconcile the cash and stock figures against the central Horizon records. I recall
audits being carried out in such a situation where there had been flooding in the
North. It would not be possible to conduct an audit without any access to
Horizon (either through the branch or centrally), as there would be nothing to
verify the cash and stock figures against.
I have been asked to describe any variation between the audit process in
respect of Crown Office branches and other branches. Before the 2019 / 2020
changes, the only difference between auditing Crown Office branches and other
branches was the frequency of audits, as set out at paragraph 95 above. In
addition, given the size of some Crown Offices, in some circumstances a full
financial audit, being a Tier 2 Audit, would only be undertaken in respect of
certain stock units, and then other units would be assured, i.e. a Financial
Assurance Audit would take place. If a Crown Office was scheduled for a
Special request audit, transfer / closure audit, or robberies / burglaries audit
then all stock units would be subject to a full financial audit, i.e. a Tier 2 Audit.
This is the same for other branches. My recollection is that Crown Office
branches ceased being audited around the same time as the NOM role was
introduced, being approximately 2016.
I have been asked to describe the involvement Area Training and Audit
Managers had at the time an audit took place. My recollection is that Area
Training and Audit Managers (active between April 2018 and April 2019 as
described at paragraph 33 above) would not generally have been present at an
audit. The only exception to this is if they needed to step in and assist due to
unforeseen circumstances, such as an auditor falling ill or being unable to
46
WITN08410100
WITN08410100
116.
attend the audit location, or if they were attending the audit to perform
observational quality assurance. When performing observational quality
assurance, I may have assisted in tasks as part of the audit process, for
example counting currency or stock. Finally, in order to support the auditor, an
Area Training and Audit Manager may have attended an audit if it was occurring
at a location nearby. I do not recall that, as an Area Training and Audit Manager
or any other role I held within the Audit Team, that I was ever scheduled to
attend an audit as an auditor (lead or otherwise). However, section 3.1 of
version 5.1 of Retention of Audit Papers, Chapter 9 of the Audit Process Manual
(POL00088750) provides for when an Area Audit Manager had been
designated as a lead auditor, so it must have been a possibility for managers in
the Audit Team to lead an audit.
I have been asked to consider POL00002841 and FUJ00001894 and describe
any involvement Fujitsu had in the audit process. I have considered these
documents. My recollection is that Fujitsu had no involvement in the audit
process. The only involvement that I recall that Fujitsu had is that they would
create a Global User Account for every auditor. The Global User Account was
a unique account which allowed an auditor to log on to any branch with
managerial level access. However, Fujitsu had no involvement in the actual
audit process nor any oversight as to how audits took place. On reflection, I do
not consider that Fujitsu ought to have had a role in the POL audit process, as
auditors had access to all the information that was necessary to perform the
‘stock taking’ function they were required to do. However, if the function of audits
47
WITN08410100
WITN08410100
117.
118.
had been more akin to a forensic audit it may have been appropriate for Fujitsu
(or a third party) to play a role in the analysing the integrity of the data.
I have been asked whether auditors had access to information to which a Sub-
postmaster did not have access when they were conducting a branch audit.
Auditors did not have access to any information at the branch which Sub-
postmasters did not also have access to. There were different levels of access
which could be granted on Horizon, so for example a clerk did not have the
same access as a Sub-postmaster. Sub-postmasters had ‘manager’ level
access, which was the same level of access which was granted to auditors by
the Global User Account.
Reports which may need to be printed out during an audit are listed at pages
20 to 21 of “Audit Trail Functional Specification" (FUJ00001894). The reports
are also listed at section 8.2 on pages 10 to 11 of Performing a Branch Audit,
Chapter 3 of the Audit Process Manual (POL00084801). My recollection is that
these reports were accessible through either the Global User Account or
through the managerial access held by Sub-postmasters. I believe that it was
best practice for an auditor to ask the Sub-postmaster to grant them access
rather than using their Global User Account. Page 1 of POL00002841 states
that the Audit Global User Account was to be used "if there is no one available
in the branch with manager access to add them to the system" which accords
with my recollection. In addition, Appendix G — Access to the Horizon System
of version 7.3 of Performing a Branch Audit, Chapter 3 of the Audit Process
Manual on page 33 of POL00088623 states that "You should request the
AGENT/POSTMASTER to add you to the system, if this is not possible due to
48
WITN08410100
WITN08410100
119.
