Wednesday 20 March 2019

Horizon trial: day 7 transcript

This is the unperfected transcript of the seventh day of the Horizon trial, held on 20 March 2019 in court 26 of the High Court Rolls Building.

The first witness is David Johnson for the Post Office, followed by Andy Dunks for Fujitsu and then Torstein Godeseth for Fujitsu.

                                       Wednesday, 20 March 2019
   (10.32 am)
   MR DE GARR ROBINSON:  My Lord, good morning.  Before I call
       my next witness there is one small matter I should raise
       with your Lordship.  Your Lordship may recall that
       I raised the question of disclosure from the claimants
       in relation to the documents that were referred to by
       the claimant witnesses who gave evidence last week.
   MR DE GARR ROBINSON:  Your Lordship will recall that
       a letter was sent on Friday which sought a response from
       Freeths by close of business on Monday.
   MR DE GARR ROBINSON:  I raised it with you on Tuesday.  It
       is now Wednesday morning.  I simply wish to make
       your Lordship aware that this is an issue and that the
       point is fast approaching where I may have to ask
       your Lordship to do something.
   MR JUSTICE FRASER:  Okay.  Have I got a copy of that letter?
   MR DE GARR ROBINSON:  My Lord, I don't believe you have,
       I will make sure --
   MR JUSTICE FRASER:  It is not on Magnum, is it?
   MR DE GARR ROBINSON:  That will need to be checked, my Lord.
   MR JUSTICE FRASER:  All right.  I think the best thing is
       have the letter put on Magnum, I'm just going to explore
       the situation with Mr Green now and if we have to come
       back to it, then obviously we will fit it in with the
       trial timetable and if people have to be recalled, they
       have to be recalled, but obviously I would like to avoid
       that if possible.
   MR DE GARR ROBINSON:  Of course.
   MR GREEN:  My Lord, I'm afraid we have been working on
       cross-examination and I just don't know what the
       position is on it, but I'm sure it is being attended to.
       I will find out and update your Lordship later in the
       day.  Obviously, any documents that they have referred
       to need to be disclosed and that's obviously -- we must
       do it, so I'm --
   MR JUSTICE FRASER:  We are in -- I suppose in a sense on the
       basis that these might be -- or these would be documents
       which Mr De Garr Robinson might want to put a point to
       a factual witness, then the factual witness would have
       to be recalled anyway, but just in terms of proper and
       efficient trial management --
   MR GREEN:  Absolutely right.
   MR JUSTICE FRASER:  -- we've got a little bit of scope next
       week, but I want all the factual evidence dealt with
       before the experts are called.
   MR GREEN:  My Lord, yes.
   MR JUSTICE FRASER:  And one of the days next week has
       already been set aside for a contested third party
       disclosure application against Royal Mail which I think
       has been moved by consent from tomorrow to next Tuesday.
   MR GREEN:  My Lord, yes.
   MR JUSTICE FRASER:  And I don't want to let sand run through
       all our fingers unnecessarily.  So we will revisit --
       today is Wednesday, we will revisit this at the end of
       today, please.
   MR GREEN:  I'm grateful, my Lord.
   MR DE GARR ROBINSON:  My Lord, I call David Johnson.
               MR DAVID MALCOLM JOHNSON (affirmed)
   MR JUSTICE FRASER:  Thank you, Mr Johnson.  Do have a seat.
           Examination-in-chief by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Mr Johnson, there should be a file of
       documents in front of you.  Can I ask you please to go
       to tab 4 of that file {E2/4}.  You will see there
       I think a sheet of two corrections and then behind that
       sheet there should be a witness statement which
       describes itself as being of David Malcolm Johnson; do
       you see that?
   A.  Yes.
   Q.  And is that your name and address there on the first
   A.  Yes, it is.
   Q.  And could you go to the last page in that same tab
       please {E2/4/20}.
   A.  Yes.
   Q.  Is that your signature on that page?
   A.  Yes, it is.
   Q.  And if you could look briefly at the corrections -- have
       you seen those corrections before?
   A.  Have I seen them before?
   Q.  Yes.
   A.  Yes.
   Q.  Are they corrections you wish to make to this witness
   A.  Yes.
   Q.  And then if we go forward in the bundle could I ask you
       to go to tab 6 please {E2/6}.
   A.  Okay.
   Q.  That's your name and address, I think I can take it from
       you, on page 1 of that?
   A.  Yes.
   Q.  And on the back page, page 5 {E2/6/5}, is that your
   A.  Yes, it is.
   Q.  So these are two witness statements that you have made.
       Subject to the two corrections that we have just
       referred to, are those witness statements true to the
       best of your knowledge, recollection and belief?
   A.  Yes, they are.
   MR DE GARR ROBINSON:  Thank you, Mr Johnson.  If you wait
       there there will be some questions for you.
                  Cross-examination by MR GREEN
   MR GREEN:  Mr Johnson, I think you may have been involved in
       training some of the legal representatives.
   A.  I gave some demonstrations on how the Horizon system is
       used in branch to various parties involved in this, yes.
   Q.  And I think one of the points you covered was how to
       reverse a -- how to sell stock into the system, to
       correct too much stock and how to enter a transaction --
   A.  Yes.
   Q.  -- that would then balance stock and cash?
   A.  Yes.
   Q.  Do you remember that?
   A.  Yes.
   Q.  And you are very familiar with how the system works?
   A.  Yes.
   Q.  You are a trainer?
   A.  (Nods).
   Q.  In your witness statement you say at paragraph 10, which
       is on {E2/4/2}, which is page 2 of your first witness
       statement, it will come up on the screen as well, you
       say that:
           "The screenshots that appear in this statement are
       primarily taken from a document called Post Office
       Onboarding Counter Guide ... where a screenshot has been
       taken from another document I refer to that document."
           Is that correct?
   A.  Yes.
   Q.  So what you have done is you have taken the screenshots
       that we see in your witness statement from that guide
       and if they're not from that guide, you have pointed
       that out?
   A.  Yes.
   Q.  So when we look, for example, at the screenshot on
       page 3 {E2/4/3}, that's come from the guide?
   A.  Yes.
   Q.  We can see a date in the top, Tuesday 2 December 2014?
   A.  Yes.
   Q.  And if we look over the page on page 5 please {E2/4/5},
       similarly we see layouts there.  There's a date
       of October 2017 at the top.
   A.  Yes.
   Q.  And August 2017.
   A.  Yes.
   Q.  Can we just look over the page now at page 6, please
       {E2/4/6}.  Now, you haven't said there that those have
       come from any other source, but they are not actually in
       the guide, are they?
   A.  I don't know.
   Q.  Can you see they look a little bit different?
   A.  Yes.
   Q.  And if you have a look at the two examples we've got
       there, in the travel line in the top one can you see
       "Business Mails" is in italics?
   A.  Yes.
   Q.  And "Drop Mails Suite" is in italics?
   MR JUSTICE FRASER:  Sorry, which one are you looking at?
   MR GREEN:  I'm sorry, in the top box --
   MR JUSTICE FRASER:  On page 6.
   MR GREEN:  -- on page 6 on the travel line at F4, you go
   MR JUSTICE FRASER:  I see, yes.
   MR GREEN:  "Business Mails 45" is in italics and the one
       beneath it is in italics and "Returns" is in italics.
   A.  Yes.
   Q.  And if we go down to "Licences & Government", "Sell
       Euros" and "Sell Dollars" are in italics, yes?
   A.  Yes.
   Q.  And we can also see "AP Manual Entry" and "Transcash" in
       the "Retail F7" line are also in italics?
   A.  Yes.
   Q.  In the one below, none of those ones are in italics.
       There's no system reason for that, is there?
   A.  Not that I know of.
   Q.  So do you know where these ones have come from?
   A.  No.
   Q.  Did you actually cut and paste these into the statement
   A.  No, I did not.
   A.  The statement was provided to me by our solicitors based
       on conversations and --
   MR JUSTICE FRASER:  You don't need to tell me about that.
       I just wondered who had cut and paste these into the
   A.  I don't know who did that.
   MR JUSTICE FRASER:  You don't know.  Right.
   MR GREEN:  Can we go back please to page 5 {E2/4/5}.  Just
       a couple of practical points.  Could we very kindly
       enlarge the bottom table please.  Thank you very much.
           So, Mr Johnson, just to understand how it works
       practically, which is your area --
   A.  Mm-hm.
   Q.  -- this is a typical screen that an SPM might see --
   A.  Yes.
   Q.  -- when they're in the branch and they're serving
   A.  Yes.
   Q.  Now, a couple of quick points.  When they press
       "1st Stamp" in the F2 line, which is "Postal Services",
       yes, what happens is that it registers that a first
       class stamp is going to be purchased.
   A.  Yes.
   Q.  That's right.  And the SPM doesn't need manually to
       enter in the price of a first class stamp, do they?
   A.  No, they don't.
   Q.  And the reason for that is that there is a reference
       data table from which that's populated?
   A.  As far as the technical aspects of it, I'm not familiar
       with what goes on behind the scenes, what I know is when
       you press that button --
   Q.  When you press it --
   A.  -- that's what comes up.
   Q.  -- the price of a first class stamp pops up?
   A.  Yes.
   Q.  So there are two aspects to what's happening: there's
       a button press, which is the actual physical input by
       the subpostmaster or subpostmistress?
   A.  Yes.
   Q.  And then there's what the -- the value of that
       transaction, which is coming from the system --
   A.  Yes.
   Q.  -- back onto the screen?
   A.  Yes.
   Q.  So there are two elements of that interfacing together,
   A.  Mm-hm.
   MR JUSTICE FRASER:  Exotic though your hand gestures are,
       they're not going to come out on the transcript.
   MR GREEN:  My Lord.
           Mr Johnson, those are acting together to produce
       what's going into the basket: two components --
   A.  As I understand it, yes.
   Q.  -- a button press -- it's practically what you would
   A.  Yes.
   Q.  So the SPM presses a button and the item that they have
       pressed and its value should appear in the basket?
   A.  Yes.
   Q.  If it is all working well?
   A.  Yes.
   Q.  Now, just looking at the layout of that table, there is
       quite a lot of white space there, isn't there?
   A.  Yes.
   Q.  And the actual buttons are very cosy, they're all stuck
       right together, aren't they, with no white space between
       them: "1st Stamp", "1st Large Stamp", "1st x 12 Stamps",
       they're all absolutely tight together, there's no white
       space separating them?
   A.  Yes, the items in the middle of the screen correspond to
       the -- in most -- in the vast majority of cases to the
       most commonly used products.
   Q.  And the point I was just seeking to make to you is there
       are a number of ways that screen could be laid out, and
       on that screen we can see there would be plenty of room
       to separate the buttons from each other more, wouldn't
   A.  It would appear that way.
   Q.  Yes.  And you are aware that sometimes SPMs have
       problems with miskeying, don't they?
   A.  Yes.
   Q.  Can we look please at {F/932} on page 7 please
       {F/932/7}.  We can see here if we look at the -- sorry,
       shall we start at the first page just to be fair to you,
       so you can see what the document is.
   A.  Okay.
   Q.  This is a miskeying project feasibility study and you
       can see that it is a document from May 2012, yes?
   A.  Yes.
   Q.  And if we go back please to page 7 of the document
       {F/932/7}, there are a number of recommendations.  I'm
       just going to follow through one particular one.  If we
       look at the penultimate bullet point there.
   A.  Yes.
   Q.  "Look at the Buy and Sell icons on the travel home
       screen are too close together and it becomes difficult
       to isolate the correct icon.  It would be useful to
       clearly show which icon to press showing the Buy and
       Sell icons more clearly."
   A.  I can see that, yes.
   Q.  One of the features of the buy and sell icons, which
       you, I think will know about, is that they are at the
       end of the transaction, so if you press the wrong one,
       the transaction has already gone?
   A.  No, that's not right.
   Q.  Let's have a look, if we may please, at page 14 of the
       document {F/932/14}.  Is what's said in the top line of
       that correct?  Let's just look at it together, if we
           "The Buy and Sell icons on the travel screen are too
       close together."
           And the second box says:
           "Having these two icons next to each other many of
       the Counter Colleague hit the wrong icon, which means
       there is no way of reversing the transaction when
       a mistake has been issued."
           What is suggested is:
           "Separate these two icons to a more logical location
       on the screen."
           And so forth.  Can you see what's being meant by
       that second box there?
   A.  I don't agree with the second part of that where it says
       there is no way of reversing the transaction when
       a mistake has been issued.  The pressing of either the
       buy or the sell icon is at the very start of the
       transaction, so there are various opportunities before
       the transaction is completed to recognise that the wrong
       button may have been pressed.
   Q.  But if it is not recognised and the transaction is then
       completed, it's correct, is it, there's no way of
       reversing the transaction at that point?
   A.  No, to my knowledge a bureau de change buy or sell
       transaction can be reversed.
   Q.  As the system is today?
   A.  As I understand, yes.
   MR JUSTICE FRASER:  Has it always been capable of being
   A.  I believe so.  It's almost nine years since I last
       worked on Legacy Horizon.  To my knowledge, yes, it has
       always been possible to reverse a bureau de change
   MR GREEN:  Let's look, if we may, at another facet of this.
       We haven't got a screen for it, but there is on some
       screens a zero and a double zero button, aren't there?
   A.  On the keyboard, there is a zero and a double zero
       button, yes.
   Q.  Yes, and they're next to each other?
   A.  Yes.
   Q.  And we can see that that's got the potential for
   A.  I wouldn't say it has any more potential than any other
       layout particularly.
   Q.  Well, if you put in -- I mean, we have seen some of the
       examples of miskeys already during the trial and there
       are things where items which should be perhaps 3,400 are
       34,000, so quite a lot of them have got an extra nought
       on the end.  Can you understand from your knowledge of
       the layout why that might sometimes occur, might feature
       quite prominently?
   A.  Yes, it could happen because the buttons are next to
       each other one might press the double zero rather than
       the single zero, yes, I can see how that --
   Q.  But it's easy -- you can imagine someone not spotting
       a double zero as easily as they might spot perhaps a 9
       instead of a 4, or a 9 instead of a 2.  It's more
       striking, a 9 instead of a 2, isn't it?
   A.  A completely different number would be more striking,
       however, if I were serving a customer and they were
       paying a bill for, let's say, £350, I would check the
       terminal after I had keyed the entry to make sure that
       is the amount that's showing on the stack.
   Q.  Yes, but what we're talking about is the opportunity for
       the system to minimise errors that are made in the
       ordinary course by people who are just busily serving
       customers, trying to be conscientious and deliver a good
       service; that's all we're talking about.
   A.  Okay.
   Q.  And it's right, isn't it, that if you stop and
       rigorously check and never make a mistake, which is
       perhaps unusual for humans, that wouldn't happen, but
       what this is focusing on is how to improve the system so
       it is less easy for people to make understandable
       mistakes.  Yes?
   A.  Yes, I understand that.
   Q.  And that's a good idea in system design, isn't it?
   A.  I think so.
   Q.  Yes.  And the screenshots that we've got have largely
       maintained the same design since Horizon was brought in,
       haven't they?
   A.  Since original Horizon or Horizon Online?
   Q.  Since original Horizon.  They have broadly looked the
       same since Horizon was brought in?
   A.  Legacy Horizon, the screen looked rather different
       because there were kind of small pictures on the icons
       rather than just -- there were visual representations of
       it rather than just the written product, if you like.
   Q.  But the overall layout itself has stayed broadly the
   A.  Yes.
   Q.  And so the icons were fitted into the little buttons
       that we have seen here?
   A.  As far as I'm aware, yes.
   Q.  At paragraph 32 of your witness statement on page 8
       {E2/4/8} you talk about the cash declarations having to
       be made by 6.55 because polling takes place at 7.00 pm.
       Is that something you know about in terms of what the
       consequences are if, for whatever reason, the cash
       declaration is made at 7.01?
   A.  Yes.
   Q.  What happens?
   A.  The reason we say to make a cash declaration by 6.55,
       yes, as it states there, the cash declaration
       information is sent to the cash management team, so they
       are aware of what cash on hand is at the branch and to
       my understanding -- I don't work in the cash management
       team, but to my understanding, the cash management team
       use that information to decide how much cash to send to
       that branch on their next scheduled delivery, or if
       they're holding extra then -- more than they need, how
       much they need to return.
   Q.  Now, part of your witness statement has dealt with the
       reports available to SPMs.
   A.  Yes.
   Q.  One of the things they can't do is export data to a CSV
       file, can they?
   A.  I don't know what a CSV file is.
   Q.  Or an Excel spreadsheet?
   A.  No, they can't export that from Horizon, as far as
       I know, no.
   Q.  And has any thought been given, as far as you know, to
       allowing that to happen?
   A.  I don't know.
   Q.  The Post Office itself has Credence, doesn't it?
   A.  Yes.
   Q.  And that allows it to look at the transactions that have
       happened in branch?
   A.  Yes, as far as I'm aware, yes.
   Q.  Do you know why the Post Office just doesn't use the
       same reports as are available to the SPM?  Why does it
       need Credence?
   A.  I don't know.
   Q.  Because the Post Office could print-out the till rolls
       and analyse it that way too, couldn't they?
   A.  As far as -- well, I don't know whether the Post Office
       could print-out a transaction log as you would print-out
       in branch.  As far as I'm aware, that is only available
       in branch.
   Q.  Oh, I see.
   A.  In that format.
   Q.  One of the things you have mentioned in your witness
       statement -- it's actually in your second witness
       statement, if we could kindly go to that, which is
       {E2/6/1}.  I will just show you the front page to
       orientate yourself.  This is your second witness
       statement, yes?
   A.  Yes.
   Q.  And if we go to paragraph 21 on page 5 {E2/6/5}, you say
           "The transaction log is a list of all transactions
       and transfers completed in the branch, in chronological
           "The transaction log can be used as a general
       investigation of all transactions or it can be filtered
       by time, value and product.  The transaction log records
       the transaction that has taken place and also shows how
       it was settled, for example by cash, card or cheque.  It
       is therefore possible to see all the transactions where
       customers have paid by debit or credit card."
   A.  Yes.
   Q.  Now, let's say you're in a situation faced by one of the
       lead claimants, Mr Bates, where he is worried that there
       may be duplicate entries in his account, but he doesn't
       know what they are; how does he use the Horizon
       reporting system to find them?  What does he do?
   A.  To my knowledge, the transaction log will produce what
       I have said there.
   Q.  No, I understand.  Mr Johnson, I'm not trying to be
       unfair to you.  Just practically, so we can look at
       this, you suspect there may be some duplicate entries,
       perhaps giving you a discrepancy that's unexplained.
       Just practically, what do you do if you are Mr Bates in
       your sub-post office in Craig-y-Don in Wales and you
       want to try and find out what's going on?
   A.  Are we saying that these are transactions which don't
       appear on the transaction log?
   Q.  Well, he doesn't know whether they will -- we will come
       to that in a minute --
   A.  Okay.
   Q.  -- but let's just say -- what do you suggest that person
       in that situation does?
   A.  I would advise a postmaster in that instance to first,
       raise the issue with NBSC.
   Q.  Okay.  But if they're told that it is their
       responsibility to find discrepancies in the branch, what
       can they do for themselves?  Do they -- because we have
       heard of SPMs printing out very long transaction
       rolls --
   A.  Yes.
   Q.  -- we have actually got one, it's quite long.  Is that
       what they do if they're looking for possible duplicates,
       they print out -- because they don't know what the value
       is --
   MR JUSTICE FRASER:  You are rolling about two or three
       questions into one again, Mr Green.
   MR GREEN:  Sorry.
   MR JUSTICE FRASER:  Why don't you just give me
       a walk-through of the steps that you say hypothetically
       someone in Mr Bates' position should take.
   A.  So if a postmaster wants to check what transactions have
       gone through, they would go to the transaction log.  If
       they wanted to look at a particular -- as I have
       suggested, it could be filtered in a number of ways: by
       date, by product, by value, by stock unit, by user,
       there are a number of ways it can be filtered, and
       obviously the more you can filter it, the shorter the
       report will be, and then it would be a question of, as
       you say, printing the transaction log out and manually
       checking each item.
   MR GREEN:  But if you're looking for duplicates, you would
       have to try and remember the figures you have seen?
   A.  Yes, I mean if you're looking for a duplicate then
       I'm -- I mean, I don't know, I'm -- I'm guessing here
       that if there would be -- that there would already be
       one transaction on the transaction log.  I'm not quite
       sure what you are getting at.  Presumably we can see one
       transaction on the transaction log and there's a thought
       that that transaction may have been duplicated, is that
       what we are ..?
   Q.  Well, you get an unexplained discrepancy of a figure you
       don't recognise.
   A.  Right.
   Q.  Let's say £1,723.
   A.  Okay.
   Q.  And you don't understand how that can have happened.
       You think "Well, maybe there's a duplicate entry of some
       sort", just, you know, this is one example, or maybe
       there's a number of duplicate entries.  You can see it's
       not very easy, is it?
   A.  It's not the most user-friendly way of investigating.
   Q.  That's all I was really asking.
   MR JUSTICE FRASER:  Can I just ask you a question.  When you
       say the filtering that it can be done, that can be done
       in branch, can it?
   A.  Yes.
   MR JUSTICE FRASER:  Am I right that would only be of any --
       that would only be of any assistance if you knew what
       you were looking for already, wouldn't it?
   A.  Not necessarily.  A postmaster may have come to the
       conclusion that a discrepancy occurred on a particular
       day by virtue of looking at his cash declaration for the
       previous day and the current day, and the previous day
       had no discrepancy, the current day does, so he may want
       to filter then to that particular day when the
       discrepancy occurred on his cash declaration.
   MR GREEN:  Could we look please at {F/1556} please.  Now,
       this it document is titled the "Network Development
       Programme Operation Simplification", and if we go over
       the page {F/1556/2}, you can see the sorts of things
       that it is covering and can we go please to page 6,
       which is the "Business Context" section {F/1556/6}, and
       can I just invite you to look at this first paragraph:
           "There are a number of branch operations processes,
       especially around branch accounting and reconciliation,
       which operate using legacy processes.  They are
       unnecessarily complex and detract Post Office branch
       resources from serving customers.  Stock Unit Management
       and accountability is very poorly controlled and is
       operated on very complex business rules.  The lack of
       accountability and visibility of cash and stock
       transfers between Stock Units can lead to errors, rework
       and provides opportunities for fraud."
           Is that a statement that you disagree with, or agree
   A.  I would agree with that.
   Q.  And then if we look just below:
           "Similarly, Suspense Accounting is based upon legacy
       cash accounting practices, ill-defined and out of date
       processes.  Inefficiencies lead to poor utilisation of
       resources both in Post Office branches and Support
           Is that something you would agree with or disagree
       with?  Is that fair?
   A.  My experience of the suspense accounts in branch is that
       it works -- it does what it's supposed to do.
   Q.  Can you see why that might be a reasonable view, or is
       it a completely unreasonable view?
   A.  I don't think it's completely unreasonable, no.
   MR GREEN:  Okay, I'm very grateful.  My Lord, I have no
       further questions for this witness.
   MR JUSTICE FRASER:  Can you just tell me what date this
       document is, Mr Green?
   MR GREEN:  This is 21 October 2016.
   MR JUSTICE FRASER:  Mr De Garr Robinson?
              Re-examination by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Mr Johnson, you were asked some
       questions about buttons being close together, but there
       are some questions you weren't asked that I would like
       to ask you now.
           As I understand it, you have experience of working
       in branch?
   A.  Yes.
   Q.  Do you have experience of working in a busy branch?
   A.  Yes.
   Q.  How much experience of that sort do you have?
   A.  I have -- before I started my current role in 2012 I had
       worked in branches since 1984.
   Q.  So could you give the court some indication of how
       much -- would you consider yourself very experienced,
       not very experienced?  I'm just trying to get a clear
       answer from you.
