2007 SOX 404 Testing Guidelines FINAL

Download as ppt, pdf, or txt
Download as ppt, pdf, or txt
You are on page 1of 83
At a glance
Powered by AI
The document provides guidelines for SOX testing at Alcatel-Lucent including the testing process, appendices and key contacts.

The document outlines guidelines for SOX testing including the testing process, responsibilities, frameworks used for evaluation and key contacts.

Management is responsible for the effectiveness of internal controls over financial reporting, evaluating controls using a recognized framework, and providing documentation and conclusion on the effectiveness of controls.

Corporate Audit Services 2007 SOX Testing Guidelines

Date August 2007

2007 SOX Testing Guidelines - Index

Topic 1. General Information 2. Testing Process 3. Appendices

Page(s) 3 17 67

2 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

General Information

3 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2007 SOX Testing Guidelines General Information

Topic 1. General Information 1.1 Overview of section 404 of Sarbanes- Oxley Act and Update from 2006 1.2 What is internal control over financial reporting? 1.3 Responsibilities of Control Owners, SOX PMO and CAS 1.4. SOX PMO Goals and Objectives 1.5. SOX PMO Principles & Assumptions 1.6. SOX PMO Integrated Test Plan 1.7. SOX 404 Work Performed to Date 1.8. SOX 404 Next Steps

Page(s) 5 7 9 10 11 13 15 16

4 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.1. Overview of section 404 of Sarbanes- Oxley Act and Update from 2006
The Sarbanes-Oxley Act (the Act) was introduced in July 2002 in response to several major corporate and accounting scandals within large prominent companies such as Enron, WorldCom, Global Crossing, Tyco, etc. The Securities and Exchange Commission (SEC) has explicit authority to establish rules for implementing the various sections of the Act and for enforcement of the Act and related rules. In June 2003, the SEC issued its rules relating to managements responsibilities under Section 404. In June 2004, the SEC approved the adopted US Public Company Accounting Oversight Board (PCAOB) Auditing Standard No.2 An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS2). On May 23, 2007, the SEC approved interpretive guidance regarding managements evaluation of internal control over financial reporting AS5. The key elements affecting the company from a testing perspective are: Only controls that materially impact the financial statements require testing. The external auditors are not evaluating managements evaluation process but are opining directly on internal controls over financial reporting

5 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.1. Overview of section 404 of Sarbanes- Oxley Act and Update from 2006 (continued)
Under the SECs rules for Section 404 the management of Alcatel-Lucent is required to: Accept responsibility for the effectiveness of internal controls over financial reporting;

Evaluate the effectiveness of internal controls over financial reporting using a recognized control framework;
Support its evaluation of internal controls over financial reporting with sufficient evidence including documentation and testing of key controls; Provide a written conclusion on the effectiveness of internal controls over financial reporting at year-end.

Alcatel-Lucent must comply with the SECs rules pertaining to the Act as a condition of being a listed company in the US.

6 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.2. What is internal control over financial reporting?


The SEC rule defines the term internal control over financial reporting to mean the following: A process designed by, or under the supervision of, the companys principal Executive and principal financial officers, or persons performing similar functions, and effected by the companys board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the companys assets that could have a major effect on the financial statements.

7 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.2. What is internal control over financial reporting? (continued)


The SECs definition of internal control over financial reporting does not encompass the effectiveness and efficiency of a companys operations nor a companys compliance with applicable laws and regulations with the exception of compliance with applicable laws and regulations directly related to the preparation of financial statements.

8 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.3. Responsibilities of Control Owners, SOX PMO and CAS


Control Owners Ensure controls are operating as documented; Communicate with SOX PMO the control readiness for testing; Assist CAS with testing procedures. SOX PMO Document the process between Control Owners, SOX PMO and CAS; Maintain RVR and Protiviti (PGP) portals;

Prepare and coordinate test plan with CAS, and inform CAS of test readiness;
Report test results and project status to Senior Management and A&FC; Report test results to external auditors. CAS Allocate resources available to test controls ready for testing (confirmation through SOX PMO); Test controls and record test results (in RVR and PGP); Report test results to SOX PMO and entity CFO/CEO.
9 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

1.4. SOX PMO Goals and Objectives

To ensure a positive 404 certification for Alcatel-Lucent in 2007


SOX Program provides rapid identification and visibility to deficiencies & remediation status

Incorporate improvements introduced by AS5 & SEC Guidance Maximize Efficiency & Effectiveness
Testing appropriate to risk Monitor progress of testing throughout program

Minimize 2007 auditing costs internal and external


Maximize use of ALU Group Audit work by external auditors Minimize amount of re-visits; i.e. testing a subset of controls in one timeframe, a second wave at a separate time, etc.

Be sensitive to the time constraints of the local business units

10 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.5. SOX PMO Principles & Assumptions


Test scope determined by SOX PMO with input and support of local coordinators SOX PMO will maintain an Integrated Test Plan that is supported and updated by the various sources: o Local SOX Coordinators o Regional SOX PMO Leads o Corporate Audit Services o External Auditors Alcatel-Lucent Corporate Audit Services performs testing on behalf of Management. Testing of XMS expenses and corporate/centralized entity level controls will be performed by the SOX PMO organization External Auditors (E&Y and D&T) will also perform testing, typically and ideally 2 weeks after management completes its testing One round of testing with roll-forward testing of remediated controls (where necessary)

Testing of non-key/secondary controls may be required to the extent they are a compensating control for a failed key/primary control
Requires the approval/concurrence of the Local Coordinator and Regional SOX PMO Lead Any non-key control elevated to in-scope should then have its Control Significance amended to Key
11 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

1.5. SOX PMO Principles & Assumptions (continued)


Once a control is set to Operational Deficiency or Design Deficiency on the basis of testing performed by the External Auditors, CAS or Management/SOX PMO Testing, it must retain this designation until a subsequent test results in a Fully Operating assessment. This is relevant for: Assessment Level in RVR and Control Operating Effectiveness in PGP In 2007 there will be no requirement to test within a 90-day window of the year-end.

