You are on page 1of 83

Corporate Audit Services 2007 SOX Testing Guidelines

Date – August 2007

2007 SOX Testing Guidelines - Index

Topic 1. General Information 2. Testing Process 3. Appendices

Page(s) 3 17 67

2 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

1

General Information

3 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

2007 SOX Testing Guidelines – General Information

Topic 1. General Information 1.1 Overview of section 404 of Sarbanes- Oxley Act and Update from 2006 1.2 What is “internal control over financial reporting”? 1.3 Responsibilities of Control Owners, SOX PMO and CAS 1.4. SOX PMO Goals and Objectives 1.5. SOX PMO Principles & Assumptions 1.6. SOX PMO Integrated Test Plan 1.7. SOX 404 Work Performed to Date 1.8. SOX 404 Next Steps

Page(s) 5 7 9 10 11 13 15 16

4 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

1.1. The external auditors are not evaluating management’s evaluation process but are opining directly on internal controls over financial reporting • • 5 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . the SEC approved interpretive guidance regarding management’s evaluation of internal control over financial reporting – AS5. Global Crossing. The Securities and Exchange Commission (SEC) has explicit authority to establish rules for implementing the various sections of the Act and for enforcement of the Act and related rules. The key elements affecting the company from a testing perspective are: • • Only controls that materially impact the financial statements require testing. Tyco.2 – An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (“AS2”). 2007. etc.Oxley Act and Update from 2006 • The Sarbanes-Oxley Act (the Act) was introduced in July 2002 in response to several major corporate and accounting scandals within large prominent companies such as Enron. In June 2004. the SEC issued its rules relating to management’s responsibilities under Section 404. WorldCom. In June 2003. On May 23. the SEC approved the adopted US Public Company Accounting Oversight Board (“PCAOB”) Auditing Standard No. Overview of section 404 of Sarbanes.

• • • Evaluate the effectiveness of internal controls over financial reporting using a recognized control framework. 6 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .1.Oxley Act and Update from 2006 (continued) Under the SEC’s rules for Section 404 the management of Alcatel-Lucent is required to: • Accept responsibility for the effectiveness of internal controls over financial reporting. Overview of section 404 of Sarbanes. Alcatel-Lucent must comply with the SEC’s rules pertaining to the Act as a condition of being a listed company in the US. Support its evaluation of internal controls over financial reporting with sufficient evidence including documentation and testing of key controls. Provide a written conclusion on the effectiveness of internal controls over financial reporting at year-end.1.

or persons performing similar functions. and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company.2. and other personnel. What is “internal control over financial reporting”? • • The SEC rule defines the term “internal control over financial reporting” to mean the following: A process designed by. use or disposition of the company’s assets that could have a major effect on the financial statements. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles. and effected by the company’s board of directors. • • • 7 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . or under the supervision of.1. in reasonable detail. accurately and fairly reflect the transactions and dispositions of the assets of the company. and Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition. to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: Pertain to the maintenance of records that. management. the company’s principal Executive and principal financial officers.

1. What is “internal control over financial reporting”? (continued) • The SEC’s definition of internal control over financial reporting does not encompass the effectiveness and efficiency of a company’s operations nor a company’s compliance with applicable laws and regulations with the exception of compliance with applicable laws and regulations directly related to the preparation of financial statements. 8 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2.

•Report test results to SOX PMO and entity CFO/CEO. SOX PMO •Document the process between Control Owners. SOX PMO and CAS. •Test controls and record test results (in RVR and PGP). and inform CAS of test readiness. •Maintain RVR and Protiviti (PGP) portals. SOX PMO and CAS Control Owners •Ensure controls are operating as documented. Responsibilities of Control Owners.3. CAS •Allocate resources available to test controls ready for testing (confirmation through SOX PMO). •Assist CAS with testing procedures. •Report test results and project status to Senior Management and A&FC. •Prepare and coordinate test plan with CAS. •Report test results to external auditors.1. 9 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . •Communicate with SOX PMO the control readiness for testing.

SOX PMO Goals and Objectives  To ensure a positive 404 certification for Alcatel-Lucent in 2007  SOX Program provides rapid identification and visibility to deficiencies & remediation status  Incorporate improvements introduced by AS5 & SEC Guidance  Maximize Efficiency & Effectiveness  Testing appropriate to risk  Monitor progress of testing throughout program  Minimize 2007 auditing costs – internal and external  Maximize use of ALU Group Audit work by external auditors  Minimize amount of “re-visits”.1. testing a subset of controls in one timeframe. a second wave at a separate time.e.  Be sensitive to the time constraints of the local business units 10 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .4. etc. i.

SOX PMO Principles & Assumptions  Test scope determined by SOX PMO with input and support of local coordinators  SOX PMO will maintain an Integrated Test Plan that is supported and updated by the various sources: o Local SOX Coordinators o Regional SOX PMO Leads o Corporate Audit Services o External Auditors  Alcatel-Lucent Corporate Audit Services performs testing on behalf of Management. Testing of XMS expenses and corporate/centralized entity level controls will be performed by the SOX PMO organization  External Auditors (E&Y and D&T) will also perform testing.5. typically and ideally 2 weeks after management completes its testing  One round of testing with “roll-forward” testing of remediated controls (where necessary)  Testing of non-key/secondary controls may be required to the extent they are a compensating control for a failed key/primary control  Requires the approval/concurrence of the Local Coordinator and Regional SOX PMO Lead  Any non-key control elevated to “in-scope” should then have it’s Control Significance amended to “Key” 11 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .1.

it must retain this designation until a subsequent test results in a “Fully Operating” assessment. CAS or Management/SOX PMO Testing.5. 12 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . SOX PMO Principles & Assumptions (continued)  Once a control is set to “Operational Deficiency” or “Design Deficiency” on the basis of testing performed by the External Auditors. This is relevant for:  Assessment Level in RVR and  Control Operating Effectiveness in PGP  In 2007 there will be no requirement to test within a 90-day window of the year-end.1.