   A.  I suppose you could say I am very experienced at working
       in branches.
   Q.  Thank you.  It was suggested to you that -- you were
       shown one of the screenshots in your witness statement
       and it was suggested to you that the buttons were close
       together.  What you weren't asked about is whether you
       took the view that the buttons you saw, or the buttons
       on the screen -- that their closeness together is
       a cause of any difficulty in using the system.  Would
       you like to comment on that question?
   A.  The fact that buttons are close together can mean that
       one does occasionally press the wrong one.  However,
       that is easily rectified.
   Q.  And when you say it is easily reconciled, why is it
       easily reconciled?
   A.  Rectified.
   Q.  Rectified, I'm so sorry.
   A.  If one would notice that the wrong button had been
       pressed -- for example, you may go to sell a first class
       stamp and you know yourself that the cost of that stamp
       is 67p.  If you were to hit the first class large stamp,
       which is next to it, in error, the amount on the stack
       would be a different amount, so it would be easily
       recognisable that you had then pressed the wrong button.
   Q.  And another question that you were asked is whether the
       layout of the counter had been broadly consistent over
       the period of operation of Horizon.  Mr Johnson, you may
       not be able to answer this question, but do you have
       a view as to whether keeping the layout of the screen
       consistent over time is a good thing or a bad thing?
   A.  That's -- my opinion on that is it is a good thing.
   Q.  Why do you say that?
   A.  Because one gets used to working on the system and the
       buttons are where you would expect them to be.
   MR DE GARR ROBINSON:  My Lord, I have no further questions.
           Thank you, Mr Johnson.
                  Questions by MR JUSTICE FRASER
   MR JUSTICE FRASER:  I just have a couple about your
       experience.  I know you have said in paragraphs 2 and 3
       how you started as a counter clerk.
   A.  Yes.
   MR JUSTICE FRASER:  And that was in a Crown branch I think,
       wasn't it?
   A.  Yes.
   MR JUSTICE FRASER:  And then you say you became the
       assistant manager and worked in various branches as the
       assistant manager.  Were they all Crown branches?
   A.  Yes, they were.
   MR JUSTICE FRASER:  And your last role was the branch
       manager at the Barry Crown office?
   A.  My last role prior to taking up my current role, yes.
   MR JUSTICE FRASER:  Which was in 2012?
   A.  Yes.
   MR JUSTICE FRASER:  I'm sure I can guess from the name, but
       Barry Crown office is a Crown branch, isn't it?
   A.  Yes.
   MR JUSTICE FRASER:  All right, that's very helpful.  Thank
       you very much indeed for coming, and that's the end of
       your evidence.  I assume there are no follow-up
       questions to that from either of you?
          Further re-examination by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Perhaps one question.
           Does it make a difference whether you are working --
       in terms of operating the system, is there a material
       difference between operating the system from
       a subpostmaster branch, an agency branch, or from
       a Crown office?
   A.  No.
   MR DE GARR ROBINSON:  Thank you.
   MR JUSTICE FRASER:  Thank you very much.
   MR DE GARR ROBINSON:  My Lord, I call Andy Dunks.
                   MR ANDREW PAUL DUNKS (sworn)
           Examination-in-chief by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Mr Dunks, there should be a bundle of
       documents in front of you.  Can I ask you to go to
       divider 10 of that bundle please {E2/10}.  You will see
       a witness statement that describes itself as being by
       you.  Is that your name and address on the first page?
   A.  That's the name of my -- where I work.
   Q.  Where you work, I see.
   A.  Yes.
   Q.  Thank you.  And if you go to page 3 {E2/10/3}, is that
       your signature?
   A.  Yes, it is.
   Q.  And do you confirm that this statement is true to the
       best of your knowledge, recollection and belief?
   A.  Yes.
   MR DE GARR ROBINSON:  Thank you.  If you could wait there
       for a moment.
   MR JUSTICE FRASER:  Mr Miletic.
                 Cross-examination by MR MILETIC
   MR MILETIC:  Good morning, Mr Dunks.
   A.  Good morning.
   Q.  I would like to start with paragraph 3 of your witness
       statement which is {E2/10/1}.  There are you say:
           "I have been employed by Fujitsu Services Limited,
       on the ~... (Post Office Account), since 11 March 2002
       as an ~... (IT) Security Analyst responsible for audit
       data extractions and IT Security."
           That's quite a long time, isn't it?
   A.  Yes.
   Q.  17 years of experience you have in this particular area
       of data extractions?
   A.  Yes.
   Q.  And over the course of that 17-year period, how many
       extractions do you think you have carried out?
   A.  I couldn't tell you.  Hundreds.
   Q.  Hundreds?
   A.  Yes.
   Q.  You have probably seen every issue that possibly could
       arise with extraction of data, haven't you?
   A.  I would say so, yes.
   Q.  And how many others have a similar position to yours at
       Fujitsu at any given time and carry out data
   A.  Generally, there is a team of three or four people.
   Q.  And do they carry out a similar number of extractions
       each year as you would?
   A.  Yes.
   Q.  Would that number vary from year to year, or would it be
       fairly consistent?
   A.  No, it varies.  It varies week by week.
   Q.  And you have experience of carrying out audit data
       extractions both on Legacy Horizon and Horizon Online?
   A.  Yes.
   Q.  If we could please go to {E2/1/10}.  This is
       Mr Godeseth's witness statement, his first witness
       statement, and he is a colleague of yours at Fujitsu,
   A.  Yes.
   Q.  Now, at paragraph 31 there he says that he has been
       informed by a colleague that the number of ARQs issued
       since 2014/15 are as follows, and then he sets some out
       there at 31.1 to 31.4, do you see?
   A.  Yes.
   Q.  That suggests huge fluctuations over the years, doesn't
   A.  Yes.
   Q.  729 extractions in 2014/2015.  Can you think of why that
       would be?
   A.  I have no idea.  It is what we would get supplied or
       requests from the Post Office, so we don't control how
       many we get.
   Q.  Would it make sense to you if that was during the period
       when the mediation scheme was taking place and so maybe
       you had more requests at that time?
   A.  Yes, it could quite well be, yes.
   Q.  And in 2016/2017 and 2017/2018, over 300 requests.  Do
       you think that these proceedings may have an impact on
       that number and why it is a bit higher than for example
   A.  It could well be, but I can't guarantee that.
   Q.  In 2015/2016, 103 without these two alternative events
       going on.  Is that perhaps more representative of what
       you would get on a yearly basis, or do you not know?
   A.  I would be guessing if I said yes, without looking at
       all the previous years and how it has incremented over
       the years, I couldn't tell you.
   Q.  Sure.  But in your experience that might be about right,
       100 or so?
   A.  It could be, yes.
   Q.  And for 11,000 branches in a year, it's not a high
       percentage of ARQs that were requested during that year?
   A.  I suppose so.
   Q.  Now, there are no figures there for pre-2014, and
       the court has had had evidence from Mrs Mather -- and we
       don't need to turn it up, but for his Lordship's note it
       is paragraph 19 of her first witness statement which is
       {E2/8/4}.  There Mrs Mather says that there is
       a contractual limit on the amount of data requests that
       Post Office can ask for of 720.  Is this a limit that
       you're aware of?
   A.  Yes.
   Q.  If there's a contractual limit on the amount of ARQs
       that can be requested, Fujitsu must be keeping a record
       of how many requests are made each year?
   A.  Yes, we do.
   Q.  Why then are there no figures seemingly for prior to
   A.  I can't answer that.
   MR JUSTICE FRASER:  Have you been asked to get --
   A.  No.
   MR JUSTICE FRASER:  You haven't?
   A.  No.
   MR MILETIC:  But as far as you are aware, there would be
       a record of those?
   A.  As far as I'm aware, there is, yes.
   Q.  There should be really?
   A.  Yes.
   Q.  The purpose of your witness statement is essentially to
       talk about the process of audit extraction, audit data
       extraction, and the integrity of data and how it is
       maintained during that process, is that fair?
   A.  Yes.
   Q.  If we could go back to paragraph 4 of your witness
       statement {E2/10/1}, you say:
           "During 2009/2010 the Horizon system was upgraded to
       Horizon HNGX [Horizon Online] and the detail contained
       in this witness statement refers to audited transaction
       records generated by this upgraded ... system."
           I just want to be precise about the language there.
       When you say "audited transaction records", you are
       talking about transaction records generated from the
       audit store; what you're not talking about -- it's not
       the case that those records are actually audited prior
       to going into the audit archive, correct?
   A.  No, it's just the extraction data that I'm taking out.
   Q.  Exactly.  And so it's an important distinction because
       really the only time when those records are audited is
       when they are extracted and then someone uses them to
       compare against different records.  Does that sound
   A.  I think so.  I don't think they are actually compared.
       All the data that we extract is specific data from the
       servers with all the transactions so it's not -- I think
       the word "audit data" -- it's just we extract that data,
       we don't then compare it.  We then extract the data and
       supply it to the Post Office.
   Q.  Yes, so where it says "audited transaction records" it
       might be slightly misleading because it is not that they
       are audited prior to going into the audit store; that's
       correct, isn't it?
   A.  I don't know how it is put onto the audit store.
   Q.  And the second sentence there:
           "Unless I state otherwise in this statement when
       I subsequently refer to the 'Horizon System' I am
       referring to the ~... system as upgraded by Horizon
           Looking at your statement I have not seen somewhere
       where you have stated otherwise, and so actually your
       evidence is limited to the extraction process under
       Horizon Online, correct?
   A.  It is probably misleading.  As I have been doing it that
       long, it is both Horizon and Horizon Online.
   Q.  But the specific content of your witness statement from
       that point onwards only addresses Horizon Online?
   A.  I would say it's -- it's the data that I have extracted
       for these proceedings.
   Q.  I see.  And when you discuss controls, which we will get
       on to in a little bit, is it your evidence that those
       controls have always been the same and the same
       processes have been followed both in Legacy and
       Horizon Online?
   A.  I believe so.  I don't know all the controls -- the
       technical controls which are used for the storage of the
   Q.  So when you provided your evidence here, you really were
       talking about the controls as at effectively today's
       date when you were making extractions for this trial?
   A.  Yes.
   Q.  And if we could go over the page please to paragraph 5
       {E2/10/2}, the first sentence:
           "When information relating to
       individual transactions is requested, the data is
       extracted from the audit archive media of the Horizon
       System via the Audit Workstations."
           And then this second sentence:
           "Information is presented in exactly the same way as
       the data held in the archive although it can be filtered
       depending on the type of information requested."
           Pausing there, do you always provide data that's
       filtered, or do you sometimes provide data that's
   A.  We supply data that's filtered.
   Q.  Are there any circumstances in which you provide
       unfiltered data?
   A.  To the Post Office, I don't believe I have done.
   Q.  And then you go on to say:
           "The integrity of data retrieved for audit purposes
       is guaranteed at all times from the point of gathering,
       storage and retrieval to subsequent despatch to the
       person making the request."
           Again, just in the interests of being precise, can
       you explain exactly what you mean when you're saying
       "data integrity"?
   A.  That's what I'm led to believe within the systems that
       it is -- that hasn't -- the integrity is complete, it
       hasn't been touched in any other way.
   Q.  So your definition of integrity of data is simply
       whether it has been tampered with or not?
   A.  No, my definition of integrity is that the data I have
       extracted and supplied to the Post Office my -- I'm
       aware of is in -- its integrity is complete.
   Q.  And if I was to say the data integrity is the overall
       completeness, accuracy and consistency of that data
       which you can measure by comparing between sources,
       would you agree with that as a definition of data
   A.  Yes.
   Q.  And if we could please go to {D3/1/67}, this is from
       Dr Worden's first expert report, and if we could look at
       paragraph 238.6 and what he says there, which is:
           "The audit system provides a highly secure and
       tamper-proof record of what is entered into Horizon at
       the counter, which can be used, in cases of any anomaly,
       to provide a 'gold standard' for comparison with data
       held in other parts of the Horizon estate, supporting
       the diagnosis of software errors.  This acts as a secure
       kernel and redundant store of data (SEK and RDS)."
           I'm not going to ask you about the second sentence
       and those acronyms, but in terms of that first part, is
       it your evidence as well that it is highly secure and
   A.  The -- where the data is stored, I'm not involved in, so
       I can't answer that side of the question.
   Q.  But in terms of when it is extracted?
   A.  From my point of view, the processes that we follow and
       extract them and supply them to the Post Office, that is
       my belief.
   Q.  It is highly secure and tamper-proof?
   A.  Yes.
   Q.  And is it your evidence as well that it can be used in
       cases of an anomaly as a gold standard for comparison?
   A.  They are -- they are words that I probably wouldn't use,
       but I'm happy with the integrity of the data that I give
       to the Post Office.
   Q.  But "gold standard" might be putting it a bit high for
       your -- in your opinion?
   A.  Well, no, if you want to use "gold standard", yes,
       I will agree with that.
   Q.  But in any event, you agree that the accuracy of that
       audit data and maintaining the integrity upon extraction
       is extremely important, particularly, if it is going to
       be used in disputes with subpostmasters?
   A.  Yes.
   Q.  And if we could go back to {E2/10/2}.  Paragraph 6 where
       you set out what you say the following controls are that
       apply.  Did you look at any specific Fujitsu documents
       when listing what amount to 12 controls there?
   A.  Where am I looking at here, sorry?
   Q.  So in paragraph 6 you say:
           "During audit data extractions the following
       controls apply ..."
   A.  Yes.
   Q.  And then you list out in subparagraphs, 12 specific
       particular controls and I was just wondering whether you
       looked at any specific Fujitsu documents when you set
       out those controls?
   A.  No, this is the process -- there are security processes
       and protocols in place within Fujitsu, but these are
       basically the security controls that we have as a team
       that we have to extract the data.
   Q.  My question might not have been entirely clear,
       Mr Dunks, but when you set out these 12 controls, when
       you were drafting this part of your statement, did you
       look at any specific documents in order to think of
       and write out these 12 controls?
   A.  No, this is my knowledge of the controls.
   Q.  So this is purely from your memory that you draft the 12
   A.  Yes.
   Q.  I see.  And in terms of those 12 controls, have they
       always been available throughout your time at Fujitsu,
       or have some potentially changed?
   A.  No, that's basically as is the whole time I have been
   Q.  As far as you can recall those are~...
   A.  Yes.
   Q.  Would you say that those are sort of the core controls,
       or they just some that you thought of?
   A.  No, they are the core controls surrounding the audit
   Q.  So at any point in time when we look we should probably
       see the 12 same controls listed at other points in time?
   A.  Yes.
   Q.  And just over the page, please, {E2/10/3}, at
       paragraph 7 you just describe the fact that you have
       extracted data in relation to these proceedings.  And
       then paragraph 8, again, I just want to be very precise
       and I want to make sure that I understand exactly what
       is being said in this statement.  Paragraph 8 begins:
           "There is no reason to believe that the information
       in this statement is inaccurate ..."
           Pausing there, what is "this statement"?  Do you
       mean your witness statement?
   A.  Yes.
   Q.  Okay:
           "There is no reason to believe that the information
       in this [witness] statement is inaccurate because of the
       improper use of the system."
           What is the "system" there?  Is that the system of
       the process of extracting audit data, or is it something
   A.  Good question.  There's no -- I'm not sure what I was
       meaning by that, "There is no reason to believe ..."
   Q.  We will take this step-by-step, but just looking at that
       first sentence, you are not quite sure what you mean by
   A.  I think I was meaning about the improper use of the
       audit data extraction system.
   Q.  So when you say "system", you mean the process of
       extracting audit data?
   A.  Yes, I do.
   Q.  I see, so:
           "There is no reason to believe that the information
       in this [witness] statement is inaccurate because of the
       improper use of the system [in place for extracting
       audit data]."
   A.  Yes.
   Q.  "To the best of my knowledge and belief at all material
       times ..."
           Pausing there, what are "all material times" in your
   A.  The whole time I had been using the workstations to
       extract the data, as far as I'm concerned, there has
       been no issues or faults with the workstations to
       extract the data.
   Q.  So "at all material times" is actually the 17 years you
       have been at Fujitsu?
   A.  Yes.
   Q.  I see, so:
           "To the best of my knowledge and belief at all
       material times the system ..."
           Ie the process of extracting data:
           "... was operating properly, or if not, any respect
       in which it was not operating properly ..."
           Again, pausing there, it is slightly confusing.  Are
       you aware or not aware of any instances where that
       system was not operating properly?
   A.  No, not really, no.
   Q.  Okay.  So you're not aware --
   A.  There may have been a few faults -- software faults --
       I would say software faults -- where the system has
       rebooted or whatever, but if that does, it interrupts
       the data extraction which doesn't complete, so we will
       then re-run the data extraction.  So it's not affecting
       any data that's been extracted.
   Q.  I see.  And is that the only example that you can
       provide his Lordship as to occasions when that system
       wasn't operating properly?
   A.  Yes.
   Q.  So you say it was operating properly:
           "... or if not, any respect in which it was not
       operating properly, or was out of operation was not such
       as to effect the information held within it."
           What is "it"?
   A.  The data that I have extracted.
   Q.  I see, okay.  So, Mr Dunks, how could you possibly say
       that in any respect that the system wasn't operating
       properly, it wouldn't affect the data that you have
       extracted?  Surely if that process isn't operating
       properly, it must have an effect on the data that it
   A.  Well, no, because if it doesn't extract the data wholly,
       or there is an issue with the PC at the time, it will --
       it shows that there is an error, so we actually re-run
       the data and there are some checksums within the data
       which is a number for each day and if there's a gap
       between -- and we check that there's no gaps between
       those numbers, and on each report it states that there
       are no gaps, which would show if it there were any
       issues, but ...
   Q.  I see.  And is it your case that there has never been
       a circumstance where the data that's been produced
       hasn't[sic] appeared inaccurate because of the process
       used to extract it?
   A.  Not to the best of my knowledge, no.
   Q.  So now that we have deconstructed that paragraph
       a little bit, it is a very specific and slightly hard to
       follow choice of wording.  Has that come from you, or
       has that come from somebody else, Mr Dunks?
   A.  It -- I did produce the witness statement and then it
       came back slightly altered to see if I was happy with
       that and I read it and I was happy with it.  Maybe
       misunderstanding how it could be interpreted, but ...
   Q.  Yes, but paragraph 8, is that your choice of wording or
   A.  I can't remember.
   Q.  Is it more of a Fujitsu party line when it comes to
       providing statements on extracting data?
   A.  There is -- as far as witness statements, there are
       no -- I'm not aware of any party line, no.
   Q.  Thank you.  Can we please go to {E2/1/10} and we're back
       in Mr Godeseth's witness statement here.  We looked at
       the ARQ extraction rates over the years.  At
       paragraph 32, Mr Godeseth says:
           "I am not aware of any instances where data
       retrieved from the Audit Store differs from other
       sources of data, nor am I aware of any instances where
       the integrity checks described in paragraph 30 have
       revealed any issues."
           Those integrity checks are broadly similar to the
       ones that you have outlined, but are you aware of any
       instances where data retrieved from the audit store has
       differed from other sources of data?
   A.  No, because I'm not aware of any other forms -- I'm not
       involved in any areas of data storage.
   Q.  So Fujitsu wouldn't know that anyway?
   A.  Well, I can't say that.
   Q.  Does Fujitsu keep a list of any times when that might
   A.  I don't know.
   Q.  It would be quite a useful thing to have though, for
       Fujitsu's purposes, if they did have such a list,
       wouldn't it?
   A.  Yes.
   Q.  And I guess my second question is a bit overlapping with
       the first, but are you aware of any instances where
       integrity checks have revealed issues?
   A.  No, I'm not aware, no.
   Q.  Not aware of any instances?
   A.  No.
   Q.  And again, Fujitsu don't keep a list of any of these
       times when it might have revealed issues?
   A.  Again, I don't know.
   Q.  Can we please go to {F/1557}.  Mr Dunks, this is
       actually a Post Office document titled "Back Office
       Transformation".  It is dated 22 October 2016.  The
       context -- there's a little bit in that first part
           "This paper outlines the business case for the back
       office transformation.  An opportunity to significantly
       improve our basic process and controls, whilst
       simplifying the back office application landscape and
       reducing our cost base."
           If we could please go to page 4 of that document
       {F/1557/4}.  Have you seen this document before,
       Mr Dunks?
   A.  No.
   Q.  Now, there it says "Why do we need to transform?":
           "Transformation in the back office is required due
       to unsuitable processes and significant operational
           "The Post Office has been running the same
       sub-optimal back office processes for many years."
           If we go down a bit further:
           "Industry best processes exist that can, and will be
           And then 14:
           "The back office is currently operating with a far
       higher operational risk profile than is accepted by the
       Post Office when making investment or project decisions.
       High proportion of manual accounting steps."
           And then the first arrow bullet point there:
           "Lack of system audit trail between transactions."
           What do you think that means?
   A.  I have no idea, I would be guessing.
   MR DE GARR ROBINSON:  Is this a fair --
   MR JUSTICE FRASER:  Just -- Mr De Garr Robinson.
           I'm not sure you can actually really pursue that
       very much further with this witness given he has never
       seen the document before.
   MR MILETIC:  I'm grateful, my Lord.
   MR JUSTICE FRASER:  Is it a phrase you have ever come across
       before "lack of system audit trail"?
   A.  No.
   MR MILETIC:  I suppose the one question I would ask Mr Dunks
       is: are you aware that Post Office had any concerns
       regarding system audit trail as far back as 2016.
   A.  No, because I'm not involved in that area at all.
   Q.  I see.  I will move on.
           If we could please go to {F/1716}.  This is the
       audit extraction client user manual.  Presumably you are
       very familiar with this document?
   A.  I haven't read it for a long time, but I'm aware of it,
   Q.  So it's not something that you really look to on a daily
   A.  No, it's not.
   Q.  When do you think is the last time you would have looked
       at it?
   A.  A few years.
   Q.  A few years?
   A.  Yes.
   Q.  The date of this document is 1 December 2017.  It's the
       most recent version, as far as we're aware, but you're
       not sure either way probably whether it is or it isn't,
       is that fair?
   A.  No, not -- no.
   Q.  If we could go please to page 9 of this document
       {F/1716/9}, the introduction there:
           "In addition to the historic data collected under
       Horizon, the HNG-X system generates significant amounts
       of data that is of interest to Post Office~... Internal
       Audit ... and other groups.
           "This document describes the Audit Extraction Client
       application that is run on the Audit Workstations ...
       the AE client provides functionality to manage [ARQs]
       ... and to retrieve and process audit data from the
       audit archive."
           It seems like an incredibly important document for
       your job, doesn't it, Mr Dunks?
   A.  Yes.
   Q.  It is effectively a step-by-step guide on how to
       contrary out data extraction?
   A.  I don't know.  I can't remember reading it but --
   Q.  You can't remember reading.  The definition there of
       "filtering" under 3, do you see?
   A.  Mm-hm.
   Q.  "Filtering is the process of searching the retrieved
       audit files for specified FAD codes or strings in order
       to select a subset of data for further processing.  The
       user has the option of selecting the whole file in which
       a match is found or of just selecting the matching
       messages or records."
           So filtering takes place obviously after you have
       actually retrieved the files from the archive?
   A.  Yes, yes.
   Q.  Under 4, "Audit Data Integrity", the second paragraph
           "The integrity of audit data must be guaranteed at
       all times and controls have been established to provide
       assurances to Post Office Internal Audit that this
       integrity is maintained."
           That wording actually mirrors paragraph 5 of your
       witness statement.  Do you recognise that wording?
   A.  Yes.
   Q.  And then it says:
           "During audit data extractions the following
       controls apply ..."
           Now, there are two there on that page which actually
       mirror your 6.1 and 6.2 controls and then just over the
       page please {F/1716/10}, the third one there matches
       your paragraph 6.6.