120.
no one in the branch having managers access, then your Global User ID should
be used to access the system". Accordingly, given Postmasters routinely
granted auditors access to the system, I do not believe that auditors had access
to additional information in the branch which Sub-postmasters could not have
accessed.
I have been asked to explain my understanding of an Audit Global User
Account. POL00002841 sets out some background in relation to Global User
Accounts, and states on page 1 that field team members have two accounts:
Trainer; and Audit (Emergency Manager). Trainer accounts were to be used in
Counter Training Offices only and allowed the trainer to reset the kit and clear
the transaction history. This was so that different training sessions could be run
each day and not carry over past transactions. Audit (Emergency Manager)
Global User Accounts are those described in paragraph 116 above and allowed
the auditor to log on to the kit at any branch and print out the reports necessary
for an audit.
I have been asked to describe what, if any, audit measures were in place in
respect of Audit Global User Accounts. My recollection is that there was a list
which was circulated to the relevant stakeholders, such as Audit Managers,
periodically which listed all individuals with Global User Accounts. We would
then review these lists and confirm whether there were any individuals who no
longer required access because, for example, they had left the business. I am
not aware of any additional auditing or whether the usage of the Global User
Accounts was monitored.
49
WITN08410100
WITN08410100
Reporting audit results
121.
122.
123.
I have been asked to consider POLO0085431, POLO0088887, and
POL00088634, and describe how a branch audit finding was communicated to
a Postmaster. As described at paragraph 98a above, I note that POL00088634
appears to be version 5.0 of Chapter 9 of the Audit Process Manual while
POL00088750 is version 5.1 of that document. The changes between versions
5.0 and 5.1 are summarised in the version control table on page 2 of
POL00088750.
Once an audit had been completed, the auditor would have a close of audit
meeting with the Sub-postmaster. This requirement is described in section 13.1
on page 18 of Chapter 3, ‘Performing a Branch Audit’ of the Audit Process
Manual (POL00084801). During this meeting, the auditor would go through the
findings of the audit, including breaking down any discrepancies identified by
category, if relevant. The Sub-postmaster may have been shown the working
papers as part of the meeting but would not have been provided with any written
confirmation of the outcome of the audit on the day.
The auditor would then finalise their working papers and produce an audit
report. More recently, the audit report was generated using the Audit Reporting
Tool ("ART"), which was a Microsoft Excel tool (see page 1 of POL00088887).
The audit report would be sent to the Sub-postmaster in the following days
(either physically via post or latterly via email (see page 4 of POLO0088887)).
Prior to the introduction of ART, the Audit Team used a similar tool called the
Financial Audit Tool ("FAT"). The auditor was also required to call the branch
two days after sending the branch the audit report to confirm the Sub-
50
WITN08410100
WITN08410100
124.
125.
postmaster's understanding of the content and highlight their responsibility for
the return of the Declaration of Compliance (see page 18 of POL00084801).
I have been asked which stakeholders in POL were informed of branch audit
findings, and how this occurred. As described at paragraph 59 above, an auditor
would have called the relevant Security Manager to inform them of the audit
results if a Postmaster had admitted to fraudulent activity or a discrepancy over
the threshold was identified during audit. If a Postmaster admitted to fraudulent
activity, in addition to informing the Security Manager, a Record of Significant
Comment needed to be completed by the auditor so as to record that statement,
or it could be completed by the Postmaster directly, and the Postmaster would
be asked to sign the Record of Significant Comment to confirm its accuracy.
Likewise, as described at paragraph 61 above, an auditor would have called
the relevant Contract Advisor to inform them of the audit results if a discrepancy
over the threshold was identified during audit.