should  Key input to SOX factor into Date PMO ITP Availability.  Communicates all  Preliminary. informal* subsequent discussions with Local changes to Test Auditors (CAS & External). etc.1. Schedule  Communicates any issues to Regional SOX PMO Lead • Local •Coordinators • Global •SOX •PMO  Maintains centralized.6. 2006 Local Coordinators remediation. national External Auditors* holidays. control and Regional CAS & readiness. Integrated Test Plan (ITP)  Leads discussion with Global External Audit Partners in confirming scheduling  Works with Corporate Group Audit staff to confirm Internal Audit dates  Serves as escalation for scheduling issues  Communicates relevant information and potential issues to Regional and Local personnel Integrated Test Plan * Scheduling should not be considered final until SOX PMO has confirmed with CAS and External Auditors 13 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . SOX PMO Integrated Test Plan  An Integrated Test Plan (ITP) will be maintained by the PMO to ensure coordination and efficient use of resources – both internal and external resources  A centralized ITP is critical to managing costs and resources for the global program  The centralized ITP will be organized by Local Unit and Process Parent or Sub-Process Regional • SOX PMO •Leads •  Key input to Regional SOX  Assesses available dates across all inPMO Lead scope units and  Should include all builds preliminary available dates to provide plan using the ITP flexibility in building the template regional/global plan.  Works in  Documentation conjunction with availability.

rec.00 1 001.002 001.005 Revenue Cycle Revenue Cycle Peilu Cao Peilu Cao 7 APAC ASB 01 001.6.002.013 Revenue Cycle Purchasing Cycle Human Resources Management Inventory Cycle CAPEX. and discounts) Credit Mgmt.008 Revenue Cycle Peilu Cao 9 10 11 12 APAC APAC APAC APAC ASB ASB ASB ASB 01 02 03 04 001. SOX PMO Integrated Test Plan (continued) Sample Template – for use by the SOX PMO (Not CAS) A B C D E F G H P Q R S T U V GAS GAS Phase 1 GPO/PMO Phase 1 Field Test Regional Test Ready Field Test Complete PMO Lead Local PMO Lead Date Start Date Date Jennie Tiderman Peilu Cao Jennie Tiderman Peilu Cao Jennie Tiderman Jennie Tiderman Jennie Tiderman EA Phase EA Phase 1 1 Test GAS Test Field Test Complete Status Start Date Date 1 2 3 Region APAC APAC Proce Sub Local Unit ss # Process # ASB ASB 01 01 001.004 001.00 1 Process Name Revenue Cycle Revenue Cycle Sub Process Name Ordering Ordering Management Project / Contract Monitoring Material Management and Delivery Revenue Recognition Billing/Invoice (incl F-ALA rev. Collecting and Reserves F-ALA Access/SOD Revenue Cycle EA Test Status 4 APAC ASB 01 Revenue Cycle Peilu Cao 5 6 APAC APAC ASB ASB 01 01 001.003.1.006 Revenue Cycle Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Jennie Tiderman Peilu Cao 8 APAC ASB 01 001. Other Investments and Intangibles Treasury Management Tax Management General Ledger & Financial Reporting ITGC Managing the entity SOD & Restricted Access Peilu Cao Peilu Cao Peilu Cao Peilu Cao 13 14 15 16 17 18 19 APAC APAC APAC APAC APAC APAC APAC ASB ASB ASB ASB ASB ASB ASB 05 06 07 08 09 10 11 Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao Peilu Cao 14 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

• Integrated test plans prepared for all regions.1. • New controls finalized including Entity Level. • Joint planning meetings between SOX PMO. • Scoping documents reviewed with external auditors (Deloitte & Touche and Ernst & Young). • Process scoping document prepared by SOX PMO. • Control rationalization documents reviewed with external auditors. • Feedback received from external auditors and incorporated into scoping documents. 15 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . • Testing/Reporting process between SOX PMO and CAS agreed. E&Y and CAS. • Feedback received from external auditors on control rationalization. SOX 404 Work Performed to Date • Entity scoping document prepared by SOX PMO. • IS/IT control rationalization meetings. • Control rationalization in Murray Hill for ex-Lucent processes. D&T. • Meeting with D&T in Murray Hill to ensure maximum reliance can be placed on CAS work. • Control rationalization in Paris for ex-Alcatel processes.7.

•Testing of controls and reporting of test results. SOX 404 Next Steps •Protiviti (“PGP”) training – planned for July 24th.1. 16 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .8.

2 Testing Process 17 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

Internal Control Questionnaire (ICQ) 2.4.3.13. Nature of testing 2.2007 SOX Testing Guidelines – Testing Process Topic 2.12.5. Testing Process 2. Sample sizes 2. Test readiness 2. Self Assessment/Management Testing 2.9.11.1. Action/Remediation plans 2.7. CAS deliverables 2.8.2. Documentation of tests 2. Critical Spreadsheets 18 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 Page(s) 19 20 21 22 27 33 38 50 54 58 61 63 65 66 . Deficiencies 2.6. Control Operating Effectiveness (COE) and Assessment Level 2.10.14. What do we test? 2. Summary testing process 2. Process numbers and mapping 2.

Readiness meeting 1 week in advance of testing – SOX PMO. Ensure time has been recorded in Auto Audit 11. Issue Audit Memo to SOX PMO and entity management (by process) 19 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Agree deficiencies with control owner. 8. Summary Testing Process 1. 7. 3. SOX PMO on last day of fieldwork Email SOX PMO verifying RVR/PGP has been updated and test results are available for reporting 10.1. 6. entity CFO. 9. Control owners and CAS – confirm controls to be tested and the status of controls Perform testing – using SOX testing worksheet Save work papers and other documentation in RVR/PGP as completed Update RVR/PGP with test results 5.2. 2. 4. and SOX PMO (when necessary) Update RVR/PGP Assessment Level/Control Operating Effectiveness (COE) Update control owners/SOX PMO with testing status (as necessary) during fieldwork Closing meeting with control owners.

Process Numbers and Mappings The 2007 level 1 process numbers are: Process Number 001 002 003 004 005 006 007 008 009 010 011 012 Process Name Revenue Cycle Purchasing Cycle Human Resources Management Inventory Cycle CAPEX.2. •appendix 10 for the 2006 to 2007 process mappings.2. 20 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Other Investments & Intangibles Treasury Management Tax Management General Ledger & Financial Reporting IT General Controls Managing the Entity SOD & Restricted Access Master Data See also: •appendix 9 for details of the sub-process numbers.