12 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.6. SOX PMO Integrated Test Plan


An Integrated Test Plan (ITP) will be maintained by the PMO to ensure coordination and efficient use of resources both internal and external resources A centralized ITP is critical to managing costs and resources for the global program The centralized ITP will be organized by Local Unit and Process Parent or Sub-Process
Regional SOX PMO Leads Key input to Regional SOX Assesses available dates across all inPMO Lead scope units and Should include all builds preliminary available dates to provide plan using the ITP flexibility in building the template regional/global plan. Works in Documentation conjunction with availability, 2006 Local Coordinators remediation, control and Regional CAS & readiness, national External Auditors* holidays, etc. should Key input to SOX factor into Date PMO ITP Availability. Communicates all Preliminary, informal* subsequent discussions with Local changes to Test Auditors (CAS & External). Schedule Communicates any issues to Regional SOX PMO Lead Local Coordinators

Global SOX PMO


Maintains centralized, Integrated Test Plan (ITP) Leads discussion with Global External Audit Partners in confirming scheduling Works with Corporate Group Audit staff to confirm Internal Audit dates Serves as escalation for scheduling issues Communicates relevant information and potential issues to Regional and Local personnel

Integrated Test Plan

* Scheduling should not be considered final until SOX PMO has confirmed with CAS and External Auditors
13 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

1.6. SOX PMO Integrated Test Plan (continued) Sample Template for use by the SOX PMO (Not CAS)
A B C D E F G H P Q R S T U V GAS GAS Phase 1 GPO/PMO Phase 1 Field Test Regional Test Ready Field Test Complete PMO Lead Local PMO Lead Date Start Date Date Jennie Tiderman Peilu Cao Jennie Tiderman Peilu Cao Jennie Tiderman Jennie Tiderman Jennie Tiderman EA Phase EA Phase 1 1 Test GAS Test Field Test Complete Status Start Date Date

1 2 3

Region APAC APAC

Proce Sub Local Unit ss # Process # ASB ASB 01 01 001.002 001.002.00 1 001.003.00 1

Process Name Revenue Cycle Revenue Cycle

Sub Process Name Ordering Ordering Management Project / Contract Monitoring Material Management and Delivery Revenue Recognition Billing/Invoice (incl F-ALA rev. rec. and discounts) Credit Mgmt, Collecting and Reserves F-ALA Access/SOD Revenue Cycle

EA Test Status

APAC

ASB

01

Revenue Cycle

Peilu Cao

5 6

APAC APAC

ASB ASB

01 01

001.004 001.005

Revenue Cycle Revenue Cycle

Peilu Cao Peilu Cao

APAC

ASB

01

001.006

Revenue Cycle

Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman

Peilu Cao

APAC

ASB

01

001.008

Revenue Cycle

Peilu Cao

9 10 11 12

APAC APAC APAC APAC

ASB ASB ASB ASB

01 02 03 04

001.013

Revenue Cycle Purchasing Cycle Human Resources Management Inventory Cycle CAPEX, Other Investments and Intangibles Treasury Management Tax Management General Ledger & Financial Reporting ITGC Managing the entity SOD & Restricted Access

Peilu Cao Peilu Cao Peilu Cao Peilu Cao

13 14 15 16 17 18 19

APAC APAC APAC APAC APAC APAC APAC

ASB ASB ASB ASB ASB ASB ASB

05 06 07 08 09 10 11

Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao

14 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.7. SOX 404 Work Performed to Date


Entity scoping document prepared by SOX PMO; Process scoping document prepared by SOX PMO; Scoping documents reviewed with external auditors (Deloitte & Touche and Ernst & Young); Feedback received from external auditors and incorporated into scoping documents; Control rationalization in Paris for ex-Alcatel processes; Control rationalization in Murray Hill for ex-Lucent processes; Joint planning meetings between SOX PMO, D&T, E&Y and CAS; IS/IT control rationalization meetings; Control rationalization documents reviewed with external auditors; Feedback received from external auditors on control rationalization; New controls finalized including Entity Level; Meeting with D&T in Murray Hill to ensure maximum reliance can be placed on CAS work; Integrated test plans prepared for all regions; Testing/Reporting process between SOX PMO and CAS agreed.

15 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

1.8. SOX 404 Next Steps


Protiviti (PGP) training planned for July 24th;

Testing of controls and reporting of test results.

16 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

Testing Process

17 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2007 SOX Testing Guidelines Testing Process


Topic
2. Testing Process 2.1. Summary testing process 2.2. Process numbers and mapping 2.3. Test readiness 2.4. What do we test? 2.5. Nature of testing 2.6. Sample sizes 2.7. Documentation of tests 2.8. Deficiencies 2.9. Control Operating Effectiveness (COE) and Assessment Level 2.10. Action/Remediation plans 2.11. CAS deliverables 2.12. Self Assessment/Management Testing 2.13. Internal Control Questionnaire (ICQ) 2.14. Critical Spreadsheets
18 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

Page(s) 19 20 21 22 27 33 38 50 54 58 61 63 65 66

2.1. Summary Testing Process


1. 2. 3. 4. Readiness meeting 1 week in advance of testing SOX PMO, Control owners and CAS confirm controls to be tested and the status of controls Perform testing using SOX testing worksheet Save work papers and other documentation in RVR/PGP as completed Update RVR/PGP with test results

5.
6. 7. 8. 9.

Agree deficiencies with control owner, and SOX PMO (when necessary)
Update RVR/PGP Assessment Level/Control Operating Effectiveness (COE) Update control owners/SOX PMO with testing status (as necessary) during fieldwork Closing meeting with control owners, entity CFO, SOX PMO on last day of fieldwork Email SOX PMO verifying RVR/PGP has been updated and test results are available for reporting

10. Ensure time has been recorded in Auto Audit

11. Issue Audit Memo to SOX PMO and entity management (by process)

19 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.2. Process Numbers and Mappings


The 2007 level 1 process numbers are: Process Number
001 002 003 004 005 006 007 008 009 010 011 012

Process Name
Revenue Cycle Purchasing Cycle Human Resources Management Inventory Cycle CAPEX, Other Investments & Intangibles Treasury Management Tax Management General Ledger & Financial Reporting IT General Controls Managing the Entity SOD & Restricted Access Master Data

See also: appendix 9 for details of the sub-process numbers; appendix 10 for the 2006 to 2007 process mappings.
20 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

2.3. Test Readiness


The objective of the Test Readiness process is to provide assurance that locations/processes are test ready to ensure cost containment and maximum efficiency of the program The Test Readiness process consists of:
An assertion prior to testing by the Local Coordinator and CFO that the following milestones have been met:
1. 2. 3. 4. 5. All 2006 deficiencies are remediated RCMs have been updated for changes in business/process, control rationalization, etc. Documentation (examples, process flows, narratives, etc.) have been updated for changes to key controls/processes Control Owners are informed of changes and have received relevant training Control Owners, in general, are ready for testing

Test Readiness Meetings, scheduled by Local SOX Coordinator or designee, are scheduled approximately one week prior to testing. Participants should include, at a minimum, CAS representative, Regional SOX PMO Coordinator, Regional & Local CFO delegate, SOX PMO delegate
Once the Test Readiness Meeting is completed no further SOX tool changes should be made as CAS will begin downloading information to prepare for the audit At the readiness meetings a definitive control list will be provided to CAS by the SOX PMO (including process and control numbers at minimum)
All Rights Reserved Alcatel-Lucent 2007

21 | CAS |2007 SOX Testing Guidelines |July 2007

2.4. What do we test?


CAS is responsible for testing all Key controls (formerly identified as Primary in f-LU) in RVR and PGP with the narrative to be tested with the exception of those controls which will be tested by self assessment or by management testing. The processes CAS will not be testing are XMS expenses and corporate/centralized entity level controls.