Regardless of whether the Security Manager or Contract Advisor had been
contacted on the day of the audit, the relevant stakeholders would receive a
copy of the audit report once it had been completed by the lead auditor in the
days following the audit. During the time I was an FTL, a NOM and an Area
Training and Audit Manager, once the report was completed it would be
uploaded to a SharePoint site and any interested stakeholder could access the
audit report (see page 4 of POL00088887). During the time the FAT and ART
were used, it was not necessary to email the stakeholders copies of the audit
reports as the platform where the documents were managed would
automatically distribute the reports. I do not recall who had access to the
S1
WITN08410100
WITN08410100
126.
127.
SharePoint where audit reports were stored, but it would have included the
Security Team, Contract Advisors, the Audit Team, the Area Manager and
Regional Manager and potentially others. I do not recall that there was any
process for the removal of audit reports after a certain period of time.
During the time I was an Area Audit Manager, I believe the communication of
audit reports to internal stakeholders may have changed. The report was
instead disseminated using a program which allowed the report writer to add
people to the distribution list and then the report was automatically distributed.
While I cannot recall exactly, I believe the teams and individuals who received
a copy of the audit report would have been broadly the same as described in
paragraph 125 above.
I have been asked whether I had any concerns regarding the reporting process.
During the time that I was a member of the Audit Team, and now, I did not have
any concerns about the reporting process. The individuals who received a copy
of the audit report were defined in the Audit Process Manual and I considered
that they were the right teams and individuals to receive a copy of the report.
Quality Assurance
128.
129.
I have been asked to consider POL00086424, POLO0086831, and
POL00033398, and describe my involvement in conducting quality assurance
reviews.
As an FTL, one of our responsibilities was to carry out quality assurance.
Quality assurance took multiple forms, as follows:
52
WITN08410100
WITN08410100
. "Paper assurance" or Quality Assurance Review ("QAR") involved
requesting a random sample of audit workpapers for audits which had
been completed, and reviewing those papers to ensure that all practices
and procedures had been followed thoroughly;
. "On-site assurance", or "Observational QAR" involved attending
branches while audits were being carried out and reviewing the practices
of the lead auditor to ensure that all practices and procedures were
followed and that the lead auditor's behaviour at the branch was
appropriate; and
. "Training assurance" involved attending training sessions in branches
and the classroom to ensure that all training practices and procedures
were being followed thoroughly. It was necessary for an FTL to complete
an observation QAR form.
130. My primary responsibilities in relation to quality assurance are set out under
131.
‘Section 2 — Responsibilities of a Regional Network Manager & Field Support
Team Leader" on page 2 of POL00086424. While I was an FTL, the policy was
for us to complete at least six QARs each quarter, with at least two of those
being observational QARs. We were also required to perform six reviews of
each auditor every year, with two of those being observational QARs. We would
discuss the findings of those QARs at 121 meetings with the relevant auditor.
On approximately a quarterly basis, FTL's would meet and exchange QAR
reports which they had completed to discuss and critique the results which had
been reached by the FTL. We would seek consensus amongst the FTLs as to
53
WITN08410100
WITN08410100
132.
133.
what score the audit papers should receive. This process was known as the
"levelling process" and is described on page 4 of POL00086424.
An example of the forms that were used to perform quality assurance is
POLO0112462, which sets out the metrics on which an auditor would be
assessed. I was not involved in the development of this skills matrix, as I was
likely quite a junior FTL at the time it was developed, if it was not already
developed by the time I joined the Audit Team. However, I recall that there was
a desire to align (to the extent possible) the skills matrix with the Institute of
Internal Auditors standards ("IA Standard 2300"), mapping it across to the
limited scope of the audit. This is also reflected in section 2 of Quality
Assurance, Chapter 11 of the Audit Process Manual (POL00086028). I do not
recall why it was thought desirable to align the skills matrix with the IIA Standard
2300, but I recall that the IIA Standard 2300 was referred to consistently in the
context of quality assurance over the duration of my time in the Audit Team. I
think that the alignment between the IIA Standard 2300 and the quality
assurance function within the Audit Team contributed to my belief that the
quality assurance function was adequate. In hindsight, I do not necessarily
consider that the metrics being assessed conformed with the requirements set
out in IIA Standard 2300.