CAS representative. scheduled by Local SOX Coordinator or designee. at a minimum. SOX PMO delegate   Once the Test Readiness Meeting is completed no further SOX tool changes should be made as CAS will begin downloading information to prepare for the audit At the readiness meetings a definitive control list will be provided to CAS by the SOX PMO (including process and control numbers at minimum) All Rights Reserved © Alcatel-Lucent 2007 21 | CAS |2007 SOX Testing Guidelines |July 2007 . 5. narratives. Regional SOX PMO Coordinator. Documentation (examples. are ready for testing  Test Readiness Meetings. 3. etc. in general. 2. etc. Participants should include.3. are scheduled approximately one week prior to testing. All 2006 deficiencies are remediated RCM’s have been updated for changes in business/process.) have been updated for changes to key controls/processes Control Owners are informed of changes and have received relevant training Control Owners. Regional & Local CFO delegate. process flows. control rationalization. Test Readiness  The objective of the “Test Readiness” process is to provide assurance that locations/processes are “test ready” to ensure cost containment and maximum efficiency of the program  The Test Readiness process consists of:  An assertion prior to testing by the Local Coordinator and CFO that the following milestones have been met: 1.2. 4.

Testers need to have a minimum training on SAP – ST codes and a good knowledge on the process itself to perform their review. When testers note that CheckAud report has not yet been run and/or analyzed by operational management. testers will verify on a sample basis that they can rely on the review performed by management. What do we test? • CAS is responsible for testing all “Key” controls (formerly identified as “Primary” in f-LU) in RVR and PGP with the narrative “to be tested” with the exception of those controls which will be tested by self assessment or by management testing. • Controls classified as “Not Designed” or “Not Documented” in RVR are considered as not in place (currently in the action plan) and will not be tested by CAS. For former Alcatel entities where SAP is used.2. controls related to segregation of duties and access will be documented and tested with an extraction tool (“CheckAud”). It is the responsibility of the SOX PMO to inform CAS when these controls are ready for testing with the necessary sample size available. This tool will provide reporting on who can perform critical transactions or combination of critical transactions. this should be reported as a control deficiency. Tests will be performed at a later date during the testing of remediated controls. The processes CAS will not be testing are XMS expenses and corporate/centralized entity level controls. We should also explain to the auditors how they can verify if CheckAud reports have been analyzed. In this case. All Rights Reserved © Alcatel-Lucent 2007 • 22 | CAS |2007 SOX Testing Guidelines |July 2007 . Entity (under the responsibility of each CFO) should interpret whether or not the granted access is acceptable and/or if appropriate compensating controls exist.4.

plus the previous years test documentation should be attached as evidence of the control operating effectively. • If CAS is unable to verify that the automated control remains unchanged from the previous year.4. normal testing procedures should be performed. SOX coordinators have already performed the following review: • • a) Documents attached in RVR show sufficient evidence of the control performed. b) All controls with a “NA” status are correctly justified. All Rights Reserved © Alcatel-Lucent 2007 23 | CAS |2007 SOX Testing Guidelines |July 2007 . based on the following approach: • If CAS can verify that the automated control remains unchanged from the previous year by comparing what is documented in FY2006 to what we observe as the process in FY2007.2. there is no need to reperform the documentation of the screenshots/test the control. If the test was previously performed in a test environment and not in production. The test documentation should reference the work performed verifying that the control is unchanged. Specific to entities using RVR – Note: • For all entities in Section 404 scope. Automated/Configured controls will be tested as part of the business process.001 and will be centrally tested. evidence is required that the test environment in which the test was performed is an exact replica of the production environment. What do we test? (continued) • • For former Lucent entities. controls related to segregation of duties and access will be documented and tested in process 11.

The purpose of documenting processes (flowcharting/narrative) is to provide a general overview of the current activities. The walkthrough also identifies changes to the process which may have an impact on the documented control(s). local management should be informed but no deficiency noted. What do we test? – Flowcharts/Narratives • Testers will have to verify the reasonableness of the flowcharts/narratives prepared by local management. A flowchart/narrative is reasonable when it gives a sufficient level of detail on the processing of transactions within the system. Many processes should be updated / modified to reflect the reality. If during a walkthrough documentation errors are noted but there is no impact on the control(s) being tested. and if the risk is mitigated by the control. • 24 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . internal auditors should pay special attention to the reliability of flowcharts/narratives. but walkthroughs are required to ensure the tester understands the process.4. the changes in the systems. In 2007 with the merger. etc.2. It is not required to perform walkthroughs to assess the reasonableness of flowcharts/narratives.

and the control will require testing. Testing will not be performed on ineffectively designed controls. consider additional controls identified that should be linked to the risk. If not. a lack of documented evidence of a control would constitute an ineffectively designed control. fully mitigate the related risk? If so. This will require an action plan from the SOX PMO and control owner.2. the control design for that risk is “ineffective” and should be evaluated accordingly. detailed in Appendix 2 • • 25 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . if operating effectively. This evaluation must to be linked with the Financial Statement Assertions. Testers must ascertain that controls documented are relevant for all significant Business Divisions in the entity. control design can be considered “effective”. What do we test? The testers will have to assess the design effectiveness and the operational effectiveness: Design effectiveness: • • • • Testers will have to evaluate the description of each control in-place and respect the following process: Does the control identified. When concluding.4. If gaps remain after all controls have been identified.

What do we test? (continued) Operational effectiveness: The testers will have to answer to the following questions:   Does the control operate as intended? Did we find exceptions during the testing? Does the person performing the control possess the necessary authority according to the local DOA (delegation of authority) to perform the control effectively? Does the control operate for all significant Business Divisions in the entity? 26 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .4.2.

Former Lucent Sample Attribute Worksheets (SAW’s) have not been uploaded into the portal and will need to be obtained from the CAS server.5. Nature of Testing RVR  Detailed testing guidelines will be available in RVR for each control activity. but for those not populated. PGP  The SOX PMO uploaded all test procedures and audit work papers from RVR into PGP for the former Alcatel controls. The upload is expected to populate the majority of high level test procedures. The SOX PMO and CAS performed an upload of the former Lucent high level test procedures previously documented on the “Test of Control” (TOC) spreadsheet into PGP.2. the previous years TOC should be used to obtain the high level test procedures. All the test procedures should be reviewed to ensure they are relevant for the control being tested. All Rights Reserved © Alcatel-Lucent 2007   27 | CAS |2007 SOX Testing Guidelines |July 2007 . although where the control wording has changed the test procedures may need to be changed accordingly.