Controls classified as Not Designed or Not Documented in RVR are considered as not in place (currently in the action plan) and will not be tested by CAS. Tests will be performed at a later date during the testing of remediated controls. It is the responsibility of the SOX PMO to inform CAS when these controls are ready for testing with the necessary sample size available.
For former Alcatel entities where SAP is used, controls related to segregation of duties and access will be documented and tested with an extraction tool (CheckAud). This tool will provide reporting on who can perform critical transactions or combination of critical transactions. Entity (under the responsibility of each CFO) should interpret whether or not the granted access is acceptable and/or if appropriate compensating controls exist. In this case, testers will verify on a sample basis that they can rely on the review performed by management. Testers need to have a minimum training on SAP ST codes and a good knowledge on the process itself to perform their review. When testers note that CheckAud report has not yet been run and/or analyzed by operational management, this should be reported as a control deficiency. We should also explain to the auditors how they can verify if CheckAud reports have been analyzed.
All Rights Reserved Alcatel-Lucent 2007

22 | CAS |2007 SOX Testing Guidelines |July 2007

2.4. What do we test? (continued)


For former Lucent entities, controls related to segregation of duties and access will be documented and tested in process 11.001 and will be centrally tested. Automated/Configured controls will be tested as part of the business process, based on the following approach: If CAS can verify that the automated control remains unchanged from the previous year by comparing what is documented in FY2006 to what we observe as the process in FY2007, there is no need to reperform the documentation of the screenshots/test the control. The test documentation should reference the work performed verifying that the control is unchanged, plus the previous years test documentation should be attached as evidence of the control operating effectively. If the test was previously performed in a test environment and not in production, evidence is required that the test environment in which the test was performed is an exact replica of the production environment.

If CAS is unable to verify that the automated control remains unchanged from the previous year, normal testing procedures should be performed.
Specific to entities using RVR Note: For all entities in Section 404 scope, SOX coordinators have already performed the following review:

a) Documents attached in RVR show sufficient evidence of the control performed.


b) All controls with a NA status are correctly justified.
All Rights Reserved Alcatel-Lucent 2007

23 | CAS |2007 SOX Testing Guidelines |July 2007

2.4. What do we test? Flowcharts/Narratives


Testers will have to verify the reasonableness of the flowcharts/narratives prepared by local management. A flowchart/narrative is reasonable when it gives a sufficient level of detail on the processing of transactions within the system. The purpose of documenting processes (flowcharting/narrative) is to provide a general overview of the current activities. It is not required to perform walkthroughs to assess the reasonableness of flowcharts/narratives, but walkthroughs are required to ensure the tester understands the process, and if the risk is mitigated by the control. The walkthrough also identifies changes to the process which may have an impact on the documented control(s). If during a walkthrough documentation errors are noted but there is no impact on the control(s) being tested, local management should be informed but no deficiency noted. In 2007 with the merger, internal auditors should pay special attention to the reliability of flowcharts/narratives. Many processes should be updated / modified to reflect the reality, the changes in the systems, etc.

24 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.4. What do we test?


The testers will have to assess the design effectiveness and the operational effectiveness: Design effectiveness: Testers will have to evaluate the description of each control in-place and respect the following process: Does the control identified, if operating effectively, fully mitigate the related risk? If so, control design can be considered effective, and the control will require testing. If not, consider additional controls identified that should be linked to the risk. If gaps remain after all controls have been identified, the control design for that risk is ineffective and should be evaluated accordingly. This will require an action plan from the SOX PMO and control owner. Testing will not be performed on ineffectively designed controls. When concluding, a lack of documented evidence of a control would constitute an ineffectively designed control. Testers must ascertain that controls documented are relevant for all significant Business Divisions in the entity. This evaluation must to be linked with the Financial Statement Assertions, detailed in Appendix 2

25 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.4. What do we test? (continued)


Operational effectiveness: The testers will have to answer to the following questions: Does the control operate as intended? Did we find exceptions during the testing? Does the person performing the control possess the necessary authority according to the local DOA (delegation of authority) to perform the control effectively? Does the control operate for all significant Business Divisions in the entity?

26 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.5. Nature of Testing


RVR Detailed testing guidelines will be available in RVR for each control activity, although where the control wording has changed the test procedures may need to be changed accordingly.

PGP The SOX PMO uploaded all test procedures and audit work papers from RVR into PGP for the former Alcatel controls. The SOX PMO and CAS performed an upload of the former Lucent high level test procedures previously documented on the Test of Control (TOC) spreadsheet into PGP. The upload is expected to populate the majority of high level test procedures, but for those not populated, the previous years TOC should be used to obtain the high level test procedures. All the test procedures should be reviewed to ensure they are relevant for the control being tested. Former Lucent Sample Attribute Worksheets (SAWs) have not been uploaded into the portal and will need to be obtained from the CAS server.
All Rights Reserved Alcatel-Lucent 2007

27 | CAS |2007 SOX Testing Guidelines |July 2007

2.5. Nature of Testing


Re-performance
Re-perform the control activity to determine its operating effectiveness Perform reconciliation using independent data sources Perform independent calculations that mimic the system Enter hypothetical transactions to test an IT system and compare expected results to actual results Documentation should be in sufficient detail to execute the reperformance

L E V E L O F C O M F O R T

Inspection/Examination
Review of evidence, in either electronic or paper form, that a control activity is performed. The level of assurance obtained from such evidence depends on the nature of the control activity and the control objective. Provide detail to be able to duplicate test process and verify result

Observation
Watch an individual perform the control activity or observe group activities such as status meetings, disclosure meetings, etc. More reliable than inquiry Document who, when, what was observed and the outcome

Inquiry
Seek information of knowledgeable persons. Evaluating responses to inquiries is an integral part of the inquiry process. Ascertain whether a control is in place by asking oral or written questions Weakest type of test Must be followed by another test, inquiry alone is not enough Should inquire of more than one person (i.e., corroborate) Documentation considerations - who, when, where, how
All Rights Reserved Alcatel-Lucent 2007