           If we could please move forward to page 42 of this
       manual {F/1716/42}, the section begins with "Validation
       and Query":
           "This tab will only be available if the following
       conditions have been met:
           "1.  The retrieved data consists exclusively of TMS
       and/or BRDB messages.
           "2.  Filtering has been performed."
           So this is now the data has been retrieved and now
       we have been filtering, is that right?
   A.  Right, this is -- there would be two forms of data
       retrieval, one is the fast and one is a slow one.  This
       is the historic one which I haven't used for quite
       a while, but yes, I believe so.
   Q.  I see.
   MR JUSTICE FRASER:  Is this the slow one or the fast one?
   A.  It's the slower one.
   MR JUSTICE FRASER:  The slow one.
   MR MILETIC:  And if we could go over the page, please
       {F/1716/43}, it says:
           "TMS and BRDB messages are numbered in sequence for
       each node.  During filtering any retrieved audit message
       data is analysed to determine what message sequences are
       present in the data and whether there are any gaps or
       duplicates in those sequences.  A gap in a message
       sequence may indicate that a message is missing from the
       audit data.  Duplicates may indicate that an audit file
       has been gathered twice."
           Taking those in turn, "a gap in a message sequence
       may indicate that a message is missing from the audit
       data"; that suggests that the underlying audit data is
       incomplete, doesn't it, Mr Dunks?
   A.  I would say so, yes.
   Q.  But it uses the word "may", so actually it might be the
       case that it is the retrieval process that has caused
       the gap?
   A.  I don't -- no, I don't think -- I don't know.
   Q.  So the use of the word "may", may just be a slip in
       language there?
   A.  Quite possibly.
   MR JUSTICE FRASER:  Well, it could be any one of a number of
   MR MILETIC:  Precisely, my Lord.
   MR JUSTICE FRASER:  But on the basis that the witness didn't
       draft it, I think he has agreed with your proposition to
       the extent he can, but he also says he doesn't know.
   MR MILETIC:  I'm grateful, my Lord.
           And the second part there "duplicates may indicate
       that an audit file has been gathered twice", so that
       would be an example of the processing -- the system you
       were describing before, potentially causing duplicates
       to be gathered?
   A.  Yes, possibly.
   Q.  And are you aware whether actually it might be the case
       that duplicates were in the underlying data itself
       rather than through the process?
   A.  I don't know, I can't -- I don't know.
   Q.  Well, the diagram there shows what would happen in the
       event that gaps and duplicates are found, and do you see
       it says gaps found shown in red, duplicates found shown
       in blue and in block capitals "Seek assistance from
       audit support".  Now, on the face of that message --
       first of all, have you seen messages like this before
       when you have retrieved data?
   A.  If I have it was a long time ago.  I'm not saying
       I haven't, but it would have been a long time ago.
   Q.  You may have done?  And on the face of it doesn't tell
       you what the cause is of those gaps or duplicates, does
   A.  No, I don't believe it does, no.
   Q.  And you wouldn't know what the cause was?
   A.  No, I wouldn't know, no.
   Q.  And in block capitals it says "Seek assistance from
       audit support".  Seek assistance from audit support, but
       there's no explanation as to what audit support might
       do.  What do audit support do in that circumstance?
   A.  I'm assuming they would investigate the cause of the
   Q.  Do you have any experience of when you have called audit
       support and they have come back to you?
   A.  Possibly.  I think I possibly -- yes, I think we have
       raised PEAKs, which is if this -- we would raise an
       issue via a PEAK for the audit team to investigate.
   Q.  It's a problem, isn't it, if gaps and duplicates are
       found upon the retrieval process?
   A.  Yes, I think so.
   Q.  And it's obviously very important what happens to the
       data afterwards.  Would you provide ARQs containing gaps
       and duplicates, or would that go out of your hands and
       then audit support gets involved?
   A.  Yes, the latter, yes.
   Q.  The latter?
   A.  Yes.
   Q.  And you're not quite aware of what they do.  You say
       they investigate?
   A.  Mm-hm.
   Q.  When the ARQ is ultimately provided, do they -- do you
       know if they provide a version containing gaps and
       duplicates, or if they provide a version without gaps
       and duplicates because they have removed them?
   A.  I don't know.
   Q.  You don't know?
   A.  No.
   MR MILETIC:  My Lord, would it be a convenient moment for
       a break?
   MR JUSTICE FRASER:  Yes, it would.
           Mr Dunks, you are in the middle of giving your
       evidence.  We have a short break in the morning and
       a short break in the afternoon for the shorthand
       writers.  Please don't talk to anyone about your
       evidence or the case.  We will have ten minutes, come
       back in at 11.50, but please don't feel constrained to
       stay in the box, you are allowed to go outside, stretch
       your legs, even get some fresh air if you think you can
       get down and get back up in time, but 11.50.  Thank you
       very much.
   (11.41 am)
                          (Short Break)
   (11.52 am)
   MR MILETIC:  Could Mr Dunks please be shown {F/676}.  This
       is a witness statement dated 8 July 2010 by
       Gareth Jenkins.  Do you know Gareth Jenkins?
   A.  Yes, I do.
   Q.  He was a colleague of yours, correct?
   A.  Yes, he worked on the same account.
   Q.  And he provided this witness statement in the trial of
       Mrs Seema Misra.  I assume you are familiar with
       Mrs Misra's case?
   A.  Yes.
   Q.  In fact I understand, having seen a reference in
       a transcript, that you in fact provided at least one
       witness statement in that case?
   A.  I did.
   Q.  Do you remember what the content of that witness
       statement, what it was dealing with?
   A.  That was around the help desk calls.
   Q.  I see.  Now, Mrs Misra was a subpostmistress in
       West Byfleet that was at the time being prosecuted on
       charges of false accounting and theft and you recall
   A.  Yes.
   Q.  Have you seen this witness statement of Gareth Jenkins
   A.  No.
   Q.  Could we please go to page 2 of this statement
       {F/676/2}.  In the first full paragraph it says:
           "With Horizon counters, the mechanism by which data
       is audited has always worked on the principle that it is
       acceptable to audit the same data more than once -- in
       particular if in doubt as to whether or not it has been
       previously audited successfully.  The Mechanism used on
       Horizon to retrieve the audit data took this into
       account and only presented one instance of such
       duplicate data in the ARQ extracts.  The Audit Mechanism
       cannot alter the base information and therefore
       a re-running of the audit process will always produce
       the same result."
           Does that accord with your understanding of how the
       process of retrieving audit data worked in
       Legacy Horizon?
   A.  Yes.
   Q.  Are you sure or is it --
   A.  No, no, as far as I'm aware it extracts the data that's
       there and if I extract it again, it will bring out the
       same data.
   Q.  I see, so duplicates would not show up at that time?
   A.  When you say duplicates --
   Q.  Well, when it says:
           "~... only presented one instance of such duplicate
       data in the ARQ extracts."
   A.  As far as I'm concerned the data that -- it is very
       process-driven, so we input the FAD code, the dates and
       extract the data, and if I extracted it a second time,
       it would bring back the same data, so I'm not aware, or
       I don't know about duplicates it would bring back -- as
       far as I'm concerned, it brings back the same data.
   Q.  I see.  Mr Jenkins goes on to say:
           "In January 2010 a new HNG-X application was
       introduced to filter transaction records for
       presentation to Post Office Limited.  It has recently
       been noticed that this HNG-X retrieval mechanism does
       not remove such duplicates.  An enhancement to the
       extraction toolset will be developed, tested and
       deployed and will remove such duplicate data in the
       future.  However until this enhancement is deployed,
       there is a possibility that data is duplicated."
           Pausing there, do you recall this being an issue at
       the time?
   A.  I vaguely remember it, yes.
   Q.  And he goes on to say:
           "The reliable way to identify a duplicate
       transaction is to use the <Num> attribute that is used
       to generate the unique sequence numbers.  This will be
       included in all future transaction record returns until
       the retrieval mechanism is enhanced.  A semi-automated
       process to copy the returned data, and then to identify
       and remove any duplicated records which may be present
       from this copy by using the <NUM> attribute, has been
       agreed with Post Office Limited for use in the interim
           What that suggests is there was a period of time
       when there was -- it says semi-automated, a partly
       manual process in removing duplicate records from ARQ
       extracts.  Does that accord with your memory?
   A.  It wasn't in the process that we did when extracting the
       data.  I'm aware of that happening, whether it went
       on -- I don't know the process of it, but it wasn't in
       our daily process for extracting and removing any
   Q.  So where it says that there is a process agreed with
       Post Office in the interim period for removing those
       duplicate records, that's not something that you were
       involved in as the person extracting the data?
   A.  No.
   Q.  And not anyone in the similar role to yours was involved
       in that?
   A.  I don't believe so, no.
   Q.  So there was effectively a separate department that was
       taking care of that?
   A.  That was dealt with -- yes, not within our team.
   Q.  I see.  And it says there:
           "A transaction log data disc has been produced as
       exhibit PT/02 in the trial of Seema Misra.  The
       transaction log data disc is made up of ARQs 436 to 448.
       It should be noted that ARQ 447 which records the
       transactions between 1 November 2007 to 30 November 2007
       does contain some duplications of audited records."
           But then Mr Jenkins says:
           "It is emphasised that [it doesn't] ~... in any way
       [affect] actual physical transactions recorded on the
       counter~... The duplication of records has ..."
           If we could turn the page:
           "... occurred during the auditing process when
       records were in the process of being recorded purely for
       audit purposes from the correspondence servers to the
       audit servers."
           That final paragraph there, does that look familiar
       to you?
   A.  Yes, it's the same as what's in my statement, yes.
   Q.  There's a slight difference in that it says improper use
       of the computer rather than system, but the rest does
       seem to match up?
   A.  Mm-hm.
   Q.  But you hadn't seen this witness statement before?
   A.  No.
   Q.  And you're not sure why it would largely replicate your
       paragraph 8?
   A.  No, I mean, we do have a standard witness statement that
       we produce for ARQs.  When we supply ARQs we are
       sometimes asked for a witness statement to go through
       the process and verify as far as I'm aware that the data
       I supplied is accurate.  Now, we use that quite a lot
       and it may actually be in that statement.
   Q.  I see.  So when I asked you earlier whether it was
       something of a Fujitsu party line you said you didn't
       think it was, but actually it looks as though it is on
       the basis of what you have just told me and on this
       document as well.
   A.  It could be.  It may be part of our standard witness
       statement that we supply.
   Q.  And it's not something you think about too much, that
       specific section?
   A.  No.
   Q.  It's just template.  You don't think about it, and you
   A.  No.
   Q.  I see.
   MR JUSTICE FRASER:  Is that no, you are agreeing, or no, you
       are disagreeing?
   A.  No, I agree.
   MR MILETIC:  I'm grateful, my Lord.
           Now, if we could please go to {F/573/1}.  This is
       a witness statement of Penelope Anne Thomas.  Do you
       know Mrs Thomas?
   A.  Yes, she used to be a colleague.
   Q.  And have you seen this witness statement before?
   A.  No.
   Q.  This is a witness statement also in Mrs Misra's trial
       and if you look at the first full paragraph, that
       largely replicates your paragraph 3.  She was
       essentially performing the same role in terms of
       providing evidence as you are here, is that fair?
   A.  Yes.
   Q.  And if we could turn to page 3 please {F/573/3}, and
       just to say, the date of that statement -- it says
       4 February on the front page and she describes a bit of
       the process there in the second paragraph and in the
       final two sentences, in discussing the transaction
       records, she says:
           "They therefore provide the ability to compare the
       audit track record of the same transaction recorded in
       two places to verify that systems were operating
       correctly.  Records of all transactions are written to
       audit archive media."
           Nothing controversial there, do you agree?
   A.  Yes.
   Q.  And just in passing, the two paragraphs below that where
       it says:
           "The Horizon system records time in GMT and takes no
       account of Civil Time Displacements ..."
           This is something we have actually heard some
       evidence on earlier, but it's correct, isn't it, that
       the audit data -- six months of the year the time stamp
       will be off by an hour?
   A.  Yes.
   Q.  And at the bottom of that page, Penelope Thomas says:
           "During audit data extraction the following controls
           And then over the page {F/573/4}, and she too lists
       12 controls that aren't entirely -- they don't entirely
       match up to the controls that you have set out, for
       example, one of the controls that I noted appears to be
       missing is in your paragraph 6.9 where you said:
           "Checks are made using the JSN that all audited
       messages for each counter in the Branch ~..."
           I will just let you find it if it would help?
   A.  Mm-hm.
   Q.  "Checks are made using the JSN that all audited messages
       for each counter in the Branch have been retrieved and
       that no messages are missing."
           To your knowledge, was this an available control at
       this time when Ms Thomas gave her statement?
   A.  I don't know.  I don't know.
   Q.  So you don't know when that control came into play?
   A.  No, I don't.
   Q.  I see.  Do you think if it was available it's quite an
       important check that Ms Thomas would have mentioned it?
   A.  Possibly.
   Q.  But it is quite difficult because she hasn't listed
       where she derives those controls from either and a point
       that we made earlier when looking at your witness
       statement -- you said that you had listed 12 controls
       effectively from recollection, or what you understand
       them to be, but we can't now verify that by looking at
       any documents to see where those controls might appear
       and when they were brought into force or not as the case
       may be?
   A.  No -- well, I don't know.  There may be ...
   Q.  I see.  How did you satisfy yourself that the controls
       you were speaking to in paragraph 6 of your witness
       statement do actually apply as at today's date?
   A.  I -- on those checks -- those -- I was trying to imply
       that the data as far as I was concerned, when extracted,
       was true and accurate to my best knowledge.
   Q.  Well, stopping just there.  You're trying to imply the
       result which is that the data is accurate, but the
       question is very specific as to the content, the
       existence of the controls that are in place.  How did
       you verify to yourself that those controls are actually
       in place?  How did you know?
   A.  I was trying to imply that the data that I had extracted
       hadn't -- from the date of -- from the time of being
       extracted hadn't been manipulated or touched and when
       you said before (inaudible) with the Post Office, and
       controls to actually go in and log on and extract that
       data, there were controls in place to do that.
   Q.  But can you actually be sure that the controls you
       listed were in effect and were operating as at the time
       you extracted the data?
   A.  To the best of my knowledge, yes.  Yes.
   Q.  I see.
   A.  I had no reason to doubt it.
   Q.  Even though you didn't confirm it through any documents?
   A.  No.
   Q.  I see.  And over the page, please, {F/573/5}.  Ms Thomas
       there just describes that she was in fact the one that
       extracted the records in relation to Mrs Misra so we
           "ARQs 436 to 448 ... were received on
       26 February 2010 ..."
           It goes on to say:
           "I produce a copy ... as exhibit PT/01.  I undertook
       extractions of data held on the Horizon system in
       accordance with the requirements of ARQs 436 to 448 ...
       and followed the procedure outlined above.  I produce
       the resultant CD as Exhibit PT/02.  This CD, Exhibit
       PT/02, was sent to the Post Office Investigation section
       by Special Delivery on 4 March~..."
           Do you recall that PT/02 was the exhibit that
       Gareth Jenkins in his witness statement was talking
   A.  I'm -- with it being called the same, I'm assuming it is
       the same.
   Q.  Yes, and he, in that statement, referred to ARQ 447
       containing duplicate records and then needing to be
       removed.  I can take you back if you would like to see
       that section?
   A.  No, that's fine.
   Q.  So then Ms Thomas sets out:
           "This report is formatted with the following
           And then over the page, please {F/573/6}:
           "The Event report is formatted with the following
           Now she doesn't mention anywhere there that ARQ 447
       contained duplicate records, does she?  I can give you
       a moment to look at that section.
   A.  No.
   Q.  And then the paragraph immediately below it, that again
       is your paragraph 8 although this time word-for-word is
       the same as your paragraph 8, isn't it?
   A.  Yes.
   Q.  And it is consistent with your answer earlier that this
       is a sort of template Fujitsu witness statement document
       that is provided and you sign --
   A.  Yes.
   Q.  -- just to show that the extraction has been okay?
           Ms Thomas not identifying duplicates in ARQ 447,
       that's slightly problematic, isn't it, to either
       Post Office or an SPM that is trying to look at
       anomalies and compare sources of data?  That's not very
       helpful, is it?
   A.  The statement again is to verify the integrity of the
       data once extracted and given.  We don't control what's
       in the data.  Our process is about extracting it and
       securely passing it over to the Post Office.  It's not
       our concern of what's in the data.
   Q.  It's not your concern what's in the data?
   A.  No, it's what we're -- we're process-driven to extract
       certain types of data for certain requests.
   Q.  And so whether or not that might match another record or
       not, or replicate or duplicate or have gaps, that's not
       part of your remit, that's not really part of your
   A.  No, it's not.
   Q.  I see.  So reading that and reading the paragraph 8 as
       it was in your witness statement, it doesn't give much
       comfort to somebody that's then trying to rely on ARQ
       data as being a gold standard to compare and investigate
       anomalies, does it?
   A.  Possibly not.
   Q.  Are you aware, Mr Dunks, of any other specific issues
       with the retrieval of audit data that may have impacted
       disputes between Post Office and subpostmasters or
   A.  Not that I can -- not that I can recall would cause
       those issues, no.
   Q.  Could we please look at {F/829}.  This is a PEAK,
       PC0211833, and do you see under "Summary" it says:
           "Audit Retrieval for ARQ Returns Missing Reversal
           Do you see that field?
   A.  Yes.
   Q.  And then under "Impact Statement" in capitals:
           "Service on stop ... ARQ returns for HNGX
       transaction records must stop until resolution.
       Analysis must identify returns which may require
           Do you recall a particular issue in terms of
       reversals and audit retrieval?
   A.  No.  At that time, Penny managed the ARQ retrieval
       process and she -- that was her main priority and her
       main job, so I wasn't -- I wouldn't have been --
       I wouldn't have seen this issue, or been made aware of
       these issues.
   Q.  You would not have been made aware of this issue at all?
   A.  No.
   Q.  Even though you are the person that's extracting data?
   A.  No.  With our team we had a number of different roles
       and audit extraction is one of those roles, which is
       process-driven, so -- and Penny would have managed that
       via this PEAK.  I wasn't aware of -- and if I was,
       I certainly don't remember.
   Q.  And if we could go over to page 2 please {F/829/2}.  Do
       you see that bottom box there?  If we look down at
       "Impact on operations" -- well, if we start at the top
       it says:
           "Specify the HNG-X platforms impacted."
           Do you see that?
   A.  Yes.
   Q.  And it says:
           "The platform has been specified and it is the Audit
           "Technical summary: the spreadsheets presented in
       support of prosecution at court miss out an indication
       as to whether or not a transaction is a reversal."
           And then further down do you see "Impact on
   A.  Yes.
   Q.  There again it says:
           "Spreadsheets supplied by the prosecution team miss
       out an indication as to whether a transaction is
       a reversal."
           It says:
           "The prosecution team are well aware of the
       problems; we hope to have a release out in a few days;
       a KEL is therefore not required."
           Just over the page please {F/829/3}, and it says:
           "Risks (of releasing and of not releasing proposed
           "There are few risks with this fix.  It must be got
       out or prosecution evidence is incomplete."
           And then there is a description there of queries
       being changed in order to show reversals, and this is
       taking place now this PEAK from -- August 2011 is when
       this problem was identified, but you say you were never
       made aware of it and presumably you weren't aware either
       of queries being changed subsequently?
   A.  I don't recall this, no.
   Q.  And on the final page, please, of this document
       {F/829/5}, there is a final message there saying:
           "Fix deployed; all appears to be operating as
       required.  Closing call.  Many thanks to all, Penny."
           So it is fair to say that up until August 2011, the
       data that you were retrieving did not have an indicator
       as to whether or not reversals had taken place?
   A.  Correct, yes.
   Q.  Do you see that as detracting somewhat from this being
       a secure gold standard record to be compared with other
   A.  I honestly can't say whether that has an implication on
       that at all or -- that data missing has an implication
       on that at all, I don't know.
   Q.  It's not in your remit, it's not in your concern?
   A.  No, no.
   Q.  Were you in court on Monday when Mrs van den Bogerd was
       being cross-examined?
   A.  Yes.
   Q.  Did you hear a reference to something that was referred
       to as the Helen Rose report?
   A.  I don't recall it but ...
   Q.  It's a very short point I was going to make, but
       actually perhaps it is fair to take the witness to the
       document very briefly.
   MR JUSTICE FRASER:  It depends what the point is, I suppose.
   MR MILETIC:  Well, the short point is this but actually it
       might be, Mr Dunks, that you simply don't know the
       answer to this either, so the point that I was going to
       make is that it wasn't until the summer of 2013, at the
       time of the Helen Rose report, that in actual fact it
       was identified to be a problem that the reversal
       indicator didn't show whether it was system or
       user-generated, but is that something that is outside of
       your knowledge?
   A.  Yes.
   Q.  Very well.  I won't go to that point then.
           So, Mr Dunks, having now canvassed through various
       documents and looked at various problems that existed
       with ARQ data when it was retrieved, can you just
       explain to the court why those things, or a semblance of
       those issues were not set out candidly in your witness
   A.  Sorry, I don't understand.
   Q.  So we have just been through several documents and
       several issues in terms of when audit data is retrieved
       and the problems in relying on that data, but none of
       that is set out in your witness statement, and is there
       a particular reason as to why that might be?
   A.  Again, the -- what I was trying to convey with our
       witness statements, as I believe, is the integrity of
       the data once we have extracted it, and then supplied it
       to the Post Office, and the controls around the
       extraction, not the data itself.
   Q.  I see, so what you are not saying in your witness
       statement is that the data then is accurate and reliable
       in terms of use for disputes between subpostmasters and
       Post Office?
   A.  No, I can't say that at all.
   MR MILETIC:  You can't say that?  That's fair.
           My Lord, I have no further questions.
   MR JUSTICE FRASER:  Mr De Garr Robinson?
              Re-examination by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Mr Dunks, I would just like you to
       look at your witness statement please, paragraph 8.  You
       were asked a question about this paragraph and you were
       asked -- it was suggested to you that you didn't really
       think about that paragraph much and I would just like to
       take you through it {E2/10/3}.  In the first sentence
       you say:
           "There is no reason to believe that the information
       in this statement is inaccurate because of the improper
       use of the system."
           Mr Dunks, is that sentence true or is it not true?
   A.  It is -- well, it's true.  I don't believe -- there's no
       reason to believe that it is inaccurate at all.
   Q.  And did you think about that sentence when you signed
       the statement?
   A.  It wasn't in the forefront of my mind when I was signing
       the statement, no.
   Q.  The next sentence:
           "To the best of my knowledge and belief at all
       material times the system was operating properly, or if
       not, any respect in which it was not operating properly,
       or was out of operation was not such as to effect the
       information held within it."
           Is that sentence true?
   A.  Yes.
   Q.  Would you have signed this statement if either of those
       sentences had not been true?
   A.  No.
   MR DE GARR ROBINSON:  Thank you.
                  Questions by MR JUSTICE FRASER
   MR JUSTICE FRASER:  I have just got a question.
           You started doing your current role in 2002, is that
       right?  I think it is in paragraph 3, you say.
   A.  I have worked within this team since then, but the roles
       have changed within that over that period of time.
   MR JUSTICE FRASER:  What were you doing before 2002?
   A.  I was -- there were different roles again within then
       ICL, from desktop support, et cetera.
   MR JUSTICE FRASER:  And when did you start at ICL, do you
   A.  Good question.  About 21 years ago.
   A.  Yes.
   MR JUSTICE FRASER:  You are trying to catch me out with some
       mental maths.
           I don't have any questions other than that.
       I assume there's nothing arising out of that.  Thank you
       very much for coming, you can now leave the witness box.
   MR DE GARR ROBINSON:  My Lord, I call Torstein Godeseth.

               MR TORSTEIN OLAV GODESETH (affirmed)
   MR JUSTICE FRASER:  Have a seat, Mr Godeseth.