2.5. Nature of Testing
Re-performance
• • • • • Re-perform the control activity to determine its operating effectiveness Perform reconciliation using independent data sources Perform independent calculations that mimic the system Enter hypothetical transactions to test an IT system and compare expected results to actual results Documentation should be in sufficient detail to execute the reperformance

L E V E L O F C O M F O R T

Inspection/Examination
• Review of evidence, in either electronic or paper form, that a control activity is performed. • The level of assurance obtained from such evidence depends on the nature of the control activity and the control objective. • Provide detail to be able to duplicate test process and verify result

Observation
• Watch an individual perform the control activity or observe group activities such as status meetings, disclosure meetings, etc. • More reliable than inquiry • Document who, when, what was observed and the outcome

Inquiry
 Seek information of knowledgeable persons. Evaluating responses to inquiries is an integral part of the inquiry process.  Ascertain whether a control is in place by asking oral or written questions  Weakest type of test  Must be followed by another test, inquiry alone is not enough  Should inquire of more than one person (i.e., corroborate)  Documentation considerations - who, when, where, how
All Rights Reserved © Alcatel-Lucent 2007

28 | CAS |2007 SOX Testing Guidelines |July 2007

2.5. Nature of Testing Reperformance:
The tester will reperform the application of the control activity to check that the result obtained is the same. • Explanation - The repetition of a control performed by an employee or a computer or a system; is often the only way to test an automated control


• •

Documentation requirements - Details of what was done, what items tested. Sufficient to reproduce test.
Example - For checking the valuation of goodwill, the tester might calculate himself the goodwill and compare the result obtained with the managements evaluation Notes - Sample size can be low when combined with examination testing

29 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

2.5. Nature of Testing Examination:
The tester will inspect relevant documentation such as sales orders, invoices, … to evidence the effectiveness of the control activity. • Explanation - The inspection of records, documents, reconciliations and reports for evidence that control has been properly applied

Documentation requirements - Who, when , what ?Retain enough details of the test so that it can be duplicated (e.g. order number); also note what evidence was reviewed to verify control was working as indicated (e.g. noted form was signed by authorized person)
Example - if the control is “the credit manager reviews and approves all sales orders exceeding a determined amount”, tester might select a sample of orders exceeding the limit and examine the evidence of control : “based a sample size, we noted that the CPM has completed all proper fields to show evidence of his/her review. His/her approval is supported by a signature.” Notes - Easiest way of obtaining evidence of the existence of assets such as cash and inventory.

30 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

2.5. Nature of Testing Observation:
The tester will have to observe the control in operation to verify the control is operating as intended.  Explanation - Direct viewing of control being performed

Documentation requirements - Who, and what was observed, when it was observed, and the outcome.
Example o Automated: observe field edit check works when invalid data is entered. o Manual: observe the person receiving goods to test the operating effectiveness of inventory management

Notes - More reliable than inquiry. Can be sufficient for some automated controls. Probably not sufficient for key manual controls alone.

31 | CAS |2007 SOX Testing Guidelines |July 2007

All Rights Reserved © Alcatel-Lucent 2007

should be followed by another test .Interview CFO to understand the controls surrounding a particular process.2.5. Notes .at least observation if feasible. Please note that inquiry does not provide sufficient evidence of the operating effectiveness of a control.Who responded and when? Example . Tester should perform a mix of techniques when assessing controls to achieve audit comfort. 32 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .Ascertain whether a control is in place by asking specific oral and written questions Documentation requirements . • • • • Explanation .Weakest type of test. Nature of Testing Inquiry : Tester will have to perform interviews of appropriate employees to assess the validity of the control activity.

whereas in other cases they will use the sample pulled by CAS to perform their testing (or a combination of the two). Sample size guidelines provided by Alcatel-Lucent management for manual controls are as follows: Frequency of Performance Annual Semi-Annual Quarterly Monthly Weekly Daily Multiple Times per Day Ad-hoc/As-Needed 2007 Sampling Guidelines 1 1 2 2 5 25 25 Sample Expansion (for single exception) N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency N/A: Classify as deficiency 25 25 10% of annual number of controls with an upper limit of 25 items*  New controls in place over 90 days use the above sample guidance  Automated controls will utilize one sample – one positive and one negative test –see slide 23  Depending on the External Auditors risk assessment of a process.6. Sample Sizes  Testing sample size is determined by how often the primary controls are performed.2. 33 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . they will in some cases pull a separate sample to that used by CAS.

All Rights Reserved © Alcatel-Lucent 2007 • • • 34 | CAS |2007 SOX Testing Guidelines |July 2007 . and for controls already tested there is no requirement to go back and re-test a new sample (see appendix 12). Example: for a quarterly control implemented in Q4. If a control has been implemented too recently. with a cap at 25).6. This is not compulsory (although it is best practice). the frequency of tests required is 10% of the annual number of controls performed with an upper in sample size of 25 items to test. testing will be performed later in the year.2. a random number generator should be used. its occurrence may not be sufficient to draw the needed and extended sample. an additional sample of maximum 25 items should be selected (take an additional sample based on 10% of the annual number of controls performed. In this case. testers should conclude that due to the late implementation of the control. they couldn’t obtain evidence of its operating effectiveness (to be specifically written in the open text field under “evaluation history”). a control that occurs multiple times a day should be tested on the basis of a sample of 25 operations over a sufficient period of time to obtain assurance that the control operates effectively. an ad-hoc control performed 120 times per year would be tested with a sample size of 12. a sample size of 25 tests should be used. For controls that operate less frequently such as monthly account reconciliations. If an exception is noted. For example. To ensure an unbiased sample is tested. the auditor should test the control on the basis of a sample of 2 operations. If it is not possible to evaluate the number of controls performed per year. (*): For controls performed ad-hoc. Sample Sizes • For example.

because the frequency of the operations is too low to allow for a conclusion. To conclude that such an exception is not a deficiency. “A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what the tester had initially planned and beyond inquiry supports that conclusion” (PCAOB48). No sample extension will take place. • The exception is determined not to be an indicator of systematic and recurring exceptions with respect to the control. In the case of one exception in the operation of a manual control that operates weekly or more frequently. • 35 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .6. The option to conduct additional testing is only available for manual controls operating weekly or more frequently when: • Only one exception is observed in the initial sample. we should conduct additional testing.Dealing with exceptions • • • When we find an exception in our testing of manual or automated controls. it may not be a deficiency. exceptions should be treated as deficiencies. In the case of automated controls. Sample Sizes . we should examine and understand the cause of the exception. the issues will be directly classified as deficiencies. In the case of manual controls operating monthly or less frequently than monthly.2.