POL00033398 appears to be a presentation by the Risk & Compliance Team
titled "Assurance Review: Quality of Auditing" dated February 2011. This
document pre-dates my time in the Audit Team, and I do not recall ever having
seen it before prior to being provided it by the Inquiry. However, in the limited
time available to produce this witness statement, I have not had time to carry
54
WITN08410100
WITN08410100
134.
135.
136.
137.
out an extensive search of my emails or underlying documents to confirm that
I did not receive a copy of that document at any point. I may have seen other
presentations which reported on the findings, conclusions and
recommendations in respect of an annual review in relation to the quality of
branch auditing within POL, but I do not specifically recall this occurring.
I recall that the quality assurance exercise did not take place around the time
that the NOM role was created (September 2016). I believe that I was not
required to perform any QAR while I was in the NOM role. Quality assurance
was reintroduced later as a responsibility of the audit managers while I was still
in the Audit Team. While I cannot recall exactly when this occurred, I believe
that it may have been around the time the Area Training and Audit Manager role
was split into the constituent parts of audit and training, being April 2019.
I have been asked to describe my contribution to the policies and guidance
applicable to the quality assurance process.
I recall that I had responsibility for reviewing and updating Chapter 11 — Quality
Assurance of the Audit Process Manual for a portion of the time that I was an
FTL (see POL00086424). I do not recall how long I had that responsibility for.
However, I recall that in September 2012 (at the time POL00086424 was
produced), my involvement with updating the Audit Process Manual was fairly
limited because I had only recently joined the Audit Team and did not yet have
experience with the quality assurance functions of the Audit Team. I recall that
Peter Jackson and Paul Humber took on larger roles within that review process.
I have been asked to explain my understanding of the ‘three lines of defence’
model. POL00086831 appears to be a report to the POL Executive Committee
SS
WITN08410100
WITN08410100
138.
139.
dated October 2013, potentially authored by Malcolm Zack, titled "Internal Audit
— Future options". I do not recall ever seeing this document prior to it being
provided by the Inquiry and it does not appear to me to be the kind of document
which would have filtered down to someone at my position within the
organisational hierarchy. Page 3 of POL00086831 refers to the ‘three lines of
defence model’. I do not recall ever having heard that phrase prior to being
directed to document POL00086831 by the Inquiry. I do not have any
understanding as to what the model means beyond what is set out in
POL00086831.
I have been asked to describe the measures in place to ensure that the quality
of audits was consistent across England, Wales, Scotland and Northern Ireland.
The quality assurance processes, as set out in Chapter 11 of the Audit Process
Manual, were identical in respect of branches located in England, Wales,
Scotland and Northern Ireland. I am also not aware of any difference in practice
in relation to the quality assurance exercise conducted in the various devolved
jurisdictions across the UK, and do not recall any specific measure which were
put in place to ensure that the processes were adhered to consistently across
the United Kingdom.
The only significant difference I recall between the jurisdictions was that even
prior to the changes to our ways of working during the time I was an Area Audit
Manager (including the requirement of a minimum of two auditors at any audit,
as described at paragraph 44 above), all audits in Scotland required the
attendance of at least two auditors. I believe this was because of a requirement
56
WITN08410100
WITN08410100
140.
under Scottish law, but I do have any further recollection as to why this was the
case.
I have been asked whether I consider now, and whether I considered at the
time, the quality assurance process was effective. In years which the quality
assurance exercise did take place, it was designed to ensure that auditors were
following the correct processes as set out in the Audit Process Manual and had
the key skills required to complete their jobs. These included: the ability to verify
stock, cash and currency at a branch; attention to detail in the verification and
report writing process; and clear and legible communication. As described at
paragraph 16 above, the audit process was essentially a “stock taking”
exercise. I believe that the QAR and observational QAR process was effective
at ensuring this function was met and these standards were met. I considered,
at the time that I was a member of the Audit Team and now, that the quality
assurance process as designed, when it was active, was effective at ensuring
that auditors were following the processes they were obliged to follow based on
the Audit Process Manual. The exception is that between September 2016 and
approximately November 2019, I believe that the quality assurance program did
not exist, in which case there was no effective quality assurance of audit during
those years.