28 | CAS |2007 SOX Testing Guidelines |July 2007

2.5. Nature of Testing Reperformance:


The tester will reperform the application of the control activity to check that the result obtained is the same. Explanation - The repetition of a control performed by an employee or a computer or a system; is often the only way to test an automated control

Documentation requirements - Details of what was done, what items tested. Sufficient to reproduce test.
Example - For checking the valuation of goodwill, the tester might calculate himself the goodwill and compare the result obtained with the managements evaluation Notes - Sample size can be low when combined with examination testing

29 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.5. Nature of Testing Examination:


The tester will inspect relevant documentation such as sales orders, invoices, to evidence the effectiveness of the control activity. Explanation - The inspection of records, documents, reconciliations and reports for evidence that control has been properly applied

Documentation requirements - Who, when , what ?Retain enough details of the test so that it can be duplicated (e.g. order number); also note what evidence was reviewed to verify control was working as indicated (e.g. noted form was signed by authorized person)
Example - if the control is the credit manager reviews and approves all sales orders exceeding a determined amount, tester might select a sample of orders exceeding the limit and examine the evidence of control : based a sample size, we noted that the CPM has completed all proper fields to show evidence of his/her review. His/her approval is supported by a signature. Notes - Easiest way of obtaining evidence of the existence of assets such as cash and inventory.

30 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.5. Nature of Testing Observation:


The tester will have to observe the control in operation to verify the control is operating as intended. Explanation - Direct viewing of control being performed

Documentation requirements - Who, and what was observed, when it was observed, and the outcome.
Example o Automated: observe field edit check works when invalid data is entered. o Manual: observe the person receiving goods to test the operating effectiveness of inventory management

Notes - More reliable than inquiry. Can be sufficient for some automated controls. Probably not sufficient for key manual controls alone.

31 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.5. Nature of Testing Inquiry :


Tester will have to perform interviews of appropriate employees to assess the validity of the control activity. Please note that inquiry does not provide sufficient evidence of the operating effectiveness of a control. Tester should perform a mix of techniques when assessing controls to achieve audit comfort. Explanation - Ascertain whether a control is in place by asking specific oral and written questions Documentation requirements - Who responded and when? Example - Interview CFO to understand the controls surrounding a particular process. Notes - Weakest type of test, should be followed by another test - at least observation if feasible.

32 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.6. Sample Sizes


Testing sample size is determined by how often the primary controls are performed. Sample size guidelines provided by Alcatel-Lucent management for manual controls are as follows:

Frequency of Performance Annual Semi-Annual Quarterly Monthly Weekly Daily Multiple Times per Day Ad-hoc/As-Needed

2007 Sampling Guidelines 1 1 2 2 5 25 25

Sample Expansion (for single exception)

N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency 25 25

10% of annual number of controls with an upper limit of 25 items*

New controls in place over 90 days use the above sample guidance Automated controls will utilize one sample one positive and one negative test see slide 23 Depending on the External Auditors risk assessment of a process, they will in some cases pull a separate sample to that used by CAS, whereas in other cases they will use the sample pulled by CAS to perform their testing (or a combination of the two).
33 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

2.6. Sample Sizes


For example, a control that occurs multiple times a day should be tested on the basis of a sample of 25 operations over a sufficient period of time to obtain assurance that the control operates effectively. For controls that operate less frequently such as monthly account reconciliations, the auditor should test the control on the basis of a sample of 2 operations. (*): For controls performed ad-hoc, the frequency of tests required is 10% of the annual number of controls performed with an upper in sample size of 25 items to test. For example, an ad-hoc control performed 120 times per year would be tested with a sample size of 12. If it is not possible to evaluate the number of controls performed per year, a sample size of 25 tests should be used. If an exception is noted, an additional sample of maximum 25 items should be selected (take an additional sample based on 10% of the annual number of controls performed, with a cap at 25). If a control has been implemented too recently, its occurrence may not be sufficient to draw the needed and extended sample. In this case, testing will be performed later in the year. Example: for a quarterly control implemented in Q4, testers should conclude that due to the late implementation of the control, they couldnt obtain evidence of its operating effectiveness (to be specifically written in the open text field under evaluation history). To ensure an unbiased sample is tested, a random number generator should be used. This is not compulsory (although it is best practice), and for controls already tested there is no requirement to go back and re-test a new sample (see appendix 12).
All Rights Reserved Alcatel-Lucent 2007

34 | CAS |2007 SOX Testing Guidelines |July 2007

2.6. Sample Sizes - Dealing with exceptions


When we find an exception in our testing of manual or automated controls, we should examine and understand the cause of the exception. In the case of automated controls, the issues will be directly classified as deficiencies. No sample extension will take place. In the case of manual controls operating monthly or less frequently than monthly, exceptions should be treated as deficiencies, because the frequency of the operations is too low to allow for a conclusion. In the case of one exception in the operation of a manual control that operates weekly or more frequently, it may not be a deficiency. To conclude that such an exception is not a deficiency, we should conduct additional testing. A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what the tester had initially planned and beyond inquiry supports that conclusion (PCAOB48). The option to conduct additional testing is only available for manual controls operating weekly or more frequently when: Only one exception is observed in the initial sample; The exception is determined not to be an indicator of systematic and recurring exceptions with respect to the control;

35 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.6. Sample Sizes - Dealing with exceptions (continued)


If we determine that it is appropriate to perform additional testing, we should select an additional sample (see the table above). If no further exceptions are noted in the second sample, we may conclude that the single exception from the two samples is acceptable (i.e., the exception rate is negligible) and that the control is operating effectively and no deficiency exists. If one or more additional exceptions are noted in the second sample, we should conclude that a deficiency exists, because the exception rate in the two samples is more than negligible.

Where feasible the additional sample should be tested whilst on site, but if the deficiency is identified during the last day of testing and there is not sufficient time to obtain the additional sample documentation and perform the testing, the control should be identified as a Preliminary Deficiency and the control owner given 2 days to provide the documentation required for testing. If the documentation is provided and the sample is tested with no deficiencies the control status should be changed to Fully Operational, but if the documentation is not provided or there is a deficiency then the control status should be changed to the appropriate deficiency. The SOX PMO and the control owner should be informed of the change in status.
Note : An exception found by and corrected by management is not an exception. This clearly means that the control system is working efficiently (review of approvals of PO for instance).