The SOX PMO and the control owner should be informed of the change in status.. Sample Sizes . the control should be identified as a “Preliminary Deficiency” and the control owner given 2 days to provide the documentation required for testing. we may conclude that the single exception from the two samples is acceptable (i. • 36 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . we should conclude that a deficiency exists. because the exception rate in the two samples is more than negligible.Dealing with exceptions (continued) • If we determine that it is appropriate to perform additional testing. the exception rate is negligible) and that the control is operating effectively and no deficiency exists. This clearly means that the control system is working efficiently (review of approvals of PO for instance). we should select an additional sample (see the table above). Note : An exception found by and corrected by management is not an exception. but if the documentation is not provided or there is a deficiency then the control status should be changed to the appropriate deficiency.2. If one or more additional exceptions are noted in the second sample.6. If the documentation is provided and the sample is tested with no deficiencies the control status should be changed to “Fully Operational”. • Where feasible the additional sample should be tested whilst on site. If no further exceptions are noted in the second sample.e. but if the deficiency is identified during the last day of testing and there is not sufficient time to obtain the additional sample documentation and perform the testing.

e. For controls that will operate over a period of 90 days or more (i. put into operation before October 1.2.Minimum Operating Periods and Test Samples for Remediated Controls This guidance only applies if the remediated control will operate over a period of less than 90 days until the year end date. 37 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Frequency of Performance Annual & Semi-Annual Quarterly Monthly Weekly Daily Multiple Times per Day Ad-hoc/As-Needed Minimum Time Period/ Number of Times of Operation for Remediated Control as of the End of Fiscal Year Minimum Number of Items to Be Tested for Remediated Controls N/A 2 quarters* 2 months 5 weeks 20 days 25** N/A 2 2 2 10 25** Assessed on a case by case basis using risk based approach to determine the appropriate sample sizes * Includes 4th quarter as one of the quarters ** Must operate at least 25 times over a minimum 15 day period Note .The population/sample used to test a remediated control has to be subsequent to the date on which the control was remediated. Samples Sizes .6. you should continue using the regular sample size guidance – see slide 33).

• Former Alcatel test documentation was retained in RVR • Former Lucent test documentation was retained on an IA server For 2007: • Europe . Documentation of tests Former Alcatel and former Lucent had very different approaches regarding the retention of test documentation.all non IT control testing will be recorded in RVR. with the exception of Centralized/Corporate Entity Level Controls (these will be recorded in PGP and will be tested by the SOX PMO) APAC – all non IT control testing will be recorded in RVR NAR and CASA – all non IT control testing will be recorded in PGP IT control testing in all regions will be recorded in either RVR or PGP depending on the location of the control and where the control is recorded (RVR or PGP) • • • The new AS5 rules pertaining to Section 404 do not require Alcatel-Lucent’s external auditors to evaluate the CAS testing.7. with less reliance on higher risk “category 1” areas such as revenue.2. The reliance they will be placing on the work of CAS will be dependant on the process. IT. 38 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . although the external auditors will be relying on the work performed by CAS to reduce their testing. and financial controls.

A meeting with the local external auditors should take place in advance of testing to clarify their requirements. 39 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Documentation of tests (continued) The current testing strategy of the External Auditors is: • Category 1 processes .2. * This percentage may be higher based on local risks identified ** All control activities not addressed by independent testing will be tested by reperformance. specifically the retention of documentation allowing them to reperform our work.perform 70% independent testing and 30% reperformance testing • Category 2 processes – perform at least 30% * independent testing. and if they require copies or original documentation. It is therefore important that the documentation of the tests performed is of the highest quality. and at the most 70%** reperformance testing. In addition. it is important to clarify with the local external auditors their requirements for our work papers to do reperformance.7. All control activities will be tested by the external auditor.

2. 40 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Documentation of the tests (continued) • • All testing will be recorded using the CAS SOX Testing Worksheet – see appendix 11 for a soft copy of the document All SOX Testing Worksheets are to be retained in RVR or PGP.7.

If the documentation is too voluminous.10. For 2006 it was agreed with the f-Alcatel external auditors that paper files nor scanned documents would be retained. only specific pages relevant to the testing should be retained.C040 approval 1 X 2 X 3 DEFICENCY 4 X 5 X etc… etc… delivery date X X X X X shipping address X X X X X billing dates price X X X X X X X X X X quantity X X X X X paym ent terms X X X X X delivery terms X X X X X acceptance terms PO # X X X X X X X X X X • • This document reported all the references (e. but the documentation would take place on an Excel spread sheet on which the references of the tested items would be reported – see below: reference of the control invoice # A200401000001 A200401002379 A200401053434 A200403002379 A200401078801 etc … etc … sort # 01. an invoice number) of the documents tested and the items of the data that were reviewed (for example “approval”. Detailed supporting documentation should be retained for all deficiencies All Rights Reserved © Alcatel-Lucent 2007 • • 41 | CAS |2007 SOX Testing Guidelines |July 2007 . and come to the same conclusion. The documentation must ensure the “Reperformance” can be performed by the external auditors. this would be one way to reduce their fees. “shipping address”…). Documentation of the tests (continued) • It is critical in the SOX testing process to evidence the testing work performed. with the same document(s). They should be able to realize the same test. CAS should therefore (where feasible) retain electronic or hard copies of supporting documentation. For 2007 the external auditors informed the SOX PMO that if CAS testing documentation included copies of audit evidence. and control owner asked to keep the additional documentation to one side in preparation for the external auditors reperformance testing.2. either electronically in the portals or hard copy files.g. In 2007 this information should be recorded as part of the CAS SOX Testing Worksheet.7.

Evaluation Entity Period Status % Completed Print Owner 01 Revenue management CIT 2004 2004 In Progress 39% In Progress 100% Arnaudo Laurent Arnaudo Laurent 02 Purchasing management .7.01 Order CIT processing 42 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2. Documentation of tests . click on the icon below: Controls documentation and testing 16 evaluation(s) to be completed • b) Click on the icon “GO” to select the process you have to test.RVR • a) From the home page.

• The following information will be necessary: 43 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2.7. Documentation of tests – RVR (continued) • c) Then click on “control testing” icon to access the fields dedicated to testing documentation.

although testers need to ensure that the test plan is still relevant and that the control procedures have not changed since 2006. • • • • • • • 44 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2. Documentation of tests – RVR (continued) • • Test description: Detailed testing plans will be available for all former Alcatel controls in RVR. The following information should also be reported in this field: Type of testing (for example “reperformance” or “examination”). When was it performed? Indicate the date at which the test was completed.7. Source of data (for example journal of entries) Sample size Who performed it? Indicate in this field the name of the tester.