           Examination-in-chief by MR DE GARR ROBINSON
   MR DE GARR ROBINSON:  Mr Godeseth, there's a bundle of
       documents in front of you.  Could I ask you to go to
       divider 1 of that bundle please {E2/1}.  This is
       a document that describes itself as a witness statement
       by you.  Is that your name and address on the first
   A.  It is.
   Q.  And if you go to the last page, page 20 {E2/1/20}, is
       that your signature?
   A.  It is, my Lord.
   Q.  If we could go on to tab 7 in the same bundle, please
       {E2/7}.  I believe you will see a page with two
       corrections, is that right, at the front of that tab?
   A.  Yes.
   Q.  And then over the page, there is another witness
       statement by you and again, there's your name and
       address on the first page, isn't there?
   A.  That's right.
   Q.  And page 18 {E2/7/18}, that's your signature, is it?
   A.  It is.
   Q.  And then there's a third statement which should be
       behind divider 14 of the bundle {E2/14}.  Again, your
       name and address on page 1, and on page 7, is that your
       signature? {E2/14/7}
   A.  It is.
   Q.  Now, the later statements clarify and in some respects
       correct matters that are set out in the earlier
       statement.  Subject to those clarifications and
       corrections, and subject to the two corrections you saw
       in the front sheet at tab 7, do you confirm that these
       witness statements are true to the best of your
       knowledge, recollection and belief?
   A.  I do.
   Q.  Now, Mr Godeseth, I've got a question I would like to
       ask you arising from evidence that's just been given by
       Mr Dunks, and with your Lordship's permission ...?
   MR DE GARR ROBINSON:  If we could go to {F/1716} please and
       could we go to page 43 of that document {F/1716/43}.
       This is a Fujitsu document.  It's the Audit Extraction
       Client User Manual.  Do you see that?
   A.  Yes.
   Q.  Now, just remind me, how long have you been working for
   A.  Since 2010.
   Q.  And since that time, have you had any familiarity with
       the audit extraction process and its reliability and so
       on, and issues surrounding it?
   A.  I have clearly been aware that audit extracts have been
       happening, but I have not been intimately involved in
       that process until more recently.
   Q.  I see.  I would like to ask you about -- at the top of
       the page it says:
           "TMS and BRDB messages are numbered in sequence for
       each node.  During filtering any retrieved audit message
       data is analysed to determine what message sequences are
       present in the data and whether there are any gaps or
       duplicates in those sequences.  A gap in a message
       sequence may indicate that a message is missing from the
       audit data.  Duplicates may indicate that an audit file
       has been gathered twice."
           I would just like to ask you a couple of questions
       about that.  If there had been a gap in a message
       sequence during the extraction process that's described
       here, is that something that you would know about?
   A.  I believe so, yes, because it would be a highly serious
   Q.  And can I ask you whether there have been any such gaps
       during the time that you have been at Fujitsu?
   A.  I'm certainly not aware of any, and I'm confident that
       I would have been told.
   Q.  Very good.  And then moving on to the next sentence, the
       duplicates.  Could I ask you the same question about
       duplicates: what would have happened?  Would you be
       aware if there were any duplicates?
   A.  Having seen Gareth's statement, I would say that
       duplicates are probably being misinterpreted here,
       because if a record goes into the audit trail twice it's
       simply two copies of the same record.  As long as that's
       dealt with, I don't think that's a problem.
   MR JUSTICE FRASER:  When you say duplicates are being
       misinterpreted here, do you mean in this document, in
       Mr Jenkins' document, or in what you are being asked?
   A.  I think here the issue is -- I clearly understand that
       the claimants are interested, my Lord, in whether
       transactions got duplicated, and I think what goes into
       the audit is a record which has come from a counter,
       different mechanisms in Riposte and also in the newer
       Horizon system.  I think what Mr Jenkins is referring to
       is that a record can be written to an audit trial twice
       and as long as you spot that and you deal with it,
       that's fine, because it is simply saying, it is
       simply: I wrote down the same thing twice.  And the
       circumstances in which I have some recollection of is
       that the audit trail got written to Bootle and to Wigan,
       our separate data centres in the days of Riposte, so
       clearly I would have a copy of a record in both Bootle
       and Wigan.
   MR JUSTICE FRASER:  I'm not sure that necessarily answers my
   A.  Sorry, my Lord.
   MR JUSTICE FRASER:  When you said duplicates are being
       misinterpreted, do you mean misinterpreted in this
       Fujitsu document, interpreted insofar as you understand
       what Mr Jenkins is saying, or misinterpreted in the
       question that Mr De Garr Robinson asked you?
   A.  I think here I'm saying that duplicates may indicate
       that an audit file has been gathered twice is --
   MR JUSTICE FRASER:  When "here" you mean the Fujitsu
   A.  In this Fujitsu document.  I think that is entirely
       consistent with what Mr Jenkins said in his statement.
   MR DE GARR ROBINSON:  "The suggestion here that duplicates
       may indicate that an audit file has been gathered
       twice" --
   MR JUSTICE FRASER:  That's what it says in the paragraph.
   MR DE GARR ROBINSON:  Yes, I have just read out the
       paragraph, I don't know why I did that.  If duplicates
       were being produced in audit extractions, is that
       something with which Fujitsu would be interested to
   A.  I think it is important to go back to understand what
       the audit trail is looking to do, and I think I would
       like to start by describing the Horizon Online system
       which I'm more familiar with, and the audit trail in my
       book is I'm trying to write down, transaction by
       transaction what is coming from a counter and I am
       keeping a record of effectively the transaction as
       entered at the counter as closely as I can possibly make
           In the Horizon Online, the big protection there is
       a thing called the JSN which is the Journal Sequence
       Number, and we use this to indicate that -- or to prove
       that I have not missed any records and I haven't got any
       duplicates.  So built into the system at the BOWL(?), we
       get a sequence of messages coming up from the counter to
       the BOWL, and these all have a JSN in them, and these
       are checked to make sure that they just increment by
           In the Riposte system, there was a very similar
       concept, but this was the message number on the messages
       coming from a particular counter, and again, by checking
       that I've got a -- what we call a dense list which says
       I've got every number accounted for, and I -- if I have
       duplicates, and they both say the same thing, that is
       just the fact that I have written something down twice
       and I imagine from what I have read in Gareth's
       statement that this obviously happened in Riposte days
       when there were data centres in Wigan and Bootle and
       I know that audit trails were written in both centres,
       but I think by then saying "Okay, I have now written
       some things down twice, but I can recognise those
       because they have the same message number", they are
       simply copies of the same thing.
   MR DE GARR ROBINSON:  My Lord, I'm at the margins of my own
       understanding of the system and I think I had better
       stop now.
   MR JUSTICE FRASER:  Well, I'm actually just go to pursue
       this on your behalf, because your question was quite
       simple and it has led to an answer of about a page and
       a quarter, so I'm just going to ask the same question.
           What Mr De Garr Robinson asked you was if duplicates
       were being produced in audited extractions, is that
       something that Fujitsu would be interested in knowing?
       And I'm unclear as to what the answer is.
   A.  Yes.  Sorry, yes, my Lord.
   MR JUSTICE FRASER:  The answer is yes?
   A.  Yes.  We would be interested in knowing because we would
       have to explain it.
           If you want to ask a follow-up question,
       Mr De Garr Robinson, you can do so.
   MR DE GARR ROBINSON:  Are you aware of -- since your time at
       Fujitsu -- I'm not asking you about Legacy Horizon now,
       but since your time at Fujitsu, are you aware of this
       issue having arisen in relation to extracting audit
       data, duplicates?
   A.  No, my Lord.
   MR JUSTICE FRASER:  Mr Green, your turn.
                  Cross-examination by MR GREEN
   MR GREEN:  I will start at the beginning of your statement,
       if I may, Mr Godeseth.  If we can look at {E2/1/1}.  You
       explain in paragraph 1 that you are employed at Fujitsu
       Services Limited as the chief architect on the
       Post Office account.
   A.  I am, my Lord.
   Q.  And you say you are authorised to make this statement on
       behalf of Post Office Limited in the proceedings.  It is
       right, isn't it, that you were first employed by
       Post Office?
   A.  I was employed by Post Office from 1987 for a number of
   Q.  Let's have a look at paragraph 5 of your witness
       statement please.  Sorry, I think we've got the wrong
       one there.  Can we get {E2/1/1}, please.
           Just look at paragraph 5 on page 1 to start with
       {E2/1/1}.  You give your employment history there and at
       the bottom of the page, after leaving the Royal Navy you
       joined Forward Trust in November 1981 to work in systems
       programming and technical support for their IT systems.
       Then if we go over the page:
           "I joined the Post Office IT department
       in November 1987 to work on a project to introduce
       technology into Post Office branches."
           What project was that?
   A.  I know it as the Thames Valley pilot.  It was a project
       to introduce -- we supported three products in those
       days, it was Girobank, DVLA and National Savings,
       a pilot in the Thames Valley area which had about 250
   Q.  Then at paragraph 6 we see you worked as the technical
       advisor to Post Office when they and the Benefits Agency
       procured the Horizon system.
   A.  That's correct, my Lord.
   Q.  It was unusual as a project; it was being procured by
       two different government bodies, wasn't it?  There was
       the Department for Social Security, Benefits Agency, on
       the one side and then there was Post Office at that time
       under Royal Mail on the other?
   A.  That's right, my Lord.
   Q.  And latterly you were then technical advisor to
       Post Office when Legacy Horizon changed to
       Horizon Online?
   A.  Correct.
   Q.  And then from 2010 you then moved from Post Office to
   A.  I did, yes.
   Q.  What occasioned that move?
   A.  I was working as a contractor for Post Office.  My
       contract came to an end, and I joined Fujitsu on
   Q.  But when you say "as a contractor", do you mean as an
       independent contractor --
   A.  Yes.
   Q.  -- rather than employee?
   A.  I joined Fujitsu initially as a contractor and then
       in November, I accepted a full-time role.
   Q.  And just so we have a vague idea, for what proportion of
       your time with Post Office were you employed, and for
       what proportion of the time were you an independent
   A.  I became an independent contractor in 2005, just as
       Impact Programme was going live.
   Q.  Just as ...?
   A.  The Impact Programme was going live.
   Q.  Can you explain to the court what the Impact Programme
   A.  The impact -- the major change in the Impact Programme
       delivered was to take out the old cash account and
       replace it with branch trading statements, but there
       were a few other changes implemented at the same time.
   Q.  Now, you effectively have worked for both Post Office
       and Fujitsu and have been involved in pretty much the
       entire history of the Horizon system in different ways,
       haven't you?
   A.  I was -- pretty much, but I was not involved in the
       early days of the roll-out of Horizon, so when
       I finished my stint on the procurement, I worked
       elsewhere in the Post Office, then came back to
       Post Office counters to deal with banking and since then
       I think my time has been pretty much with Post Office
       counters.  I had a break in 2009 before coming back for
       a short contract with Post Office counters and then
       joining Fujitsu.
   Q.  Right.  We will come to the introduction of Horizon and
       so forth in a minute, but just clarifying the
       construction of your witness statement, your first
       witness statement which we're looking at, which is the
       one of 27 September 2018, broadly covers the accuracy of
       audit data and the issue of remote access for both
       Legacy Horizon and Horizon Online, is that fair?
   A.  It is, yes.
   Q.  And at paragraph 7 of that witness statement {E2/1/2},
       if you just look at that for a moment, do you see at the
       bottom of that paragraph it says:
           "I therefore have consulted with colleagues who work
       in the areas that are covered by this statement to
       ensure that my understanding of them is correct."
           Which were the areas that you were referring to
   A.  Basically any area that I wanted to just double check,
       so I don't see it as anything specific.  I work with
       a number of people and if I'm uncertain of anything, or
       just want to check up, then I would talk to them.
   Q.  So you were sufficiently uncertain about certain things
       to have to go and speak to a number of your colleagues?
   A.  I wouldn't say "uncertain".  It is due diligence, double
   Q.  Who were the colleagues you spoke to?
   A.  Off the top of my head, I would say Steve Parker and
       a couple of guys in his area; Pete Jobson,
       Gareth Seemungal, Alan Holmes, Jon Hulme.
   Q.  Could you just help the court just in relation to each
       of those, what were the aspects they were contributing
       to your statement, could you just explain?
   A.  In Steve Parker's area, certainly there are people who
       have longer -- or recollections of how Riposte actually
       worked.  Gareth Seemungal, I talked to about BRDB and
       how Oracle works.  Pete Jobson I talked to about how
       batch systems work.  Alan Holmes knows a fair amount
       about audit.  Jon Hulme, knows the counter pretty well.
   Q.  Right, that's helpful.  Let's look at paragraph 34
       please on page 11 {E2/1/11}.  We see there "Audit data -
       Legacy Horizon."
           You say:
           "In Legacy Horizon Riposte, a messaging system, was
       responsible for storing all data in Post Office branches
       and replicating it to data centres.  As I was on 'the
       other side of the fence' ..."
           Because you were working with Post Office at the
           "... when Riposte was in use I have consulted with
       my former colleague, Gareth Jenkins, to prepare this
       section of my statement."
   A.  Yes.
   Q.  And in fact we see Mr Jenkins' name in a number of other
       paragraphs throughout your witness statement?
   A.  Yes.
   Q.  And it is fair to say that really the source of that
       information that you're giving is Mr Jenkins, isn't it,
       because you were working for Post Office at the time?
   A.  I feel I had a pretty good knowledge of how Riposte
       works, since I needed it when I was working on Impact,
       but it's absolutely the case that I would get more
       detailed information from Gareth.
   Q.  Because in a number of paragraphs -- I mean, just give
       us a couple of examples.  At paragraph 38 you say:
           "I understand from Gareth that each message included
       three key pieces of information ..."
           And if we go to paragraph 39, over the page
           "I also understand from Gareth that messages also
       had an associated 'Expiry Date' ..."
           Paragraph 41:
           "I understand from Gareth that due to the size of
       the Post Office network [they] were split into four
       separate clusters ...."
           And so forth.  Paragraph 43:
           "I understand from Gareth that the audit application
       read every record that was visible to the correspondence
       server ..."
           Paragraph 44 {E2/1/13}:
           "I also understand from Gareth that once these files
       had been written they became visible to the audit server
       which would pick them up ..."
           I'm obviously not going to keep going, but that's
       information you have obtained from Mr Jenkins, isn't it?
   A.  It's difficult to judge how much I knew beforehand, but
       certainly talking to Gareth has freshened up my
       understanding of it.
   Q.  I suggest to you it is mostly Mr Jenkins' explanations
       to you which you seem to think --
   A.  I would certainly regard Gareth as an expert on Riposte,
       having far more knowledge about it at a practical level
       than I have.
   Q.  He is the most obvious person to talk about it in
       a sense, isn't he?
   A.  Yes.
   Q.  And let's look, if we may please, at page 16 of your
       first witness statement {E2/1/16}.  This falls under
       a heading called "Balancing Transactions" which has been
       given an acronym of "BTs".
   A.  Yes.
   Q.  We will come back to that.  But just for the moment,
       just to orientate you where you are in the statement, if
       you look -- I'm sorry, Mr Godeseth, I didn't spot you
       didn't have any water.
           Just to orientate yourself in the witness statement,
       you've got:
           "A small group of Fujitsu users from the Software
       Support Centre ... (30 users) have the ability to inject
       additional transactions into a branch's accounts in
       Horizon Online, using a designed piece of functionality
       called a Balancing Transaction."
           Now, pausing there, we heard Mr Roll being
       cross-examined and it was suggested to him that within
       SSC there were about 25 members who were -- whose
       experience Mr De Garr Robinson went into with Mr Roll,
       and then five sort of super elite members, as they were
       described by Mr De Garr Robinson.
   A.  Mm-hm.
   Q.  That's a total of 30.  Is that about the same size as
       the department is now?  Is 30 users the whole of SSC?
   A.  I wouldn't know.  Steve would be able to give a far
       better -- but I -- I think there was about that number
       of people there, yes.
   Q.  So Mr Parker would be the person who knows, and you
       think it's probably about the whole of SSC?
   A.  Yes.
   Q.  So when we just look at the words:
           "A small group of Fujitsu users from the Software
       Support Centre."
           It's actually probably the whole or most of the
       Software Support Centre?
   A.  Mm-hm.
   Q.  Everyone, it looks like?
   A.  Yes.
   Q.  If we come down to paragraph 58.9, just go over the page
       {E2/1/17}, that's -- that all seems to be dealing with
       Horizon Online and then at 58.10 you say:
           "In Legacy Horizon, any transactions injected by SSC
       would have used the computer server address as the
       counter position which would be a number greater than
       32, so it would be clear that a transaction had been
       injected in this way."
           Yes?  That's what you said in that first witness
   A.  That's what I said in that statement, correct.
   Q.  Now, just pausing there, you don't say who you got that
       from, but did that come from Mr Jenkins?
   A.  Yes.  The greater than 32 came from Mr Jenkins, correct.
   Q.  So we could write in there "I understand from Gareth"?
   A.  Yes.
   Q.  And in fact if we go back to paragraph 36 on page 11
       {E2/1/11}, it is effectively mirroring the overall
       description that the node ID associated with an injected
       message would be that of the correspondence server at
       which the message had been injected, and not a normal
       counter node ID, and therefore would have been clearly
       visible in any audit data.
   A.  Yes.
   Q.  That's the same point but without using the number 32,
       yes?  It's a broader point, but it captures the point
       that you're making in 58.10 and is consistent with it.
   A.  There were a number of mechanisms for the -- I think the
       preferred route for injecting any transactions would
       always be to do it at the correspondence server.  There
       were occasions where it was necessary to inject messages
       at the counter.  I think that was the point that Mr Roll
       was making in identifying that messages had to be
       inserted to correct problems at the counter, and there
       are a few instances where clearly that happened.
   Q.  Yes.  And so can I just ask you, did you get this
       section in 36 also from Mr Jenkins, broadly?
   A.  Yes.
   Q.  And then just going forward in your third witness
       statement at {E2/14/7}, paragraph 25 -- I'm so sorry.
       If you look at paragraph 25 you say:
           "In paragraph 58.10 of my first statement I stated
       that any transactions injected by SSC in Legacy Horizon
       would have used the computer server address as the
       counter position which would be a number greater than
       32.  I have read Parker 2 and I am now aware that it was
       also possible for SSC to insert transactions with
       a counter position with a number less than 32.  I did
       not discuss this in my first statement because I was not
       aware of it."
   A.  That's correct.
   Q.  So at what point did you realise that it was not
   A.  When it was brought to my attention at the time that
       Steve was preparing his second statement.
   Q.  Were you a bit shocked about that, to find it was wrong?
   A.  "Shocked" would be too strong a word.  It was -- I was
       finding out a detail that I didn't know before.
   Q.  You were finding out a detail that you didn't know
       before in quite a controversial area, weren't you?
   A.  It was clearly an area that was going to be of interest
       because of the fact that we were inserting transactions
       into Riposte.  It was an operational necessity and it
       was done in a controlled way.  I had believed that the
       way that transactions were being injected would give
       them a counter position greater than 32 because the
       correspondence servers basically had nodes or addresses
       which were above 32, there was a special address for the
       gateway server, there was a special address for the
       extra disc in a single position branch and I had
       basically expected messages to be introduced using
       a different counter position and having read a whole
       number of PEAKs, I can quite clearly see that the
       standard practice in Fujitsu was to label something
       which was being inserted into Riposte so as to make it
       as clear as possible that it was not being done -- it
       was being done as something out of the ordinary, it was
       being inserted because of a problem.
           So we had techniques for doing that.  You could put
       in an attribute because this wouldn't be visible to
       a subpostmaster, I fully understand that, but it would
       be visible in the audit trail, when you ever come back
       to pull out the audit trail, you could put in an
       attribute to say "This was done under PEAK 75".
       Subpostmasters would never see that.  They would not see
       it in their account in their branches and I'm fully
       aware that that is the case.  It was a better audit than
       Mr Roll was alluding to when he said that it was left in
       a PINICL, because that would have been an audit which is
       separate from the actual data that we would be looking
       at should we ever need to pull stuff out of the audit
       trail and the intention was always to make it as clear
       as possible that this had been done under exceptional
           The techniques used to make it as visible to the
       subpostmaster as possible would be to put in references
       which referred to a counter that didn't exist in the
       branch, such as -- I saw a technique described in
       a number of cases which said put in a -- you know, if
       you are correcting something for counter 1, call it
       counter 11; if you're correcting something for counter
       2, call it counter 12.  These things would have been
       visible to a subpostmaster and the reason that you had
       to do it that way was to make sure that these
       transactions also got picked up and dealt with because
       these were legitimate counter numbers.
           If I start to put in data with a number which is not
       a legitimate counter number then it's going to be
       ignored by systems further down the track.
   Q.  So which were legitimate counter numbers?
   A.  Up to 32.
   Q.  Right, so you say less than 32 in your witness statement
       at paragraph 25 --
   A.  Sorry, I may have got that -- the boundary was at 32;
       whether 32 was a legitimate --
   Q.  Don't worry about that.  That's not -- that's not --
   A.  -- counter or not, I don't know.
   MR JUSTICE FRASER:  Please don't talk over each other.
   MR GREEN:  I'm so sorry.
           Don't worry about the boundary.  So the short point
       is that you learned, when Mr Parker was preparing his
       second witness statement, that it was in fact possible
       to inject transactions which a subpostmaster would not
       know about at the counter rather than at the
       correspondence server, you learned that for the first
   A.  I cannot see how a subpostmaster would not have been
       aware of these transactions being injected, because
       there's a technical rationale why the subpostmaster had
       to be in his branch -- sorry, it didn't necessarily have
       to be the subpostmaster, it had to be somebody in the
       branch who was logged on when these techniques were used
       to inject transactions at the counter and the simple
       reason is that if you didn't have somebody logged on,
       then Riposte would have generated a message with a blank
       user ID.  Riposte was responsible for actually wrapping
       the message that we were looking to insert at the
       counter, and in doing that, Riposte will tell you the
       counter ID, or technically it was a stream, it would
       pick up the user ID, it would pick up the time, so this
       was effectively the envelope which wrapped the payload
       that we were looking to inject.
           If there was no user logged on at the counter then
       Riposte would introduce a blank user ID and that would
       be picked up in later processing.
   Q.  But let's take it in stages, if we may.
   MR JUSTICE FRASER:  Just before you do.
           Mr Green is going to be putting quite precise
       questions to you.  I know it's an understandable human
       reaction to want to argue wider points, but I would like
       you to listen to his questions and answer his questions
   A.  Yes, my Lord.
   MR JUSTICE FRASER:  Right, Mr Green.
   MR GREEN:  Can we separate what you can do from what you
       have inferred was done in many cases from PEAKs you have
       looked at, and let's focus on what could be done.
           You realised for the first time that it was possible
       to inject or insert a transaction with a counter
       position less than 32 when Mr Parker was preparing his
       second statement?
   A.  Correct.
   Q.  And you knew that that was a contentious issue in this
       litigation, yes?
   A.  Yes.
   Q.  And if we can go back please to paragraph 58.10 of
       {E2/1/16}.  Go over the page please to 10 {E2/1/17}
       there it says:
           "In Legacy Horizon, any transactions injected by SSC
       would have used the computer server address as the
       counter position which would be a number greater than
       32, so it would be clear that a transaction had been
       injected in this way."
           Can we go back to the previous page just to get the
       introduction to that {E2/1/16}.  It's not immediately
       clear from this part of your statement that you got that
       information from Mr Jenkins, is it, 58.10?
   A.  Sorry, I'm looking at 58.7 here?
   Q.  Yes, I'm just showing you --
   A.  I agree, yes.
   Q.  So what had actually happened to you is that you had had
       a conversation with Mr Jenkins, he had given you the
       information on a contentious point in the litigation,
       and you had repeated it in a way that could be read as
       sounding as if you knew about it yourself?