36 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.6. Samples Sizes - Minimum Operating Periods and Test Samples for Remediated Controls
This guidance only applies if the remediated control will operate over a period of less than 90 days until the year end date. For controls that will operate over a period of 90 days or more (i.e. put into operation before October 1, you should continue using the regular sample size guidance see slide 33).
Frequency of Performance Annual & Semi-Annual Quarterly Monthly Weekly Daily Multiple Times per Day Ad-hoc/As-Needed Minimum Time Period/ Number of Times of Operation for Remediated Control as of the End of Fiscal Year Minimum Number of Items to Be Tested for Remediated Controls

N/A 2 quarters* 2 months 5 weeks 20 days 25**

N/A 2 2 2 10 25**

Assessed on a case by case basis using risk based approach to determine the appropriate sample sizes

* Includes 4th quarter as one of the quarters ** Must operate at least 25 times over a minimum 15 day period

Note - The population/sample used to test a remediated control has to be subsequent to the date on which the control was remediated.
37 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests


Former Alcatel and former Lucent had very different approaches regarding the retention of test documentation. Former Alcatel test documentation was retained in RVR

Former Lucent test documentation was retained on an IA server

For 2007: Europe - all non IT control testing will be recorded in RVR, with the exception of Centralized/Corporate Entity Level Controls (these will be recorded in PGP and will be tested by the SOX PMO) APAC all non IT control testing will be recorded in RVR NAR and CASA all non IT control testing will be recorded in PGP IT control testing in all regions will be recorded in either RVR or PGP depending on the location of the control and where the control is recorded (RVR or PGP)

The new AS5 rules pertaining to Section 404 do not require Alcatel-Lucents external auditors to evaluate the CAS testing, although the external auditors will be relying on the work performed by CAS to reduce their testing. The reliance they will be placing on the work of CAS will be dependant on the process, with less reliance on higher risk category 1 areas such as revenue, IT, and financial controls.
38 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests (continued)


The current testing strategy of the External Auditors is: Category 1 processes - perform 70% independent testing and 30% reperformance testing

Category 2 processes perform at least 30% * independent testing, and at the most 70%** reperformance testing.
* This percentage may be higher based on local risks identified ** All control activities not addressed by independent testing will be tested by reperformance. All control activities will be tested by the external auditor.

It is therefore important that the documentation of the tests performed is of the highest quality. In addition, it is important to clarify with the local external auditors their requirements for our work papers to do reperformance. A meeting with the local external auditors should take place in advance of testing to clarify their requirements, specifically the retention of documentation allowing them to reperform our work, and if they require copies or original documentation.

39 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of the tests (continued)


All testing will be recorded using the CAS SOX Testing Worksheet see appendix 11 for a soft copy of the document All SOX Testing Worksheets are to be retained in RVR or PGP.

40 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of the tests (continued)


It is critical in the SOX testing process to evidence the testing work performed. The documentation must ensure the Reperformance can be performed by the external auditors. They should be able to realize the same test, with the same document(s), and come to the same conclusion. For 2006 it was agreed with the f-Alcatel external auditors that paper files nor scanned documents would be retained, but the documentation would take place on an Excel spread sheet on which the references of the tested items would be reported see below:
reference of the control invoice # A200401000001 A200401002379 A200401053434 A200403002379 A200401078801 etc etc sort # 01.10.C040 approval 1 X 2 X 3 DEFICENCY 4 X 5 X etc etc delivery date X X X X X shipping address X X X X X billing dates price X X X X X X X X X X quantity X X X X X paym ent terms X X X X X delivery terms X X X X X acceptance terms PO # X X X X X X X X X X

This document reported all the references (e.g. an invoice number) of the documents tested and the items of the data that were reviewed (for example approval, shipping address). In 2007 this information should be recorded as part of the CAS SOX Testing Worksheet. For 2007 the external auditors informed the SOX PMO that if CAS testing documentation included copies of audit evidence, either electronically in the portals or hard copy files, this would be one way to reduce their fees. CAS should therefore (where feasible) retain electronic or hard copies of supporting documentation. If the documentation is too voluminous, only specific pages relevant to the testing should be retained, and control owner asked to keep the additional documentation to one side in preparation for the external auditors reperformance testing. Detailed supporting documentation should be retained for all deficiencies
All Rights Reserved Alcatel-Lucent 2007

41 | CAS |2007 SOX Testing Guidelines |July 2007

2.7. Documentation of tests - RVR


a) From the home page, click on the icon below:
Controls documentation and testing 16 evaluation(s) to be completed

b) Click on the icon GO to select the process you have to test.


Evaluation Entity Period Status % Completed Print Owner

01 Revenue management

CIT

2004
2004

In Progress 39%
In Progress 100%

Arnaudo Laurent
Arnaudo Laurent

02 Purchasing management - 01 Order CIT processing

42 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests RVR (continued)


c) Then click on control testing icon to access the fields dedicated to testing documentation. The following information will be necessary:

43 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests RVR (continued)


Test description: Detailed testing plans will be available for all former Alcatel controls in RVR, although testers need to ensure that the test plan is still relevant and that the control procedures have not changed since 2006. The following information should also be reported in this field: Type of testing (for example reperformance or examination). Source of data (for example journal of entries) Sample size Who performed it? Indicate in this field the name of the tester. When was it performed? Indicate the date at which the test was completed.

44 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests RVR (continued)


Comments on testing: This field is for detailed comments on testing. It will be used to comment on results, especially in case of controls declared as not passed. Conclusion: Choose the appropriate conclusion for the test (passed / not passed). Passed means the test was a success. Documentation: Use the Browse functionality to attach the work papers and other documentation.

(See Appendix 7 for a more detailed RVR presentation)

45 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests - RVR Test Result Example

SOX PMO are working with the RVR company to determine the best methodology to update & distinguish External Auditor results in RVR.

46 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests PGP


(See Appendix 6 for PGP presentation)

47 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of tests - PGP Test Result Example

Finding is only considered final once GAS manager has approved at which time he sets Status to Complete and checks Completed box Only at this time will COE be updated by GAS (COE in separate area under the generic control)

1 2 3 4 5 6

1 2 3

First entered by local tester

First entered as Finding Status Pending GAS Mgmt Approval Then flipped to Finding Status Complete by GAS manager Updated by GAS manager

48 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.7. Documentation of Tests Comparison of RVR and PGP


Both Corporate Audit Services and External Auditor results will be entered into PGP or RVR Corporate Audit Services will be responsible for updating testing results for their testing
RVR Field Test Area Step # Test Description & Comments on Conclusion Who Performed It? When Was it Performed? Documentation Conclusion Test Name Test Description Test Results Tester 1) Period Test Started, 2) Period Test Ended Attachments Test Result Summary Test Type Status As is - no issue Narrative/Free Form Narrative/Free Form As is - no issue As is - no issue As is - no issue TBD GAS, EY, DT, Mgmt Not Started Pending GAS Mgmt Review Complete As is - no issue Please see following charts 2006 RVR utilized Passed/Failed, PGP had multiple selections such as "Control Not Performed" Protiviti Field 2007 Recommendation Notes

PGP is a validated PGP user

Completed (Checkmark) Control (generic) Area Assessment Level Control Operating Effectivess

49 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.8. Deficiencies
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned function, to prevent or detect misstatements on a timely basis (PCAOB 4).
DEFICIENCY REASON A control necessary to cover the risk is missing. OR An existing control is not properly designed so that, even if the controls operate, the objective is not always met. A properly designed control does not operate as intended. OR The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

DESIGN

OPERATION

For each design or operational control deficiency, an action plan is required by the local process/control owners and leadership. This has to be entered in RVR or PGP. This is not the responsibility of CAS.