7. Documentation: Use the Browse functionality to attach the work papers and other documentation. especially in case of controls declared as “not passed”. Passed means the test was a success. Conclusion: Choose the appropriate conclusion for the test (passed / not passed).2. (See Appendix 7 for a more detailed RVR presentation) 45 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . It will be used to comment on results. Documentation of tests – RVR (continued) • • • • • Comments on testing: This field is for detailed comments on testing.

7.2. 46 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Documentation of tests .RVR Test Result Example SOX PMO are working with the RVR company to determine the best methodology to update & distinguish External Auditor results in RVR.

2.7. Documentation of tests – PGP •(See Appendix 6 for PGP presentation) 47 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

Documentation of tests .7.PGP Test Result Example  Finding is only considered final once GAS manager has approved at which time he sets Status to Complete and checks Completed box Only at this time will COE be updated by GAS (COE in separate area under the generic control) 1 2 3 4 5 6 1 2 3  First entered by local tester 5   4  First entered as Finding Status – Pending GAS Mgmt Approval Then “flipped” to Finding Status – Complete by GAS manager Updated by GAS manager 6  48 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2.

DT.no issue As is . EY.no issue As is . Mgmt Not Started Pending GAS Mgmt Review Complete As is . 2) Period Test Ended Attachments Test Result Summary Test Type Status As is .no issue Please see following charts 2006 RVR utilized Passed/Failed.no issue Narrative/Free Form Narrative/Free Form As is .2. Documentation of Tests – Comparison of RVR and PGP  Both Corporate Audit Services and External Auditor results will be entered into PGP or RVR  Corporate Audit Services will be responsible for updating testing results for their testing RVR Field Test Area Step # Test Description & Comments on Conclusion Who Performed It? When Was it Performed? Documentation Conclusion Test Name Test Description Test Results Tester 1) Period Test Started.7.no issue TBD GAS. PGP had multiple selections such as "Control Not Performed" Protiviti Field 2007 Recommendation Notes PGP is a validated PGP user Completed (Checkmark) Control (generic) Area Assessment Level Control Operating Effectivess 49 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

OR An existing control is not properly designed so that. the objective is not always met. DEFICIENCY REASON A control necessary to cover the risk is missing. 50 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . DESIGN OPERATION • For each design or operational control deficiency. This has to be entered in RVR or PGP. an action plan is required by the local process/control owners and leadership. even if the controls operate. OR The person performing the control does not possess the necessary authority or qualifications to perform the control effectively. Deficiencies • “A control deficiency exists when the design or operation of a control does not allow management or employees. This is not the responsibility of CAS. in the normal course of performing their assigned function. A properly designed control does not operate as intended.2. to prevent or detect misstatements on a timely basis” (PCAOB 4).8.

51 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Deficiencies (continued) •When a deficiency has been identified and agreed with the control owner and the SOX PMO. •The existence of one or more compensating controls does not eliminate the deficiency. The effect of compensating controls is to be taken into account when assessing the severity of a misstatement occurring and not being prevented or detected. or by management. •It is recommended to limit as much as possible the creation of new compensating controls and improve the operating effectiveness of existing controls in RVR/PGP. compensating controls are relevant only in the determination of whether a deficiency is a moderate deficiency or a major deficiency – this determination is the responsibility of the SOX PMO and NOT CAS. That is.8. present them for approval to the entity’s CFO (respectively CIO for IT general controls). the control owner and the SOX PMO will identify any applicable Compensating Controls.2. record them in the action plan in RVR/PGP. •All compensating controls will be recorded in RVR/PGP: •Non Key controls will be upgraded to Key •New controls will need to be documented by management •Compensating controls will be tested by CAS whilst in the field if time permits. and if agreed.

Classification of Deficiency Likelihood of Misstatement either remote or => ---------Less than a 5% to 10% chance Potential Magnitude of Misstatement Inconsequental ---------Less than M€ 5 More than inconsequental ---------From M€ 5 to M€ 40 High ---------Greater than M€ 40 • SOX PMO to provide new thresholds when available Minor Deficiency Moderate Deficiency Major Deficiency More than remote ---------More than a 5% to 10% chance 52 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . or report external financial data reliably in accordance with generally accepted accounting principles. A moderate deficiency is a control deficiency that adversely affects the company’s ability to initiate.2. that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential in amount will not be prevented or detected. or a combination of deficiencies. that results in more than a remote likelihood than a major misstatement of the annual or interim financial statements will not be prevented or detected. A major deficiency is a major deficiency or a combination of major deficiencies.8. record. process. Deficiencies . A moderate deficiency could be a single deficiency.How do we qualify as a deficiency • • A minor deficiency is a deficiency. which is not classified as moderate or major. authorize.

ethical values. This qualification of deficiencies will be presented and discussed with the SOX project leader and related accountable operational management before the closing meeting with the CFO (respectively CIO for IT general controls). competency of employees. are moderate deficiencies or major deficiencies. It represents internal audit professional judgment. individually or in combination. fraud. Testers should evaluate the significance of a deficiency in internal control over financial reporting initially by determining the following: the likelihood that a deficiency. All Rights Reserved © Alcatel-Lucent 2007 53 | CAS |2007 SOX Testing Guidelines |July 2007 . The assessment of likelihood should be based on past years’ occurrences. Testers will not assess the severity of not designed / not documented controls for which an action plan is ongoing. The evaluation of the significance of a deficiency should include both quantitative (refer to the above table) and qualitative factors.8. Did we notice such deficiencies in the past? How often did it occur? The qualification of deficiencies will be reported in an audit memo (see § 2.7) and not in RVR. Qualitative factors are items related to integrity.How do we qualify as a deficiency (continued) • • Assess Likelihood and Magnitude (= severity) Testers must evaluate control deficiencies and determine whether the deficiencies. etc.2. and the magnitude of the potential misstatement resulting from the deficiency or deficiencies. staffing. could result in a misstatement of an account balance or disclosure. Deficiencies . or a combination of deficiencies. responsibility. • • • • Note : Qualification of control deficiencies is performed when a control has been tested. authority.