Review of policies, guidance and instructions
141.
I have been asked to consider POLO00088739 and POL00085682 and describe
my involvement in reviewing and updating the policies, guidance and
instructions which were relevant to the audit process.
s7
WITN08410100
WITN08410100
142.
143.
144.
145.
146.
As described above at paragraph 22 above, the key document governing the
process to be followed in relation to auditing was the Audit Process Manual. All
other documents relating to practices and procedures were derived from the
Audit Process Manual.
As described at paragraph 22 above, when I was an FTL, I was assigned certain
chapters of the Audit Process Manual which I was responsible for reviewing on
a yearly basis and updating as necessary. It is also possible that chapters would
need to be updated more frequently than on the yearly basis, for example, if a
major change in processes had been rolled out. Although I do not recall all the
details as to when I was responsible for various chapters of the Audit Process
Manual, I do recall that at some point I was responsible, in conjunction with
other FTLs, for Chapter 5 — Closure and Chapter 11 — Quality Assurance.
During the time that I was a NOM, I did not have any responsibilities for updating
the Audit Process Manual, and therefore had no formal involvement with the
review of policies, guidance and instructions during the period from September
2016 to April 2018.
During the time that I was an Area Training and Audit Manager and Area Audit
Manager, I recall that we did have some responsibilities for updating chapters
of the Audit Process Manual, but my recollection is that it was a less structured
process than when I was an FTL, and I may not have had specific chapters
assigned to me.
I have been asked to describe the process by which audit policies, guidance
and instructions were kept under review. POLO0085682 appears to be a paper
authored by Sue Ricardson titled "Review of post Office Ltd Audit Processes
58
WITN08410100
WITN08410100
147.
and Tools October 2011". The date of this paper pre-dates my joining the Audit
Team. However, the statement on page 3 that "/CjJurrently all of the Audit
Process Chapters are reviewed against an annual rolling timetable and are the
responsibility of the Network Services Team Leaders" accords with my
recollection of the review process, except that chapters were reviewed by Field
Team Leaders rather than Network Services Team Leaders. The paper states
at page 3 that, following the complete review in the 2011/2012 Financial Year,
that "(W]e have returned to BAU ["Business as Usual"] in the on-going revision
of the processes and tools", which I believe would have been the case when I
joined the team in April 2012.
POL00088739 appears to be an email from Jo Milton to Alison Clark and
myself, and copied to Tim Perkins and Zoe Brauer, dated 14 January 2020 in
relation to the revision of certain chapters of the Audit Process Manual. I recall
that in 2019, following the settlement of the GLO, as part of the 2019 / 2020
changes, there was a complete review of the Audit Process Manual to reflect
the new audit processes and procedures required as part of POL's 'new ways
of working’. The two major themes which I recall from the 'new ways of working’
were working to better support Sub-postmasters and to rebuild trust with Sub-
postmasters. I have described some of the major changes at paragraphs 40 to
45 above. I recall that Jo Milton was a contractor who was overseeing the
process of reviewing the Audit Process Manual. I was heavily involved in the
redrafting of various chapters of the Audit Process Manual at this time because
I was one of the most experienced audit managers within the team at the time.
59
WITN08410100
WITN08410100
148.
149.
As part of the review process, I worked with Jo Milton, Alison Clark and others
to review the Audit Process Manual to ensure that it was fit for purpose in light
of the new ways of working. The 'new ways of working’ and changes required
to the audit process had already been determined by more senior teams within
POL and cascaded out to the relevant teams. Our role was to then update the
Audit Process Manual to reflect these changes and therefore facilitate the 'new
ways of working’. We were not involved in the design of the new ways of
working. I recall that Alison Clark, who was my line manager at the time, and I
did most of the drafting of the revised chapters, following consultation with other
stakeholders, including auditors, and then we would send the draft to Jo Milton
who would consolidate the draft and then send it on to other stakeholders for
review. I recall that the revised chapters of the Audit Process Manual were being
reviewed by the legal department at this time. I believe that Zoe Brauer listed
in copy on POL00088739 may have been a member of the legal team.