50 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.8. Deficiencies (continued)


When a deficiency has been identified and agreed with the control owner and the SOX PMO, the control owner and the SOX PMO will identify any applicable Compensating Controls, present them for approval to the entitys CFO (respectively CIO for IT general controls), and if agreed, record them in the action plan in RVR/PGP. All compensating controls will be recorded in RVR/PGP: Non Key controls will be upgraded to Key New controls will need to be documented by management Compensating controls will be tested by CAS whilst in the field if time permits, or by management. It is recommended to limit as much as possible the creation of new compensating controls and improve the operating effectiveness of existing controls in RVR/PGP. The existence of one or more compensating controls does not eliminate the deficiency. The effect of compensating controls is to be taken into account when assessing the severity of a misstatement occurring and not being prevented or detected. That is, compensating controls are relevant only in the determination of whether a deficiency is a moderate deficiency or a major deficiency this determination is the responsibility of the SOX PMO and NOT CAS.

51 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.8. Deficiencies - How do we qualify as a deficiency


A minor deficiency is a deficiency, which is not classified as moderate or major. A moderate deficiency is a control deficiency that adversely affects the companys ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles. A moderate deficiency could be a single deficiency, or a combination of deficiencies, that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential in amount will not be prevented or detected. A major deficiency is a major deficiency or a combination of major deficiencies, that results in more than a remote likelihood than a major misstatement of the annual or interim financial statements will not be prevented or detected.
Classification of Deficiency Likelihood of Misstatement either remote or => ---------Less than a 5% to 10% chance Potential Magnitude of Misstatement Inconsequental ---------Less than M 5 More than inconsequental ---------From M 5 to M 40 High ---------Greater than M 40

SOX PMO to provide new thresholds when available

Minor Deficiency

Moderate Deficiency

Major Deficiency

More than remote ---------More than a 5% to 10% chance

52 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.8. Deficiencies - How do we qualify as a deficiency (continued)


Assess Likelihood and Magnitude (= severity) Testers must evaluate control deficiencies and determine whether the deficiencies, individually or in combination, are moderate deficiencies or major deficiencies. The evaluation of the significance of a deficiency should include both quantitative (refer to the above table) and qualitative factors. Qualitative factors are items related to integrity, ethical values, fraud, authority, responsibility, competency of employees, staffing, etc. Testers should evaluate the significance of a deficiency in internal control over financial reporting initially by determining the following: the likelihood that a deficiency, or a combination of deficiencies, could result in a misstatement of an account balance or disclosure; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies. The assessment of likelihood should be based on past years occurrences. Did we notice such deficiencies in the past? How often did it occur? The qualification of deficiencies will be reported in an audit memo (see 2.7) and not in RVR. It represents internal audit professional judgment. This qualification of deficiencies will be presented and discussed with the SOX project leader and related accountable operational management before the closing meeting with the CFO (respectively CIO for IT general controls).

Note : Qualification of control deficiencies is performed when a control has been tested. Testers will not assess the severity of not designed / not documented controls for which an action plan is ongoing.
All Rights Reserved Alcatel-Lucent 2007

53 | CAS |2007 SOX Testing Guidelines |July 2007

2.9. Control Operating Effectiveness (COE) and Assessment Level


Corporate Audit Services is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on CAS-based test outcomes. Both RVR and PGP will utilize standardized selections see Control Operating Effectiveness and Assessment Level - Selections 2007 slide 57 Based on the test results the auditor has to determine the result for the control being tested. If one of the test steps fails/ is recorded as not passed the auditor has to determine if the test step has a significant impact on the financial statements. If it is determined that this is not the case the control can (in some instances) still be deemed as fully operating. For instances where this occurs, the auditor should include in their work papers the basis of reporting the control fully operating and ensure that the testing lead/manager is in agreement with the conclusion reached. Where it is determined that there is a significant impact on the financial statements, the control should be assessed as not operating. In RVR, it is compulsory to update the evaluation history to keep track of the outstanding work to be performed. To update this data, the tester will have to select the evaluation history icon and select the adequate status. The other fields on the screen do not need to be completed by testers. For details of entering COE in PGP see PGP training slides in appendix 6.

54 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.9. Control Operating Effectiveness (COE) and Assessment Level (continued)


When testers note that the control is not well designed rather than not operating they should use the design deficiency option rather than operational deficiency.

SOX PMO is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on External Auditor based test outcomes (only deficiencies will be entered).
The most recent test result rules, for example: If CAS tests resulted in a Fully Operating assessment and an External Auditor subsequently deemed the control to have an Operational Deficiency the Operational Deficiency would override the CAS result.

Former Alcatel units also utilized Control Steps in their RCMs Control Steps are the localized details of a generic control
In PGP, Control Steps are identified by the Control Name convention which is the control number followed by Step #; e.g. C040.Step.001; C210.Step.002, etc. In addition, Control Significance is set to 3. Step. PGP: Generic controls will be updated for Control Operating Effectiveness in 2007; Control Steps will not (they will retain the system default of *None Selected. This is consistent with RVR which does not assess Control Steps.

55 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.9. Control Operating Effectiveness (COE) and Assessment Level (continued) Selections 2006

PROTIVITI Operating Effectiveness Selections (Portal: Control Level) Not Tested Tested Effective Operational Deficiency - 1 Test Results Selections (Portal: Test Detail Level) None None Lack of formal evidence Control not performed Control not ready Risk not mitigated Missing risk and/or control (as above) None None None N/A

RVR Assessment Level Selections Not Tested Fully Operating

Explanations At the inception of the SOX 2007 program all controls will appear as "Not Tested". This is the default value. Control design is effective (it mitigates identified risks) and is also operating effectively (control is being performed as designed). Formal evidence could not be provided to support the control activity. However, some "informal" evidence that the control was performed is available. Control activity not performed as required, auditee cannot provide "informal evidence" that control was performed. Control owner is not ready or not available for testing, or the control is not documented accurately enough to test. The documented control as designed does not mitigate identified risk.