2. If one of the test steps fails/ is recorded as “not passed” the auditor has to determine if the test step has a significant impact on the financial statements. Control Operating Effectiveness (COE) and Assessment Level  Corporate Audit Services is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on CAS-based test outcomes. For instances where this occurs. Where it is determined that there is a significant impact on the financial statements. it is compulsory to update the evaluation history to keep track of the outstanding work to be performed.9. the auditor should include in their work papers the basis of reporting the control “fully operating” and ensure that the testing lead/manager is in agreement with the conclusion reached. the tester will have to select the “evaluation history” icon and select the adequate status. To update this data. If it is determined that this is not the case the control can (in some instances) still be deemed as “fully operating”.  For details of entering COE in PGP see PGP training slides in appendix 6. the control should be assessed as “not operating”. The other fields on the screen do not need to be completed by testers.  In RVR.Selections 2007 slide 57  Based on the test results the auditor has to determine the result for the control being tested. Both RVR and PGP will utilize standardized selections – see Control Operating Effectiveness and Assessment Level . 54 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

for example:  If CAS tests resulted in a “Fully Operating” assessment and an External Auditor subsequently deemed the control to have an “Operational Deficiency” the “Operational Deficiency” would override the CAS result. 55 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .Step. Step”. C210.002. e.2.  SOX PMO is accountable for updating Control Operating Effectiveness (PGP) and/or Control Assessment Level (RVR) based on External Auditor based test outcomes (only deficiencies will be entered). This is consistent with RVR which does not assess Control Steps.001. Control Steps will not (they will retain the system default of *None Selected.g.  PGP: Generic controls will be updated for Control Operating Effectiveness in 2007.   Former Alcatel units also utilized “Control Steps” in their RCM’s – “Control Steps” are the localized details of a “generic” control  In PGP.Step. In addition. Control Significance is set to “3.9. etc. Control Steps are identified by the Control Name convention which is the control number followed by Step #. The most recent test result “rules”. Control Operating Effectiveness (COE) and Assessment Level (continued)  When testers note that the control is not well designed rather than not operating they should use the “design deficiency” option rather than “operational deficiency”. C040.

Control occurs once a year and has not been performed as of testing date.3 Design Deficiency . Not Operating 2 0 0 6 Operational Deficiency . Therefore the control cannot be tested. Use this if partial sample passes or not tested due to sample size.2. Maximum 5 days in category. then escalation is required. such as a new control. Control owner is not ready or not available for testing.1 Design Deficiency .1 Test Results Selections (Portal: Test Detail Level) None None Lack of formal evidence Control not performed Control not ready Risk not mitigated Missing risk and/or control (as above) None None None N/A RVR Assessment Level Selections Not Tested Fully Operating Explanations At the inception of the SOX 2007 program all controls will appear as "Not Tested". Formal evidence could not be provided to support the control activity. Control activity not performed as required. Control Operating Effectiveness (COE) and Assessment Level (continued) Selections 2006 PROTIVITI Operating Effectiveness Selections (Portal: Control Level) Not Tested Tested Effective Operational Deficiency . Control design is effective (it mitigates identified risks) and is also operating effectively (control is being performed as designed). 56 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . some "informal" evidence that the control was performed is available.2 Preliminary Deficiency Insufficient Sample No Triggering Event Annual Control Not Documented Not Designed Risk has not been indentified. This is the default value. The event that would trigger the need for the control activity to be performed has not occurred from the beginning of the fiscal year until the date of audit. The documented control as designed does not mitigate identified risk. auditee cannot provide "informal evidence" that control was performed.9. or the control is not documented accurately enough to test. or existing risk does not have an identified primary control. However.2 Operational Deficiency . Not enough testable evidence has been accumulated to perform test on a control. IA or PwC finding under dispute by PMO and/or Process Owner.

Therefore the control cannot be tested. This is the default value. Control Operating Effectiveness and Assessment Level . auditee cannot provide "informal evidence" that control . Indicates NEW control that is being established in RVR and is still in-progress for design and documentation. such as a new control. Control owner is not ready or not available for testing. = Only relevant for RVR. In RVR. excluding dependent controls. The event that would trigger the need for the control activity to be performed has not occurred from the beginning of the fiscal year until the date of audit. Use this if partial sample passes or not tested due to sample size. a *KEY* generic control that is "Not Applicable" for a particular local entity. 2 0 Operational Deficiency 0 7 Design Deficiency Not Documented/Ready Preliminary Deficiency Insufficient Sample No Triggering Event Annual Control N/A Missing 57 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . . . Not enough testable evidence has been accumulated to perform test on a control. = Considered deficiency for reporting purposes. Control occurs once a year and has not been performed as of testing date.Selections 2007 PROTIVITI / RVR Operating Effectiveness/ Assessment Level Selections Not Tested Fully Operating Explanations At the inception of the SOX 2007 program all controls will appear as "Not Tested".2.Control activity not performed as required.Risk has not been indentified. . Need further discussion with regard to whether this is considered a deficiency or not IA or EA finding under dispute by PMO and/or Process Owner.Formal evidence could not be provided to support the control activity.9. or the control is not documented accurately enough to test. Maximum 5 days in category. or existing risk does not have an identified primary control. action/plans should be created in all cases. Control design is effective (it mitigates identified risks) and is also operating effectively (control is being performed as designed). then escalation is required. * Deficiency metric will be calculated using the total number of deficiencies (operational plus design) divided by the total number of controls tested (tested effective plus total deficiencies). However. some "informal" evidence that the control was performed is available.The documented control as designed does not mitigate identified risk.

10. o Remediation of deficiencies in a timely and accurate manner is an important aspect of the SOX program and therefore this area will also be a key area of management reporting in 2007 58 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .  The general expectation is that remediation/action plan due date will be 5 business days after the audit closes – although it is definitely recognized that there may be cases where an extended remediation period is required.Not CAS. o Execute action plans o Set Action Plan Status in SOX tool to “Complete” and enter completion date in the ActnPlanRvwSgnOffDate (PGP) – there is no completion date equivalent in RVR.  SOX PMO will monitor and track the progress of the remediation plans and inform CAS once there is a sufficient sample to test the remediated control. Action/Remediation Plans  All Control (generic) deficiencies must have an associated remediation Action Plan o Includes CAS. Local CFO. Regional Coordinators etc. At that point the status in the SOX Tool should be set to “inprogress” o Secure the appropriate approvals from the necessary parties – Local Management.  When a deficiency is logged the following process should be followed to create the Action Plan (This is not the responsibility of CAS): o Finalized remediation plan should be updated in Comments Field (RVR) or Action Plan Description Field (PGP). managing and closing remediation action plans in RVR and PGP . External Auditor and Management identified deficiencies  Local process/control owners and leadership have accountability for entering.2.