I have been asked whether legal advice was sought when reviews of audit
policies, guidance and instructions were undertaken. Other than in relation to
the review of the Audit Process Manual in 2019 — 2020 as part of the 2019 /
2020 changes, as set out at paragraph 148 above, I do not recall having any
interaction with the POL legal team. As set out at paragraph 62 above, I did not
have any routine interactions with the POL legal team, and I am unsure whether
legal advice was ever otherwise sought in relation to audit policies, guidance
and instructions.
60
WITN08410100
WITN08410100
KNOWLEDGE OF BUGS, ERRORS OR ISSUES WITH THE HORIZON SYSTEM
150.
151.
152.
I have been asked to consider POLO0088935, POLO00088209, and
POL00087879, and confirm whether I was aware of the trend of increasing debt
and average audit loss, and, if so, what I considered to be the cause of this
trend at the time.
I have reviewed the documents referred to in paragraph 150 above.
POL00088935 appears to be a report authored by Rod Ismay, Head of P&BA
dated 2 August 2010 in relation to concerns about the reliability of Horizon.
POL00088209 appears to be a report authored by Angela Van Den Bogerd
dated 1 August 2016 in relation to a Mitigation Proposal for Agent Branch
Losses. I do not recall ever having seen these documents previously, and they
do not appear to me to be the kind of document which would have filtered down
to someone at my position within the organisational hierarchy. At the time
POL00088935 was authored, I was still a branch manager at the Stockport
Crown Office. However, in the limited time available to produce this witness
statement, I have not had time to carry out an extensive search of my emails or
underlying documents to confirm that I did not receive a copy of either document
at any point.
POL00087879 appears to be a document titled 'Approach to Business Risk,
Branch Audit and Accountancy Support for Operators’. Although the document
is undated, I believe from the information contained in the document that it may
date from 2016. I do not recall ever seeing this document, however I have not
carried out an extensive search of my emails or underlying documents to
confirm that I did not receive a copy of this document at any point.
61
WITN08410100
WITN08410100
153.
154.
155.
I do not recall that I was ever aware of a trend of increasing debt and average
audit losses. The function of the Audit Team was to carry out the audits which
were scheduled, and report back the findings to other teams within the
business. The Audit Team were not involved with the analysis of the results or
strategy decisions relating to these results.
As a manager of auditors, although I do not specifically recall this occurring, it
is possible that we may have received information in relation to some statistics,
such as the number of audits that had been completed during the previous year.
This is because there were targets for the number of audits to be completed in
a year in the Audit Plan (see section 3.1 of "Audit Plan & Scheduling, Chapter
1 of the Audit Process Manual) (POL00085286), and so it may have been
relevant for us to have this information. However, I do not recall that we were
routinely sent information in relation to the total or average audit losses which
had been identified by auditors in our team. The value of losses identified at
audit did not relate to any of our performance indicators, and so I do not think it
would have been relevant for the audit team to have information of this nature.
I have been asked whether I had, or was aware of, any concerns regarding the
robustness of Horizon during the time I have been employed by POL. In relation
to the scope of "robustness", I have been asked to specifically consider:
a. the accuracy and integrity of the data recorded and processed by the
Horizon IT System;
b. the extent to which deficiencies in the Horizon IT System were capable
of causing and / or caused apparent discrepancies or shortfall in the
branch accounts;
62
WITN08410100
WITN08410100
156.
157.
c. the ability of the Horizon IT System to identify errors in data and
discrepancies or shortfalls in branch accounts and the cause of the
same; and
d. the ability of the Horizon IT System to continue to operate satisfactorily
in the presence of adverse conditions.
During the time I worked in Crown Offices, from 1987 to 2012, I was never
aware of any issues or problems with Horizon. I did not personally encounter
any problems with Horizon during the time I was an Assistant Branch Manager
or Branch Manager and do not recall being told of concerns or being made
aware of systematic or specific issues by others.
