The Post Office Horizon Scandal

The scandal revealed a critical failure in process design. Horizon’s outputs were treated as absolute, with no effective reconciliation or escalation mechanisms in place. Internal controls failed to effectively detect or challenge anomalies, and sub-postmasters were held accountable without the right questions being asked.

Action: Design processes with built-in checks and balances. Ensure that exception reporting, root cause analysis, and escalation protocols are embedded and regularly reviewed. It is also critical that when assessing data and technology systems you understand the potential for issues and apply a questioning mindset when presented with data. Technology should be seen as an enabler, not as an absolute.

System updates and patches to Horizon were poorly managed and inadequately tested, often introducing new errors. With no structured change management framework to assess the impact of changes on operational integrity, problems grew.

Action: Implement a formal and consistent change management process that includes risk assessments, stakeholder input, and post-implementation reviews. Internal audit should provide assurance over the effectiveness of change governance.

Sub-postmasters received limited training on Horizon and were not equipped to understand and challenge discrepancies, further contributing to the perpetuation of errors and fear of reprisal.

Action: Invest in comprehensive training programmes that empower staff to understand systems, identify anomalies, and escalate concerns. Training should be ongoing and tailored to roles and responsibilities.

Studies into the Horizon Inquiry have established challenges with culture, including issues not being escalated or when presented, were downplayed and avoided independent challenge. Whistleblowers were ignored, and legal action was pursued despite mounting evidence of system flaws.

Action: Foster a culture of integrity and transparency. Internal audit should assess the tone at the top and ensure that ethical leadership is demonstrated and reinforced throughout the organisation. Internal audit should demonstrate professional courage and provide independent challenge to the organisation.

Fujitsu, as the system provider, was not held accountable for the performance or integrity of Horizon. There was a lack of oversight and contractual enforcement.

Action: Strengthen third-party governance. Conduct regular performance reviews, enforce accountability clauses, and ensure that suppliers are subject to the same risk and control expectations as internal teams. Equip teams with the skill sets to both understand supply chain risk and to manage contracts and key suppliers effectively.

Horizon was not subject to rigorous, independent testing. Known issues were downgraded or ignored, and there was no mechanism for validating system outputs.

Action: Ensure all critical systems undergo independent testing, including stress testing, scenario analysis, and user acceptance testing. Internal audit should review testing protocols and outcomes.