The Post Office IT scandal – why IT audit is essential for effective corporate governance
The Post Office Horizon scandal is possibly the most serious corporate failure in the United Kingdom in living memory, and possibly for more than a century. This is because of its disastrous consequences for hundreds (perhaps thousands) of individuals who were wrongly prosecuted by the Post Office and who lost their livelihoods, and often their homes, on the basis of incomplete and misleading evidence from its Horizon computerized accounting system. That corporate failure has given rise to the most extensive miscarriage of justice in English legal history, with an unprecedented number of wrongful convictions now in the process of being reversed.
The Post Office Horizon scandal had many features and causes, but a significant contributory failure was that of corporate governance. There were many warning signs over the years, which should have been acted upon by Post Office Internal Audit and, in particular, by specialist IT auditors. The evidence is clear that the Post Office failed to live up to its commitment to corporate governance, and that this failure was neither detected nor acted upon by the government, if civil servants and ministers were aware of the failure, until it was too late. An effective IT audit function would have contributed significantly to preventing the scandal.
Index words: Post Office, Horizon, Fujitsu, IT audit, internal audit, corporate governance, Three Lines of Defence, Institute of Internal Auditors, IIA, AICPA, IAASB, SSAE 16, SSAE 18, ISAE 3402, SAS 70, ISAE 3000, SOC-1, SOC-2, SOC-3, Trust Services Criteria, processing integrity, Justice for Subpostmasters Alliance, Ernst & Young