Not Operating

2 0 0 6

Operational Deficiency - 2 Operational Deficiency - 3 Design Deficiency - 1 Design Deficiency - 2 Preliminary Deficiency Insufficient Sample No Triggering Event Annual Control

Not Documented

Not Designed Risk has not been indentified, or existing risk does not have an identified primary control. IA or PwC finding under dispute by PMO and/or Process Owner. Maximum 5 days in category, then escalation is required. Not enough testable evidence has been accumulated to perform test on a control, such as a new control. Use this if partial sample passes or not tested due to sample size. The event that would trigger the need for the control activity to be performed has not occurred from the beginning of the fiscal year until the date of audit. Therefore the control cannot be tested. Control occurs once a year and has not been performed as of testing date.

56 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.9. Control Operating Effectiveness and Assessment Level - Selections 2007


PROTIVITI / RVR Operating Effectiveness/ Assessment Level Selections Not Tested Fully Operating Explanations At the inception of the SOX 2007 program all controls will appear as "Not Tested". This is the default value. Control design is effective (it mitigates identified risks) and is also operating effectively (control is being performed as designed). - Formal evidence could not be provided to support the control activity. However, some "informal" evidence that the control was performed is available. - Control activity not performed as required, auditee cannot provide "informal evidence" that control - The documented control as designed does not mitigate identified risk. - Risk has not been indentified, or existing risk does not have an identified primary control. Control owner is not ready or not available for testing, or the control is not documented accurately enough to test. Need further discussion with regard to whether this is considered a deficiency or not IA or EA finding under dispute by PMO and/or Process Owner. Maximum 5 days in category, then escalation is required. Not enough testable evidence has been accumulated to perform test on a control, such as a new control. Use this if partial sample passes or not tested due to sample size. The event that would trigger the need for the control activity to be performed has not occurred from the beginning of the fiscal year until the date of audit. Therefore the control cannot be tested. Control occurs once a year and has not been performed as of testing date. In RVR, a *KEY* generic control that is "Not Applicable" for a particular local entity. Indicates NEW control that is being established in RVR and is still in-progress for design and documentation. = Considered deficiency for reporting purposes; action/plans should be created in all cases. = Only relevant for RVR. * Deficiency metric will be calculated using the total number of deficiencies (operational plus design) divided by the total number of controls tested (tested effective plus total deficiencies), excluding dependent controls.

2 0

Operational Deficiency

0
7

Design Deficiency Not Documented/Ready Preliminary Deficiency Insufficient Sample No Triggering Event Annual Control N/A Missing

57 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.10. Action/Remediation Plans


All Control (generic) deficiencies must have an associated remediation Action Plan o Includes CAS, External Auditor and Management identified deficiencies Local process/control owners and leadership have accountability for entering, managing and closing remediation action plans in RVR and PGP - Not CAS. The general expectation is that remediation/action plan due date will be 5 business days after the audit closes although it is definitely recognized that there may be cases where an extended remediation period is required. When a deficiency is logged the following process should be followed to create the Action Plan (This is not the responsibility of CAS): o Finalized remediation plan should be updated in Comments Field (RVR) or Action Plan Description Field (PGP). At that point the status in the SOX Tool should be set to inprogress o Secure the appropriate approvals from the necessary parties Local Management, Local CFO, Regional Coordinators etc. o Execute action plans o Set Action Plan Status in SOX tool to Complete and enter completion date in the ActnPlanRvwSgnOffDate (PGP) there is no completion date equivalent in RVR. SOX PMO will monitor and track the progress of the remediation plans and inform CAS once there is a sufficient sample to test the remediated control. o Remediation of deficiencies in a timely and accurate manner is an important aspect of the SOX program and therefore this area will also be a key area of management reporting in 2007
58 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

2.10. Action/Remediation Plans (continued) - PGP

Required Required

Required

59 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.10. Action/Remediation Plans (continued) - RVR

Required

Required

60 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.11. Corporate Audit Services Deliverables


It has been agreed that all testing will be performed in 2007 by Corporate Audit Services with the exception of Annual Controls performed on or after December 31, 2007. These controls will be tested in Q1 2008. Audit Announcement Letters In the former Alcatel an audit announcement letter was sent in 2006 to the entitys CFO/CEO before the SOX work commenced (refer to the example in appendix 3). Regional Audit Directors, if needed, would customize the model. In the former Lucent audit announcement letters were not sent out in 2006, it was the SOX PMOs responsibility to communicate the test dates with the local management and control owners. Based on the Companys SOX approach in 2007 with the PMO being responsible for the project, it is their responsibility to communicate the test dates to the control owners and others as necessary based on the integrated test plan. On completion of testing a process, CAS will send an email to the SOX PMO informing them that either RVR or PGP is updated with the test results and is ready for reporting.

61 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.11. Corporate Audit Services Deliverables (continued)


Corporate Audit Services will issue an Audit Memo (refer to the 2006 model in Appendix 4) for each process reviewed (HR, CAPEX, ). This memo will mainly be distributed to local management and the SOX PMO. Alcatel-Lucent HQ senior management will receive a consolidated report issued by each RAD, covering a complete entity. In the audit memo, Corporate Audit Services should state briefly the work performed (refer to audit objectives section), include a summary of the testing results by operating effectiveness category, and include a table detailing all controls not operating effectively, including explanations. All audit memos will be gathered and analyzed by the SOX PMO to highlight most significant issues within the organization. The SOX Steering Committee will determine whether deficiencies are significant or material. The SOX Steering Committee will also resolve any Preliminary Deficiencies where the Control Owner/PMO do not agree with a CAS finding. AutoAudit (CAS database) will record all man days spent on SOX, with man days being recorded at a minimum by process level within an entity. Issuance of SOX audit memos and reports should follow existing CAS procedures for pre-issuance reviews, approvals, numbering and archiving.

62 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.12. Self Assessment/Management Testing


SOX PMO/Management will test XMS expenses and corporate/centralized entity level controls. SOX PMO/Management will develop the test procedures, sample size, etc. and communicate to CAS. SOX PMO will enter the results of these tests according to documented standards but distinguished by Test Type Management Test (in addition, the Tester will be a non-GAS tester).

Management testing will only be entered when final and therefore entered with Finding Status Complete and checked complete

63 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.12. Self Assessment/Management Testing (continued)


The processes to be tested by the SOX PMO, self assessment or by management testing are XMS expenses and corporate/centralized entity level controls.