   A.  That was certainly not deliberate.
   Q.  No, but I'm just saying that is what had happened?
   A.  I can accept that.
   Q.  And then you found out that was wrong.  Did you go back
       and talk to Mr Jenkins about it?
   A.  I don't think I have, no.
   Q.  Were you not interested to find out from him directly
       whether they always used counter numbers other than
       those in use by the SPM, rather than inferring matters
       from PEAKs as you have suggested?
   A.  I have not discussed it further with Gareth.
   Q.  So you are not in a position to comment on that beyond
       what you have inferred from the PEAKs?
   A.  I think that's fair, yes.
   Q.  Now, it would be possible, would it not, to use
       a counter number of 1, or 2, or 3?
   A.  It would.
   Q.  And if that counter number was a counter number actually
       in use by the SPM, it would appear to the SPM, from the
       records they could see, that it was a transaction which
       had been done in their branch, by them or their
   A.  Yes.
   Q.  Now, you were at Post Office at the time that
       Legacy Horizon was in use, weren't you?
   A.  I was certainly at the Post Office when Legacy Horizon
       was in use.
   Q.  You had a break, I think you mentioned earlier.  Was
       that around 2009?
   A.  In 2009 I finished my contract with Post Office counters
       in roughly June, and went back to Post Office counters
       in the following January, so I had a six-month gap.
   Q.  And apart from that were you continuously working for
       Post Office from 1987 to when you left and joined
   A.  No.  I think it's covered in my opening statement, that
       I was -- from Post Office I was outsourced to a company
       called Xansa, and then after a couple of years --
       probably two and a half years at Xansa, I decided to go
   Q.  So when you were outsourced to Xansa --
   A.  I continued in roughly the same role.
   Q.  -- you continued -- did you remain an employee of
       Royal Mail IT department outsourced, or were you
       outsourced so that you went and worked for someone else
       with a direct relationship with them?
   A.  I was outsourced from Royal Mail to Xansa as part of
       a rationalisation programme, so therefore I was employed
       by Xansa, I was paid by Xansa.
   Q.  I understand.  So apart from that period and the short
       break you had in 2009 that you have described, the
       six-month break which began in 2009, you were at
       Post Office effectively throughout the period from 1987?
   A.  I was at Post Office, I was working actively on the
       Post Office account for most of that time, but, as
       I say, once the procurement of Horizon with ICL Pathway
       had come to a sensible juncture, I did spend some time
       working with other parts of Post Office, Parcelforce,
       the Television Licence Agency and such.  So there was
       a gap in my time alongside Post Office counters.
   Q.  In the light of your time and position and role within
       Post Office, would you have been regarded as
       a knowledgeable person within Post Office about whether
       remote access of the type we're talking about was
   A.  I believe I would have been regarded as a knowledgeable
   Q.  Very knowledgeable?
   A.  Yes, I would like to think so.
   Q.  And it is your evidence to the court that you were
       completely unaware that inserting transactions in this
       way was possible throughout your time at Post Office?
   A.  To be honest, I wouldn't have actually thought about it.
       If you are looking to support a large system, then
       I think the logical conclusion is it's inevitable that
       you have to do this sort of thing on occasion.
   Q.  So if you had been asked whether it was likely that it
       would be possible, you would have said --
   A.  Yes.
   Q.  -- it's inevitable because it's a large system?
   A.  I think so, yes.
   Q.  So were you a bit surprised when Mr Jenkins told you
       when you were preparing your first witness statement
       that it would not be possible to do it unless it was
       done just to the correspondence server?
   A.  I don't think he told me that.  I think that is his --
       his description to me was a far more generic one rather
       than going into that level of detail.
   Q.  But wasn't the key point that you were giving evidence
       about whether or not it would be identifiable as not
       having been done by the subpostmaster?
   A.  I think we were really talking about messages coming in
       at the correspondence server which would therefore be
       very different from the ones coming from the counter
       which would have the lower counter numbers or node
   Q.  The short point is, Mr Godeseth, that your original
       witness statement was -- paragraph 58.10, if we can just
       look at that finally {E2/1/17}.  Paragraph 58.10 was
       clearly designed to suggest that it would not be
       possible to insert transactions as Mr Roll was
       suggesting, wasn't it?
   A.  I don't see that as the intention at all.  I think there
       I was looking to describe -- I think the intention was
       to describe that transactions injected by the SSC would
       be different from transactions done by the counter.
   Q.  Well, that's not quite what you say.  This is my last
       question on this, I think.  You say:
           "In Legacy Horizon, any transactions injected by SSC
       would have used the computer server address as the
       counter position which would be a number greater than
       32, so it would be clear that a transaction had been
       injected in this way."
   A.  Yes.
   Q.  You were specifically ruling out injection of
       transactions in a way that the subpostmaster could see,
       weren't you?
   A.  Sorry, could you repeat the question?
   Q.  That form of words you have used was specifically ruling
       out the injection of transactions in a way that
       a subpostmaster could not see?
   A.  I think there are too many negatives in this.
   Q.  The effect of what you were saying there was that any --
       we can read "all" -- transactions injected by SSC would
       have had a number greater than 32?
   A.  Yes.
   Q.  And that would make it clear that a transaction had been
   A.  Yes.
   Q.  What you were trying to say by that was it was not
       possible for transactions to be injected which would not
       be clear that they had been injected?
   A.  I would still say that transactions that have been
       injected are clearly identifiable, albeit there may be a
       convoluted route to identifying them.
   MR GREEN:  My Lord, is that a convenient moment?
   MR JUSTICE FRASER:  I think it probably is.  We will come
       back at 2 o'clock.
           Mr Godeseth, you are in the middle of giving your
       evidence so you're not allowed to talk to anybody about
       the case over the short adjournment.  Come back at
       2 o'clock.
   (1.03 pm)
                    (The luncheon adjournment)
   (2.01 pm)
   MR GREEN:  Mr Godeseth, can we look at the introduction of
       Horizon itself, paragraph 6 of your witness statement at
       {E2/1/2}.  We have mentioned already you were technical
       advisor in the procurement of the Horizon system and
       touched on the fact that it was unusual because it was
       two different government entities.
           It was not uncontroversial, this project, at the
       time, was it?
   A.  Sorry, it was -- certainly it was an interesting project
       to be working on, so I'm not sure ...
   Q.  Well, let's take it in stages.  It encountered quite
       a lot of difficulties as a project, didn't it?
   A.  Yes.
   Q.  And its sort of birth as a system was not entirely easy,
       is that fair?
   A.  I think that probably the relationship between Post
       Office, Benefits Agency and the contractual situation is
       fairly well-known, yes.
   Q.  And if you can very kindly look at {F/70} as an example.
       This is a Computer Weekly article, 1 November 2000, and
       you will see there it says:
           "The infamous 1996-1999 Pathway project aimed to
       computerise the nation's post offices and tackle benefit
       fraud.  But 18 months later, after losing millions and
       destroying reputations a credible IT project has
           So although, as we will see, the problems were
       well-known, as you have fairly accepted, a credible IT
       project did emerge from it?
   A.  Mm-hm.
   Q.  Which was what we now know as Horizon?
   A.  Yes.
   Q.  And the article then, in paragraph 2, notes:
           "It was one of the largest roll outs in Europe~...
       despite its complexities, it is now running smoothly, on
       time and to budget."
           That was the impression they had.  And the NAO had
       had some concerns about money wasted on the aborted
       attempt for the swipe card system, yes?
   A.  I must admit I have no recollection of what the swipe
       card system would have been, but ...
   Q.  Do you remember that the focus of the project changed as
       it went along?  It was originally going to be very high
       levels of security for the direct payment of Social
       Security benefits through the system and then in the end
       the DSS pulled out and --
   A.  I certainly recall that the Benefits Agency pulled out.
   Q.  And a deal was done with Fujitsu to carry on with just
       the Post Office --
   A.  Yes.
   Q.  -- as a contracting party.  If we look at the reason
       that the Select Committee on Trade & Industry was
       looking at it in July 1999, if we look halfway down the
       page you will see:
           "At a hearing of the Select Committee on Trade &
       Industry in July 1999, two months after deciding to
       cancel the swipe card, and causing massive monetary
       loss, three cabinet ministers leaned heavily towards
       blaming the supplier, ICL Pathway, for the disaster."
           Now, there was -- I think you have hinted at it,
       that the relationships were not very easy, is that
       a ...?
   A.  There were some very fascinating tensions going on, yes.
   Q.  Yes.  And there was some dispute over the terms on which
       Fujitsu would carry on with a project that they had
       anticipated and agreed would be both for two clients
       essentially, with just one?
   A.  Yes.
   Q.  And so the deal that was done with Fujitsu at that stage
       was one which in some senses compensated Fujitsu for
       losing the DSS?
   A.  I can't comment on that.  I didn't know about the
       contractual situation at that point.
   Q.  Now, in your paragraph 12 you say Fujitsu began a pilot
       of the system in 1996 and it was rolled out across the
       Post Office network between 1999 and 2000.  At that
       stage, the pilot was still for the Post Office and the
       Benefits Agency, wasn't it?
   A.  I honestly don't know.  The objective of the original
       Horizon system was very much to replace what was then
       the mechanism for issuing pensions and such-like, which
       was an order book, you would get 13 slips in it and --
       so my recollection is that this was what we were looking
       to replace.
   Q.  And if we go to {F/3} please.  That is the ICL Pathway
       Technical Environment Description, do you see that?
   A.  Yes.
   Q.  At that stage I think ICL -- Fujitsu had a majority
       shareholding in ICL, but only became a 100% shareholder
       in 1998, is that right?
   A.  I honestly don't know.
   Q.  You're not sure, no.  If we look at page 9 of that
       document please {F/3/9}, we can see references there.
   A.  Sorry, I'm looking at page 8 at the moment.
   Q.  Oh, you should have page 9.
   MR JUSTICE FRASER:  I think you are looking at page 9.
   A.  Okay, at the bottom it says --
   MR GREEN:  Internal page 8 at the bottom, but at the top,
       electronic page 8 --
   MR JUSTICE FRASER:  No, electronic page 9.
   MR GREEN:  I'm sorry, electronic page 9.
           "References", you can see who was involved there.
       If you look at the bottom of the references you see
       "Agent Architecture - Gareth Jenkins."
   A.  Yes.
   Q.  Is that the same Gareth Jenkins we have been mentioning?
   A.  Yes.
   Q.  And if we look at page 92 please {F/3/92}, you will see
       under the heading "Migration":
           "This section describes the mechanism by which the
       Outlets that take part in the Limited Go Live will be
       integrated into the Pilot Roll-out."
           So there were two sort of phases of that, weren't
   A.  Again, I don't have any personal recollection of this
       because I wasn't involved at that time.
   Q.  You didn't have any involvement in this bit?
   A.  No, no, no, for the actual roll-out of it, I was not --
       I was off doing other things.
   Q.  What were you doing at that time?
   A.  Parcelforce, SSL, as they were known, who were the TV
       licence guys in Bristol, Post Office Group.
   Q.  Okay.  Let's just look under "Background" you will see:
           "The 10 Outlets that take part in the~... Go Live
       use early versions of the solution.  This includes the
       counter PC ..."
           Which we now know as the Horizon terminal?
   A.  Yes.
   Q.  "... the BPS application suite ..."
           What's that?
   A.  I don't know.
   Q.  Might it be business process systems?  You don't know?
   A.  It could be, but I --
   Q.  "Riposte etc"?
   A.  Riposte I recognise, the rest I don't.
   Q.  Okay.  And if we go please to {F/3/92} -- sorry, I think
       we may have a misreference there.
           Let's go to {F/299} please.  Now, this is a document
       that begins the migration to Horizon Online --
   A.  Yes.
   Q.  -- and what's contemplated.  Pausing there, by the time
       you were advising in relation to this, you were aware
       that there had been a number of problems with the old
       legacy system that we have seen in many of the PEAKs.
   A.  HNG-X was very much geared -- or HNG as it started
       off -- was geared at refreshing the solution.  I don't
       remember it being seen as fixing a whole load of PEAKs,
       it was simply seen as refreshing the system.
   Q.  Yes, but pausing there, I -- my question is quite
   A.  Sorry.
   Q.  Did you have any awareness of any problems that had been
       encountered with Legacy Horizon by the time that you
       were advising in relation to migration to
       Horizon Online?
   A.  I will have been aware of some at the time but
       I honestly cannot remember any major issues that I was
       dealing with, but because of the work I was doing,
       because I was having to ensure that Post Office could
       continue to deliver change and whatever, I would have
       been aware of it, yes, certainly.
   Q.  Okay.  So important PEAKs would have been drawn to your
       attention under Legacy Horizon, you think?
   A.  I believe so, yes.
   Q.  And when we look at the aims of the HNG-X plan, this is
       dated 21 September 2005?
   A.  Yes.
   Q.  Can we look at page 10 please {F/299/10}.  This is
       a document that you would have known about, isn't it, in
       all likelihood?
   A.  I was certainly involved at this stage, yes.
   Q.  And you will see that the -- under 1.4 you will see:
           "While Post Office has considerably increased
       expectations on cost reductions, the organisation has
       also become substantially more open to operational
       changes.  Post Office has clearly indicated that
       aspirations to a more retail-type IT spending are
       matched with the acceptance of more retail-type
       operational practices."
           And then:
           "The original business case for HNG within
       Post Office was based on a balance of cost reductions
       and improved capabilities.  The new business case is
       almost entirely based on cost reductions".
           Now, that was accurate at the time, wasn't it?
   A.  I didn't write it, but I'm not going to argue the case.
   Q.  And if we look at page 13, paragraph 3.1.1 {F/299/13} we
       see under "Assumptions":
           "The fundamental assumes is that Post Office will
       accept a solution based on the business capabilities
       that the solution provides and will not insist on being
       involved in the technical and technology aspects.  This
       will require Post Office to fully engage with suitable
       empowered personnel in these initial stages and to have
       in place assurance and decision-making processes that
       align with the time/cost boxed programme milestones."
           Now, just pausing there, effectively what is being
       said is that Post Office was not insisting on being
       involved in the technical and technology aspects, is
       that correct?
   A.  Certainly it was looking for a more arm's length
       relationship, sir, yes.
   Q.  A more ..?
   A.  Arm's length, I think.
   Q.  Arm's length?
   A.  Yes.
   Q.  If we look at page 16 of this document please
       {F/299/16}, do you see under 4.0 "Business
   A.  Mm-hm.
   Q.  "In order to reduce the overall application development
       costs within HNG-X, substantial reuse of data centre
       application components is proposed."
   A.  Yes.
   Q.  That's correct, isn't it?
   A.  Yes.
   Q.  That's what was proposed and what was done:
           "The Legacy Host database applications (TPS, APS,
       LFS, DRS and TES) are to remain largely intact."
           Can you remember what they were?
   A.  TPS is transaction processing system, AP is automatic
       payment system, LFS is logistics feeder system or
       service, DRS is data reconciliation service, TES is
       transaction enquiry service.
   Q.  Thank you.  And they were remaining largely intact:
           "The online interfaces (~... Banking Streamline and
           What was ETU?
   A.  ETU is electronic top-up.  It's paying for your mobile
   Q.  "... will be modified to provide a Web Service interface
       in place of Riposte messaging together with
       a simplification of the security mechanisms."
   A.  Yes.
   Q.  That's a fair summary of the matters that it deals with
   A.  Yes, I think so.
   Q.  Now, that was recycling quite a lot of application
       components, wasn't it?
   A.  Yes.
   Q.  And if we look at page 23 of this document {F/299/23}
       you see in the second paragraph:
           "There will be minimal change to legacy
       applications.  LFS, DRS and TPS will incorporate new
       harvesters that will extract transactions from the
       Branch database rather than the message store."
           And that reflected the change that was going to be
       made because the data would no longer be held in the
       message store in branch, it would be held in the branch
       database, the BRDB?
   A.  That's right.
   Q.  "APS will be modified such that it extracts
       transactional data directly from the TPS stream and this
       reduces the need for much of the AP-TP reconciliation."
           Can you just tell the court what the AP-TP
       reconciliation is?
   A.  AP is responsible for sending transactions off to
       clients; TP is responsible for sending transactions to
       basically Post Office back-end systems.  The
       reconciliation was there to make sure that if you sent
       something to the back -- to a client, it was also being
       sent through to the Post Office back-end systems.
   Q.  Okay.  Then it says:
           "No other rationalisation is proposed to the data
       centre applications as part of HNG.  A phase II
       rationalisation programme is not deemed to be part of
       the HNG-X project and must be separately justified at
       a later stage."
           What was phase II, do you know?
   A.  I don't think there ever has been a phase II.  We're
       currently making changes which will probably get rid of
       things like -- or certainly reengineer things like DRS
       and LFS.  TPS is still there, but pretty nearly
       redundant, so nothing that I would recognise as
       a phase II rationalisation process.
   Q.  Okay.  And if we look at {F/451} please, this is the
       HNG-X testing strategy.  The document is dated
       10 April 2008 and can we just go to page 10 please
       {F/451/10}.  Now, if you look at the third paragraph
           "It has been recognised for some time that this
       architecture, whilst providing an extremely robust
       operational solution, was not ideally suited to the very
       different business and technology drivers that prevail
           Now, we see "robust" as a description of the
       solution in lots of places in lots of documents, both at
       PO and Fujitsu, and it's a term that you're very
       familiar with, isn't it?
   A.  Yes.
   Q.  The latter part of that sentence is saying it is not
       ideally suited to the very different business and
       technology drivers that prevail today and it goes on and
           "In addition, in common with many elderly systems
       that have been subjected to a succession of major
       changes, it has become increasingly difficult to make
       those changes, and expensive to operate."
           Now, that's a fair description of how the system
       originally was perhaps designed jointly with the DSS at
       the beginning and launched and then over the years,
       between then and 2008, there have been lots of sort of
       bolt-ons and additional things that have been changed on
       the system, haven't there?
   A.  Yes, I think that's fair.  The major one probably in my
       mind would be banking.
   Q.  And if we look at the fourth paragraph down, three lines
       down please:
           "The main drivers were to create a solution that was
       more responsive to business change (faster time to
       market), and more efficient to operate, maintain, and
       enhance, thus providing lower Total Cost of Ownership
       (TCO).  However, HNG was ambitious, projected costs were
       high, and the benefit realisation profile was unclear.
       In particular, HNG had been predicated on expecting
       a high rate of future business change for the system.
       Emerging business strategy in the Post Office indicated
       that this was uncertain and could not be relied upon
       sufficiently to support the proposed business case.  As
       a result HNG was suspended in the summer 2005."
           Yes?  Can you remember that happening, the project
       being suspended at that point?
   A.  Yes.
   Q.  And if we now look at what is being proposed, the bottom
       paragraph of section 1.1 on {F/451/10}:
           "The HNG-X programme proposes a somewhat less
       ambitious re-engineering of Horizon, without the branch
       network hardware refresh ..."
   A.  Yes.
   Q.  "... and with the focus squarely on reduction of the TCO
       [total cost of ownership].  The principal drivers for
       the HNG-X programme are to deliver a solution that
       significantly reduces the TCO, whilst maintaining
       'Business Equivalence' (ie the HNG-X solution is to
       provide effectively the same business capability as the
       existing Horizon solution, but cost less to operate and
           Now, is that a fair summary?
   A.  I can't argue with it, certainly.
   Q.  Can we look, please, at {F/555}.  This is a Post Office
       online induction training presentation.  Can we go to
       the next page of that please {F/555/2} and the course
       aims are to:
           "... give you all the information and skills that
       you will need to successfully support a branch from
       Horizon to Horizon Online."
           So this is actually an internal Post Office
       document, it appears, and if we look at page 10 please
       {F/555/10}.  This is Horizon's current state:
           "13 year old design and technology to satisfy
       a different business.
           "Slow and expensive to use.
           "Evolved rather than designed - a consequence of
       which is a robust service but complicated to change."
           Do you see that?
   A.  Yes.
   Q.  Now, the comment on it being a 13-year-old design and
       technology is fair, isn't it?
   A.  Yes.
   Q.  The comment on it being slow and expensive to use is
       fair, as at that date, or do you feel a bit conflicted
       because you now work for Fujitsu?
   A.  I know that Post Office regarded this as expensive and
       they also regarded it as slow to change.  I personally
       didn't necessarily go along with that because there was
       a -- there's an AP-ADC product which since I was
       involved in Post Office at this time, AP-ADC was my way
       of being able to carry on making business changes whilst
       we were going through this particular phase, so yes,
       I feel slightly conflicted because I know that the
       Post Office high-level view was that you couldn't make
       changes to Horizon, whereas I was busy -- you could
       do -- there were certainly changes you certainly could
       not do, but my feeling was that we could continue to
       support the business, they could continue to take on new
       clients using this facility, AP-ADC.
   Q.  Okay, well, have a look at the four lines at the bottom
       of the page if you would and see whether you think this
       is fair:
           "Horizon is also a system that's wrapped up in
       'barbed wire' -- making changes difficult and costly --
       test everything!"
           Is that an understandable observation?
   A.  I think that I would see that from Post Office
       perspective but, as I say, my personal view on this was
       that I could still make changes by getting AP-ADC
       scripts through, but there were certainly some things
       that yes, if -- there were some things that would have
       been very difficult to change at that time.
   Q.  If we look at -- if we just go back if we may please to
       {F/451} which is the HNG-X testing strategy of
       10 April 2008.  If we look at page 33 of that document
       please {F/451/33}, paragraph 2.2.6, "Migration Complex
       and Critical":
           "The system and data migrations required for HNG-X,
       both at the Data Centres, and at the branches (which
       continues branch by branch throughout the roll-out
       period), are absolutely fundamental to the success of
       the deployment.  It is a complex area requiring careful
       and detailed planning.  Thorough verification and
       validation will be essential."
           Now, that's fair, isn't it?  I mean, that's what you
       would expect to see, yes?
   A.  Yes.
   Q.  And if we look at the bottom two paragraphs of that
           "Migrated data should be introduced into the
       mainstream tests as soon as practicable, interleaving
       migration tests with functional test cycles."
           And then:
           "Full-blown rehearsals of the detailed migration
       plans must be completed prior to Pilot."
   A.  Yes.
   Q.  So what this envisages is that before the pilot is done,
       there must be full-blown rehearsals of detailed
       migration plans to try and see if there are any problems
       or difficulties.
   A.  Yes.
   Q.  Now, in fact, the pilot had to be stopped, didn't it?
       Do you remember that?
   A.  Yes.
   Q.  Let's have a look, please, at {F/588}.  This is PEAK
       PC0195380 and you can see it is created apparently on
       2 March in the top box under "Progress Narrative",
       and --
   A.  This is which year, sorry?  This is 2010, yes.  Yes.
   Q.  Sorry, I think I've got the wrong reference there, wait
       a minute.  Just give me one second.
           I will come back to that in a second, if I may.
       I think we may not have the correct reference.
           Let's go forward, if we may, to {F/614} and this is
       the Horizon Online Programme Update.  Who was
       Mark Burley?
   A.  Mark Burley was my boss whilst I was working on the
       preparation for HNG-X.
   Q.  And how long had you worked with him?
   A.  On this -- I knew him way before I started working with
       him.  On this project I guess I was working for him for
       a year, a year and a half.
   Q.  And if we look, please, on that document at page 4
       {F/614/4}, we can see Horizon Online status:
           "614 branches live on Horizon Online (plus 8 Model
   A.  Yes.
   Q.  And then do you see:
           "High Volume Pilot suspended."
   A.  Yes.
   Q.  And:
           "NFSP raised concerns but remain supportive."
   A.  Yes.
   Q.  And can you remember that the NFSP had raised concerns
       about the problems that people were having in the pilot?
