13 Jan 2024 - The Post Office Horizon Affair

This week the Post Office Horizon Enquiry Phase 4 continues with further evidence and examination of those involved in audit and investigation.  It will be interesting to discover how the Post Office and Fujitsu conducted these key activities.

Having been an auditor in a multinational company, and having audited financial processes and systems of comparable complexity to the Post Office Fujitsu Horizon System, I thought I should give my opinion on what has happened.  This opinion is not necessarily that of Reform UK.

The dreadful mistreatment of Sub-Postmasters should never have happened and I believe this situation could so easily have been avoided by standard accounting controls and audit, leading to earlier investigation, with the consequent far earlier detection and correction of defects.  Why was this allowed to happen?

Basic Accounting

If you are an accountant or are familiar with basic bookkeeping, you may skip this section.

A fundamental principle of keeping accounts is that of double-entry bookkeeping.  What this means is that for every accountable event, there will be both a debit entry and a credit entry.  It is not possible to just perform a debit entry because the ledger accounts would not balance to zero.

So, for example, let's say the Post Office Branch just has cash of £100, and stamps of £100, so assets are £200.  A customer pays cash and buys £20 of stamps.  The accounting entries would be to debit Cash Account with £20 and credit Stamps Stock Account with £20, so the balance on the Cash Account would then be £120 and the Stamps Stock Account would be £80, leaving the asset balance correctly remaining as £200.

Where were the Errors?

The discrepancies could have occurred in several ways, so let's explore that.

Application Defects

The program suite may have errors in it.

  • Transactions that should have created accounting entries may not have done so.
  • The tables within the accounting system may have been set up incorrectly.
  • Transactions could have been duplicated or even triplicated.
  • Entries to balance sheet accounts may have been posted in error to profit & loss accounts, or vice versa.

Human intervention

There may have been accidental or deliberate incorrect transactions.

  • An incorrect transaction may have been processed in error.  For example, a stamp sale recorded incorrectly as, say, a Postal Order sale.
  • A transaction may have been accidentally missed, like a stamp sale.
  • Unit of measure errors where stamp quantities and stamp book quantities were inconsistent.
  • Some money from the till may have been stolen.

Systems Access Controls Weaknesses

Weak systems access controls may have enabled unauthorised users to access the system and potentially process fraudulent transactions or inappropriately manipulate systems data.  The following regular checks should have been made.

  • Who were the users that had access to enter each type of transaction in each Sub-Postmaster account?
  • How often were the userids or Horizon users checked and verified?
  • How was remote access to Horizon System data managed?
  • Who had update access to Horizon systems data or production programs?
  • Was auditing turned on for access to Horizon systems data and production programs?
  • What were the systems controls?

Stating the Obvious

Why, after so many reports of errors in Sub-Postmaster Accounts, did Fujitsu and the Post Office conduct an in-depth review of the Horizon System to determine whether or not there were defects?

Why the discrepancies should have been found.

As I mentioned earlier, I have been a financial systems and process auditor and as part of a team, we have audited financial systems and processes at least as complex as Horizon, so I will now explain how I would have found the cause of the discrepancies.

One of the principles of Audit is to accept no assertions as being factually correct unless tested.  Too often individuals, be they operators or management, explain how they believe processes operate rather than how they actually do operate, so testing is needed.

Application defects

In any financial audit, the reconciliation of balance sheet accounts and review of Profit & Loss (P&L) accounts is always a priority.  Unknown and unreconciled balances always received high focus.

Any errors in the application should have been identified:

  • Tables should be reviewed to confirm their appropriateness and accuracy.
  • Specific attention should be paid to the accounts to which transactions are directed.
  • Were the ledger balance sheet accounts reconciled to the Horizon system balances?
  • Were Horizon system balances reconciled to physical assets at the Sub-Postmaster premises?
  • Were control accounts between Sub-Postmaster accounts and central Post Office reconciled and differences investigated?
  • Where errors were detected, how were they corrected?

The key message here is that if there was an incorrect debit to the cash balance sheet for assets at the Sub-Postmaster's ledgers (suggesting a cash shortfall), then there MUST be a corresponding credit somewhere else, but where were these credits?  Did the Post Office take these unexpected credits as profit?  We will never know unless a proper financial systems audit has been carried out.  All the mainstream media talk about is the shortfalls; they have ignored the unidentified credits.

The lack of identification of unexpected credit balances is a key issue here.

Human intervention

If an incorrect transaction was processed in error, for example a stamp sale recorded instead of, say, a Postal Order sale, then the total asset value would have been correct, but the balances on the Stamp Account and Postal Order account would have been out by equal amounts of opposite value, so no fraud and easily detectable when performing reconciliations.

If a transaction for, say, a stamp sale had been missed, then the cash balance would show a surplus to the value of the sale.  However, on performing a stamp inventory check, the stamp inventory account would be in deficit, so the missing entry could be posted to correct the balances.

If some money was stolen from the till, then there would have been a cash deficit and no corresponding credit, so potential fraud could be suspected, subject to there being no systems access controls weaknesses.

We must bear in mind that many Sub-Postmasters employed family and casual support to help in their businesses, and tens of thousands of pounds just do not go missing without being noticed.
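The double-entry test and the three reconciliation outcomes described above can be expressed as a short check. This is an added example, not code from the Horizon system or from the author; the account names, amounts and category labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample journal: (entry id, account, debit, credit) in whole pounds.
# J1 is the £20 stamp sale from the text; J2 is a debit with no matching credit.
JOURNAL = [
    ("J1", "cash", 20, 0),
    ("J1", "stamps", 0, 20),
    ("J2", "cash", 35, 0),
]

# Constructed book balances after the stamp sale, plus a postal order account.
BOOK = {"cash": 120, "stamps": 80, "postal_orders": 50}

def unbalanced_entries(journal):
    """Return ids of entries whose debits and credits do not net to zero."""
    net = defaultdict(int)
    for entry_id, _account, debit, credit in journal:
        net[entry_id] += debit - credit
    return sorted(e for e, n in net.items() if n != 0)

def classify_variances(book, counted, cash="cash"):
    """Compare book balances with a physical count and name the likely cause."""
    var = {a: counted[a] - book[a] for a in book if counted[a] != book[a]}
    if not var:
        return "reconciled", var
    total, cash_var = sum(var.values()), var.get(cash, 0)
    if total == 0 and cash_var == 0:
        # Two non-cash accounts out by equal and opposite amounts.
        return "misposted between accounts", var
    if total == 0 and cash_var > 0:
        # Cash surplus matched by a stock deficit.
        return "missed sale", var
    if total < 0 and cash_var < 0:
        # Cash deficit with nothing offsetting it elsewhere.
        return "cash shortfall with no offset", var
    return "unexplained, investigate", var

if __name__ == "__main__":
    print(unbalanced_entries(JOURNAL))
    print(classify_variances(BOOK, {"cash": 90, "stamps": 80, "postal_orders": 50}))
```

Only the last category points towards possible theft, and even then only once systems access controls have been validated.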

Systems Access Controls Weaknesses

When I conducted financial audits I obtained the personnel numbers of all users who had access to financial systems and matched them to HR records to determine whether their level of access was consistent with their job responsibilities.  I paid specific attention to users who had left the company or who had not accessed the system data for a while. 

Systems access controls are always a key area to validate controls on financial systems.  All personnel with any systems access to Horizon data should have been regularly validated.

  • Were userids checked against HR systems to determine where the user worked?
  • Did the Sub-Postmaster training include the importance of system security, password control and not sharing passwords?
  • Were passwords forcibly changed frequently?
  • Were users removed from having access once they left their role or company?
  • How frequently were access reviews held?
  • Programmers, developers, and support staff should NOT have update access to Horizon systems data; did they?
  • Did an audit validate the auditing settings and reports of access to change production data?
  • If balances on Horizon were updated manually (I hope not!), how were the corresponding ledger entries made and how was the reconciliation of the Horizon system to physical assets managed?

These checks would have identified any fraudulent or uncontrolled manipulation of Horizon system data.
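The access review described in this section, matching system accounts to HR records and flagging leavers, dormant accounts and update access that does not fit the job, can be sketched as follows. This is an added example, not the author's audit tooling or anything from Horizon; the field names, the 90-day dormancy threshold, the department names and all records are constructed assumptions.

```python
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; the text only says "for a while"
NO_UPDATE_DEPTS = {"development", "support"}  # assumed department labels

# Constructed HR extract keyed by personnel number.
HR = {
    "P001": {"department": "branch", "left_on": None},
    "P002": {"department": "branch", "left_on": date(2023, 6, 30)},
    "P003": {"department": "support", "left_on": None},
}

# Constructed extract of system accounts.
ACCOUNTS = [
    {"userid": "u.alpha", "personnel_no": "P001", "update_access": True,
     "last_login": date(2024, 1, 5)},
    {"userid": "u.bravo", "personnel_no": "P002", "update_access": True,
     "last_login": date(2023, 6, 29)},
    {"userid": "u.charlie", "personnel_no": "P003", "update_access": True,
     "last_login": date(2024, 1, 10)},
    {"userid": "u.delta", "personnel_no": "P999", "update_access": False,
     "last_login": date(2024, 1, 2)},
]

def review_access(accounts, hr, today):
    """Return (userid, finding) pairs for accounts that fail the review."""
    findings = []
    for acc in accounts:
        person = hr.get(acc["personnel_no"])
        if person is None:
            # Account cannot be tied to any current or former employee.
            findings.append((acc["userid"], "no HR record"))
            continue
        if person["left_on"] is not None and person["left_on"] <= today:
            findings.append((acc["userid"], "leaver still has access"))
        if (today - acc["last_login"]).days > DORMANT_DAYS:
            findings.append((acc["userid"], "dormant account"))
        if acc["update_access"] and person["department"] in NO_UPDATE_DEPTS:
            findings.append((acc["userid"], "update access inconsistent with role"))
    return findings

if __name__ == "__main__":
    for userid, finding in review_access(ACCOUNTS, HR, date(2024, 1, 13)):
        print(f"{userid}: {finding}")
```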


I have concluded that a thorough audit of the Horizon system and processes would have determined if there were any application, user, or systems access controls issues and that an investigation would have uncovered not only the causes of the incorrect account balances that suggested possible fraud but, more importantly, where the missing contra entries went.  It is normal in business to conduct an audit of a new system after 6-12 months.

I would like to know if the Post Office (with Fujitsu support) did indeed perform such audits, and if so what was the scope of these audits; what the recommendations were; and were the recommendations tracked to implementation.

While I was in audit we did indeed audit processes and systems like Horizon, and indeed gave unsatisfactory ratings where systems access controls were deficient even if no fraud took place (after thorough verification).

There seems to have been gross negligence within the Post Office and Fujitsu without any clear Government oversight.

In the next few weeks of the Post Office Horizon Enquiry, we will hear what audits and reviews were performed by the Post Office, Fujitsu, and Government into Horizon and the accounts of the Sub-Postmasters.  What is so important is whether standard Audit disciplines were followed.  I am sure that, like you, we are all very concerned about what we will find.

Thank you for visiting this blog.

John Perry BSc (Hons) ACMA
Reform UK
Havant Constituency Prospective Parliamentary Candidate

For:  Bedhampton, Crookhorn, Emsworth (part), Havant, Hayling Island, Langstone, Leigh Park, Purbrook, Stakes, St Faiths, Warblington, West Leigh, Westbourne (part), Widley (part)