64 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.13. Internal Control Questionnaire (ICQ)


Applicable for Tier 3 entities and out-of-scope processes for Tier 2 entities Will be facilitated via the Protiviti Governance Portal Assessment Manager (formerly TSA)

PGP will issue questionnaires via e-mail to local CFOs, track and report progress and provide reporting capability for response summaries, etc.
Depending on responses to the questionnaires action plans or tests may result Central SOX PMO will administer the ICQ and track progress and escalate issues via the SOX Council Questionnaire under development ICQ will be issued shortly

65 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2.14. Critical Spreadsheets


f-Lucent As a result of the current year's rationalization, the critical spreadsheets for f-Lucent have been reduced from 118 in FY06 to 20 in FY07. See appendix 13 which provides further details relating to these 20 spreadsheets (i.e. process & control reference, control owner, etc). Please refer to this file to determine the critical spreadsheets in scope for the testing of each process, as the portal documentation regarding critical spreadsheets has not been fully updated to reflect the current scoping status. The file as per appendix 13 will also be posted in PGP, and this should be checked to ensure there are no changes before testing commences (to view the file go to the left-hand side of the PGP welcome screen, then FY07/Critical Spreadsheets/F-Lucent (PGP))

For each critical spreadsheet identified there is an associated control (column F), and all documentation relating to the testing of the critical spreadsheet should be saved in PGP under the associated control. If there are any other critical spreadsheets in PGP for f-Lucent processes other than those per appendix 13, they do not require testing in FY2007.
f-Alcatel Critical spreadsheets are retained in RVR on the same basis as FY2006 with all spreadsheets being retained under one control. The control owners have been advised that it is their responsibility to verify that only the FY2007 in scope spreadsheets are included in RVR. Before testing a process the in scope spreadsheets should be confirmed with the control owners.
66 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

Appendices

67 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

2007 SOX Testing Guidelines - Appendices


Topic 3. Appendices Appendix 1 - Scoping document Appendix 2 Financial statement assertions Appendix 3 Audit Announcement Letter template Appendix 4 Audit Memo template Appendix 5 Testing decision tree Appendix 6 PGP training Appendix 7 RVR training Appendix 8 Key SOX contacts Appendix 9 2007 Sub-process numbers Appendix 10 - 2006 to 2007 Process mapping 69 70 72 73 74 75 76 77 78 79 Page(s)

Appendix 11 SOX testing worksheet


Appendix 12 Random Number Generator Appendix 13 f-Lucent in scope critical spreadsheets
68 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

80
81 82

APPENDIX 1 : Scoping Document

69 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 2: Financial Statement Assertions


We assess risks of major misstatement at an assertion level by considering the different types of potential misstatements that may occur and then design audit procedures that are responsive to those risks. They can be looked as objectives of Internal Control. Compliance with SOX 404 requires we address all the assertions. Existence: an asset or a liability exists at a given date (B/S), a recorded transaction or event that pertains to the client actually took place during the period (P/L). For example, management asserts that finished goods inventories in the balance sheet are available for sale. Similarly, management asserts that sales in the income statement represent the exchange of goods or services with customers for cash or other consideration. Valuation: an asset or liability is recorded at an appropriate carrying value (B/S), a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period (P/L). For example, management asserts that property is recorded at historical cost and that such cost is systematically allocated to appropriate accounting periods. Similarly, management asserts that trade accounts receivable included in the balance sheet are stated at net realizable value. Completeness: there are no unrecorded assets, liabilities, transactions or events, or undisclosed items. For example, management asserts that all purchases of goods and services are recorded and are included in the financial statements. Similarly, management asserts that notes payable in the balance sheet include all such obligations of the entity
All Rights Reserved Alcatel-Lucent 2007

70 | CAS |2007 SOX Testing Guidelines |July 2007

APPENDIX 2: Financial Statement Assertions (continued)


Rights and obligations: an asset or a liability pertains to the client at a given date. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity's rights to leased property and that the corresponding lease liability represents an obligation of the entity. Presentation and disclosure: an item is classified, described, and disclosed in accordance with the applicable financial reporting framework. For example, management asserts that obligations classified as long-term liabilities in the balance sheet will not mature within one year. Similarly, management asserts that amounts presented as restructuring charges in the income statement are properly classified and described. Segregation of duties: strategy to provide an internal check on performance through separation of custody of assets from accounting personnel, separation of authorization of transactions from custody of related assets, separation of operational responsibilities from record keeping responsibilities. For example, management asserts that employees in charge of creating new suppliers do not have the ability to initiate disbursements. Authorization / safeguarding of assets: policies and procedures that provide reasonable assurance regarding protection or timely detection of unauthorized acquisitions, use or disposition of the companys assets that could have a major effect on the financial statements. For example, management asserts that CAPEX operations are duly authorized.
All Rights Reserved Alcatel-Lucent 2007

71 | CAS |2007 SOX Testing Guidelines |July 2007

APPENDIX 3: Audit Announcement Letter Template

2006 SOX Testing Announcement Letter

2007 General Announcement Letter Template

72 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 4: Audit Memo Template


2007 SOX Audit Memo Template

73 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 5: f-Alcatel Testing Decision Tree


Note the attached 2006 document shows remediation action plans as the responsibility of CAS. In FY2007, remediation action plans are the responsibility of the SOX PMO and the Control Owners NOT CAS.

74 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 6: PGP Training


A training document is located on the Protiviti Portal at the following address (bottom of the page):

http://ihprotiviti01.ndc.lucent.com/SOAPortal/

75 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 7: RVR Training

76 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 8: Key SOX Contacts and Responsibilities


SOX PMO
Cathy Carroll SOX Compliance Alan Kilyk SOX PMO/Project Management Scott Greenfield - NAR Stephan Vantomme - EMEA

Jennie Tiderman ASB and APAC


Bob Moogan - Scoping/Integrated test plan/SAS70's Jill Clark and Mary Ann Imroth PGP and RVR

CAS
Laurent Arnaudo Overall responsibility for SOX testing Craig Harlow SOX Strategy Peter Green SOX PMO and CAS Liaison Rich Braithwaite IT Testing Henk van Beveren and Sophie Neron-Berger Testing in EMEA Kris Lemmens and Sushil George Testing in ASB and APAC Gautam Patankar and Vig Menon Testing in NAR and CASA
77 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007

APPENDIX 9: 2007 Sub-Process Numbers

78 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 10: 2006 to 2007 Process Mapping

79 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 11: SOX Testing Worksheet

80 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 12: Random Number Generator

81 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

APPENDIX 13: Former Lucent in Scope Critical Spreadsheets

82 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

www.alcatel-lucent.com

83 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved Alcatel-Lucent 2007

You might also like