   A.  No, I can't, because at this stage -- this is early
       2010 -- at that time I was actually -- I was back in the
       Post Office working on a different project and so this
       was happening around me, but I was concentrating on
       something which was called SMTS.
   Q.  Okay, so you weren't in touch because you had only just
       come back I think, hadn't you?
   A.  I had just come back into the Post Office to work on
       this specific --
   Q.  In March?
   A.  No, sorry, I came back in January.
   Q.  Came back in January?
   A.  I came back to the Post Office in January to work on
       small money transfer service.
   Q.  Okay, at the bottom of that slide we see:
           "Fujitsu initiated 'red Alert' and independent
   A.  Yes.
   Q.  What did you -- did you know what a red alert from
       Fujitsu meant at the time?
   A.  I certainly would have done and when I moved across to
       Fujitsu, we were in red alert.
   Q.  So when you moved to Fujitsu they were in a state of red
       alert on this project?
   A.  Yes.
   Q.  And were there different codes for the colours of alert?
       Were there other alerts, amber alert?
   A.  You have got me on that one, but I'm sure there were.
   Q.  Can we infer from "red alert" that it is quite serious?
   A.  Oh, it was very serious.
   Q.  And can you tell his Lordship why it was serious?
   A.  There was an issue with Oracle which was the biggest
       problem, but clearly there were other problems going on
       at the same time because it was a brand new system, but
       the big one was an Oracle issue which I got involved in.
   Q.  Can you remember some of the other problems that were
       happening at the time?
   A.  I have to admit, I was focused on the Oracle problem.
       I was new into Fujitsu.  In that sense I was finding my
       feet and trying to work on the big one.
   Q.  Fair enough.  Can we go back to {F/588} please.  This is
       the same PEAK I think I identified, PC0195380, and can
       we go to page 4 of that PEAK please {F/588/4}.  Now, can
       you see in the box under 5 March 2010 at 08.03.08,
       second box down?
   A.  Yes.
   Q.  Under -- it says:
           "We have received notification from POL regarding
       the problems at this office.  PSB ..."
           Do you know who PSB was, or what it was?
   A.  No, I don't think it's a person.  I don't know what PSB
       means.  It is possibly "Please see below" but ...
   Q.  Okay:
           "On the 1st of March at the close of business we
       found that on node 5 the cash was short of £1,000.  All
       of the figures for that day match the figures presented
       at the time of each transactions.  An instant saver
       withdrawal of £1,000 was transacted that day, but I was
       unable to find this transaction using the online report
       facility.  I feel very anxious as I believe a system
       error has occurred at the time of this transaction."
           So this seems to be being relayed from what the SPM
       has rung up about:
           "On the 2nd of March a transaction for a cash
       withdrawal was completed where the system commanded
       a member of staff to issue the money to the customer on
       screen but the receipt printed for that transaction
       printed out a decline slip.  The customer was honest
       enough to bring back the decline receipt a day later
       with the money."
           "On the 2nd of March on node 5 a £220 cash deposit
       was authorised on screen but twenty minutes later the
       customer brought back a receipt that stated the
       transaction had declined.  We contacted the NBSC as and
       when the customer produced the receipt.  The NBSC stated
       that the transaction approved on the system and had no
       idea why the money was not deposited and why the decline
       slip was printed."
           Now, pausing there, was this something that you
       would have been aware of in March 2010 or not?
   A.  No, I was in the Post Office at that time and so
       I wasn't involved in this bit.
   Q.  What were you -- you were in the Post Office at that
       time ...?
   A.  I was working in the Post Office on a separate project.
       I had just come back in on a new project, on a new
   Q.  But you were someone who had been working a lot in
       relation -- was very knowledgeable about Horizon?
   A.  Yes.
   Q.  Did any of this come to your knowledge?
   A.  No.
   Q.  And if we see then:
           "A rem was scanned in our system and all figures had
       doubled up.  The helpline team was notified at the time
       to which they seemed more confused as to why it happened
       than me!"
           In your time prior to going off in 2009, had you
       sort of encountered difficulties of this sort in other
   A.  No, this is a problem with Horizon Online, so this is
       a problem with the new system.  I had -- at the time
       that I finished my contract with Post Office, we were
       gearing up for starting the migration process but the
       big bit that concerned me most was the moving stuff
       across from one data centre to another.  This bit, the
       counter migrations, was just kicking off in May 2010, so
       okay, the figures there say that we had 600 branches,
       I think you said there.  So in May 2010 when I was back
       on the scene but this time on the Fujitsu side, we were
       in red alert, we did have a big problem with Oracle, we
       were having to recover the situation so as to get ready
       to carry on with the counter roll-out.
   Q.  Now if we look -- I apologise, I haven't got time to
       take you to all of it, but there are quite a number of
       apparent problems that they are wishing to raise, aren't
   A.  I think this is the BT one, isn't it?  Does this one end
       up with the branch transaction -- or the balancing
       transaction, sorry?  This looks to me as though the
       dates are about right for the balancing transaction,
       but -- yes, I think there were -- there certainly were
       issues with the software in the early days of HNG-X.
   Q.  Yes.  And that doesn't come leaping out of your witness
       statement, does it?
   A.  No.
   Q.  And you know that his Lordship is trying to determine
       how well the system worked over this period, don't you?
   A.  Yes, that's fair enough.
   Q.  And is there a reason why there isn't really any
       reference to the problems with the system in your
       witness statement?
   A.  I was looking to give an overall explanation as to how
       Horizon works.  Obviously I was asked to pick up on
       a number of specific problems that have been experienced
       in the life of Horizon.  There certainly were problems
       to be dealt with in the early days of Horizon Online.
   Q.  Now, at paragraph 13 of your witness statement you say
       horizon Online was the biggest overhaul.  That's at
       {E2/1/3}, but:
           "~... continuous and iterative updates to the system
       over its life."
           You mention those as well, yes?
   A.  Sorry, could you remind me where we are?
   Q.  Sorry.  If you look at paragraph 13 of your witness
       statement, you talk about the migration to HNG-X --
   A.  Yes.
   Q.  -- or Horizon Online, that's the same thing?
   A.  Yes.
   Q.  And you say this:
           "This was the biggest overhaul in the Horizon
       infrastructure that I can recall, although there have
       been continuous and iterative updates to the system over
       its life."
           Now, pausing there, we have seen that quite a number
       of the system components remained the same, didn't they,
       from legacy days?
   A.  Yes.
   Q.  And we have also -- you have very fairly accepted that
       there were lots of additions made to the system over its
       life; yes?
   A.  Yes.
   Q.  Now, isn't HNG-X, or Horizon Online, an end of life
       version of the Horizon system rather than
       a reinvigorated and rejuvenated version?  Is that fair?
   A.  No.  Horizon Online is -- the components that were
       introduced by Horizon Online is the branch database, new
       technology for communication between the branches and
       data centres, so that was moving to an online system
       which is a radical change to the -- it's a radical
       change to the architecture compared to Riposte and there
       are -- the communications technology change was pretty
       dramatic in terms of moving from ISDN to what we have
       now -- or, sorry, to ADSL, which is -- so it was a big
   Q.  Can I pause there.  The communications changes that you
       mention are significant, aren't they, because there have
       been quite a lot of communications problems with the
       legacy version of Horizon?
   A.  Yes.
   Q.  And --
   A.  Sorry, the legacy version of Horizon was far more
       susceptible to communication glitches.
   Q.  Exactly.  And so there were two improvements in that
       respect: the susceptibility to communication glitches
       was reduced, and also the quality of the communications
       infrastructure was improved, is that fair?
   A.  Yes.
   Q.  Can we now look please at {F/1663}.  This is an IT risk
       management document from Post Office and it is dated
       20 July 2017.  Now, can we look at page 6 of this please
       {F/1663/6}.  Can you see under the "Where we are now"
           "There is increased risk in our Branch technology
           "The ~... (HNG-X) platform is end of life ..."
   A.  Yes.
   Q.  "... and is running on unsupported Windows software,
       therefore needs replacing ..."
   A.  Yes.
   Q.  This is 2017?
   A.  Yes.
   Q.  Is it fair to describe it in these terms as at the date
       of this document?
   A.  Absolutely.
   Q.  "Branch counter technology is aged and unreliable, with
       frequent hardware failures, resulting in branch
           Is that fair?
   A.  Yes, I think so.
   Q.  "The branch IT network service (ISDN) provided by
       Vodafone will be switched off on 30 September 2017 and
       therefore needs transitioning."
           That's a different observation relating to an
       external comms change.
   A.  The ISDN bit was a small number of branches where -- and
       I can't remember the numbers, but there was a relatively
       small number of branches that were still running on ISDN
       because you could not get ASDL there.
   Q.  Yes.  So that's in the -- in the hierarchy of those
       points, that's the least important, isn't it?
   A.  Indeed.  The straight case is that the platform was
       running on NT 4 and any technologist would tell you that
       that was too old, but it continued to work surprisingly
   MR JUSTICE FRASER:  That's the Windows NT 4?
   A.  Yes.
   MR GREEN:  And under the "Mitigation" heading we see:
           "Accelerated plans to transition from HNG-X to
       updated HNGA ..."
           And that's going to run basically on Windows 10, it
       doesn't say it there, but that was the plan, wasn't it?
   A.  Well, HNGA has now been installed and it is, as you say,
       running on Windows 10.  At this stage I suspect the
       target was Windows 8, but that's irrelevant.
   Q.  Yes.  In fact, you mention on page 4 of your witness
       statement, if we can go to {E2/1/4} -- you mention in
       the footnote there:
           "HNG-X is being replaced by HNG-A.  There is no
       functional difference between the two: HNG-A refers to
       an implementation of the same counter code as is used in
       HNG-X to run on a Windows 10 device (whereas HNG-X
       counters are NT4 devices)."
   A.  Yes.
   Q.  Yes?  But there's not an explanation to anyone reading
       this witness statement of the sort of state of the
       technology in the terms that we have just seen in your
       witness statement?
   A.  That's a fair point.
   Q.  And in terms of the roll-out, did the first wave begin
       in about February 2017, is that right?
   A.  For HNG-A?
   Q.  Yes.
   A.  I can't really remember.  The roll-out of HNG-A was not
       really a Fujitsu problem.
   Q.  Who was handling that?
   A.  There were two aspects to the roll-out of -- there were
       two aspects of roll-out.  The network was moved from
       Fujitsu to Horizon and then the counters -- the actual
       hardware running HNG-A is supported by Computer Centre,
       so the software that runs in the counter is still
       Fujitsu's and so that's -- so we provide the software to
       Computer Centre, they wrap it up, they send it to the
       branches now.
   Q.  Can you remember roughly when that handover started, or
       took place?  When did Computer Centre become responsible
       for it?
   A.  You mentioned the date in 2017, that rings true.
   Q.  If we have a look -- we don't necessarily know the
       answer at all, but {F/1710.1}.  Let's look at the front
       first, "Post Office Limited audit planning report"; do
       you see that?  And if we go to page 24 of that report
       {F/1710.1/24}, you can see -- it is quite small writing,
       but under the first yellow bullet point:
           "Branch tech refresh - HNG-X in branches will be
       replaced by HNG-A in phases, the first wave started
       in February 2017."
   A.  I'm --
   Q.  You may not know.
   A.  I'm certainly not disputing that.
   Q.  Thank you.
           Can we now turn please to paragraph 17.1 of your
       witness statement in relation to data sources, that's at
       {E2/1/4}.  You have identified what the sources of
       transaction data are and can we just identify this in
       a little bit more detail please:
           "The vast majority of transactions are manually
       entered by user in branch at the counter, by pressing
       icons on the touchscreen, keying in the transaction on
       the keyboard, scanning a barcode, scanning a magnetic
       card or some other manual interaction with the system.
       These are referred to as 'counter transactions'."
   A.  Mm-hm.
   Q.  Then transaction corrections, as you understand it:
           "... they are produced when Post Office compares the
       data entered into Horizon by branches with data
       generated from other sources in order to identify any
           You say there "as I understand it", that's because
       it's not something that you knew that much about when
       you were at Post Office?
   A.  I know the general principles of it, but I certainly
       wouldn't know the detail of how TCs are generated.
   Q.  And it says:
           "TCs are sent to the branch via Horizon."
           And there is a footnote:
           "TCs are incepted in Post Office's POLSAP system
       before being communicated to Horizon, via TPS to the
           Was that something you knew yourself or something
       somebody assisted you with?
   A.  Sorry, where are we now?
   Q.  Footnote 2, explaining how they are generated.
   A.  I'm only seeing footnote 1.
   Q.  If we go over the page, sorry. {E2/1/5}.
   A.  I know that they come from POLSAP.
   Q.  And how they are communicated via TPS to the BRDB, did
       you pick that up from someone else or ...?
   A.  I could work that out for myself.
   Q.  Did you, or did someone else tell you?
   A.  In this case I would have checked it, yes, so ...
   Q.  With Gareth or ...?
   A.  No, this would be more a Pete Jobson one.
   Q.  Okay.  And you say "then accepted by a user in branch".
       You don't know what's involved in that, do you?
   A.  I understand the principle because TCs were first
       introduced in Impact, which I was involved with, and
       I remember we had the conversations as to how TCs would
       go into the branch and we were very clear that the
       postmaster had to be aware, hence the mechanism that
       I have seen described, which is they are presented with
       the TC, they have to settle, they are given various
       options on how to settle.
   Q.  Yes.  So why did -- you were involved in that design?
   A.  Yes.
   Q.  Why was there no dispute button?
   A.  That was a Post Office decision.
   Q.  Can you remember what the pros and cons that they had in
       mind were when they made the decision?
   A.  I think the basic argument was that disputes -- we
       wanted the flow of data through the system as quickly as
       possible because that keeps our books tidy and it was an
       inference that there was always the -- you had to press
       a button to take things through, but then you would pick
       up the phone to NBSC and say that wasn't right.
   MR JUSTICE FRASER:  Were you involved in the discussion
       about that, or were you just told there wasn't going to
       be a dispute button?
   A.  I would say that I was aware.  I wasn't particularly
       engaged in the conversation.  I regarded that as
       business processing, my Lord.  There is a precedent to
       this which is technically very similar, which is
       auto-rems, which I was also involved in, where the whole
       process changed so to save the subpostmaster having to
       key in the amounts in each pouch, they were presented
       with a screen which said "The amounts coming in are
       this, press this button."  I would like to remember, but
       I can't be certain, that at that point there was
       a message to say "If you disagree, phone up the help
       desk", but again the principle was there to say "This is
       the right figure, accept it and then argue the case
   Q.  Then we look at "Equipment located in a branch other
       than a Horizon terminal."  You say it:
           "... is required for some transactions, such as
       a Camelot terminal for lottery products and a Paystation
       terminal for some bill payments."
           And the point you make there is that these bits of
       equipment communicate information direct to a client or
       other supplier, who relays that information to
       Post Office, or Fujitsu on Post Office's behalf, who
       then send a transaction acknowledgement to the branch
       via Horizon.
           So can we just pause there.  Can we trace how
       a piece of information gets from a scratchcard
       activation into the various repositories of information,
       so tracing it through in accordance with what you have
       said there, there's a piece of equipment, namely the
       lottery terminal, and the SPM activates some cards on
       the lottery terminal, yes?
   A.  Yes.
   Q.  That information is then relayed directly to Camelot,
       the client?
   A.  Yes.
   Q.  And Camelot then in turn relay that to the Post Office,
       or Fujitsu on the Post Office's behalf, just following
       your witness statement.
   A.  My apologies -- well, apologies for that being unclear.
       In the case of Camelot, the data goes to the Credence
   Q.  Okay.  So the Camelot data goes to Post Office's
       Credence system?
   A.  Correct.
   Q.  And then that then automatically engages with Horizon to
       send through a transaction acknowledgement to the branch
       via Horizon?
   A.  Yes.  We receive a file from Credence which then gets
       loaded into the branch database, then makes its way down
       to the counters.
   Q.  Yes.  So the information going into the branch database
       is in fact in this case information that has come via
       a third party and back in?
   A.  I don't see it in quite those terms.  I see it as we
       have received data which goes into the branch database,
       so we -- the Horizon system knows absolutely nothing
       about it until this file appears.
   MR GREEN:  Precisely.  So just reputting that question --
   MR JUSTICE FRASER:  It might be because you said "via".
   A.  Sorry, I think that's probably the case, my Lord.
   MR JUSTICE FRASER:  Is that the part of it --
   A.  I think so, my Lord, yes.
   MR GREEN:  That's my fault.
   MR JUSTICE FRASER:  Do you want to just clear it up?
   MR GREEN:  Yes.  So the journey that immediately is seen by
       Horizon is information coming in from Camelot --
   A.  Yes.
   Q.  -- via Credence, is that fair?
   A.  It comes in and we know it is coming from Credence, yes.
   MR JUSTICE FRASER:  So it goes: Camelot terminal in the
       branch, to Camelot, to Credence, to Horizon?
   A.  Correct.
   MR GREEN:  And because it has come into Credence, it then
       goes into the branch database?
   A.  The branch database is the holding place where we put
       this data so that it is -- it's not technically sent to
       the branches but -- well, I suppose it is, because at
       the appropriate point the data comes from the branch
       database to the counters.
   Q.  Yes.  So when someone turns on their terminal in the
       morning and logs on, they have some TAs on the screen?
   A.  Yes.
   Q.  And they have no choice but to accept those?
   A.  I don't know whether they have the option to stop them,
       but I think the principle is certainly right, that the
       TAs are going down there with the expectation that they
       have to be -- that they will be accepted.
   Q.  Just so you know, it is not controversial that they
       don't have a --
   A.  No, that's fine.  Thank you.
   Q.  It's at that point that they enter the branch accounts?
   A.  Yes.
   Q.  And that is the data that is then captured by the audit
   A.  Yes.
   Q.  And that's true -- with minor differences but
       substantially correct -- for the other items of
       equipment that you have in mind in paragraph (c)?
   A.  Yes, the difference is that the Paystation data comes
       from Ingenico to us.  We load it into the branch
       database in separate tables and we generate the TA, but
       then you are onto a common stream.
   Q.  And then again, that is the data that then goes into the
       audit store?
   A.  Yes, it's the action at the counter which then contains
       data which comes up into the branch database and that is
       the bit that goes into the audit store.
   Q.  What is the action that you are talking about there at
       the counter?
   A.  Pressing the "Accept" button.
   Q.  On the TA?
   A.  Yes.
   Q.  And then at (d) you say:
           "In Horizon Online it is possible for Fujitsu to
       insert a balancing transaction - see paragraph 58
   A.  Yes.
   Q.  We will come back to that later.  We have already dealt
       with it, at least in part.  Just focusing on (a), (b)
       and (c) for a moment, when we look at the data that
       we're concerned about in paragraph 17.2(a), you point
       out, quite rightly, that:
           "The vast majority of transactions are manually
       entered by a user in branch at the counter ..."
           And then importantly "... by pressing icons on the
       touchscreen", yes?
   A.  Yes.
   Q.  So the significance of that is that the transaction data
       comprises the fact of a press -- one press by an SPM on
       a particular icon, yes, and the significance of that in
       the reference data table being put together so that
       something pops up in the basket, as I mentioned to
       Mr Johnson when he was giving evidence, yes?  You don't
       type in the price of a first class stamp?
   A.  No, absolutely not.  The price of something would be
       calculated for the majority of products.
   Q.  Yes, and that data is in the reference data table,
       isn't it?
   A.  Yes.
   Q.  So in the transaction data there are two elements.
       There is what the SPM has in fact done in terms of
       a keystroke.
   A.  I don't see it in those terms.
   Q.  I understand.
   A.  We see the result of actions at the counter as a basket
       and I think -- so we see the outcome from the counter
       application putting together a basket and it is that
       basket that we then put into the audit trail.
   Q.  Totally understand.  I was just trying to be precise
       about the result that we see, which is the fruit of two
       different pieces of data: there is which icon the SPM
       has pressed on the screen and the relevant reference
       data in the reference data table for that icon.
   A.  If you're looking at something such as a first class
       stamp then yes, I agree.  If you're looking at other
       things then it could be much more complicated.
   Q.  Of course, but for many many things there are --
   A.  Yes.
   Q.  The reason you say "by pressing icons on the
       touchscreen" in paragraph 17.2(a) of your statement, is
       because for quite a lot of transactions that's how it is
   A.  Yes.
   Q.  There are some where the SPM has to actually manually
       enter in what's happening.
   A.  There are some where the subpostmaster has to enter far
       more data, such as on an AP-ADC transaction.  There are
       some where data will come from a PIN pad, there are some
       where data will come from a barcode, weigh scales.
   Q.  Indeed.  And that is the data -- the result of that,
       what's shown in the basket, in the transaction if you
       like, is what's then captured in the BRDB and in due
       course in the audit store.
   A.  Simultaneously.  The first part of that is actually --
       the audit store at that stage is actually simply a table
       in the branch database.
   MR GREEN:  Okay.
           My Lord, would that be a convenient moment for
       a break?
   MR JUSTICE FRASER:  I dare say.  Are you going to be dealing
       with Mr Godeseth for the whole of the afternoon?
   MR GREEN:  I am.
   MR JUSTICE FRASER:  We're going to have a short break,
       Mr Godeseth.  Ten minutes -- or do you want five?
   MR GREEN:  That's fine.
   MR JUSTICE FRASER:  Ten minutes.  We will have a ten minute
       break for the shorthand writers.  If you could come back
       at 10 past.  Same score as before, don't talk to anyone
       about the case.
   A.  Understood, my Lord, thank you.
   (3.00 pm)
                          (Short Break)
   (3.10 pm)
   MR GREEN:  Can we just touch on a couple of brief points in
       relation to transferring and storage of data.  At
       paragraph 19 of your statement at {E2/1/6} you say:
           "Due to the different ways that Legacy Horizon and
       Horizon Online transfer and store data, I address them
       separately below when dealing with integrity of data
       being transferred through Horizon."
           We touched on the information flows in relation to
       third parties already, but that was in the context of
       the BRDB, wasn't it, our discussion we just had before
       the break?
   A.  Yes.
   Q.  And under Legacy Horizon you were on the other side of
       the fence, as it were, to where you are now?
   A.  Yes.
   Q.  Legacy Horizon days.
           If we look at paragraph 34 of your witness statement
       at {E2/1/11}, you make the point that the messaging
       system was responsible for storing all the data in the
       Post Office branch and replicating it to data centres.
       The basic set up is that the counters held data in
       a message store.
   A.  Yes.
   Q.  And the correspondence server also had a message store?
   A.  Yes.
   Q.  And the data inserted at the counter would be replicated
       in the correspondence server message store?
   A.  Correct.
   Q.  And vice versa if there was a --
   A.  If you needed to push data -- Riposte was responsible
       for replicating data to wherever you told it to.
   Q.  Indeed.  At paragraph 43 of your witness statement
       {E2/1/12}, you have mentioned that:
           "[You] understand from Gareth that the audit
       application read every record that was visible to the
       correspondence server ... and wrote a text copy of that
       data to a text file."
           Do you know whether the audit server was hosted by
       Riposte or not?
   A.  The audit server is definitely outside of Riposte.
   Q.  Let's look at the Horizon Next Generation plan X
       document again please, at page 28 {F/299/28}.  Do you
       see under "Audit" at paragraph it says:
           "The audit application remains largely unchanged
       apart from various modifications to the configuration of
       audit collection points throughout the estate.
           "An audit conversion tool will be required to
       convert existing audit data from Riposte to another
       readable/searchable format."
           What is that referring to?
   A.  I think it's just wrong.
   MR JUSTICE FRASER:  You think that's wrong?
   A.  Yes.  Yes, my Lord, because I have seen audit data from
       Riposte days and it is in Riposte attribute language, so
       I -- I can't see how that's right because the audit data
       that I have seen is in Riposte attribute language.
   MR GREEN:  So the audit data that was stored was in Riposte
       attribute language?