Once I joined Network Services and became a member of the Audit Team, I
likewise was not aware of any systemic issues or problems with Horizon as part
of my role. I personally do not recall instances where Sub-postmasters asserted
during or after an audit that a shortfall was due to an error with Horizon,
although this may well have happened. I do recall hearing that allegations had
been made regarding the robustness of Horizon. Although I cannot be sure
exactly when I first became aware of these allegations being made, I believe it
may have been around the time of the Panorama program in 2015. I do not
recall that concerns regarding the robustness of Horizon being raised by Sub-
postmasters at audit was a trend identified or discussed by the Audit Team.
After the Panorama program, I believe that I became more aware of questions
about the robustness of Horizon around the time the GLO was made in March
2017. Through my work at POL and the media I have come to be aware of
‘Second Sight’, but I was not aware of their operation at the time of their
63
WITN08410100
WITN08410100
WITN08410100
WITN08410100
investigation. Around the time of the GLO settlement and the 2019 / 2020
changes, I recall that the Audit Team received some communications regarding
the integrity issues with Horizon, including receiving a presentation on Known
Error Logs (see POL00112803).
158. While I was a Contract Advisor between April 2020 and April 2021, although I
was aware of concerns regarding the robustness of Horizon in the wake of the
GLO, I do not recall that any of the Sub-postmasters raised concerns with me
regarding the robustness of Horizon, nor that there were any Sub-postmasters
who had significant discrepancies arise during this time. However, I was only a
Contracts Advisor for one year, and I believe that there were very few audits
during this year because of COVID-19.
159. While I do not have any recollection of being made aware of any concerns
regarding the robustness of Horizon during the time I have been employed by
POL (except to the extent set out at paragraph 157 above), I have not carried
out an extensive search of my emails or underlying documents to confirm that
I was not sent any material which indicated that there may have been concerns
with the robustness of Horizon.
OTHER MATTERS
160. I do not consider the Chair of the Inquiry should be aware of any other matters
which I recall or have knowledge of.
64
WITN08410100
WITN08410100
Statement of truth
I believe the content of this statement to be true.
65
Index to First Witness Statement of Alexander Simon Talbot
No.
URN
Document Description
Control Number
POL00083966
Audit Charter (version 4.0)
POL-0081024
POL00084801
Performing a Branch Audit, Chapter
3 of the Audit Process Manual
(version 5.1, 2010)
POL-0081859
POL00085682
Review of Post Office Ltd Audit
Processes and Tools October 2011
POL-0082740
POL00085769
Business Loss Programme Board
ONCH — Cash Loss deficiencies
POL-0082827
POL00086765
Network Auditing Approach,
Methods and Assurance
POL-0083823
POL00086831
Post Office Ltd Executive
Committee: Internal Audit Options
POL-0083889
POL00088445
Process document - Agent Debt
(undated)
POL-0085503
POL00033398
Draft Post Office Training
Presentation on Assurance Review:
Quality of Auditing (Version 0.5)
POL-0030333
POL00032698
Assurance Review - Recruitment
(Vetting & Training) (27 October
2009)
POL-0029633
10.
POL00088453
POL's advertisement for Training
and Audit Advisor Role (undated)
POL-0085511
11.
POL00088557
POL job advertisement for Audit
Advisor role within Loss Prevention
(undated)
POL-0085615
12.
POL00085286
Network Support Team Policy /
Process - Audit Process Manual
Volume 4 Chapter 1 Audit Plan and
Scheduling (v9
POL-0082344
13.
POL00088750
Retention of Audit Papers,
Chapter 9 of the Audit Process
Manual (version 5.1)
POL-0085808
66
WITN08410100
WITN08410100
14,
POL00084813
Condensed Guide for Audit
Attendance (version 2, October
2008)
POL-0081871
15.
POL00084650
Audit Plan & Scheduling, Chapter 1
of the Audit Process Manual
(Version 8.0)
POL-0081708
16.
POL00087627
Follow Up Audit Process, Chapter
3b of the Audit Process Manual
(Version 3.0)
POL-0084685
17.
POL00088745
Closures, Chapter 5 of the Audit
Process Manual (Version 8.0)
POL-0085803
18.
POL00088204
Network Support Team
Policy/Process document,
Robbery/Burglary Audits, Chapter 6
of the Audit Process Manual
(version 6.0)
POL-0085262
19.
