Microgen - stock.adobe.com

Post Office scandal inquiry’s expert IT witness ‘troubled’ by his findings

Controversial Post Office Horizon system lacked the integrity required to trust accounting data and contained ‘joke’ coding akin to an ‘overly engineered mousetrap’, inquiry told

The Post Office IT scandal inquiry’s appointed expert IT witness was “troubled” by the lack of integrity of data from the Horizon system that was used to send people to prison.

During his investigations, Charles Cipione said he was also “disturbed” by some of the development team’s practices.

The Post Office Horizon scandal public inquiry has been told there were thousands of errors, with multiple causes, in the Horizon computer system at the centre of a major miscarriage of justice. Huge numbers of errors existed from the roll-out of the software, from ICL/Fujitsu, in thousands of Post Office branches, which began in 1999.

But despite being faced with claims from subpostmasters that the Horizon system was causing unexplained accounting shortfalls – first revealed by Computer Weekly in 2009 – the Post Office said this was not the case and told subpostmasters that they were the only ones having problems.

It was not until a High Court case, which ended two decades later in December 2019, that the Post Office admitted to the existence of errors. Fujitsu kept quiet throughout this period, while subpostmasters who were blamed for shortfalls had their lives ruined, with hundreds prosecuted and many sent to jail, and many more made bankrupt or forced to close their businesses.

One of the most important features of the Horizon system was sending accounting data to the Post Office from branches. Cipione, a managing director in the risk advisory practice at global consulting firm AlixPartners, said it was fundamental to the system that this data had integrity.

Cipione’s latest evidence, on 17 November, came a month after he appeared at the beginning of phase 2 of the public inquiry looking into the early days of the Horizon system, including its procurement, technical details and corporate knowledge.

ICL/Fujitsu and the Post Office had agreed to meet certain levels of roll-out of Horizon for payments to be made or accepted. Anything that might hinder this, such as software errors, were known as acceptance incidents (AIs).

One of these, AI376, which involved accounting integrity, was singled out by Cipione. He explained that providing data with integrity to the Post Office was one of Horizon’s main purposes. “This is why this one caught my eye,” he said.

“The Horizon system, while it is not the official accounting system for the Post Office, is the source of all information for the accounting of the Post Office.”

The inquiry heard that the Post Office and Fujitsu had agreed to go ahead with the roll-out before the AI376 error was fixed, with a reliance on processes and tools, but no new software, to deal with issues.

Asked by inquiry barrister Jason Beer why this stood out for him, Cipione said: “The integrity of the accounting data that is being sourced from the Horizon system is an extremely fundamental concept and probably the most important feature that the Horizon system should deliver. The fact that this is still an issue troubles me when I read about it. If that data doesn’t have integrity, the system is not performing its proper function.”

Cipione said that from the documents he had seen, he was not sure how the AI376 issue was closed. “I know it’s a big deal as I kept reading about it, but then it’s closed without commentary on whether it was fixed and perfect,” he said. “I did not derive anything from the material I read about what happened to allow that AI to be closed.”

He said AI376 should not have been closed until the team considered it perfect. “There is no perfect system, there are always opportunities for new errors to be brought into a computer system,” he said. “Perfect is not an achievable goal, but you should think it is perfect.”

More than 700 former subpostmasters were prosecuted by the Post Office for crimes such as theft and fraud, based on data from Horizon. Over 80 have so far had wrongful convictions overturned.

Earlier this week, former Fujitsu development manager David McDonnell described the team developing the electronic point-of-sale service (EPOSS) system as a “joke of the building” with unqualified staff engaged in poor software development practices. He was part of a taskforce set up to investigate problems with the Post Office EPOSS system and a co-author of a report it produced on the system’s development.

Cipione was asked about the EPOSS team and the highly critical report about them. He said he was “disturbed” by the practices of the team developing the EPOSS software, describing some of the code as appearing to be a “joke”.

He said: “It was disturbing to read that report.  If everything in here is as represented, it would indicate to me that, number one, there was no design at least for the EPOSS section of the Horizon system and, considering that is what a lot of the errors were that specifically led to the imbalance issues, that’s fait accompli. If you’re not going to design something properly, it’s not going to work properly.”

Cipione added: “So, first of all, there has to be a good design process. Second, that design process has to be aligned with a very well-known set of requirements from the sponsors.  Only when those two things are done can you start thinking about the construction and development of the software. Otherwise, it’s very difficult to make sure that the system does what your customers want it to do.” 

Cipione was shown an example of code written from the EPOSS system, which had been highlighted by the task force report. He said: “This is terrible code. It’s like an overly engineered mousetrap. This had to be a joke. I mean, this had to be a joke, because this is a ridiculous set of code.”

In his evidence, Cipione said 45% of errors were recognised by ICL as relating to the design or development of Horizon. This included development/code, development/low-level design, development/reference data. Other errors were caused by inadequate subpostmaster training on Horizon and hardware problems, including connection failures. 

Computer Weekly first reported on problems with the Horizon system in 2009, when it made public the stories of a group of subpostmasters (see timeline of articles below).

Read all Computer Weekly’s articles about the scandal since 2009

Read more on IT for retail and logistics