   A.  Correct.  It was basically the message store -- it's
       pretty much as simple as a copy of the message store.
   Q.  And in relation to who was managing the Riposte system,
       what was Escher's role?
   A.  Escher provided Riposte software, so they provided the
       software in which Fujitsu deployed applications.
   Q.  And did they provide support for the Riposte software as
       well, or not?
   A.  Yes, they did, but I honestly don't know what the
       contractual relationships were, so I can't really
       comment in any detail on that.
   Q.  You wouldn't have known at the time what the
       arrangements between Escher and Fujitsu were if there
       were problems with Riposte?
   A.  I certainly don't know.  I'm obviously conscious, having
       looked at PEAKs, that there were issues, but I was not
       aware of those at the time.
   Q.  I understand.  You deal with Horizon Online from
       paragraph 20 {E2/1/6} in relation to the accuracy of
       transaction data.  Is it fair to say this is more within
       your own knowledge, this bit of your statement?
   A.  I feel that I know this pretty well, yes.
   Q.  So back on home turf in a sense?
   A.  In that sense, yes.
   Q.  And in paragraph 26 {E2/1/7} you mention the controls
       that were in place.  Do you know whether those controls
       ever failed?  Take the first one, "A basket must balance
       to zero."
   A.  We have checked this.  If you do something on a test
       system to cause a basket not to balance to zero, it
       shows an error.
   Q.  And you mentioned the Journal Sequence Number.  It's
       impossible, isn't it, for the database to accept two
       items with the same JSN number?
   A.  Correct.
   Q.  Can we look please at {F/590/7}.  Just to orientate you
       in this, perhaps we can go to the first page, I'm sorry
       {F/590}.  You will see that this is PEAK PC0195561.  Do
       you see that?
   A.  Yes.
   Q.  And if we go to page 7 {F/590/7} and we look at
       24 March 2010 at 14.45.49, which is the middle one, do
       you see there:
           "Time-outs were the underlying cause of the issue
       and that there were long delays waiting on the DB ..."
           That's the database, yes?
           "... to process the 4 requests."
   A.  Mm-hm.
   Q.  "In this case two of the requests were committed and two
       correctly detected that the transaction had already
       succeeded.  There is an issue with the 2 commits because
       this shouldn't have happened.  However the behaviour of
       the OSR from CTR 25.07 onwards is to roll the
       transaction back on a time-out.  In this scenario all
       the requests would have failed and no reconciliation is
           "We would like to find the root cause of the issue
       as to how the duplicate entry was committed in the DB."
           Now, I know you were working on other things
       in March 2010, but were you aware of any problems with
       items with a duplicate JSN number, Journal Sequence
       Number, being committed to the database?
   A.  I'm not sure this is saying we had duplicate JSNs, but
       I would obviously have to check the detail and no,
       I wasn't aware.
   Q.  You weren't aware of that problem generally?
   A.  No.
   Q.  Okay.  And you were here I think for Mr Dunks' evidence
       this morning.
   A.  Mm-hm.
   Q.  Paragraph 32 of your witness statement {E2/1/10} says:
           "I am not aware of any instances where data
       retrieved from the audit store differs from other
       sources of data, nor am I aware of any instances where
       the integrity checks described in paragraph 30 have
       revealed any issues."
   A.  Yes.
   Q.  Were you aware that there had been duplication of data
       identified in Seema Misra's case?
   A.  Misra I believe was on the old system.
   Q.  Yes, legacy.
   A.  Yes.  So no, I was not aware of that.
   Q.  In terms of ARQ figures, can we look at paragraph 31 of
       your witness statement please {E2/1/10}.  You say there:
           "I have been informed by my colleague Jason Muir
       (Operational Security Manager in Security Operations
       Team) that the number of ARQs issued since the 2014/15
       financial year is as follows ..."
           And you then say one ARQ equals one month of an
       individual branch data so one Post Office request for
       data could have multiple ARQs, yes?
   A.  Yes.
   Q.  Just to explain what the figures are.  And you have
       a footnote to that which says:
           "These figures do not include the ARQs that Fujitsu
       has issued in relation to these proceedings."
           So is it actually -- where did you get that
       information from?
   A.  From Jason.
   Q.  So what did you ask him?
   A.  Personally I didn't ask him anything.  This was
       information that was being requested to go into the
       witness statement, so I'm confident that it is correct.
       I have no particular motive in providing that
   Q.  I'm just trying to -- I'm not talking about motive, I'm
       just trying to identify how it has ended up in your
       witness statement.
   A.  I was effectively asked to put it in.
   Q.  So did Jason Muir actually inform you of this in
       response to any requests from you?
   A.  No.
   Q.  Because that saves me asking the next question which was
       why didn't you ask him for earlier years.
           Now, can we just look at the years that we've got
       there, 31.1 to 31.4.  When you were shown the
       information that you were to put into your witness
       statement you must have noticed that it only went from
       the 14/15 year to the 17/18 year.
   A.  I didn't pay it any particular attention.
   Q.  But you have been dealing with Legacy Horizon which
       pre-dates 2010 --
   A.  That's true.
   Q.  -- in the same witness statement, so you must have had
       in mind what the chronological sweep of this witness
       statement was supposed to deal with, mustn't you?
   A.  I'm afraid I didn't do my job in that case.
   MR GREEN:  Can we move now to --
   MR JUSTICE FRASER:  Just before you move off that, can you
       think of any reason why there should be a cut off at the
       beginning of 2014, in terms of the system, or the way it
       worked, or anything?
   A.  I can't think of any reason why that information would
       not be available further back.
   MR GREEN:  Can we deal with the problem management procedure
       now.  Can we look please at {F/1692}.  This appears to
       be a Fujitsu document.  We see at the bottom "Fujitsu
       restricted" and "Copyright Fujitsu Limited 2017".  The
       title of the document is "Post Office Account - Customer
       service problem management procedure" and can we please
       go -- if you note the "abstract" there:
           "To describe and document the customer service
       problem management process."
           Now, you are the chief architect, aren't you, in
       relation to the responsibility for changes being made to
       the system being implemented without prejudicing the
       continued operation of the system?  That's what you say
       in your witness statement?
   A.  Yes, that's right.
   Q.  And this is a recent document which relates specifically
       to the Post Office account.  Is this a document you have
       seen before?
   A.  I can't honestly say.  It's certainly not one that I'm
       particularly familiar with.
   Q.  Okay.  Let's have a look, if we may please, at page 8
       {F/1692/8}.  You will see just under 1.1 "Process
       objective and scope":
           "The objective of this document is to define the
       process for problem management in the POA environment to
       support the contracted infrastructure and application
       services described in the HNG-X contract.  Other
       infrastructure and services used by POA to provide and
       support delivery of the HNG-X contract are also in scope
       of the process."
           Now, just pausing there for a second, POA is the
       Post Office account team at Fujitsu, isn't it?
   A.  Correct.
   Q.  Then it says:
           "For the purpose of this document a problem is
       defined as the unknown underlying root cause of one or
       more incidents."
   A.  Yes.
   Q.  "The problem management process covers both reactive and
       proactive functions of problem management."
   A.  Yes.
   Q.  Now, if one is to have a robust system it's important,
       isn't it, to make informed assessments of where problems
       lie based on the relevant information that was
   A.  Yes.
   Q.  And it's important to capture and track that in a way
       that can readily be analysed, is that fair?
   A.  Yes.
   Q.  And that seems to be at least consistent, if not the aim
       of this procedure, yes?
   A.  Agreed, yes.
   Q.  Let's look please at the document history on page 4
       please {F/1692/4}.  We can see that the draft document
       was updated in 2007 and we can see various changes going
       in and out and various revisions going forward on that
       basis.  If we go over the page {F/1692/5}, we can see up
       to a date in September 2017, yes?
   A.  Yes.
   Q.  Now, can I just give you the context in which this
       document has come to the fore, so that you can see it
       clearly.  The two experts both comment on it.  If we go
       please to {D2/1/96}, this is Mr Coyne's report.  We get
       to paragraph 5.156 there and it is clear from that
       paragraph that Mr Coyne was working on the basis that
       the problem management procedure had actually been acted
       upon and you can see there, at 5.156, he says:
           "The Post Office account customer service problem
       management procedure document ..."
           Which he footnotes:
           "... identifies the process metrics and key
       performance indicators required for measuring the
       effectiveness of the process and service specifically in
       relation to problem management.  The problem management
       procedure is set out in more detail at appendix E ...
       relevant to this section and issue 6 are the metrics and
       KPIs to measure/control and reduce the risk of failure
       to detect, correct and remedy Horizon errors and bugs."
           Now, if we go please to page 97 over the page
       {D2/1/97} and we look at 5.157, he says:
           "From the above, it is my opinion that Post Office
       should be aware of all recorded bugs/errors/defects in
       addition to those previously acknowledged by them, from
       the process metrics compiled above."
           So what Mr Coyne seems to have inferred is that the
       problem management process had been implemented and
       there would be feedback from Fujitsu to Post Office
       about what errors and bugs -- that seems to be the basis
       he is proceeding on, doesn't it, on the face of it?
   A.  On the face of it, certainly.
   Q.  And if we go now to {D3/7/81} we can see Dr Worden --
       this is his second report and he appears to be working
       on the basis also that the problem management procedure
       had been brought in.  If we look at the third column he
       says -- so it is row 21, it relates to 5.156, which is
       Mr Coyne's paragraph I just showed you, the extract of
       Mr Coyne's paragraph is there, and then if you look on
       the right-hand side under "Commentary" you will see:
           "This document is a rather high level and generic
       description of the problem management process.
           "It is difficult to extract a clear picture from
       this document of how the process works in practice.
       For instance, there are listed about 20 types of process
       input and 20 types of process output.  It is hard to
       discern from these long lists which inputs and outputs
       were most important.
           "As another indication of its generic nature, the
       words 'bug', 'defect', 'software' and 'reference data'
       never occur in the document.  The word 'error' does
       occur.  Errors are discussed generically not as specific
       types of error such as errors in Horizon."
           So both experts appear to be approaching it on the
       basis that it had been acted upon.
           Now, if we look at {F/1692/10}, going back to the
       problem management document at page 10, we can see what
       the relevant metrics are.  Now, those are competent
       professional metrics that you would expect to see in
       a policy of this sort, aren't they?
   A.  Yes.
   Q.  You can see that what's proposed there is:
           "The following metrics, to be reported monthly, will
       be used to measure effectiveness of the process and
       drive performance of the process and overall service in
           That's the way it is going to work?
   A.  Yes.
   Q.  And were you aware, as you are one of the key people at
       Fujitsu, that Mr Coyne had asked for documents to be
       provided which he thought should exist based on the
       problem management procedure?  Did you know -- did that
       come to your attention at all?
   A.  It has not come to my attention.
   Q.  Well, I will take it quite quickly.  Let's have a look
       at {D2/5/22}.  This is a request for information and
       a response and you can see that in relation to this --
       in the Post Office response to requests for information,
       if we go down to page 26 {D2/5/26} you will see in the
       left-hand column at the bottom:
           "Please provide how many times (and over what
       period) the 'problem management process' has recorded
       the potential for a system or software error?"
           And then in the column with Post Office's response:
           "Post Office objects to this request.  Fujitsu
       believes that it does not record problems in such a way
       that would allow this to be determined without
       retrospectively carrying out detailed analyses."
           And so forth.  Over the page:
           "This would require a disproportionate effort and
           You have addressed this issue at paragraph 63 of
       your witness statement at {E2/7/16}, haven't you?
   A.  I have.
   Q.  And what you have explained there -- in your second
       witness statement this is.  What you say there is:
           "I have spoken to my colleague Steve Bansal,
       Fujitsu's senior service delivery manager, who has
       informed me that the Post Office account customer
       service problem management procedure document was
       introduced by Saheed Salawu, Fujitsu's former Horizon
       lead service delivery manager and that Saheed Salawu
       left the Fujitsu Post Office account in
       around February 2013, before the new procedure had been
       implemented.  I understand from Steve that
       Saheed Salawu's replacement did not wish to implement
       the changes and therefore the records referred to by
       Mr Coyne in paragraphs 5.157 to 5.159 of his report do
       not exist, as we continued to follow the previous
       existing reporting methodology."
           Now, can we just unpack that slowly.  Who was
       Saheed Salawu's replacement?
   A.  I don't know.  As you can tell I'm a bit vague on this
       area.  I remember Saheed, I don't know whether it was
       Tony Wicks who took over from him or somebody else.
   Q.  Because when we go back to the document itself, at
       {F/1692/4}, here is the "Summary of changes and reason
       for issue".  The document's history goes back to 2007,
       doesn't it?
   A.  Yes.
   Q.  And it looks like it was issued for approval in 2014,
       doesn't it?
   A.  Well, it was issued for approval on 9 December 2013,
   MR JUSTICE FRASER:  "Issued for approval" appears in
       a number of places I think.
   A.  Yes and the convention is that when you go to a ".0"
       version then that's one that is being issued for
   MR JUSTICE FRASER:  Hence 2.0, April 2008;
       3.0, December 2013; 4.0, July 2014?
   A.  Yes.
   MR JUSTICE FRASER:  And that's why they are all ".0" because
       they are all issued for approval?
   A.  They should all be issued for approval, yes.
   MR GREEN:  And that is after the date when you say Mr Salawu
   A.  I think so because I think Saheed left in 2013, so it
       looks as though it was Tony Wicks who came in to take
       on -- take up from him.
   Q.  So can you explain to his Lordship what the procedure
       for adopting a policy or procedure of this sort is?
   A.  I'm afraid not.  It's governance within the account
       team.  I am certainly no expert on that aspect of it.
   Q.  Okay, because when we go over the page {F/1692/5} in
       2017 we see no comments from review cycle.  It is still
       being dealt with in 2017 and we can see the name of
       Tony Wicks for review comments, can't we?
   A.  Yes.
   Q.  Requested by 14 December 2017.  Is he the person we
       would really have to ask about this?
   A.  If my suppositions are correct then it looks as though
       Tony Wicks is the man who has driven this.
   MR JUSTICE FRASER:  He is the what, sorry?
   A.  He would be the man who has driven this.
   MR GREEN:  And he is the person we would really have to ask
       about what happened after February 2013?
   A.  Yes, if my suppositions are right that he took over from
   MR JUSTICE FRASER:  Well, would you like to look at page 1
       {F/1692}.  What does "Approval authorities" mean?
   A.  Approval -- sorry, that would be Steve Bansal who would
       sign it off.
   MR GREEN:  Let's look at the Legacy Horizon reporting system
       because in your paragraph 63 -- if we can just go back
       to that {E2/7/16} -- you say there in the last line of
           "... we continued to follow the previous existing
       reporting methodology."
           Is that a reporting methodology with which you're
   A.  No.
   Q.  So that's what he -- you've got all of that from Steve?
   A.  I got -- basically I got this from Steve.
   Q.  And you don't really know what the reporting methodology
   A.  Not in any detail at all.
   Q.  Do you imagine it ought to be documentary, or would it
       be oral, or ...?
   A.  I imagine it happening via the service review meetings
       that Steve chairs.  We have regular sessions with ATOS,
       with other suppliers, but I have not -- I can't remember
       actually going to one.  I'm aware that there are
       meetings with Post Office and ATOS to talk about service
   Q.  Okay.  Let's look in paragraph 64 where you are dealing
       with the service review book.  You say:
           "When Legacy Horizon was in place problem management
       was reported in a specific section within the service
       review book (SRB)."
           Is that something you also got from Steve or
       something that you knew about yourself?
   A.  No, that is from Steve.  I have probably seen service
       review book outputs in the past but ...
   Q.  That was a fairly high level review of problem
       management and (inaudible) main problems, was it?
   A.  Very high level, yes.
   Q.  If we look please at your paragraph 65 {E2/7/16}, is
       this still Steve Bansal?
   A.  Yes.
   Q.  So how far down does that go?  Is this all -- just give
       us a feel for how far down we go.
   A.  I think to the bottom of the page.
   Q.  To the bottom of the page, I see.
           In paragraph 65 you say that:
           "From September 2010 these SRBs reported metrics
       only against contractual service level agreements ...
       and as there are no contractual SLAs for problem
       management, it is not covered in the SRB reports
       between ... 2010 and 2014."
           That's right, is it?  That's what you understand
       from Steve?
   A.  That's certainly what I understand from Steve.
   Q.  Okay.  I mean wouldn't Post Office want to know the sort
       of information that would be conveyed from that sort of
       reporting procedure?
   A.  I would imagine so and I did not attend the meetings
       with Post Office and ATOS so ...
   Q.  There's only so far we can take it?
   A.  Yes.
   Q.  And you say at paragraph 66 {E2/7/16} -- and
       I appreciate this is also from Steve Bansal:
           "For the years 2014 to 2017 there are annual problem
       review reports ..."
   A.  Yes.
   Q.  Is that system still in place in 2018?
   A.  I just do not know.
   MR JUSTICE FRASER:  I'm having grave difficulty with
       following this at what might be called face value, which
       is why I'm just interrupting.  Is the import or the
       summary of your paragraph 63 to 66 that these types of
       metrics are only available between the years you have
       identified in those paragraphs and that Fujitsu doesn't
       keep them, or hasn't kept them for years outside the
       ones identified in those paragraphs?
   A.  I don't know the answer to that, my Lord.  I don't know
       whether there were records available.  I would have to
       speak in far more detail to Steve and others to
       ascertain that.
   MR JUSTICE FRASER:  But I thought you had already spoken to
       Steve about this?
   A.  I was looking for a high level response on a specific
       issue that was being requested.
   MR JUSTICE FRASER:  And what specific issue was that?
   A.  I think it was raised by Mr Coyne.
   MR JUSTICE FRASER:  Insofar as you can remember, do you
       remember what it was?
   A.  It was simply looking for -- my recollection of it was
       that he was concerned that Saheed had suggested an
       improvement to problem management and was looking for
       the evidence that that had been implemented and when
       I spoke to Steve and said "Did we implement this?" he
       said no.
   MR JUSTICE FRASER:  All right.  Mr Green.
   MR GREEN:  If we look at {F/1420}, this is headed "2014 POA
       problem management - problem review", do you see that?
   A.  I do.
   Q.  It is called version 1.0, at the bottom right-hand side,
       which suggests it has been issued for approval and we
       see "Document status: for approval".
   A.  Yes.
   Q.  Again Mr Bansal's name under "Approval authorities".
       Was this one actually implemented, or do you not know?
   A.  I don't know.
   Q.  Have a quick look at page 6 {F/1420/6}.  I'm going to
       have to take this quite quickly, Mr Godeseth, because
       it's obviously not something you're familiar with, but
       this appears to contemplate undertaking a trend analysis
       and so forth to review the knowledge database, review
       problems and so forth, and if we go to page 7
       {F/1420/7}, on the face of it looks as if there are
       considerations, for example, of specific problems that
       have in fact occurred.  Do you see that?
   A.  Yes.
   Q.  So on the face of it it does look from this document as
       if there is a problem management review document with
       some actual problems in it, although it seems to be
       issued for approval.  Is this something you know
       anything about?
   A.  No.
   Q.  Just quickly then, very briefly, if you look at page 13
       please {F/1420/13}.  If we look in the middle stripe,
       A1939577.  Do you see that?
   A.  Yes.
   Q.  It mentions First Rate.  Who are First Rate?
   A.  First Rate Exchange Services are, I believe, a joint
       venture owned by Post Office and Bank of Ireland, but
       they provide foreign -- they provide bureau services.
   Q.  And they say:
           "First Rate has identified an anomaly over the way
       Horizon reversed transactions are recorded and polled
       through to them."
           Is this something that came to your attention at
   A.  No.
   Q.  Because it does seem to have been fixed in counter
       release for R9.
   A.  Yes.
   Q.  Release 9?
   A.  I don't remember what date release 9 was.  It would have
       been on my watch, but ...
   Q.  It's not something you remember particularly?
   A.  No.
   Q.  And you don't remember having seen this document either?
   A.  No.
   Q.  If we look at {F/1497}, this one is the "2015 POA
       problem management - problem review" and if we look at
       page 7 there {F/1497/7}, do you recognise this one at
       all or not?
   A.  I think I do from the recent review, but I couldn't be
       certain without checking it in more detail.
   Q.  Because it is in the same format as the previous one,
       isn't it?
   A.  Yes.
   Q.  And in the bottom stripe we see A10821106:
           "Transaction discrepancies can occur during the
       rem-in process especially when transferring cash from
       one branch to another (eg between their main branch to
       their outreach branch)."
           Can we go back up very kindly.  And then under
           "The underlying cause of this problem is that
       a logout before a user has fully logged on, then
       subsequently a pouch is rem-in manually, then after the
       rem-in slip has been printed, the same screen is
       redisplayed and if the user press enter again,
       a duplicate will occur.  A code fix has been developed
       and is in release 12.88 hot fix."
           Does that ring any bells?
   A.  That sounds like Dalmellington -- is it Dalmellington?
   Q.  Yes, it is the Dalmellington bug, isn't it?
           And it doesn't capture how many branches were
       affected, does it, that report?
   A.  That's true.
   Q.  It doesn't capture how long it took to find?
   A.  No.
   Q.  It doesn't capture the financial amounts involved?
   A.  No.
   Q.  So is it fair to say that that report is not
       a particularly rigorous or robust treatment of recording
       the problem, its extent and duration and effect?
   A.  I think that's a fair comment.
   Q.  Can we turn now please to understand a little bit better
       the issues around balancing transactions that we touched
       on earlier and can we first look please at {F/1692}.
       This is another Tony Wicks Post Office account customer
       service problem management procedure document.  Now --
       we will perhaps come back to that.
           Let me take you forward, if I may -- or back in the
       bundle to {F/425} and just show you this to get the
       chronology.  If you see at the top, the title on the top
       is, "Host BRDB transaction correction tool low level
       design."  Do you see that?
   A.  Yes.
   Q.  And this is the low level design document, isn't it, for
       the branch database transaction correction tool?
   A.  Yes.
   Q.  And it says "Document status: draft" and the "Approval
       authorities" is Graham Allen.  Do you know Graham Allen?
   A.  I do.
   Q.  Do you work with him?
   A.  Yes.
   Q.  And the author and department it says Rajesh Shastri.
       Do you work with him?
   A.  I don't recognise his name.
   Q.  And if we just go forward to page 5 {F/425/5} we can see
       that the document history shows the draft version being
       produced in October 2007 and then, 29 September 2009,
       "Add transaction correction journal auditing".  Do you
       know what transaction correction journal auditing is?
   A.  Sorry, where are we?
   Q.  Sorry, bottom of the 0.2 table.
   A.  29 September 2009, yes.
   Q.  Now, this was a tool that was being developed for
       Horizon Online, wasn't it?
   A.  Yes.
   Q.  And if we go to page 8 {F/425/8}, under "Overview" it
       explains that:
           "This document provides the low level design for the
       branch database transaction correction tool module.  The
       utility will allow SSC to correct transactions by
       inserting balancing records to
       transactional/accounting/stock tables in the BRDB
       system.  It will also audit the changes made.  There
       will be no updating/deleting of records in the branch
           And then it says:
           "Warning: the use of this powerful tool has inherent
       risks.  If the SQL statement is incorrect or badly
       written, it is possible to cause unintended
       consequences, some of which may cause serious problems
       to the branch database.  It is expected that only
       a small number of skilled staff will run this tool and
       that they will have detailed guidance as to when and how
       to use the tool."
           Now, are you familiar personally with the use of
       this tool in Horizon Online?
   A.  I've never seen it used because I was -- the one time it
       was used, as we have already established, I was
       elsewhere.  I have had pretty lengthy conversations with
       Gareth Seemungal about how this tool is put together, so
       I feel that I understand how it works.
   Q.  Pretty lengthy conversations with ..?
   A.  Gareth Seemungal.
   Q.  Let's look at the "Solution components".  It says there
       are five main components to the solution.  There is the
       UNIX shell script.  There is the PL/SQL package.