POL00088252
Performing a Cash Centre Audit,
Chapter 7 of the Audit Process
Manual (Version 5.0)
POL-0085310
20.
POL00088634
Retention of Audit Papers, Chapter
9 of the Audit Process Manual
(Version 5.0)
POL-0085692
21.
POL00084003
Compliance Team Process for
Auditing Branches Without Access
to Horizon (version 1.0)
POL-0081061
22.
POL00085652
Requirement of Network Field
Support Advisors at audit, following
discovery of discrepancy (version
1.0)
POL-0082710
23.
POL00084977
Former Subpostmaster End To End
Debt Review (version 0.5,
December 2009)
POL-0082035
24.
POL00086839
Training Guide, Compliance Audit
Tool (December 2013)
POL-0083897
25.
POL00087716
Training-Aide for Branch Asset
Checking (version 1.7)
POL-0084774
26.
POL00087614
Terms of Reference Audits (version
1, April 2015)
POL-0084672
67
WITN08410100
WITN08410100
27.
POL00088628
Closure Process when Horizon is
not operational (version 3.2)
POL-0085686
28.
POL00088830
Checklist for Audits (4 July 2019)
POL-0085888
29.
POL00084979
Network Field Support Team
(formerly Audit) (undated)
POL-0082037
30.
POL00084978
Network Field Support Team
flowchart - Audit Discrepancy
Process
POL-0082036
31.
WITN03980100
Witness Statement of Susan
Harding
WITN03980100
32.
POL00034503
Training Guide: Compliance Audit
Tool (December 2013)
POL-0031438
33.
POL00088623
Performing a Branch Audit, Chapter
3 of the Audit Process
Manual (version 7.3, 10 January
2019)
POL-0085681
34.
POL00112462
Financial Audit Spreadsheet &
Quality Assurance Review - Excel
tool (version 4.2)
POL-0104989
35.
POL00087540
Performing a Branch Audit,
Chapter 3 of the Audit Process
Manual (version 3.9, 17 May 2007)
POL-0084598
36.
POL00084287
Performing a Branch Audit, Chapter
3 of the Audit Process
Manual (version 4.3, November
2009)
POL-0081345
37.
POL00087785
Performing a Branch Audit,
Chapter 3 of the Audit Process
Manual (version 5.7, 13 November
2015)
POL-0084843
38.
POL00088823
Email from Jo Milton to Alison
Clarke, Simon Talbot, Hugo
Grenyer dated 26 March 2020 re:
Transfer/Opening/Closure Pack,
Transfer Audit Chapter and
Workaid
POL-0085881
68
WITN08410100
WITN08410100
39.
POL00088887
Ashort guide to the Audit Reporting
Tool (ART)
POL-0085945
40.
POL00086424
Quality Assurance, Chapter 11 of
the Audit Process Manual (Version
2.0)
POL-0083482
41.
POL00088739
Email from Jo Milton to Alison Clark
and Simon Talbot dated 14 January
2020 re: revised audit chapters
POL-0085797
42.
POL00088935
Report from Rod Ismay, Head of
Product & Branch Accounting to
Dave Smith, Mike Moores and Mike
Young regarding dated 2 August
2010 "Horizon — Response to
Challenges Regarding Systems
Integrity"
POL-0085993
43.
POL00088209
Report from Angela Van Den
Bogerd dated 1 August 2016 "
Agent Branch Losses - Mitigation
Proposal"
POL-0085267
44.
POL00087879
Approach to Business Risk, Branch
Audit and Accountancy Support for
Operators (undated)
POL-0084937
45.
POL00086028
Quality Assurance, Chapter 11 of
the Audit Process Manual (version
1.2)
POL-0083086
46.
POL00112803
Email from Branch Insights dated
29 November 2019
POL-0110222
47.
POL00002841
Global User Accounts Guidance for
Sandra McBride dated 01 September
2016
VIS00003855
48.
POL00085431
Guide to sending reports/documents
post audit dated 05 November 2010
POL-0082489
69
WITN08410100
WITN08410100