2007 SOX 404 Testing Guidelines FINAL
General Information

Topic 1. General Information
1.1 Overview of Section 404 of the Sarbanes-Oxley Act and update from 2006
1.2 What is internal control over financial reporting?
1.3 Responsibilities of Control Owners, SOX PMO and CAS
1.4 SOX PMO Goals and Objectives
1.5 SOX PMO Principles and Assumptions
1.6 SOX PMO Integrated Test Plan
1.7 SOX 404 Work Performed to Date
1.8 SOX 404 Next Steps
1.1. Overview of Section 404 of the Sarbanes-Oxley Act and Update from 2006

The Sarbanes-Oxley Act (the Act) was enacted in July 2002 in response to several major corporate and accounting scandals at large, prominent companies such as Enron, WorldCom, Global Crossing and Tyco. The Securities and Exchange Commission (SEC) has explicit authority to establish rules for implementing the various sections of the Act and for enforcing the Act and related rules. In June 2003, the SEC issued its rules on management's responsibilities under Section 404. In June 2004, the SEC approved the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS2). On May 23, 2007, the SEC approved interpretive guidance regarding management's evaluation of internal control over financial reporting; AS2 was replaced by PCAOB Auditing Standard No. 5 (AS5), which the SEC approved in July 2007. The key elements affecting the company from a testing perspective are:
- Only controls that materially impact the financial statements require testing.
- The external auditors no longer evaluate management's evaluation process; they opine directly on internal control over financial reporting.
1.1. Overview of Section 404 of the Sarbanes-Oxley Act and Update from 2006 (continued)

Under the SEC's rules for Section 404, the management of Alcatel-Lucent is required to:
- Accept responsibility for the effectiveness of internal control over financial reporting;
- Evaluate the effectiveness of internal control over financial reporting using a recognized control framework;
- Support its evaluation of internal control over financial reporting with sufficient evidence, including documentation and testing of key controls;
- Provide a written conclusion on the effectiveness of internal control over financial reporting at year-end.
Alcatel-Lucent must comply with the SECs rules pertaining to the Act as a condition of being a listed company in the US.
SOX PMO:
- Prepare and coordinate the test plan with CAS, and inform CAS of test readiness;
- Report test results and project status to Senior Management and the A&FC;
- Report test results to the external auditors.

CAS:
- Allocate the resources available to test controls ready for testing (confirmed through the SOX PMO);
- Test controls and record test results (in RVR and PGP);
- Report test results to the SOX PMO and the entity CFO/CEO.
9 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved Alcatel-Lucent 2007
- Incorporate improvements introduced by AS5 and the SEC guidance
- Maximize efficiency and effectiveness
- Testing appropriate to risk
- Monitor progress of testing throughout the program
- Testing of non-key/secondary controls may be required to the extent they are a compensating control for a failed key/primary control. This requires the approval/concurrence of the Local Coordinator and the Regional SOX PMO Lead; any non-key control elevated to in-scope should then have its Control Significance amended to Key.
* Scheduling should not be considered final until the SOX PMO has confirmed it with CAS and the External Auditors.
1.6. SOX PMO Integrated Test Plan (continued) - Sample Template for use by the SOX PMO (Not CAS)

[Spreadsheet template; only the column headings and sample rows are recoverable. Columns A-H and P-V: Region, Local Unit, Process #, Sub-Process #, Sub-Process Name, GAS Phase 1 / GPO-PMO Phase 1 lead, Regional PMO Lead, Local PMO Lead, Field Test Ready Date, Field Test Start Date, Field Test Complete Date, EA Phase 1 Test Status, EA Test Start Date, EA Field Test Complete Date. Sample rows: region APAC, local unit ASB, process 01 Revenue Cycle, sub-processes 001.002 to 001.013 (Ordering, Ordering Management, Project/Contract Monitoring, Material Management and Delivery, Revenue Recognition, Billing/Invoice (incl. F-ALA rev. rec. and discounts), Credit Mgmt, Collecting and Reserves, F-ALA Access/SOD); processes 01 to 11: Revenue Cycle, Purchasing Cycle, Human Resources Management, Inventory Cycle, CAPEX, Other Investments and Intangibles, Treasury Management, Tax Management, General Ledger & Financial Reporting, ITGC, Managing the Entity, SOD & Restricted Access; named leads Jennie Tiderman and Peilu Cao.]
Testing Process

5. Agree deficiencies with the control owner, and with the SOX PMO (when necessary).
6. Update RVR/PGP Assessment Level / Control Operating Effectiveness (COE).
7. Update control owners / SOX PMO with testing status (as necessary) during fieldwork.
8. Closing meeting with control owners, entity CFO and SOX PMO on the last day of fieldwork.
9. Email SOX PMO verifying that RVR/PGP has been updated and test results are available for reporting.
11. Issue Audit Memo to SOX PMO and entity management (by process).
Process Names:
- Revenue Cycle
- Purchasing Cycle
- Human Resources Management
- Inventory Cycle
- CAPEX, Other Investments & Intangibles
- Treasury Management
- Tax Management
- General Ledger & Financial Reporting
- IT General Controls
- Managing the Entity
- SOD & Restricted Access
- Master Data

See also: appendix 9 for details of the sub-process numbers; appendix 10 for the 2006 to 2007 process mappings.
Test Readiness Meetings are scheduled by the Local SOX Coordinator (or designee) approximately one week prior to testing. Participants should include, at a minimum: a CAS representative, the Regional SOX PMO Coordinator, a Regional and Local CFO delegate, and a SOX PMO delegate.

Once the Test Readiness Meeting is completed, no further SOX tool changes should be made, as CAS will begin downloading information to prepare for the audit. At the readiness meeting the SOX PMO provides CAS with a definitive control list (including, at minimum, process and control numbers).
Controls classified as Not Designed or Not Documented in RVR are considered not in place (currently in the action plan) and will not be tested by CAS. These tests will be performed at a later date during the testing of remediated controls. It is the responsibility of the SOX PMO to inform CAS when these controls are ready for testing, with the necessary sample size available.

For former Alcatel entities where SAP is used, controls related to segregation of duties and access will be documented and tested with an extraction tool (CheckAud). The tool reports who can perform critical transactions, or combinations of critical transactions. The entity (under the responsibility of its CFO) must interpret whether the granted access is acceptable and/or whether appropriate compensating controls exist. Testers then verify, on a sample basis, that they can rely on the review performed by management. Testers need at least minimum training on SAP transaction codes and a good knowledge of the process itself to perform their review. When testers note that the CheckAud report has not yet been run and/or analyzed by operational management, this should be reported as a control deficiency. We should also explain to the auditors how they can verify whether CheckAud reports have been analyzed.
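The following is an added example of the tester's reperformance described above, not code from the guidelines or from the CheckAud tool. It takes a constructed (user, transaction code) export of the kind an extraction tool produces, applies an assumed function-to-T-code mapping and conflict matrix, lists every user holding a conflicting combination, and then checks each conflict against a constructed management review log: conflicts management has not analyzed are the control deficiency the guidelines describe. All names, T-codes, rules and log entries are illustrative assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over an SAP-style authorization export.

Added example: this is not code from the Alcatel-Lucent guidelines or from the
CheckAud tool. The (user, T-code) input format, the function-to-T-code mapping,
the conflict matrix and the review log are all constructed assumptions.
"""
import csv
import io

# Assumed mapping of business functions to the SAP transaction codes that grant them.
FUNCTIONS = {
    "create_vendor": {"XK01", "FK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "release_payment": {"F110"},
    "create_sales_order": {"VA01"},
    "post_customer_credit_memo": {"FB75"},
}

# Assumed conflict matrix: a user holding both functions of a pair can complete
# a fraudulent transaction end to end without a second person.
CONFLICTS = [
    ("create_vendor", "post_vendor_invoice"),
    ("create_vendor", "release_payment"),
    ("post_vendor_invoice", "release_payment"),
    ("create_sales_order", "post_customer_credit_memo"),
]

# Constructed extraction-tool output: one row per user and T-code the user can execute.
AUTH_EXPORT = """\
user,tcode
jsmith,XK01
jsmith,MIRO
jsmith,VA01
mlee,F110
mlee,FB60
pcao,VA01
pcao,FB75
tnguyen,VA01
"""

# Constructed management review log: conflicts the entity CFO's team has analyzed,
# keyed by (user, function, function), with the compensating control accepted.
REVIEW_LOG = {
    ("mlee", "post_vendor_invoice", "release_payment"):
        "accepted: payment run released only after treasury dual approval",
}


def parse_export(text):
    """Return {user: set of T-codes} from the CSV export."""
    access = {}
    for row in csv.DictReader(io.StringIO(text)):
        access.setdefault(row["user"], set()).add(row["tcode"].strip().upper())
    return access


def functions_for(tcodes):
    """Business functions a set of T-codes grants (any one T-code of a function is enough)."""
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def find_conflicts(access):
    """List (user, function_a, function_b) for every conflicting pair a user holds."""
    found = []
    for user in sorted(access):
        held = functions_for(access[user])
        for a, b in CONFLICTS:
            if a in held and b in held:
                found.append((user, a, b))
    return found


def assess(conflicts, review_log):
    """Split conflicts into those management has reviewed and those it has not.

    An unreviewed conflict means the extraction report was not analyzed for that
    user, which the guidelines treat as a control deficiency.
    """
    reviewed = [c for c in conflicts if c in review_log]
    unreviewed = [c for c in conflicts if c not in review_log]
    # Review entries for conflicts that no longer exist are stale and should be cleaned up.
    stale = [k for k in review_log if k not in conflicts]
    return {"reviewed": reviewed, "unreviewed": unreviewed, "stale": stale}


if __name__ == "__main__":
    result = assess(find_conflicts(parse_export(AUTH_EXPORT)), REVIEW_LOG)
    for user, a, b in result["unreviewed"]:
        print(f"DEFICIENCY: {user} holds {a} + {b}; not reviewed by management")
    for user, a, b in result["reviewed"]:
        print(f"reviewed: {user} {a} + {b}: {REVIEW_LOG[(user, a, b)]}")
```

The tester's sample-basis check is the comparison in assess: the raw export is recomputed independently of management's report, so a conflict that management's review missed, or a review that was never performed, surfaces as an unreviewed entry rather than being taken on trust.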
If CAS is unable to verify that an automated control remains unchanged from the previous year, normal testing procedures should be performed.

Specific to entities using RVR. Note: for all entities in Section 404 scope, SOX coordinators have already performed the following review.

PGP: The SOX PMO uploaded all test procedures and audit work papers from RVR into PGP for the former Alcatel controls. The SOX PMO and CAS uploaded the former Lucent high-level test procedures previously documented on the Test of Control (TOC) spreadsheet into PGP. The upload is expected to populate the majority of high-level test procedures; for those not populated, the previous year's TOC should be used to obtain them. All test procedures should be reviewed to ensure they are relevant for the control being tested. Former Lucent Sample Attribute Worksheets (SAWs) have not been uploaded into the portal and will need to be obtained from the CAS server.
Level of comfort (highest to lowest): Reperformance, Inspection/Examination, Observation, Inquiry.

Reperformance
- Documentation requirements: details of what was done and which items were tested; sufficient to reproduce the test.
- Example: to check the valuation of goodwill, the tester recalculates the goodwill and compares the result with management's evaluation.
- Notes: sample size can be low when combined with examination testing.

Inspection/Examination
- Review of evidence, in either electronic or paper form, that a control activity is performed. The level of assurance obtained from such evidence depends on the nature of the control activity and the control objective. Provide enough detail to duplicate the test process and verify the result.
- Documentation requirements: who, when, what. Retain enough detail so the test can be duplicated (e.g. order number); also note what evidence was reviewed to verify the control was working as indicated (e.g. noted form was signed by an authorized person).
- Example: if the control is "the credit manager reviews and approves all sales orders exceeding a determined amount", the tester selects a sample of orders exceeding the limit and examines the evidence of control: based on the sample, we noted that the CPM completed all proper fields to show evidence of his/her review; the approval is supported by a signature.
- Notes: easiest way of obtaining evidence of the existence of assets such as cash and inventory.

Observation
- Watch an individual perform the control activity, or observe group activities such as status meetings, disclosure meetings, etc.
- Documentation requirements: who and what was observed, when it was observed, and the outcome.
- Example: automated: observe that a field edit check works when invalid data is entered; manual: observe the person receiving goods to test the operating effectiveness of inventory management.
- Notes: more reliable than inquiry. Can be sufficient for some automated controls; probably not sufficient alone for key manual controls.

Inquiry
- Seek information from knowledgeable persons; evaluating the responses is an integral part of the inquiry process. Ascertain whether a control is in place by asking oral or written questions.
- Weakest type of test: must be followed by another test (inquiry alone is not enough), and should be made of more than one person (i.e., corroborated).
- Documentation considerations: who, when, where, how.
Sample sizes (regular guidance)

Frequency of performance: Annual, Semi-Annual, Quarterly, Monthly, Weekly, Daily, Multiple Times per Day, Ad-hoc/As-Needed.
[Table row as recovered, label missing: N/A: Classify as deficiency (five columns); 25; 25.]

- New controls in place for over 90 days use the above sample guidance.
- Automated controls use one sample: one positive and one negative test (see slide 23).
- Depending on the External Auditors' risk assessment of a process, they will in some cases pull a separate sample from that used by CAS, whereas in other cases they will use the sample pulled by CAS to perform their testing (or a combination of the two).
Where feasible, the additional sample should be tested while on site. If the deficiency is identified on the last day of testing and there is not sufficient time to obtain the additional sample documentation and perform the testing, the control should be identified as a Preliminary Deficiency and the control owner given 2 days to provide the documentation required for testing. If the documentation is provided and the sample is tested with no deficiencies, the control status should be changed to Fully Operational; if the documentation is not provided, or there is a deficiency, the control status should be changed to the appropriate deficiency. The SOX PMO and the control owner should be informed of the change in status.

Note: an exception found and corrected by management is not an exception. It shows that the control is operating effectively (for instance, the review of PO approvals catching an unapproved PO).
2.6. Sample Sizes - Minimum Operating Periods and Test Samples for Remediated Controls

This guidance only applies if the remediated control will operate for a period of less than 90 days before the year-end date. For controls that will operate for 90 days or more (i.e. put into operation before October 1), continue to use the regular sample size guidance (see slide 33).

Minimum number of times of operation for the remediated control as of the end of the fiscal year, and minimum number of items to be tested (the table carries one figure per frequency):
- Annual & Semi-Annual: N/A
- Quarterly: 2*
- Monthly: 2
- Weekly: 2
- Daily: 10
- Multiple Times per Day: 25**
- Ad-hoc/As-Needed: assessed case by case, using a risk-based approach to determine the appropriate sample size

* Includes the 4th quarter as one of the quarters
** Must operate at least 25 times over a minimum 15-day period

Note: the population/sample used to test a remediated control must be subsequent to the date on which the control was remediated.
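As an added example (not part of the guidelines), the selection logic above expressed as a script a tester could keep with the work papers: the 90-day fallback to regular guidance, the restriction of the population to occurrences after the remediation date, the minimum-operations check including the 25-times-over-15-days rule for multiple-times-per-day controls, and a reproducible random draw. The per-frequency sample sizes are the figures from the table as recovered and are treated as an assumption; the control populations are constructed.

```python
"""Sample selection for a remediated control.

Added example, not from the guidelines. It applies the rules stated above: a
control remediated 90 days or more before year end falls back to the regular
sample guidance; the population is restricted to occurrences after the
remediation date; a multiple-times-per-day control must have operated at least
25 times over a minimum 15-day period. The per-frequency sample sizes are those
in the table as recovered and are treated here as an assumption.
"""
import random
from datetime import date, timedelta

# Assumed minimum sample for remediated controls (table above, as recovered).
REMEDIATED_SAMPLE = {
    "quarterly": 2,
    "monthly": 2,
    "weekly": 2,
    "daily": 10,
    "multiple_per_day": 25,
}
MIN_DAYS_MULTIPLE_PER_DAY = 15  # footnote **: 25 operations over at least 15 days


def remediated_population(occurrences, remediated_on):
    """Only occurrences strictly after the remediation date are testable."""
    return sorted(d for d in occurrences if d > remediated_on)


def select_sample(frequency, occurrences, remediated_on, year_end, seed=0):
    """Return (status, sample); status is 'ok' or the reason no sample was drawn."""
    if (year_end - remediated_on).days >= 90:
        return "use_regular_guidance", []
    if frequency in ("annual", "semi_annual"):
        return "not_applicable", []
    if frequency == "ad_hoc":
        return "case_by_case", []
    population = remediated_population(occurrences, remediated_on)
    needed = REMEDIATED_SAMPLE[frequency]
    if len(population) < needed:
        return "insufficient_sample", []
    if frequency == "multiple_per_day":
        # Span from first to last post-remediation operation, inclusive.
        span_days = (population[-1] - population[0]).days + 1
        if span_days < MIN_DAYS_MULTIPLE_PER_DAY:
            return "insufficient_sample", []
    # Fixed seed so the draw can be reproduced from the work papers.
    sample = sorted(random.Random(seed).sample(population, needed))
    return "ok", sample


# Constructed scenarios (fiscal year ending 31 Dec 2007).
YEAR_END = date(2007, 12, 31)
REMEDIATED_LATE = date(2007, 11, 1)    # 60 days before year end
REMEDIATED_EARLY = date(2007, 9, 15)   # 107 days before year end
# A daily control that ran every day from 15 Oct to 15 Dec.
DAILY_POPULATION = [date(2007, 10, 15) + timedelta(days=i) for i in range(62)]
# A multiple-times-per-day control: 3 operations a day from 1 Dec, for 10 and 20 days.
BURST_10_DAYS = [date(2007, 12, 1) + timedelta(days=i // 3) for i in range(30)]
BURST_20_DAYS = [date(2007, 12, 1) + timedelta(days=i // 3) for i in range(60)]


if __name__ == "__main__":
    status, sample = select_sample("daily", DAILY_POPULATION, REMEDIATED_LATE, YEAR_END)
    print(status, [d.isoformat() for d in sample])
    print(select_sample("multiple_per_day", BURST_10_DAYS, date(2007, 11, 20), YEAR_END)[0])
```

The insufficient_sample status maps to the portal selection of the same name: a partial population is reported, not tested against a smaller draw.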
For 2007:
- Europe: all non-IT control testing will be recorded in RVR, with the exception of Centralized/Corporate Entity Level Controls (these will be recorded in PGP and will be tested by the SOX PMO).
- APAC: all non-IT control testing will be recorded in RVR.
- NAR and CASA: all non-IT control testing will be recorded in PGP.
- IT control testing in all regions will be recorded in either RVR or PGP, depending on the location of the control and where the control is recorded.

The new AS5 rules pertaining to Section 404 do not require Alcatel-Lucent's external auditors to evaluate the CAS testing, although the external auditors will rely on the work performed by CAS to reduce their own testing. The reliance placed on CAS work depends on the process, with less reliance on higher-risk Category 1 areas such as revenue, IT and financial controls.
Category 2 processes: at least 30%* independent testing, and at most 70%** reperformance testing.
* This percentage may be higher based on local risks identified.
** All control activities not addressed by independent testing will be tested by reperformance. All control activities will be tested by the external auditor.

It is therefore important that the documentation of the tests performed is of the highest quality. In addition, it is important to clarify with the local external auditors their requirements for our work papers to allow reperformance. A meeting with the local external auditors should take place in advance of testing to clarify their requirements, specifically the retention of documentation allowing them to reperform our work, and whether they require copies or original documentation.

This document reported all the references (e.g. an invoice number) of the documents tested and the data items that were reviewed (for example approval, shipping address). In 2007 this information should be recorded as part of the CAS SOX Testing Worksheet. For 2007 the external auditors informed the SOX PMO that if CAS testing documentation included copies of audit evidence, either electronically in the portals or in hard-copy files, this would be one way to reduce their fees. CAS should therefore (where feasible) retain electronic or hard copies of supporting documentation. If the documentation is too voluminous, only the specific pages relevant to the testing should be retained, and the control owner asked to keep the additional documentation to one side in preparation for the external auditors' reperformance testing. Detailed supporting documentation should be retained for all deficiencies.
[RVR screenshot: process 01 Revenue management, entity CIT, year 2004, status In Progress 39% and In Progress 100%, owner Arnaudo Laurent.]

SOX PMO are working with the RVR company to determine the best methodology to update and distinguish External Auditor results in RVR.

Finding status workflow in PGP:
1. The finding is first entered with Finding Status "Pending GAS Mgmt Approval".
2. The GAS manager then flips the Finding Status to "Complete" and checks the Completed box. A finding is only considered final once the GAS manager has approved it in this way.
3. Only at this point is the Control Operating Effectiveness (COE) updated by GAS; the COE sits in a separate area under the generic control (fields: Completed checkmark, Control (generic), Area, Assessment Level, Control Operating Effectiveness).
2.8. Deficiencies

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis (PCAOB 4).

Deficiency reason:
- Design: a control necessary to cover the risk is missing, OR an existing control is not properly designed, so that even if the control operates the objective is not always met.
- Operation: a properly designed control does not operate as intended, OR the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

For each design or operational control deficiency, an action plan is required from the local process/control owners and leadership. It has to be entered in RVR or PGP. This is not the responsibility of CAS.

Deficiency severity: Minor Deficiency, Moderate Deficiency, Major Deficiency.

Note: qualification of control deficiencies is performed once a control has been tested. Testers will not assess the severity of not designed / not documented controls for which an action plan is ongoing.
SOX PMO is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on External Auditor test outcomes (only deficiencies will be entered).

The most recent test result rules. For example: if CAS testing resulted in a Fully Operating assessment and an External Auditor subsequently deemed the control to have an Operational Deficiency, the Operational Deficiency overrides the CAS result.

Former Alcatel units also used Control Steps in their RCMs; Control Steps are the localized details of a generic control.

In PGP, Control Steps are identified by the Control Name convention of control number followed by Step #, e.g. C040.Step.001, C210.Step.002, etc.; in addition, Control Significance is set to "3. Step". PGP: generic controls will be updated for Control Operating Effectiveness in 2007; Control Steps will not (they retain the system default of *None Selected). This is consistent with RVR, which does not assess Control Steps.
2.9. Control Operating Effectiveness (COE) and Assessment Level (continued) - Selections

2006 (PROTIVITI portal). Operating Effectiveness selection (control level) / Test Results selection (test detail level) / Explanation:
- Not Tested / None / At the inception of the SOX 2007 program all controls appear as "Not Tested"; this is the default value.
- Tested Effective / None / Control design is effective (it mitigates identified risks) and the control is operating effectively (it is performed as designed).
- Operational Deficiency - 1 / Lack of formal evidence / Formal evidence could not be provided to support the control activity, but some "informal" evidence that the control was performed is available.
- Operational Deficiency - 2 / Control not performed / The control activity was not performed as required, and the auditee cannot provide "informal" evidence that it was performed.
- Operational Deficiency - 3 / Control not ready / The control owner is not ready or not available for testing, or the control is not documented accurately enough to test.
- Design Deficiency - 1 / Risk not mitigated / The documented control, as designed, does not mitigate the identified risk.
- Design Deficiency - 2 / Missing risk and/or control (as above).
- Not Operating, Not Documented, Not Designed / None / Not Designed: the risk has not been identified, or an existing risk does not have an identified primary control.
- Preliminary Deficiency / None / IA or PwC finding under dispute by the PMO and/or Process Owner. Maximum 5 days in this category, then escalation is required.
- Insufficient Sample / None / Not enough testable evidence has been accumulated to perform the test on a control, such as a new control. Use this if a partial sample passes or the control is not tested due to sample size.
- No Triggering Event / None / The event that would trigger the control activity has not occurred between the beginning of the fiscal year and the date of audit, so the control cannot be tested.
- Annual Control / N/A / The control occurs once a year and has not been performed as of the testing date.

2007 selections: Operational Deficiency, Design Deficiency, Not Documented/Ready, Preliminary Deficiency, Insufficient Sample, No Triggering Event, Annual Control, N/A, Missing. (A Test Results entry is marked Required for several of these selections.)

Management testing will only be entered when final, and therefore entered with Finding Status Complete and the Completed box checked.
PGP will issue questionnaires via e-mail to local CFOs, track and report progress, and provide reporting capability for response summaries, etc. Depending on the responses to the questionnaires, action plans or tests may result. The central SOX PMO will administer the ICQ, track progress, and escalate issues via the SOX Council. The questionnaire is under development; the ICQ will be issued shortly.
For each critical spreadsheet identified there is an associated control (column F), and all documentation relating to the testing of the critical spreadsheet should be saved in PGP under the associated control. Any other critical spreadsheets in PGP for f-Lucent processes, beyond those listed in appendix 13, do not require testing in FY2007.

f-Alcatel critical spreadsheets are retained in RVR on the same basis as FY2006, with all spreadsheets retained under one control. The control owners have been advised that it is their responsibility to verify that only the FY2007 in-scope spreadsheets are included in RVR. Before testing a process, the in-scope spreadsheets should be confirmed with the control owners.
Appendices

SOA Portal: http://ihprotiviti01.ndc.lucent.com/SOAPortal/

CAS contacts:
- Laurent Arnaudo: overall responsibility for SOX testing
- Craig Harlow: SOX strategy
- Peter Green: SOX PMO and CAS liaison
- Rich Braithwaite: IT testing
- Henk van Beveren and Sophie Neron-Berger: testing in EMEA
- Kris Lemmens and Sushil George: testing in ASB and APAC
- Gautam Patankar and Vig Menon: testing in NAR and CASA
www.alcatel-lucent.com