           "A set of template files, one for each transaction
       table for which balancing transactions are allowed to be
       inserted.  Each file contains a template for an SQL
       insert statement for the table in question.  This makes
       it easier for users to produce new transaction files by
       basing them on the template files."
           And then there is the possibility for branch
       seeding, new branches to be processed by the tool, and
       the bottom one:
           "Transaction correction journal auditing - a new
       process generates audit files for the input day's
       audible transaction correction records.  See section 5
       for details."
           Now, just taking this in stages, the seed records,
       in the penultimate bullet point there in red, last
       line -- do you see that?
   A.  Yes.
   Q.  The seed records have a node ID of 99?
   A.  Yes.
   Q.  Now, that's like having a branch ID number -- a counter
       number of greater than 32, isn't it?
   A.  That is the counter number that this transaction would
       be recorded against because the node ID is the counter.
   Q.  Exactly.  Now, just clarifying where we are, we have
       seen what you will and will not be able to do in 1.1, so
       it will allow SSC to correct transactions by inserting
       balancing records to transactional/accounting or stock
       tables in the BRDB system, also audit the changes made,
       "There will be no updating/deleting of records in the
       branch database."  So this is the design for the tool?
   A.  Yes.
   Q.  So insertions of balancing records, yes; auditing, yes;
       no updating or deleting of records.
   A.  Correct.
   Q.  And that's actually reflected, at least to some extent
       we will see -- just trace it through.  Let's look at the
       objects because identifying the permitted database
       objects is important to identifying the scope of
       potential application of the tool with this design,
       isn't it?
   A.  Absolutely.
   Q.  So we look at paragraph 2.4.1 on page {F/425/9}, the
       next page, and we see there's a table there.  2.4 is the
       objects used.  We will just go through these carefully.
       2.4.1, "Database objects used", so in the database
       objects tables, these are the object names to which the
       specific functions that we are concerned with have
       access, yes?
   A.  Yes.
   Q.  Okay, let's have a look.  You can see there's the BRDB
       operational exceptions table?
   A.  Yes.
   Q.  The system parameters table?
   A.  Yes.
   Q.  FAD hash outlet mapping table?
   A.  Yes.
   Q.  The process audit table?
   A.  Yes.
   Q.  Process audit sequence table?
   A.  Yes.
   Q.  Transaction correction tool journal table -- sorry,
       "process audit sequence" was a sequence.
   MR JUSTICE FRASER:  Yes, I don't think that's a table.
   MR GREEN:  Yes, that's actually a sequence, which we will
       come back to.  My mistake.
           The transaction correction tool journal table, the
       FAD hash current instance table, transaction correction
       tool control table, branch info table and then -- branch
       operators exception sequence, is that?
   MR JUSTICE FRASER:  "Operational" I imagine.
   MR GREEN:  Or "operational".
   MR JUSTICE FRASER:  Is that right, Mr Godeseth, do you
   MR GREEN:  Something like that.
   A.  I --
   MR JUSTICE FRASER:  Or you don't know?
   A.  I don't know to that level.
   MR GREEN:  Okay.  And then we see what the privileges
       granted are:
           "The following transaction tables have been granted
       INSERT privileges ..."
           "... to OPS$SUPPORTTOOLUSER.  The transaction
       correction statement is only allowed to insert into
       these tables."
   A.  Yes.
   Q.  And it identifies effectively all the important
       transactions tables and --
   A.  I think there are probably another two or three on the
       next page.
   Q.  On the next page, exactly, I was just going to take you
       there {F/425/10}.  Plus the events table.
   A.  Yes.
   Q.  Session data, you see that as well?
   A.  Yes.
   Q.  And at 2.4.2, the files used, it says:
           "The process uses the following files:
           "Transaction file containing an SQL INSERT statement
       that creates the required balancing transaction."
           So this would be where there is one half of
       a transaction missing another half of a transaction?
   A.  Yes.
   Q.  And the insert statement, the "SQL INSERT" statement
       effectively goes in and puts in the missing other side
       of that transaction?
   A.  Yes.
   Q.  And the method on the next page, page 11 {F/425/11}:
           "Having logged into their own UNIX user, the SSC
       team members will change directory ... and place their
       transaction file in the ... subdirectory.  They will
       then invoke BRDBX015 manually.  The shell script module
       will be owned by the UNIX user 'supporttooluser'."
           And then it explains what the module will do and the
       insert statement and so forth and you see that set out
       at 3.1 in the method.
   A.  Yes.
   Q.  Now can we go forward please from there to look at
       {H/218} please.  This is a letter from Wombles to
       Freeths about the request for disclosure of the audit
       records for the use of the tool and it says:
           "This log is produced in relation to the use of
       balancing transactions via the transaction correction
       tool as described in paragraph 58 of Mr Godeseth's first
       witness statement."
           And you were describing in your paragraph 58 the
       tool we have just been looking at, weren't you?
   A.  Yes.
   Q.  And let's look at what the audit table shows in terms of
       number of non-zero audit files.  We can see there 2010,
       46,000 files -- 47,000 nearly, and one file with more
       than zero content and then you can see 322, 553, 122,
       129, 228, 420, so in total -- over the page -- over the
       period: 2,297 {H/218/2}.
           Now, just to give you the context of what's being
       said, if you go back a page what's said in the middle of
       that letter there is:
           "Fujitsu have extracted the data from 2010 to 2019
       and provided the following explanation for the
       documents.  It should be noted that Relativity is not
       able to recognise 0KB documents since these do not
       contain any data and therefore disclosure can only be
       provided of the 2,297 files which contain data.  We
       understand from Fujitsu that a 0KB file is produced
       where there was no logged activity.  A disclosure list
       is enclosed."
           So that's the explanation for the difference between
       46,976 and 1, yes?
   A.  Yes.
   Q.  And when we go over the page please {H/218/2}, it says:
           "Each document is associated with a single SQL
       statement which made a database correction.  There are
       two different types of correction shown in the
       files - the SQL statements for each are of the form:
           "1.  Update OPS$BRDB.brdb_rx_recovery_transactions
       SET settlement_complete_time stamp = ..."
           And then the "INSERT INTO" command.
           It says:
           "Type 1 reflects the action taken to reset the
       recovery flag on a transaction.  This will have no
       effect on branch accounts (see footnote 58 in our letter
       of response ...)"
           Which says:
           "Several hundred other balancing transactions have
       been used but not in a manner that would affect branch
       accounting.  These were generally used to 'unlock'
       a stock unit within a branch."
           Do you see that?
   A.  Yes.
   Q.  Were you asked about the explanations that are being
       given here, or would it be someone else at Fujitsu who
       would know about this?
   A.  This would have been written by others but I'm fully
       aware of it.
   Q.  And then it says:
           "Type 2 reflects the action taken to insert
       a Balancing Transaction ..."
           It has a big "B" and a big "T", "Balancing
           "... where it changes transaction data in the main
       transactional tables.  This will affect branch
   A.  Yes.
   Q.  So what is being said there in relation to type 1 is
       that the 2,296 other uses of the tool have been used
       mostly to unlock a stock unit within a branch and not in
       a way which would affect branch accounts.
   A.  Correct.
   Q.  And then there is one which it is accepted did accept
       a branch account and that's the first one.
   A.  Yes.
   Q.  And that's your understanding too?
   A.  That is absolutely my understanding.  The only way you
       would be allowed to write into those tables listed is
       using this tool and that would be listed as a balancing
   Q.  Just looking at the command that's being used for
       number 1, it's not an insert command, is it?
   A.  I'm not sufficiently au fait with Oracle to -- sorry,
       the first one, no, it says it is an update so ...
   Q.  Yes, and the point is, if we go back please to the low
       level design which I took you to with some care at
       {F/425/8}, it is clear, isn't it, from this design
       that -- if we look at the last part of 1.1, the last
       sentence of that first paragraph:
           "There will be no updating/deleting of records in
       the branch database."
   A.  Yes, it says that.
   Q.  If we look on the next page, page 9 {F/425/9}, you can
       see in-between the two tables:
           "The following transaction tables have been granted
       insert privileges ..."
   A.  Yes.
   MR JUSTICE FRASER:  Where are you reading?
   MR GREEN:  Between the two tables, my Lord, at the bottom,
       "The following transaction tables have been granted
       insert privileges ..."
   MR GREEN:  And that means that people who have the
       privileges of the "OPS$SUPPORTTOOLUSER" are allowed to
       run SQL insert commands, aren't they?
   A.  The intention of this tool is to allow a set of people
       to run a transaction which will insert records into one
       or more of those tables and it will be audited.
   MR GREEN:  Well, that's not an answer to my question.
   MR JUSTICE FRASER:  I don't think it's even vaguely in the
       field of answering the question, with respect.  Do you
       want to put it again, Mr Green?
   MR GREEN:  This tool is confined to a privilege to insert,
       isn't it, as described here?
   A.  I think so, yes.
   Q.  And we don't see the necessary database object fields
       table for correcting in the manner suggested --
   A.  For the locks.
   Q.  For the locks, do we?
   A.  I can't contradict you on that, so no.
   Q.  So it is clear, isn't it, that the use of the tool has
       now gone way beyond what we find in this low level
       design document, is that fair?
   A.  Certainly there are -- there is tooling which is based
       on this which has two aspects to it, certainly, so
       I think I'm agreeing with you.
   MR GREEN:  Yes.  Now, if we look at {H/2/25} --
   MR JUSTICE FRASER:  Just before you move off, just to clear
       it up for me, can we look at page 11 {F/425/11}.  Now,
       I accept that this is in Oracle, I think, these
       commands, and if you don't -- I'm sure you've got at
       least a basic knowledge of some Oracle --
   A.  I hope so but ...
   MR JUSTICE FRASER:  I'm sure your knowledge of Oracle is far
       wider than mine, but I do understand it a little bit,
       but if you look at the second paragraph under "Method"
       do you see it says:
           "The module will read the contents of the input
       transaction file, which will be in the form of an SQL
       insert statement."
   A.  Yes.
   MR JUSTICE FRASER:  "Only a single insert statement is
       allowed and (after an optional introductory comment) it
       must start with the 'insert into' clause."
   A.  Yes.
   MR JUSTICE FRASER:  Am I right that you would then expect to
       see the block capitals command at the beginning of the
   A.  I think it is telling me that I would see an "insert
       into" one of those tables and then whatever data had to
       be inserted into that table.
   MR JUSTICE FRASER:  Yes and the insert would be part of the
       command, wouldn't it?
   A.  The insert would be in the SQL script because what I'm
       trying to do is to get a record into that table.
   MR JUSTICE FRASER:  Thank you very much.  That's how
       I understood it but I just wanted to check it.
           Right, Mr Green, over to your H reference.
   MR GREEN:  I'm very grateful.
           If we look at {H/2/25}.  Now, at 5.16.3 you will
           "Fujitsu (not Post Office) has the capability to
       inject a new 'transaction' into a branch's accounts.
       This is called a balancing transaction.  The balancing
       transaction was principally designed to allow errors
       caused by a technical issue in Horizon to be corrected:
       an accounting or operational error would typically be
       corrected by way of a transaction correction.
       A balancing transaction can add a transaction to the
       branch's accounts but it cannot edit or delete other
       data in those accounts.  Balancing transactions only
       exist within Horizon Online ... and so have only been in
       use since around 2010.  Their use is logged within the
       system and is extremely rare.  As far as Post Office is
       currently aware a balancing transaction has only been
       used once to correct a single branch's accounts (not
       being a branch operated by one of the claimants)."
           Then 5.16.4:
           "Database and server access and edit permission is
       provided, within strict controls ... to a small,
       controlled number of specialist Fujitsu ...
       administrators.  As far as we are currently aware,
       privileged administrator access has not been used to
       alter branch transaction data.  We are seeking further
       assurance from Fujitsu on this point."
           Now, this letter was in 2016.  Can you remember
       being asked about these matters in 2016 at all, or was
       it not directed to you?
   A.  I don't remember any specific requests, but I have been
       working in this sort of area for a long time so -- yes.
   Q.  Okay.  And in your witness statement you have also
       referred to only one use of the tool, the point you have
       made orally as well.
   A.  Correct.
   Q.  For a balancing transaction purpose.
   A.  For a balancing transaction.
   Q.  Can we please look now at {F/590}.  7 March 2010 is the
       target date.  We're looking at PEAK 0195561, which we
       have already identified, and you will see this relates
       to 4 March 2010 and this time we're going to look on the
       first page, at the second box down, and you will see
       there call 2083169:
           "PM was trying to transfer out 4,000 pds.  The
       system crashed.  PM was issued with 2 x 4,000 pds
           Do you see that?
   A.  Yes.
   Q.  And that's repeated at the bottom of that page.
           If we go forward please to page 3 {F/590/3},
       10 March 2010 at 8.51, which is the third box down,
       Cheryl Card:
           "After discussion with Gareth Jenkins, the suggested
       correction is to negate the duplicate transfer out by
       writing 2 lines to the BRDB_RX_REP_SESSION and
       BRDB_RX_EPOSS_TRANSACTIONS tables, with:
           "1) Product 1, Quantity 1, Amount 4,000.00, Counter
       mode ID 7 ... 2), Product 6276, Quantity -1, Amount
       4,000.00 ... This should be done using the transaction
       correction tool.  An OCP approved by POL will be
           Now, just focusing on your time at Post Office,
       I think at this time you're not really working on
       Horizon any more, are you?
   A.  Correct.
   Q.  Did you hear on the grapevine of anyone at Post Office
       being asked for authorisation for this sort of thing to
       be done?
   A.  No.
   Q.  Once you arrived at Fujitsu did you have any involvement
       in seeking approval, or discussions with Gareth Jenkins
       about anything like this being done?
   A.  No.
   Q.  Did you know that Post Office's approval had been sought
       for this particular transaction?
   A.  No.
   Q.  If we go forward please to page 9 {F/590/9},
       22 April 2010:
           "I have gone through the counter logs, OSR logs and
       the DB dumps provided in the PEAK.  Let's analyse this
       from scratch."
           Pausing here, you have acknowledged under legacy
       there were sometimes problems with duplications within
       the Riposte system, yes?
   A.  Yes.
   Q.  But we're not dealing with that system here, we're
       dealing with Horizon Online, aren't we?
   A.  Yes.  If it mentions OSR, certainly.
   Q.  Okay.  The second paragraph of that says:
           "PEAK has been raised when a clerk attempted to
       transfer out of 4,000.00 from stock unit BB to MS.  Due
       to a system problem the transfer out doubled up, so when
       the transfer in was done on counter 1 at 16.15, it was
       for 8,000.00.  The branch now has a lot of [£4,000]."
           Do you see that?
   A.  Yes.
   Q.  And there's then some discussion and then if we come
       down to:
           "But, I have noticed that the retried request [with
       an ID] ... was ignored by time out monitor in the
       [Branch Access Layer] side and continued to execute.
       But from the OSR.log file and OSR message log,
       I couldn't find this request was failed due to the
       duplicate JSN record in the journal table (which was
       expected and the normal behaviour of OSR), didn't happen
       in this case.
           "I have requested for the journal table dump to
       check whether duplicate JSN entries exists in the table.
       But from the DB dump I couldn't find any duplicates."
           Now, the whole point of JSN entries is that they
       should not duplicate and if they are duplicates they
       should not be committed to the database; that's right,
       isn't it?
   A.  Yes.  And I think you will see there that the retried
       requests failed because there was already a journal
       record in the database with that JSN.
   Q.  Well, let's just follow this through, if we may.  If we
       look now please at {F/594}, you will see that this is
       PEAK 0195962.  Do you see that?  This is Cheryl Card
   A.  Yes.
   Q.  And if we just go down to the yellow bar it says:
           "The transaction correction tool has now been used
       in live.  The templates for use with this tool need to
       be updated to correct some details."
   A.  Yes.
   Q.  So the idea was to have templates so that the scripts
       wouldn't have too many errors in them when they were
   A.  Yes.
   Q.  And that PEAK refers in turn, we can see -- if we look
       at {F/1095} please.  We can see this is the OCP 25882.
       Can you just tell his Lordship what an OCP is?
   A.  Operational Change Process I believe.
   Q.  And there's also an OCR, isn't there?
   A.  Yes, that is Operational Change Request, as I understand
   Q.  And one is for the change to the front end and one is to
       change the back-end.  The OCP is for the front end and
       the OCR is --
   A.  I don't know.
   Q.  You don't know.  If we look at this document at
       {F/1095}, the branch 226542 transfer out doubled up.  We
       can see:
           "Due to a system fault, the branch did
       a transfer out of £4,000 and a corresponding transfer in
       of £8,000.
           "Justification: correct a loss of £4,000 at the
       branch due to a system fault ... extra detail: the
       transfer in details were incorrectly doubled up when
       they were written to the BRDB.  This needs to be
       corrected using the transaction correction tool."
           Do you see that?
   A.  Yes.
   Q.  Now, on the face of it this appears to be consistent
       with at least one use of the transaction correction tool
       for one balancing transaction, yes?
   A.  Yes.
   Q.  And are you aware of any reason why Post Office couldn't
       have just used a transaction correction for £4,000 to
       correct the SPM's position?
   A.  If we -- the only reason that we would need to use the
       branch transaction tool is if I got a one-sided
   Q.  If you got a one-sided transaction?
   A.  Yes.
   Q.  Let's look, if we may please, at {F/485/1}.  This is
       PEAK PC0175821.  Do you see that?
   A.  Yes.
   Q.  And the call status on the right is "Closed - solicited
       known error."  Do you know when that code is used or
   A.  No.
   Q.  If you look down on 19 February 2009 at 17.39.40, can
       you see:
           "There are two sides to the problem relating to
       these transactions.  The first is where all five SC
       transactions missing core data as described in the
       above-mentioned KEL."
   A.  Yes.
   Q.  That's one aspect of the problem in this PEAK:
           "Second is absence of equal but opposite
       (ie settlement) lines.  See PC0152014 for a similar
       problem and how problem was resolved."
   A.  Yes.
   Q.  "For the first problem, I have used the TRT to insert
       the missing data ie Region, Margin, Margin Product and
           Now, pausing there, what does it look to you is
       going on here?
   A.  It looks to me as though we are inserting into a totally
       different database because it is TMS_RX so this is
       the -- this is not the branch database.
   Q.  No.  And also they seem to be using the transaction
       repair tool.
   A.  Yes.
   Q.  Rather than the transaction correction tool.
   A.  Which I think would be what I have referred to as the
       TIP(?) repair tool.
   Q.  Yes?
   A.  And TMS is -- yes, it's not part of the BRDB.
   Q.  But what we do see -- and this is in February 2009, so
       this is Horizon Online, isn't it?
   A.  It could be ... 2009 was migration, so I don't for
       certain know without looking further at whether this was
       old or new.
   Q.  Would they be using the TIP repair tool with
       Legacy Horizon?
   A.  Yes, the TIP repair tool has been used -- it was
       basically moved across from legacy onto BRDB.  It
       fulfils the same function.  It sits inside the -- I'm
       sorry, I have forgotten the name of the database, but it
       sits inside -- yes, TPS.
   MR GREEN:  Okay.  Let's just take it --
   MR JUSTICE FRASER:  Do you want to continue with this one
       now to the end?
   MR GREEN:  My Lord, if I may.  I will try and take it
   MR JUSTICE FRASER:  Well, yes, but don't take it quickly as
       in speaking so quickly the witness can't really follow
   MR GREEN:  I'm grateful.
   MR JUSTICE FRASER:  I don't want you to feel under pressure
       of time at all on this, Mr Godeseth, so ...
   A.  Thank you, my Lord.
   MR GREEN:  If we look at 19 February 2009, 17.39.40, which
       is the line we were looking at, do you see the two sides
       of the problem relating to these transactions and we
       just read this text?
   A.  Yes.
   Q.  "The first is where all five SC transactions missing
       core data as described in the above-mentioned KEL."
   A.  Yes.
   Q.  And that appears to be the KEL reference at the top of
       the page, "KEL obengc3120K", yes?
   A.  Yes.
   Q.  And the second point is the absence of equal but
       opposite settlement lines.  So what you've got there in
       the data is not a zero sum basket, in the data.  There's
       half of it missing, isn't there?
   A.  That's what it appears to be saying, so to do it full
       justice I would want to spend more time looking at it
       but I  ...
   MR GREEN:  I understand.  Well, perhaps -- I don't know
       whether it would be --
   MR JUSTICE FRASER:  How many pages are there in this PEAK?
   MR GREEN:  There are only three, my Lord, but you do have to
       look at the KEL.  I wonder if it would be fair to the
       witness if he could be provided with a copy of this and
       a copy of the PEAK 0152014 and KEL 017510 overnight so
       he can consider those.
   MR JUSTICE FRASER:  Well, rather than just grandly say "Yes
       he shall be provided", let's work out who is going to
       provide it to him.
   MR GREEN:  He is not our witness, but we would be happy to
       do anything we can.
   MR JUSTICE FRASER:  You are cross-examining him.
   MR GREEN:  Of course.
   MR JUSTICE FRASER:  Just pause one second.
           Mr De Garr Robinson, it seems to me the witness
       ought to be allowed to see those documents.
   MR DE GARR ROBINSON:  Absolutely, my Lord.  This illustrates
       the difficulty, particularly with using Magnum for this
       kind of cross-examination.
   MR DE GARR ROBINSON:  I'm not complaining, but it would be
       helpful and, my Lord, it would also be helpful it seems
       to me if the witness is also given a copy of PC0175821.
   MR JUSTICE FRASER:  That's exactly what I was then about to
       suggest because they are linked and the same problem has
       arisen in that PEAK as well.
           Mr Green, is the quickest and easiest way for you --
       have you got unmarked copies?
   MR GREEN:  I don't, my Lord.  I have only got mine marked
   MR JUSTICE FRASER:  Have either of you got the facility to
       print those documents relatively promptly?
   MR GREEN:  We can go back to chambers and print them off.
   MR DE GARR ROBINSON:  My Lord, we might be able to print
       them off in a room we have just around --
   MR JUSTICE FRASER:  Perfect.  I'm going to leave it to your
       two joint good offices.
           Mr Godeseth, unlike the usual warning "don't talk to
       anyone about the case", you are allowed to talk to each
       of these two gentlemen who are going to give you the
       documents to look at.
   A.  Thank you, my Lord.
   MR JUSTICE FRASER:  I'm in no way limiting the time that you
       look at them, it is completely up to you, you're going
       to resume at 10.30 tomorrow, but just in terms of common
       sense I wouldn't sit and stare at them every minute
       between now and 10.30 tomorrow morning and that's not me
       being flippant, everyone reacts differently when they
       are presented with documents in the middle of their
       evidence and I don't really want you to come back in the
       morning having spent however many hours there are
       between now and then just staring at endless PEAKs.
   A.  Thank you, my Lord.
   MR JUSTICE FRASER:  But other than that, please don't talk
       to anyone about the case.
   A.  Understood.
   MR JUSTICE FRASER:  Does that deal with that issue?
   MR GREEN:  My Lord, yes.
   MR JUSTICE FRASER:  I don't think there is anything else?
       No.  So far as tomorrow is concerned ..?
   MR GREEN:  We are going to be finishing with Mr Godeseth in
       the morning and then we don't know the position in
       relation to Mr Membery and then we will finish with
       Mr Parker.
   MR JUSTICE FRASER:  I will leave you to discuss that between
       yourselves.  Just let me know in the morning.
   MR GREEN:  Most grateful.
   MR JUSTICE FRASER:  So there's no housekeeping or anything
       of that nature and I shall see everyone and you as well,
       Mr Godeseth, at 10.30 tomorrow.
   A.  Thank you very much.
   (4.33 pm)
        (The court adjourned until 10.30 am on Thursday,
                         21 March 2019)