2007 sox 404 testing guidelines final


Page 1: 2007 SOX 404 Testing Guidelines FINAL

8/4/2019 2007 SOX 404 Testing Guidelines FINAL

http://slidepdf.com/reader/full/2007-sox-404-testing-guidelines-final 1/83

 

Corporate Audit Services

2007 SOX Testing Guidelines

Date – August 2007

Page 2: 2007 SOX 404 Testing Guidelines FINAL


All Rights Reserved © Alcatel-Lucent 20072 | CAS |2007 SOX Testing Guidelines |July 2007

2007 SOX Testing Guidelines - Index

Topic Page(s)

1. General Information 3

2. Testing Process 17

3. Appendices 67

Page 3: 2007 SOX 404 Testing Guidelines FINAL


1. General Information

Page 4: 2007 SOX 404 Testing Guidelines FINAL


2007 SOX Testing Guidelines – General Information

Topic Page(s)

1. General Information

1.1 Overview of section 404 of Sarbanes-Oxley Act and Update from 2006 5

1.2 What is “internal control over financial reporting”? 7

1.3 Responsibilities of Control Owners, SOX PMO and CAS 9

1.4. SOX PMO Goals and Objectives 10

1.5. SOX PMO Principles & Assumptions 11

1.6. SOX PMO Integrated Test Plan 13

1.7. SOX 404 Work Performed to Date 15

1.8. SOX 404 Next Steps 16

Page 5: 2007 SOX 404 Testing Guidelines FINAL


1.1. Overview of section 404 of Sarbanes-Oxley Act and Update from 2006

• The Sarbanes-Oxley Act (the Act) was introduced in July 2002 in response to several major corporate and accounting scandals within large prominent companies such as Enron, WorldCom, Global Crossing, Tyco, etc. The Securities and Exchange Commission (SEC) has explicit authority to establish rules for implementing the various sections of the Act and for enforcement of the Act and related rules.

• In June 2003, the SEC issued its rules relating to management’s responsibilities under Section 404. In June 2004, the SEC approved the adopted US Public Company Accounting Oversight Board (“PCAOB”) Auditing Standard No. 2 – An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (“AS2”).

• On May 23, 2007, the SEC approved interpretive guidance regarding management’s evaluation of internal control over financial reporting – AS5. The key elements affecting the company from a testing perspective are:

• Only controls that materially impact the financial statements require testing.

• The external auditors are not evaluating management’s evaluation process but are opining directly on internal controls over financial reporting.

Page 6: 2007 SOX 404 Testing Guidelines FINAL


1.1. Overview of section 404 of Sarbanes-Oxley Act and Update from 2006

(continued)

Under the SEC’s rules for Section 404 the management of Alcatel-Lucent is required to:

• Accept responsibility for the effectiveness of internal controls over financial reporting;

• Evaluate the effectiveness of internal controls over financial reporting using a recognized control framework;

• Support its evaluation of internal controls over financial reporting with sufficient evidence including documentation and testing of key controls;

• Provide a written conclusion on the effectiveness of internal controls over financial reporting at year-end.

Alcatel-Lucent must comply with the SEC’s rules pertaining to the Act as a condition of being a listed company in the US.

Page 7: 2007 SOX 404 Testing Guidelines FINAL


1.2. What is “internal control over financial reporting”? 

• The SEC rule defines the term “internal control over financial reporting” to mean the following:

• A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

• Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a major effect on the financial statements.

Page 8: 2007 SOX 404 Testing Guidelines FINAL


1.2. What is “internal control over financial reporting”? (continued)

• The SEC’s definition of internal control over financial reporting does not encompass the effectiveness and efficiency of a company’s operations nor a company’s compliance with applicable laws and regulations, with the exception of compliance with applicable laws and regulations directly related to the preparation of financial statements.

Page 9: 2007 SOX 404 Testing Guidelines FINAL


1.3. Responsibilities of Control Owners, SOX PMO and CAS

Control Owners

• Ensure controls are operating as documented;

• Communicate with SOX PMO the control readiness for testing;

• Assist CAS with testing procedures.

SOX PMO

• Document the process between Control Owners, SOX PMO and CAS;

• Maintain RVR and Protiviti (PGP) portals;

• Prepare and coordinate test plan with CAS, and inform CAS of test readiness;

• Report test results and project status to Senior Management and A&FC;

• Report test results to external auditors.

CAS

• Allocate resources available to test controls ready for testing (confirmation through SOX PMO);

• Test controls and record test results (in RVR and PGP);

• Report test results to SOX PMO and entity CFO/CEO.

Page 10: 2007 SOX 404 Testing Guidelines FINAL


1.4. SOX PMO Goals and Objectives

• To ensure a positive 404 certification for Alcatel-Lucent in 2007

• SOX Program provides rapid identification and visibility to deficiencies & remediation status

• Incorporate improvements introduced by AS5 & SEC Guidance

• Maximize Efficiency & Effectiveness

• Testing appropriate to risk

• Monitor progress of testing throughout program

• Minimize 2007 auditing costs – internal and external

• Maximize use of ALU Group Audit work by external auditors

• Minimize amount of “re-visits”; i.e. testing a subset of controls in one timeframe, a second wave at a separate time, etc.

• Be sensitive to the time constraints of the local business units

Page 11: 2007 SOX 404 Testing Guidelines FINAL


1.5. SOX PMO Principles & Assumptions

• Test scope determined by SOX PMO with input and support of local coordinators

• SOX PMO will maintain an Integrated Test Plan that is supported and updated by the various sources:

o Local SOX Coordinators

o Regional SOX PMO Leads

o Corporate Audit Services

o External Auditors

• Alcatel-Lucent Corporate Audit Services performs testing on behalf of Management.

• Testing of XMS expenses and corporate/centralized entity level controls will be performed by the SOX PMO organization

• External Auditors (E&Y and D&T) will also perform testing, typically and ideally 2 weeks after management completes its testing

• One round of testing with “roll-forward” testing of remediated controls (where necessary)

• Testing of non-key/secondary controls may be required to the extent they are a compensating control for a failed key/primary control

o Requires the approval/concurrence of the Local Coordinator and Regional SOX PMO Lead

o Any non-key control elevated to “in-scope” should then have its Control Significance amended to “Key”

Page 12: 2007 SOX 404 Testing Guidelines FINAL


1.5. SOX PMO Principles & Assumptions (continued)

• Once a control is set to “Operational Deficiency” or “Design Deficiency” on the basis of testing performed by the External Auditors, CAS or Management/SOX PMO Testing, it must retain this designation until a subsequent test results in a “Fully Operating” assessment. This is relevant for:

o Assessment Level in RVR and

o Control Operating Effectiveness in PGP

• In 2007 there will be no requirement to test within a 90-day window of the year-end.

Page 13: 2007 SOX 404 Testing Guidelines FINAL


1.6. SOX PMO Integrated Test Plan

• An Integrated Test Plan (ITP) will be maintained by the PMO to ensure coordination and efficient use of resources – both internal and external resources

• A centralized ITP is critical to managing costs and resources for the global program

• The centralized ITP will be organized by Local Unit and Process Parent or Sub-Process

Local Coordinators

• Key input to Regional SOX PMO Lead

• Should include all available dates to provide flexibility in building the regional/global plan.

• Documentation availability, 2006 remediation, control readiness, national holidays, etc. should factor into Date Availability.

• Preliminary, informal* discussions with Local Auditors (CAS & External).

• Communicates any issues to Regional SOX PMO Lead

Regional SOX PMO Leads

• Assesses available dates across all in-scope units and builds preliminary plan using the ITP template

• Works in conjunction with Local Coordinators and Regional CAS & External Auditors*

• Key input to SOX PMO ITP

• Communicates all subsequent changes to Test Schedule

Global SOX PMO

• Maintains centralized, Integrated Test Plan (ITP)

• Leads discussion with Global External Audit Partners in confirming scheduling

• Works with Corporate Group Audit staff to confirm Internal Audit dates

• Serves as escalation for scheduling issues

• Communicates relevant information and potential issues to Regional and Local personnel

* Scheduling should not be considered final until SOX PMO has confirmed with CAS and External Auditors

Page 14: 2007 SOX 404 Testing Guidelines FINAL


1.6. SOX PMO Integrated Test Plan (continued) 

Sample Template – for use by the SOX PMO (Not CAS)

Columns: Region | Local Unit | Process # | Sub Process # | Process Name | Sub Process Name | Regional PMO Lead | Local PMO Lead | GPO/PMO Test Ready Date | GAS Phase 1 Field Test Start Date | GAS Phase 1 Field Test Complete Date | GAS Test Status | EA Phase 1 Field Test Start Date | EA Phase 1 Test Complete Date | EA Test Status

Rows in the sample (the date and status columns are not populated in the sample):

APAC | ASB | 01 | 001.002 | Revenue Cycle | Ordering | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.002.001 | Revenue Cycle | Ordering Management | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.003.001 | Revenue Cycle | Project / Contract Monitoring | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.004 | Revenue Cycle | Material Management and Delivery | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.005 | Revenue Cycle | Revenue Recognition | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.006 | Revenue Cycle | Billing/Invoice (incl F-ALA rev. rec. and discounts) | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.008 | Revenue Cycle | Credit Mgmt, Collecting and Reserves | Jennie Tiderman | Peilu Cao

APAC | ASB | 01 | 001.013 | Revenue Cycle | F-ALA Access/SOD Revenue Cycle | Jennie Tiderman | Peilu Cao

APAC | ASB | 02 | | Purchasing Cycle | | Jennie Tiderman | Peilu Cao

APAC | ASB | 03 | | Human Resources Management | | Jennie Tiderman | Peilu Cao

APAC | ASB | 04 | | Inventory Cycle | | Jennie Tiderman | Peilu Cao

APAC | ASB | 05 | | CAPEX, Other Investments and Intangibles | | Jennie Tiderman | Peilu Cao

APAC | ASB | 06 | | Treasury Management | | Jennie Tiderman | Peilu Cao

APAC | ASB | 07 | | Tax Management | | Jennie Tiderman | Peilu Cao

APAC | ASB | 08 | | General Ledger & Financial Reporting | | Jennie Tiderman | Peilu Cao

APAC | ASB | 09 | | ITGC | | Jennie Tiderman | Peilu Cao

APAC | ASB | 10 | | Managing the entity | | Jennie Tiderman | Peilu Cao

APAC | ASB | 11 | | SOD & Restricted Access | | Jennie Tiderman | Peilu Cao

Page 15: 2007 SOX 404 Testing Guidelines FINAL


1.7. SOX 404 Work Performed to Date

• Entity scoping document prepared by SOX PMO;

• Process scoping document prepared by SOX PMO;

• Scoping documents reviewed with external auditors (Deloitte & Touche and Ernst & Young);

• Feedback received from external auditors and incorporated into scoping documents;

• Control rationalization in Paris for ex-Alcatel processes;

• Control rationalization in Murray Hill for ex-Lucent processes;

• Joint planning meetings between SOX PMO, D&T, E&Y and CAS;

• IS/IT control rationalization meetings;

• Control rationalization documents reviewed with external auditors;

• Feedback received from external auditors on control rationalization;

• New controls finalized including Entity Level;

• Meeting with D&T in Murray Hill to ensure maximum reliance can be placed on CAS work;

• Integrated test plans prepared for all regions;

• Testing/Reporting process between SOX PMO and CAS agreed.

Page 16: 2007 SOX 404 Testing Guidelines FINAL


1.8. SOX 404 Next Steps

• Protiviti (“PGP”) training – planned for July 24th;

• Testing of controls and reporting of test results.

Page 17: 2007 SOX 404 Testing Guidelines FINAL


2. Testing Process

Page 18: 2007 SOX 404 Testing Guidelines FINAL


2007 SOX Testing Guidelines – Testing Process

Topic Page(s)

2. Testing Process

2.1. Summary testing process 19

2.2. Process numbers and mapping 20

2.3. Test readiness 21

2.4. What do we test? 22

2.5. Nature of testing 27

2.6. Sample sizes 33

2.7. Documentation of tests 38

2.8. Deficiencies 50

2.9. Control Operating Effectiveness (COE) and Assessment Level 54

2.10. Action/Remediation plans 58

2.11. CAS deliverables 61

2.12. Self Assessment/Management Testing 63

2.13. Internal Control Questionnaire (ICQ) 65

2.14. Critical Spreadsheets 66

Page 19: 2007 SOX 404 Testing Guidelines FINAL


2.1. Summary Testing Process 

1. Readiness meeting 1 week in advance of testing – SOX PMO, Control owners and CAS – confirm controls to be tested and the status of controls

2. Perform testing – using SOX testing worksheet

3. Save work papers and other documentation in RVR/PGP as completed

4. Update RVR/PGP with test results

5. Agree deficiencies with control owner, and SOX PMO (when necessary)

6. Update RVR/PGP Assessment Level/Control Operating Effectiveness (COE)

7. Update control owners/SOX PMO with testing status (as necessary) during fieldwork

8. Closing meeting with control owners, entity CFO, SOX PMO on last day of fieldwork

9. Email SOX PMO verifying RVR/PGP has been updated and test results are available for reporting

10. Ensure time has been recorded in Auto Audit

11. Issue Audit Memo to SOX PMO and entity management (by process)

Page 20: 2007 SOX 404 Testing Guidelines FINAL


2.2. Process Numbers and Mappings 

The 2007 level 1 process numbers are:

Process Number Process Name

001 Revenue Cycle

002 Purchasing Cycle

003 Human Resources Management

004 Inventory Cycle

005 CAPEX, Other Investments & Intangibles

006 Treasury Management

007 Tax Management

008 General Ledger & Financial Reporting

009 IT General Controls

010 Managing the Entity

011 SOD & Restricted Access

012 Master Data

See also:

• appendix 9 for details of the sub-process numbers;

• appendix 10 for the 2006 to 2007 process mappings.

Page 21: 2007 SOX 404 Testing Guidelines FINAL


2.3. Test Readiness

The objective of the “Test Readiness” process is to provide assurance that locations/processes are “test ready” to ensure cost containment and maximum efficiency of the program.

The Test Readiness process consists of:

• An assertion prior to testing by the Local Coordinator and CFO that the following milestones have been met:

1. All 2006 deficiencies are remediated

2. RCM’s have been updated for changes in business/process, control rationalization, etc.

3. Documentation (examples, process flows, narratives, etc.) have been updated for changes to key controls/processes

4. Control Owners are informed of changes and have received relevant training

5. Control Owners, in general, are ready for testing

• Test Readiness Meetings, scheduled by Local SOX Coordinator or designee, are scheduled approximately one week prior to testing. Participants should include, at a minimum, CAS representative, Regional SOX PMO Coordinator, Regional & Local CFO delegate, SOX PMO delegate

• Once the Test Readiness Meeting is completed no further SOX tool changes should be made as CAS will begin downloading information to prepare for the audit

• At the readiness meetings a definitive control list will be provided to CAS by the SOX PMO (including process and control numbers at minimum)

Page 22: 2007 SOX 404 Testing Guidelines FINAL


2.4. What do we test?

• CAS is responsible for testing all “Key” controls (formerly identified as “Primary” in f-LU) in RVR and PGP with the narrative “to be tested”, with the exception of those controls which will be tested by self assessment or by management testing. The processes CAS will not be testing are XMS expenses and corporate/centralized entity level controls.

• Controls classified as “Not Designed” or “Not Documented” in RVR are considered as not in place (currently in the action plan) and will not be tested by CAS. Tests will be performed at a later date during the testing of remediated controls. It is the responsibility of the SOX PMO to inform CAS when these controls are ready for testing with the necessary sample size available.

• For former Alcatel entities where SAP is used, controls related to segregation of duties and access will be documented and tested with an extraction tool (“CheckAud”). This tool will provide reporting on who can perform critical transactions or combinations of critical transactions. The entity (under the responsibility of each CFO) should interpret whether or not the granted access is acceptable and/or if appropriate compensating controls exist. In this case, testers will verify on a sample basis that they can rely on the review performed by management. Testers need to have a minimum training on SAP – ST codes and a good knowledge of the process itself to perform their review. When testers note that the CheckAud report has not yet been run and/or analyzed by operational management, this should be reported as a control deficiency. We should also explain to the auditors how they can verify if CheckAud reports have been analyzed.
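The CheckAud report described above lists who can execute critical transactions or combinations of them, and the guideline asks the tester to rely on management's analysis of that report only where it exists. As an added illustration (not part of the guidelines and not CheckAud's own output), the Python below runs a constructed segregation-of-duties ruleset over a constructed user-to-transaction extract and then classifies each conflict against a constructed record of management's review, reporting an unanalyzed conflict as a deficiency the way the text requires. The user names, rule names and SAP transaction codes are assumptions made for the example.

```python
"""Segregation-of-duties (SOD) conflict check over an access extract.

Added example: the data, rule names and transaction codes below are
constructed for illustration and are not taken from CheckAud or from
the guidelines. The SAP transaction codes are assumed to be the usual
ones for the activities named, but treat them as placeholders.
"""
from typing import Dict, List, Set, Tuple

# Constructed SOD ruleset: each rule names two groups of transactions that
# should not both be executable by the same user.
SOD_RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("Maintain vendor master + run payments", {"XK01", "XK02"}, {"F110"}),
    ("Post vendor invoice + run payments", {"FB60", "MIRO"}, {"F110"}),
    ("Create purchase order + post goods receipt", {"ME21N"}, {"MIGO"}),
]

# Constructed access extract: user -> transactions the user can execute
# (the kind of per-user listing a CheckAud-style report provides).
ACCESS_EXTRACT: Dict[str, Set[str]] = {
    "jdoe": {"ME21N", "ME23N"},
    "asmith": {"XK01", "F110", "FB03"},
    "bwong": {"FB60", "MIRO", "F110", "MIGO", "ME21N"},
    "cgarcia": {"FB03"},
}

# Constructed record of management's analysis of the report: user ->
# decision and, where access is retained, the compensating control relied on.
MANAGEMENT_REVIEW: Dict[str, Dict[str, str]] = {
    "asmith": {
        "decision": "accepted",
        "compensating_control": "CFO delegate reviews every payment run proposal list",
    },
    # bwong is intentionally absent: the report has not been analyzed for this user.
}


def find_sod_conflicts(access: Dict[str, Set[str]],
                       rules: List[Tuple[str, Set[str], Set[str]]]) -> Dict[str, List[str]]:
    """Return {user: [rule names]} for each user who can execute a transaction
    on both sides of a rule. Users without any conflict are omitted."""
    conflicts: Dict[str, List[str]] = {}
    for user, tcodes in sorted(access.items()):
        hits = [name for name, side_a, side_b in rules
                if tcodes & side_a and tcodes & side_b]
        if hits:
            conflicts[user] = hits
    return conflicts


def assess_management_review(conflicts: Dict[str, List[str]],
                             review: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each conflict the way the guideline asks the tester to:
    a conflict management has not analyzed is a control deficiency, and
    retained access is acceptable only with a documented compensating control."""
    findings: List[Tuple[str, str, str]] = []
    for user, rule_names in conflicts.items():
        entry = review.get(user)
        if entry is None:
            findings.append((user, "DEFICIENCY",
                             "conflict not analyzed by management: " + "; ".join(rule_names)))
        elif entry.get("decision") == "accepted" and entry.get("compensating_control"):
            findings.append((user, "ACCEPTED", entry["compensating_control"]))
        elif entry.get("decision") == "accepted":
            findings.append((user, "DEFICIENCY",
                             "access accepted without a documented compensating control"))
        else:
            findings.append((user, "REMEDIATION", entry.get("decision", "unspecified")))
    return findings


if __name__ == "__main__":
    found = find_sod_conflicts(ACCESS_EXTRACT, SOD_RULES)
    for user, status, detail in assess_management_review(found, MANAGEMENT_REVIEW):
        print(f"{user:8} {status:12} {detail}")
```

With the constructed data, asmith's vendor-master/payment-run conflict is reported as accepted with its compensating control, and bwong's two conflicts are reported as a deficiency because no management analysis exists for that user; jdoe and cgarcia hold only one side of each rule and produce no finding.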

Page 23: 2007 SOX 404 Testing Guidelines FINAL


2.4. What do we test? (continued)

• For former Lucent entities, controls related to segregation of duties and access will be documented and tested in process 11.001 and will be centrally tested.

• Automated/Configured controls will be tested as part of the business process, based on the following approach:

• If CAS can verify that the automated control remains unchanged from the previous year by comparing what is documented in FY2006 to what we observe as the process in FY2007, there is no need to reperform the documentation of the screenshots/test the control. The test documentation should reference the work performed verifying that the control is unchanged, plus the previous year’s test documentation should be attached as evidence of the control operating effectively. If the test was previously performed in a test environment and not in production, evidence is required that the test environment in which the test was performed is an exact replica of the production environment.

• If CAS is unable to verify that the automated control remains unchanged from the previous year, normal testing procedures should be performed.

Specific to entities using RVR – Note:

• For all entities in Section 404 scope, SOX coordinators have already performed the following review:

• a) Documents attached in RVR show sufficient evidence of the control performed.

• b) All controls with a “NA” status are correctly justified.

Page 24: 2007 SOX 404 Testing Guidelines FINAL


2.4. What do we test? – Flowcharts/Narratives

• Testers will have to verify the reasonableness of the flowcharts/narratives prepared by local management. A flowchart/narrative is reasonable when it gives a sufficient level of detail on the processing of transactions within the system. The purpose of documenting processes (flowcharting/narrative) is to provide a general overview of the current activities. It is not required to perform walkthroughs to assess the reasonableness of flowcharts/narratives, but walkthroughs are required to ensure the tester understands the process, and whether the risk is mitigated by the control. The walkthrough also identifies changes to the process which may have an impact on the documented control(s). If during a walkthrough documentation errors are noted but there is no impact on the control(s) being tested, local management should be informed but no deficiency noted.

• In 2007 with the merger, internal auditors should pay special attention to the reliability of flowcharts/narratives. Many processes should be updated / modified to reflect the reality, the changes in the systems, etc.

Page 25: 2007 SOX 404 Testing Guidelines FINAL


2.4. What do we test?

The testers will have to assess the design effectiveness and the operational effectiveness:

Design effectiveness:

• Testers will have to evaluate the description of each control in place and respect the following process:

• Does the control identified, if operating effectively, fully mitigate the related risk? If so, control design can be considered “effective”, and the control will require testing.

• If not, consider additional controls identified that should be linked to the risk.

• If gaps remain after all controls have been identified, the control design for that risk is “ineffective” and should be evaluated accordingly. This will require an action plan from the SOX PMO and control owner. Testing will not be performed on ineffectively designed controls.

When concluding, a lack of documented evidence of a control would constitute an ineffectively designed control. Testers must ascertain that controls documented are relevant for all significant Business Divisions in the entity.

• This evaluation must be linked with the Financial Statement Assertions, detailed in Appendix 2

Page 26: 2007 SOX 404 Testing Guidelines FINAL


2.4. What do we test? (continued)

Operational effectiveness: The testers will have to answer the following questions:

• Does the control operate as intended? Did we find exceptions during the testing?

• Does the person performing the control possess the necessary authority according to the local DOA (delegation of authority) to perform the control effectively?

• Does the control operate for all significant Business Divisions in the entity?

Page 27: 2007 SOX 404 Testing Guidelines FINAL


2.5. Nature of Testing 

RVR

Detailed testing guidelines will be available in RVR for each control activity, although where the control wording has changed the test procedures may need to be changed accordingly.

PGP

The SOX PMO uploaded all test procedures and audit work papers from RVR into PGP for the former Alcatel controls.

The SOX PMO and CAS performed an upload of the former Lucent high level test procedures previously documented on the “Test of Control” (TOC) spreadsheet into PGP. The upload is expected to populate the majority of high level test procedures, but for those not populated, the previous year’s TOC should be used to obtain the high level test procedures. All the test procedures should be reviewed to ensure they are relevant for the control being tested.

Former Lucent Sample Attribute Worksheets (SAWs) have not been uploaded into the portal and will need to be obtained from the CAS server.

Page 28: 2007 SOX 404 Testing Guidelines FINAL


2.5. Nature of Testing

Observation

• Watch an individual perform the control activity or observe group activities such as status meetings, disclosure meetings, etc.

• More reliable than inquiry

• Document who, when, what was observed and the outcome

Inspection/Examination

• Review of evidence, in either electronic or paper form, that a control activity is performed.

• The level of assurance obtained from such evidence depends on the nature of the control activity and the control objective.

• Provide detail to be able to duplicate test process and verify result

Re-performance

• Re-perform the control activity to determine its operating effectiveness

• Perform reconciliation using independent data sources

• Perform independent calculations that mimic the system

• Enter hypothetical transactions to test an IT system and compare expected results to actual results

• Documentation should be in sufficient detail to execute the reperformance

Inquiry

• Seek information of knowledgeable persons. Evaluating responses to inquiries is an integral part of the inquiry process.

• Ascertain whether a control is in place by asking oral or written questions

• Weakest type of test

• Must be followed by another test; inquiry alone is not enough

• Should inquire of more than one person (i.e., corroborate)

• Documentation considerations - who, when, where, how

(The slide labels the vertical axis of this table “Level of comfort”.)

Page 29: 2007 SOX 404 Testing Guidelines FINAL


2.5. Nature of Testing

Reperformance: 

The tester will reperform the application of the control activity to check that the result obtained is the same.

• Explanation - The repetition of a control performed by an employee or a computer or a system; is often the only way to test an automated control

• Documentation requirements - Details of what was done, what items tested. Sufficient to reproduce test.

• Example - For checking the valuation of goodwill, the tester might calculate the goodwill himself and compare the result obtained with management’s evaluation

• Notes - Sample size can be low when combined with examination testing

Page 30: 2007 SOX 404 Testing Guidelines FINAL


2.5. Nature of Testing

Examination:

The tester will inspect relevant documentation such as sales orders, invoices, … to evidence the effectiveness of the control activity.

• Explanation - The inspection of records, documents, reconciliations and reports for evidence that the control has been properly applied

• Documentation requirements - Who, when, what? Retain enough details of the test so that it can be duplicated (e.g. order number); also note what evidence was reviewed to verify the control was working as indicated (e.g. noted form was signed by authorized person)

• Example - if the control is “the credit manager reviews and approves all sales orders exceeding a determined amount”, the tester might select a sample of orders exceeding the limit and examine the evidence of control: “based on a sample size, we noted that the CPM has completed all proper fields to show evidence of his/her review. His/her approval is supported by a signature.”

• Notes - Easiest way of obtaining evidence of the existence of assets such as cash and inventory.


2.5. Nature of Testing

Observation:

The tester will have to observe the control in operation to verify the control is operating as intended.

• Explanation - Direct viewing of the control being performed

• Documentation requirements - Who, and what was observed, when it was observed, and the outcome.

• Example
  o Automated: observe that a field edit check works when invalid data is entered.
  o Manual: observe the person receiving goods to test the operating effectiveness of inventory management

• Notes - More reliable than inquiry. Can be sufficient for some automated controls. Probably not sufficient for key manual controls alone.


2.5. Nature of Testing

Inquiry:

The tester will have to perform interviews of appropriate employees to assess the validity of the control activity. Please note that inquiry does not provide sufficient evidence of the operating effectiveness of a control. The tester should perform a mix of techniques when assessing controls to achieve audit comfort.

• Explanation - Ascertain whether a control is in place by asking specific oral and written questions

• Documentation requirements - Who responded and when?

• Example - Interview the CFO to understand the controls surrounding a particular process.

• Notes - Weakest type of test, should be followed by another test - at least observation if feasible.


2.6. Sample Sizes

Testing sample size is determined by how often the primary controls are performed. Sample size guidelines provided by Alcatel-Lucent management for manual controls are as follows:

Frequency of Performance | 2007 Sampling Guidelines                                            | Sample Expansion (for single exception)
Annual                   | 1                                                                   | N/A: Classify as deficiency
Semi-Annual              | 1                                                                   | N/A: Classify as deficiency
Quarterly                | 2                                                                   | N/A: Classify as deficiency
Monthly                  | 2                                                                   | N/A: Classify as deficiency
Weekly                   | 5                                                                   | N/A: Classify as deficiency
Daily                    | 25                                                                  | 25
Multiple Times per Day   | 25                                                                  | 25
Ad-hoc/As-Needed         | 10% of annual number of controls with an upper limit of 25 items*   |

New controls in place over 90 days use the above sample guidance.

Automated controls will utilize one sample – one positive and one negative test – see slide 23.

Depending on the External Auditors' risk assessment of a process, they will in some cases pull a separate sample to that used by CAS, whereas in other cases they will use the sample pulled by CAS to perform their testing (or a combination of the two).


2.6. Sample Sizes

• For example, a control that occurs multiple times a day should be tested on the basis of a sample of 25 operations over a sufficient period of time to obtain assurance that the control operates effectively. For controls that operate less frequently, such as monthly account reconciliations, the auditor should test the control on the basis of a sample of 2 operations.

• (*): For controls performed ad-hoc, the frequency of tests required is 10% of the annual number of controls performed, with an upper limit in sample size of 25 items to test. For example, an ad-hoc control performed 120 times per year would be tested with a sample size of 12. If it is not possible to evaluate the number of controls performed per year, a sample size of 25 tests should be used. If an exception is noted, an additional sample of maximum 25 items should be selected (take an additional sample based on 10% of the annual number of controls performed, with a cap at 25).

• If a control has been implemented too recently, its occurrences may not be sufficient to draw the needed and extended sample. In this case, testing will be performed later in the year. Example: for a quarterly control implemented in Q4, testers should conclude that due to the late implementation of the control, they couldn’t obtain evidence of its operating effectiveness (to be specifically written in the open text field under “evaluation history”).

• To ensure an unbiased sample is tested, a random number generator should be used. This is not compulsory (although it is best practice), and for controls already tested there is no requirement to go back and re-test a new sample (see appendix 12).


2.6. Sample Sizes - Dealing with exceptions

• When we find an exception in our testing of manual or automated controls, we should examine and understand the cause of the exception.

• In the case of automated controls, the issues will be directly classified as deficiencies. No sample extension will take place.

• In the case of manual controls operating monthly or less frequently than monthly, exceptions should be treated as deficiencies, because the frequency of the operations is too low to allow for a conclusion.

• In the case of one exception in the operation of a manual control that operates weekly or more frequently, it may not be a deficiency. To conclude that such an exception is not a deficiency, we should conduct additional testing. “A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what the tester had initially planned and beyond inquiry supports that conclusion” (PCAOB48). The option to conduct additional testing is only available for manual controls operating weekly or more frequently when:

• Only one exception is observed in the initial sample;

• The exception is determined not to be an indicator of systematic and recurring exceptions with respect to the control;


2.6. Sample Sizes - Dealing with exceptions (continued)

• If we determine that it is appropriate to perform additional testing, we should select an additional sample (see the table above). If no further exceptions are noted in the second sample, we may conclude that the single exception from the two samples is acceptable (i.e., the exception rate is negligible) and that the control is operating effectively and no deficiency exists. If one or more additional exceptions are noted in the second sample, we should conclude that a deficiency exists, because the exception rate in the two samples is more than negligible.

• Where feasible the additional sample should be tested whilst on site, but if the deficiency is identified during the last day of testing and there is not sufficient time to obtain the additional sample documentation and perform the testing, the control should be identified as a “Preliminary Deficiency” and the control owner given 2 days to provide the documentation required for testing. If the documentation is provided and the sample is tested with no deficiencies, the control status should be changed to “Fully Operational”, but if the documentation is not provided or there is a deficiency, then the control status should be changed to the appropriate deficiency. The SOX PMO and the control owner should be informed of the change in status.

• Note: An exception found by and corrected by management is not an exception. This clearly means that the control system is working efficiently (review of approvals of POs for instance).
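As an added worked example (not part of the CAS guidelines), the following Python encodes the section 2.6 sample-size table, the ad-hoc 10%/25-item rule, unbiased sample selection with a seeded random number generator, and the single-exception decision rules described above. The invoice population is constructed, and rounding an ad-hoc sample size up to a whole item is an assumption.

```python
"""Sample-size and exception-handling rules from section 2.6 (added example, not
part of the CAS guidelines). Invoice numbers and counts below are constructed."""
import random

# 2007 sampling guidelines for manual controls, by frequency of performance.
INITIAL_SAMPLE = {
    "annual": 1, "semi-annual": 1, "quarterly": 2, "monthly": 2,
    "weekly": 5, "daily": 25, "multiple times per day": 25,
}
# Sample expansion allowed for a single exception. Frequencies absent here are
# "N/A: Classify as deficiency". The table lists Weekly as N/A although the
# narrative allows expansion for weekly controls; the table is followed here.
EXPANSION_SAMPLE = {"daily": 25, "multiple times per day": 25}
AD_HOC = ("ad-hoc", "as-needed", "ad-hoc/as-needed")
AD_HOC_CAP = 25


def ad_hoc_sample_size(annual_count=None):
    """10% of the annual number of operations, capped at 25 items; 25 when the
    annual number cannot be evaluated. Rounding up to a whole item is an
    assumption (the guidelines only give the 120 -> 12 example)."""
    if annual_count is None:
        return AD_HOC_CAP
    return min(AD_HOC_CAP, max(1, (annual_count + 9) // 10))


def initial_sample_size(frequency, annual_count=None):
    """Initial sample size for a manual control from the 2.6 table."""
    freq = frequency.lower()
    if freq in AD_HOC:
        return ad_hoc_sample_size(annual_count)
    return INITIAL_SAMPLE[freq]


def expansion_sample_size(frequency, annual_count=None):
    """Size of the additional sample after one exception, or None when the
    exception must be classified as a deficiency directly."""
    freq = frequency.lower()
    if freq in AD_HOC:
        return ad_hoc_sample_size(annual_count)  # second sample: 10%, cap 25
    return EXPANSION_SAMPLE.get(freq)


def select_sample(population, size, seed):
    """Unbiased selection with a seeded random number generator. Recording the
    seed and the ordered population lets the external auditor re-perform the draw."""
    items = list(population)
    if size >= len(items):
        return items
    return random.Random(seed).sample(items, size)


def evaluate_control(frequency, exceptions, control_type="manual",
                     management_corrected=0, systematic=False,
                     expansion_exceptions=None, annual_count=None):
    """Apply the 'Dealing with exceptions' rules. Returns (conclusion,
    additional_sample), where additional_sample is the expansion size still
    to be tested, or None."""
    # An exception found and corrected by management is not an exception.
    exceptions -= management_corrected
    if exceptions <= 0:
        return "Fully Operational", None
    # Automated controls: issues are classified directly as deficiencies.
    if control_type == "automated":
        return "Deficiency", None
    # Expansion only for one non-systematic exception at a frequency that allows it.
    expansion = expansion_sample_size(frequency, annual_count)
    if expansion is None or exceptions > 1 or systematic:
        return "Deficiency", None
    if expansion_exceptions is None:
        # Second sample not yet tested; if it cannot be done on site, the control
        # is recorded as "Preliminary Deficiency" and the owner has 2 days.
        return "Additional testing required", expansion
    if expansion_exceptions == 0:
        return "Fully Operational", None  # one exception in two samples is negligible
    return "Deficiency", None


if __name__ == "__main__":
    # Constructed population of daily invoice approvals for one control.
    invoices = [f"A2007010{n:05d}" for n in range(1, 301)]
    size = initial_sample_size("Daily")
    print("initial sample:", select_sample(invoices, size, seed=20070801))
    print(evaluate_control("Daily", exceptions=1))
    print(evaluate_control("Daily", exceptions=1, expansion_exceptions=0))
    print(evaluate_control("Monthly", exceptions=1))
```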

2.6. Sample Sizes - Minimum Operating Periods and Test Samples for Remediated Controls

Frequency of Performance | Minimum Time Period/Number of Times of Operation for Remediated Control as of the End of Fiscal Year | Minimum Number of Items to Be Tested for Remediated Controls
Annual & Semi-Annual     | N/A          | N/A
Quarterly                | 2 quarters*  | 2
Monthly                  | 2 months     | 2
Weekly                   | 5 weeks      | 2
Daily                    | 20 days      | 10
Multiple Times per Day   | 25**         | 25**
Ad-hoc/As-Needed         | Assessed on a case by case basis using a risk based approach to determine the appropriate sample sizes

* Includes 4th quarter as one of the quarters

** Must operate at least 25 times over a minimum 15 day period

This guidance only applies if the remediated control will operate over a period of less than 90 days until the year end date. For controls that will operate over a period of 90 days or more (i.e. put into operation before October 1), you should continue using the regular sample size guidance – see slide 33.

Note - The population/sample used to test a remediated control has to be subsequent to the date on which the control was remediated.


2.7. Documentation of tests

Former Alcatel and former Lucent had very different approaches regarding the retention of test documentation.

• Former Alcatel test documentation was retained in RVR

• Former Lucent test documentation was retained on an IA server

For 2007:

• Europe - all non IT control testing will be recorded in RVR, with the exception of Centralized/Corporate Entity Level Controls (these will be recorded in PGP and will be tested by the SOX PMO)

• APAC – all non IT control testing will be recorded in RVR

• NAR and CASA – all non IT control testing will be recorded in PGP

• IT control testing in all regions will be recorded in either RVR or PGP depending on the location of the control and where the control is recorded (RVR or PGP)

The new AS5 rules pertaining to Section 404 do not require Alcatel-Lucent’s external auditors to evaluate the CAS testing, although the external auditors will be relying on the work performed by CAS to reduce their testing. The reliance they will be placing on the work of CAS will be dependent on the process, with less reliance on higher risk “category 1” areas such as revenue, IT, and financial controls.


2.7. Documentation of tests (continued)

The current testing strategy of the External Auditors is:

• Category 1 processes - perform 70% independent testing and 30% reperformance testing

• Category 2 processes – perform at least 30%* independent testing, and at the most 70%** reperformance testing.

* This percentage may be higher based on local risks identified

** All control activities not addressed by independent testing will be tested by reperformance. All control activities will be tested by the external auditor.

It is therefore important that the documentation of the tests performed is of the highest quality.

In addition, it is important to clarify with the local external auditors their requirements for our work papers to do reperformance. A meeting with the local external auditors should take place in advance of testing to clarify their requirements, specifically the retention of documentation allowing them to reperform our work, and whether they require copies or original documentation.


2.7. Documentation of the tests (continued)

• All testing will be recorded using the CAS SOX Testing Worksheet – see appendix 11 for a soft copy of the document

• All SOX Testing Worksheets are to be retained in RVR or PGP.


2.7. Documentation of the tests (continued)

• It is critical in the SOX testing process to evidence the testing work performed. The documentation must ensure the “Reperformance” can be performed by the external auditors. They should be able to realize the same test, with the same document(s), and come to the same conclusion.

• For 2006 it was agreed with the f-Alcatel external auditors that neither paper files nor scanned documents would be retained, but the documentation would take place on an Excel spreadsheet on which the references of the tested items would be reported – see below:

• This document reported all the references (e.g. an invoice number) of the documents tested and the items of the data that were reviewed (for example “approval”, “shipping address”…). In 2007 this information should be recorded as part of the CAS SOX Testing Worksheet.

• For 2007 the external auditors informed the SOX PMO that if CAS testing documentation included copies of audit evidence, either electronically in the portals or hard copy files, this would be one way to reduce their fees. CAS should therefore (where feasible) retain electronic or hard copies of supporting documentation. If the documentation is too voluminous, only specific pages relevant to the testing should be retained, and the control owner asked to keep the additional documentation to one side in preparation for the external auditors' reperformance testing.

• Detailed supporting documentation should be retained for all deficiencies

reference of the control: 01.10.C040

invoice #      | sort # | approval   | delivery date | shipping address | billing dates | price | quantity | payment terms | delivery terms | acceptance terms | PO #
A200401000001  | 1      | X          | X             | X                | X             | X     | X        | X             | X              | X                | X
A200401002379  | 2      | X          | X             | X                | X             | X     | X        | X             | X              | X                | X
A200401053434  | 3      | DEFICIENCY | X             | X                | X             | X     | X        | X             | X              | X                | X
A200403002379  | 4      | X          | X             | X                | X             | X     | X        | X             | X              | X                | X
A200401078801  | 5      | X          | X             | X                | X             | X     | X        | X             | X              | X                | X
etc …          | etc …  | etc …      | etc …


2.7. Documentation of tests - RVR 

• a) From the home page, click on the icon below: 

• b) Click on the icon “GO” to select the process you have to test. 

Controls documentation and testing

16 evaluation(s) to be completed

Evaluation                                      | Entity | Period | Status      | % Completed | Print | Owner
01 Revenue management                           | CIT    | 2004   | In Progress | 39%         |       | Arnaudo Laurent
02 Purchasing management - 01 Order processing  | CIT    | 2004   | In Progress | 100%        |       | Arnaudo Laurent


2.7. Documentation of tests – RVR (continued)

• c) Then click on the “control testing” icon to access the fields dedicated to testing documentation.

• The following information will be necessary:


2.7. Documentation of tests – RVR (continued)

• Test description:

Detailed testing plans will be available for all former Alcatel controls in RVR, although testers need to ensure that the test plan is still relevant and that the control procedures have not changed since 2006. The following information should also be reported in this field:

• Type of testing (for example “reperformance” or “examination”).

• Source of data (for example journal of entries)

• Sample size

• Who performed it? Indicate in this field the name of the tester.

• When was it performed? Indicate the date at which the test was completed.


2.7. Documentation of tests – RVR (continued)

• Comments on testing:

This field is for detailed comments on testing. It will be used to comment on results, especially in case of controls declared as “not passed”.

• Conclusion:

• Choose the appropriate conclusion for the test (passed / not passed). Passed means the test was a success.

• Documentation: Use the Browse functionality to attach the work papers and other documentation.

(See Appendix 7 for a more detailed RVR presentation)

2.7. Documentation of tests - RVR Test Result Example


SOX PMO are working with the RVR company to determine the best methodology to update & distinguish External Auditor results in RVR.


2.7. Documentation of tests – PGP

• (See Appendix 6 for PGP presentation)

2.7. Documentation of tests - PGP Test Result Example


Finding is only considered final once the GAS manager has approved, at which time he sets Status to Complete and checks the Completed box.

Only at this time will COE be updated by GAS (COE in separate area under the generic control).

Screenshot callouts:

1, 2, 3 - First entered by local tester

4 - First entered as Finding Status – Pending GAS Mgmt Approval; then “flipped” to Finding Status – Complete by GAS manager

5, 6 - Updated by GAS manager


2.7. Documentation of Tests – Comparison of RVR and PGP

Both Corporate Audit Services and External Auditor results will be entered into PGP or RVR

Corporate Audit Services will be responsible for updating testing results for their testing

RVR Field                                  | Protiviti (PGP) Field                         | 2007 Recommendation          | Notes
Step #                                     | Test Name                                     | As is - no issue             |
Test Description & Comments on Conclusion  | Test Description                              | Narrative/Free Form          |
                                           | Test Results                                  | Narrative/Free Form          |
Who Performed It?                          | Tester                                        | As is - no issue             | PGP is a validated PGP user
When Was it Performed?                     | 1) Period Test Started, 2) Period Test Ended  | As is - no issue             |
Documentation                              | Attachments                                   | As is - no issue             |
Conclusion                                 | Test Result Summary                           | TBD                          | 2006 RVR utilized Passed/Failed, PGP had multiple selections such as "Control Not Performed"
                                           | Test Type                                     |                              | GAS, EY, DT, Mgmt
                                           | Status                                        |                              | Not Started / Pending GAS Mgmt Review / Complete
                                           | Completed (Checkmark)                         | As is - no issue             |
Assessment Level                           | Control Operating Effectiveness               | Please see following charts  |
                                           | Test Area                                     |                              |
                                           | Control (generic) Area                        |                              |


2.8. Deficiencies (continued)

• When a deficiency has been identified and agreed with the control owner and the SOX PMO, the control owner and the SOX PMO will identify any applicable Compensating Controls, present them for approval to the entity’s CFO (respectively CIO for IT general controls), and if agreed, record them in the action plan in RVR/PGP.

• All compensating controls will be recorded in RVR/PGP:

• Non Key controls will be upgraded to Key

• New controls will need to be documented by management

• Compensating controls will be tested by CAS whilst in the field if time permits, or by management.

• It is recommended to limit as much as possible the creation of new compensating controls and improve the operating effectiveness of existing controls in RVR/PGP.

• The existence of one or more compensating controls does not eliminate the deficiency. The effect of compensating controls is to be taken into account when assessing the severity of a misstatement occurring and not being prevented or detected. That is, compensating controls are relevant only in the determination of whether a deficiency is a moderate deficiency or a major deficiency – this determination is the responsibility of the SOX PMO and NOT CAS.


2.8. Deficiencies - How do we qualify as a deficiency 

• A minor deficiency is a deficiency which is not classified as moderate or major.

• A moderate deficiency is a control deficiency that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles. A moderate deficiency could be a single deficiency, or a combination of deficiencies, that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential in amount will not be prevented or detected.

• A major deficiency is a major deficiency or a combination of major deficiencies, that results in a more than remote likelihood that a major misstatement of the annual or interim financial statements will not be prevented or detected.

Classification of Deficiency | Likelihood of Misstatement                          | Potential Magnitude of Misstatement
Minor Deficiency             | either remote (less than a 5% to 10% chance) or =>  | Inconsequential (less than M€ 5)
Moderate Deficiency          | More than remote (more than a 5% to 10% chance)     | More than inconsequential (from M€ 5 to M€ 40)
Major Deficiency             | More than remote (more than a 5% to 10% chance)     | High (greater than M€ 40)

SOX PMO to provide new thresholds when available.


2.8. Deficiencies - How do we qualify as a deficiency (continued)

• Assess Likelihood and Magnitude (= severity)

• Testers must evaluate control deficiencies and determine whether the deficiencies, individually or in combination, are moderate deficiencies or major deficiencies. The evaluation of the significance of a deficiency should include both quantitative (refer to the above table) and qualitative factors. Qualitative factors are items related to integrity, ethical values, fraud, authority, responsibility, competency of employees, staffing, etc.

• Testers should evaluate the significance of a deficiency in internal control over financial reporting initially by determining the following: the likelihood that a deficiency, or a combination of deficiencies, could result in a misstatement of an account balance or disclosure; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies.

• The assessment of likelihood should be based on past years’ occurrences. Did we notice such deficiencies in the past? How often did they occur?

• The qualification of deficiencies will be reported in an audit memo (see § 2.7) and not in RVR. It represents internal audit professional judgment. This qualification of deficiencies will be presented and discussed with the SOX project leader and related accountable operational management before the closing meeting with the CFO (respectively CIO for IT general controls).

• Note: Qualification of control deficiencies is performed when a control has been tested. Testers will not assess the severity of not designed / not documented controls for which an action plan is ongoing.


2.9. Control Operating Effectiveness (COE) and Assessment Level 

Corporate Audit Services is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on CAS-based test outcomes.

Both RVR and PGP will utilize standardized selections – see Control Operating Effectiveness and Assessment Level - Selections 2007, slide 57.

Based on the test results the auditor has to determine the result for the control being tested. If one of the test steps fails / is recorded as “not passed”, the auditor has to determine if the test step has a significant impact on the financial statements. If it is determined that this is not the case, the control can (in some instances) still be deemed as “fully operating”. For instances where this occurs, the auditor should include in their work papers the basis of reporting the control “fully operating” and ensure that the testing lead/manager is in agreement with the conclusion reached. Where it is determined that there is a significant impact on the financial statements, the control should be assessed as “not operating”.

In RVR, it is compulsory to update the evaluation history to keep track of the outstanding work to be performed. To update this data, the tester will have to select the “evaluation history” icon and select the adequate status. The other fields on the screen do not need to be completed by testers.

For details of entering COE in PGP see the PGP training slides in appendix 6.


2.9. Control Operating Effectiveness (COE) and Assessment Level (continued)

When testers note that the control is not well designed rather than not operating, they should use the “design deficiency” option rather than “operational deficiency”.

SOX PMO is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on External Auditor based test outcomes (only deficiencies will be entered).

The most recent test result “rules”, for example:

If CAS tests resulted in a “Fully Operating” assessment and an External Auditor subsequently deemed the control to have an “Operational Deficiency”, the “Operational Deficiency” would override the CAS result.

Former Alcatel units also utilized “Control Steps” in their RCMs – “Control Steps” are the localized details of a “generic” control.

In PGP, Control Steps are identified by the Control Name convention, which is the control number followed by Step #; e.g. C040.Step.001; C210.Step.002, etc. In addition, Control Significance is set to “3. Step”.

PGP: Generic controls will be updated for Control Operating Effectiveness in 2007; Control Steps will not (they will retain the system default of *None Selected). This is consistent with RVR, which does not assess Control Steps.


2.9. Control Operating Effectiveness and Assessment Level - Selections 2007


Operating Effectiveness/Assessment Level Selections | Explanations
Not Tested               | At the inception of the SOX 2007 program all controls will appear as "Not Tested". This is the default value.
Fully Operating          | Control design is effective (it mitigates identified risks) and is also operating effectively (control is being performed as designed).
Operational Deficiency   | - Formal evidence could not be provided to support the control activity. However, some "informal" evidence that the control was performed is available.
                         | - Control activity not performed as required, auditee cannot provide "informal evidence" that control
Design Deficiency        | - The documented control as designed does not mitigate identified risk.
                         | - Risk has not been identified, or existing risk does not have an identified primary control.
Not Documented/Ready     | Control owner is not ready or not available for testing, or the control is not documented accurately enough to test. Need further discussion with regard to whether this is considered a deficiency or not.
Preliminary Deficiency   | IA or EA finding under dispute by PMO and/or Process Owner. Maximum 5 days in category, then escalation is required.
Insufficient Sample      | Not enough testable evidence has been accumulated to perform a test on a control, such as a new control. Use this if a partial sample passes or the control is not tested due to sample size.
No Triggering Event      | The event that would trigger the need for the control activity to be performed has not occurred from the beginning of the fiscal year until the date of audit. Therefore the control cannot be tested.
Annual Control           | Control occurs once a year and has not been performed as of testing date.
N/A                      | In RVR, a *KEY* generic control that is "Not Applicable" for a particular local entity.
Missing                  | Indicates a NEW control that is being established in RVR and is still in progress for design and documentation.

Legend:

[marker] = Considered deficiency for reporting purposes; action plans should be created in all cases.

[marker] = Only relevant for RVR.

* Deficiency metric will be calculated using the total number of deficiencies (operational plus design) divided by the total number of controls tested (tested effective plus total deficiencies), excluding dependent controls.

PROTIVITI / RVR


2.10. Action/Remediation Plans 

• All Control (generic) deficiencies must have an associated remediation Action Plan
  o This includes CAS, External Auditor and Management identified deficiencies

• Local process/control owners and leadership have accountability for entering, managing and closing remediation action plans in RVR and PGP, not CAS.

• The general expectation is that the remediation/action plan due date will be 5 business days after the audit closes, although it is recognized that there may be cases where an extended remediation period is required.

• When a deficiency is logged, the following process should be followed to create the Action Plan (this is not the responsibility of CAS):
  o The finalized remediation plan should be entered in the Comments field (RVR) or the Action Plan Description field (PGP). At that point the status in the SOX tool should be set to "In Progress".
  o Secure the appropriate approvals from the necessary parties: Local Management, Local CFO, Regional Coordinators, etc.
  o Execute the action plans.
  o Set the Action Plan Status in the SOX tool to "Complete" and enter the completion date in ActnPlanRvwSgnOffDate (PGP); there is no completion-date equivalent in RVR.

• The SOX PMO will monitor and track the progress of the remediation plans and inform CAS once there is a sufficient sample to test the remediated control.
  o Remediation of deficiencies in a timely and accurate manner is an important aspect of the SOX program and therefore this area will also be a key area of management reporting in 2007.


2.10. Action/Remediation Plans (continued) - PGP 

(Screenshot of the PGP Action Plan entry form; the three fields marked "Required" on the slide must be completed.)


2.10. Action/Remediation Plans (continued) - RVR  

(Screenshot of the RVR Action Plan entry form; the two fields marked "Required" on the slide must be completed.)


2.11. Corporate Audit Services Deliverables 

• It has been agreed that all testing will be performed in 2007 by Corporate Audit Services, with the exception of Annual Controls performed on or after December 31, 2007. These controls will be tested in Q1 2008.

• Audit Announcement Letters
  o In the former Alcatel, an audit announcement letter was sent in 2006 to the entity's CFO/CEO before the SOX work commenced (refer to the example in Appendix 3). Regional Audit Directors, if needed, would customize the model.
  o In the former Lucent, audit announcement letters were not sent out in 2006; it was the SOX PMO's responsibility to communicate the test dates to local management and control owners.
  o Based on the Company's SOX approach in 2007, with the PMO being responsible for the project, it is the PMO's responsibility to communicate the test dates to the control owners and others as necessary, based on the integrated test plan.

• On completion of testing a process, CAS will send an email to the SOX PMO informing them that either RVR or PGP has been updated with the test results and is ready for reporting.


2.11. Corporate Audit Services Deliverables (continued)

• Corporate Audit Services will issue an Audit Memo (refer to the 2006 model in Appendix 4) for each process reviewed (HR, CAPEX, …). This memo will mainly be distributed to local management and the SOX PMO. Alcatel-Lucent HQ senior management will receive a consolidated report issued by each RAD, covering a complete entity.

• In the audit memo, Corporate Audit Services should state briefly the work performed (refer to the audit objectives section), include a summary of the testing results by "operating effectiveness" category, and include a table detailing all controls not operating effectively, including explanations.

• All audit memos will be gathered and analyzed by the SOX PMO to highlight the most significant issues within the organization. The SOX Steering Committee will determine whether deficiencies are significant or material. The SOX Steering Committee will also resolve any Preliminary Deficiencies where the Control Owner/PMO do not agree with a CAS finding.

• AutoAudit (the CAS database) will record all man-days spent on SOX, with man-days being recorded at a minimum by process level within an entity. Issuance of SOX audit memos and reports should follow existing CAS procedures for pre-issuance reviews, approvals, numbering and archiving.

2.12. Self Assessment/Management Testing 


• SOX PMO/Management will test XMS expenses and corporate/centralized entity-level controls.

• SOX PMO/Management will develop the test procedures, sample size, etc. and communicate them to CAS.

• The SOX PMO will enter the results of these tests according to documented standards, but distinguished by Test Type "Management Test" (in addition, the Tester will be a non-CAS tester).

• Management testing will only be entered when final, and therefore entered with "Finding Status – Complete" and checked complete.

2.12. Self Assessment/Management Testing (continued) 


The processes to be tested by the SOX PMO, by self assessment or by management testing are XMS expenses and corporate/centralized entity-level controls.


2.13. Internal Control Questionnaire (ICQ) 

• Applicable for Tier 3 entities and out-of-scope processes for Tier 2 entities

• Will be facilitated via the Protiviti Governance Portal "Assessment Manager" (formerly TSA)

• PGP will issue questionnaires via e-mail to local CFOs, track and report progress, and provide reporting capability for response summaries, etc.

• Depending on the responses to the questionnaires, action plans or tests may result

• The central SOX PMO will administer the ICQ, track progress and escalate issues via the SOX Council

• The questionnaire is under development; the ICQ will be issued shortly


2.14. Critical Spreadsheets 

f-Lucent

• As a result of the current year's rationalization, the critical spreadsheets for f-Lucent have been reduced from 118 in FY06 to 20 in FY07. See Appendix 13, which provides further details relating to these 20 spreadsheets (i.e. process and control reference, control owner, etc.). Please refer to this file to determine the critical spreadsheets in scope for the testing of each process, as the portal documentation regarding critical spreadsheets has not been fully updated to reflect the current scoping status. The file as per Appendix 13 will also be posted in PGP, and this should be checked to ensure there are no changes before testing commences (to view the file, go to the left-hand side of the PGP welcome screen, then FY07/Critical Spreadsheets/F-Lucent (PGP)).

• For each critical spreadsheet identified there is an associated control (column F), and all documentation relating to the testing of the critical spreadsheet should be saved in PGP under the associated control. If there are any other critical spreadsheets in PGP for f-Lucent processes other than those per Appendix 13, they do not require testing in FY2007.

f-Alcatel

• Critical spreadsheets are retained in RVR on the same basis as FY2006, with all spreadsheets being retained under one control. The control owners have been advised that it is their responsibility to verify that only the FY2007 in-scope spreadsheets are included in RVR. Before testing a process, the in-scope spreadsheets should be confirmed with the control owners.


3. Appendices


2007 SOX Testing Guidelines - Appendices

Topic Page(s)

3. Appendices

Appendix 1 - Scoping document 69

Appendix 2 – Financial statement assertions 70

Appendix 3 – Audit Announcement Letter template 72

Appendix 4 – Audit Memo template 73

Appendix 5 – Testing decision tree 74

Appendix 6 – PGP training 75

Appendix 7 – RVR training 76

Appendix 8 – Key SOX contacts 77

Appendix 9 – 2007 Sub-process numbers 78

Appendix 10 - 2006 to 2007 Process mapping 79

Appendix 11 – SOX testing worksheet 80

Appendix 12 – Random Number Generator 81

Appendix 13 – f-Lucent in scope critical spreadsheets 82


APPENDIX 1: Scoping Document


APPENDIX 2: Financial Statement Assertions

• We assess risks of major misstatement at the assertion level by considering the different types of potential misstatement that may occur, and then design audit procedures that are responsive to those risks. The assertions can be looked at as the objectives of internal control. Compliance with SOX 404 requires that we address all the assertions.

• Existence: an asset or a liability exists at a given date (B/S); a recorded transaction or event that pertains to the client actually took place during the period (P/L). For example, management asserts that finished goods inventories in the balance sheet are available for sale. Similarly, management asserts that sales in the income statement represent the exchange of goods or services with customers for cash or other consideration.

• Valuation: an asset or liability is recorded at an appropriate carrying value (B/S); a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period (P/L). For example, management asserts that property is recorded at historical cost and that such cost is systematically allocated to the appropriate accounting periods. Similarly, management asserts that trade accounts receivable included in the balance sheet are stated at net realizable value.

• Completeness: there are no unrecorded assets, liabilities, transactions or events, or undisclosed items. For example, management asserts that all purchases of goods and services are recorded and are included in the financial statements. Similarly, management asserts that notes payable in the balance sheet include all such obligations of the entity.


APPENDIX 2: Financial Statement Assertions (continued)

• Rights and obligations: an asset or a liability pertains to the client at a given date. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity's rights to leased property and that the corresponding lease liability represents an obligation of the entity.

• Presentation and disclosure: an item is classified, described and disclosed in accordance with the applicable financial reporting framework. For example, management asserts that obligations classified as long-term liabilities in the balance sheet will not mature within one year. Similarly, management asserts that amounts presented as restructuring charges in the income statement are properly classified and described.

• Segregation of duties: a strategy to provide an internal check on performance through separation of custody of assets from accounting personnel, separation of authorization of transactions from custody of the related assets, and separation of operational responsibilities from record-keeping responsibilities. For example, management asserts that employees in charge of creating new suppliers do not have the ability to initiate disbursements.

• Authorization / safeguarding of assets: policies and procedures that provide reasonable assurance regarding protection or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a major effect on the financial statements. For example, management asserts that CAPEX operations are duly authorized.
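The segregation-of-duties assertion above is the one a tester can check mechanically from a role extract: flatten each user's roles into the entitlements they actually hold, then look for pairs that cross one of the separations the appendix names (custody vs. accounting, authorization vs. custody, operations vs. record keeping), plus the explicit supplier-creation vs. disbursement pair from the appendix's own example. The script below is an added illustration, not code from these guidelines or from the PGP/RVR tools; the users, roles, entitlement names and the mapping of entitlements to duty classes are constructed sample data.

```python
"""Segregation-of-duties (SoD) check over a role/entitlement model.

Added illustration, not code from the guidelines. The duty classes and the
conflicting class pairs restate the separations the appendix names; the
users, roles and entitlement names are constructed sample data.
"""
from itertools import combinations

# Entitlement -> duty class (assumed mapping for the sample data; a real
# review takes this from the application's role documentation).
ENTITLEMENT_CLASS = {
    "AP.CreateSupplier": "record_keeping",
    "AP.EditBankDetails": "record_keeping",
    "AP.ApproveInvoice": "authorization",
    "AP.InitiateDisbursement": "custody",
    "WH.ReceiveGoods": "operations",
    "WH.AdjustStock": "record_keeping",
}

# Duty-class pairs that must not sit with one person: custody vs accounting
# (record keeping), authorization vs custody, operations vs record keeping.
CONFLICTING_CLASSES = {
    frozenset({"custody", "record_keeping"}),
    frozenset({"authorization", "custody"}),
    frozenset({"operations", "record_keeping"}),
}

# Entitlement-level conflict taken from the appendix's own example: whoever
# creates suppliers must not be able to pay them.
CONFLICTING_ENTITLEMENTS = {
    frozenset({"AP.CreateSupplier", "AP.InitiateDisbursement"}),
}

# Role -> entitlements and user -> roles (constructed sample data).
ROLES = {
    "AP_Clerk": {"AP.CreateSupplier", "AP.EditBankDetails"},
    "AP_Manager": {"AP.ApproveInvoice"},
    "Treasury": {"AP.InitiateDisbursement"},
    "Warehouse": {"WH.ReceiveGoods", "WH.AdjustStock"},
}
USERS = {
    "alice": {"AP_Clerk"},                 # maintains suppliers only
    "bob": {"AP_Clerk", "Treasury"},       # creates suppliers AND pays them
    "carol": {"AP_Manager", "Treasury"},   # approves invoices AND pays them
    "dave": {"Warehouse"},                 # receives goods AND adjusts stock records
    "erin": {"AP_Manager"},                # approves only
}


def effective_entitlements(user, users=USERS, roles=ROLES):
    """Flatten a user's roles into the set of entitlements they hold."""
    return set().union(*(roles[r] for r in users[user]))


def sod_violations(user, users=USERS, roles=ROLES):
    """Return sorted (entitlement_a, entitlement_b, reason) triples.

    A pair is flagged when it is an explicit entitlement conflict, or when
    the two entitlements fall into a conflicting pair of duty classes.
    Explicit conflicts are checked first so the more specific rule wins.
    """
    ents = effective_entitlements(user, users, roles)
    found = []
    for a, b in combinations(sorted(ents), 2):
        classes = frozenset({ENTITLEMENT_CLASS[a], ENTITLEMENT_CLASS[b]})
        if frozenset({a, b}) in CONFLICTING_ENTITLEMENTS:
            found.append((a, b, "explicit conflict"))
        elif classes in CONFLICTING_CLASSES:
            found.append((a, b, " vs ".join(sorted(classes))))
    return found


def sod_report(users=USERS, roles=ROLES):
    """Map every user with at least one violation to their violations."""
    report = {}
    for user in users:
        violations = sod_violations(user, users, roles)
        if violations:
            report[user] = violations
    return report


if __name__ == "__main__":
    for user, violations in sod_report().items():
        for a, b, why in violations:
            print(f"{user}: {a} + {b} ({why})")
```

Run as-is it reports bob twice (the explicit supplier/disbursement pair, and bank-details maintenance together with disbursement as custody vs. record keeping), carol once (authorization vs. custody) and dave once (operations vs. record keeping); alice and erin are clean. The check is only as good as the class mapping and the conflict list: a combination that is in neither table, for instance posting and approving the same journal, is not flagged, so the conflict matrix itself is something the tester has to agree with the process owner before relying on the output.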


APPENDIX 3: Audit Announcement Letter Template

2006 SOX Testing Announcement Letter

2007 General Announcement Letter Template


APPENDIX 4: Audit Memo Template

2007 SOX Audit Memo Template


APPENDIX 5: f-Alcatel Testing Decision Tree

Note: the attached 2006 document shows remediation action plans as the responsibility of CAS. In FY2007, remediation action plans are the responsibility of the SOX PMO and the Control Owners, NOT CAS.


APPENDIX 6: PGP Training

A training document is located on the Protiviti Portal at the following address (bottom of the page):

http://ihprotiviti01.ndc.lucent.com/SOAPortal/ 


APPENDIX 7: RVR Training


APPENDIX 8: Key SOX Contacts and Responsibilities

SOX PMO

•Cathy Carroll – SOX Compliance
•Alan Kilyk – SOX PMO/Project Management
•Scott Greenfield – NAR
•Stephan Vantomme – EMEA
•Jennie Tiderman – ASB and APAC
•Bob Moogan – Scoping/Integrated test plan/SAS70's
•Jill Clark and Mary Ann Imroth – PGP and RVR

CAS

•Laurent Arnaudo – Overall responsibility for SOX testing
•Craig Harlow – SOX Strategy
•Peter Green – SOX PMO and CAS Liaison
•Rich Braithwaite – IT Testing
•Henk van Beveren and Sophie Neron-Berger – Testing in EMEA
•Kris Lemmens and Sushil George – Testing in ASB and APAC
•Gautam Patankar and Vig Menon – Testing in NAR and CASA


APPENDIX 9: 2007 Sub-Process Numbers


APPENDIX 10: 2006 to 2007 Process Mapping


APPENDIX 11: SOX Testing Worksheet


APPENDIX 12: Random Number Generator


APPENDIX 13: Former Lucent in Scope Critical Spreadsheets


www.alcatel-lucent.com