Action/Remediation Plans (continued) .PGP Required Required Required 59 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .10.2.

Action/Remediation Plans (continued) .10.RVR Required Required 60 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .2.

2007. it was the SOX PMO’s responsibility to communicate the test dates with the local management and control owners. Based on the Company’s SOX approach in 2007 with the PMO being responsible for the project. would customize the model. Regional Audit Directors. • In the former Lucent audit announcement letters were not sent out in 2006. • On completion of testing a process. if needed. • 61 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . CAS will send an email to the SOX PMO informing them that either RVR or PGP is updated with the test results and is ready for reporting.2. Corporate Audit Services Deliverables • It has been agreed that all testing will be performed in 2007 by Corporate Audit Services with the exception of Annual Controls performed on or after December 31. Audit Announcement Letters • In the former Alcatel an audit announcement letter was sent in 2006 to the entity’s CFO/CEO before the SOX work commenced (refer to the example in appendix 3).11. These controls will be tested in Q1 2008. it is their responsibility to communicate the test dates to the control owners and others as necessary based on the integrated test plan.

All audit memos will be gathered and analyzed by the SOX PMO to highlight most significant issues within the organization. In the audit memo. approvals.11. and include a table detailing all controls not operating effectively. include a summary of the testing results by “operating effectiveness” category. • • • 62 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . The SOX Steering Committee will also resolve any Preliminary Deficiencies where the Control Owner/PMO do not agree with a CAS finding. AutoAudit (CAS database) will record all man days spent on SOX. The SOX Steering Committee will determine whether deficiencies are significant or material. Alcatel-Lucent HQ senior management will receive a consolidated report issued by each RAD. covering a complete entity. Corporate Audit Services Deliverables (continued) • Corporate Audit Services will issue an Audit Memo (refer to the 2006 model in Appendix 4) for each process reviewed (HR. This memo will mainly be distributed to local management and the SOX PMO. Issuance of SOX audit memos and reports should follow existing CAS procedures for pre-issuance reviews. CAPEX. Corporate Audit Services should state briefly the work performed (refer to audit objectives section). including explanations.2. …). with man days being recorded at a minimum by process level within an entity. numbering and archiving.

etc. Self Assessment/Management Testing  SOX PMO/Management will test XMS expenses and corporate/centralized entity level controls.  Management testing will only be entered when final and therefore entered with “Finding Status – Complete” and checked complete 63 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .12. the Tester will be a non-GAS tester).  SOX PMO/Management will develop the test procedures. sample size. and communicate to CAS.2.  SOX PMO will enter the results of these tests according to documented standards but distinguished by Test Type “Management Test” (in addition.

Self Assessment/Management Testing (continued)  The processes to be tested by the SOX PMO.2.12. 64 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . self assessment or by management testing are XMS expenses and corporate/centralized entity level controls.

2.13.  Depending on responses to the questionnaires action plans or tests may result  Central SOX PMO will administer the ICQ and track progress and escalate issues via the SOX Council  Questionnaire under development  ICQ will be issued shortly 65 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . Internal Control Questionnaire (ICQ)  Applicable for Tier 3 entities and out-of-scope processes for Tier 2 entities  Will be facilitated via the Protiviti Governance Portal “Assessment Manager” (formerly TSA)  PGP will issue questionnaires via e-mail to local CFO’s. track and report progress and provide reporting capability for response summaries. etc.

Please refer to this file to determine the critical spreadsheets in scope for the testing of each process. the critical spreadsheets for f-Lucent have been reduced from 118 in FY06 to 20 in FY07. The file as per appendix 13 will also be posted in PGP. then FY07/Critical Spreadsheets/F-Lucent (PGP)) • For each critical spreadsheet identified there is an associated control (column F). If there are any other critical spreadsheets in PGP for f-Lucent processes other than those per appendix 13. and all documentation relating to the testing of the critical spreadsheet should be saved in PGP under the associated control. The control owners have been advised that it is their responsibility to verify that only the FY2007 in scope spreadsheets are included in RVR. control owner. Before testing a process the in scope spreadsheets should be confirmed with the control owners. and this should be checked to ensure there are no changes before testing commences (to view the file go to the left-hand side of the PGP welcome screen. etc). f-Alcatel • Critical spreadsheets are retained in RVR on the same basis as FY2006 with all spreadsheets being retained under one control. Critical Spreadsheets f-Lucent • As a result of the current year's rationalization.14. they do not require testing in FY2007. process & control reference. as the portal documentation regarding critical spreadsheets has not been fully updated to reflect the current scoping status.e.2. 66 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 . See appendix 13 which provides further details relating to these 20 spreadsheets (i.

3 Appendices 67 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

2007 SOX Testing Guidelines .2006 to 2007 Process mapping 69 70 72 73 74 75 76 77 78 79 Page(s) Appendix 11 – SOX testing worksheet Appendix 12 – Random Number Generator Appendix 13 – f-Lucent in scope critical spreadsheets 68 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 80 81 82 .Scoping document Appendix 2 – Financial statement assertions Appendix 3 – Audit Announcement Letter template Appendix 4 – Audit Memo template Appendix 5 – Testing decision tree Appendix 6 – PGP training Appendix 7 – RVR training Appendix 8 – Key SOX contacts Appendix 9 – 2007 Sub-process numbers Appendix 10 .Appendices Topic 3. Appendices Appendix 1 .

APPENDIX 1 : Scoping Document 69 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

or undisclosed items. Valuation: an asset or liability is recorded at an appropriate carrying value (B/S). They can be looked as objectives of Internal Control. liabilities. Compliance with SOX 404 requires we address all the assertions. management asserts that property is recorded at historical cost and that such cost is systematically allocated to appropriate accounting periods. a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period (P/L). Similarly. management asserts that trade accounts receivable included in the balance sheet are stated at net realizable value. management asserts that all purchases of goods and services are recorded and are included in the financial statements.APPENDIX 2: Financial Statement Assertions • We assess risks of major misstatement at an assertion level by considering the different types of potential misstatements that may occur and then design audit procedures that are responsive to those risks. Similarly. management asserts that sales in the income statement represent the exchange of goods or services with customers for cash or other consideration. management asserts that finished goods inventories in the balance sheet are available for sale. Similarly. For example. Existence: an asset or a liability exists at a given date (B/S). For example. transactions or events. Completeness: there are no unrecorded assets. For example. a recorded transaction or event that pertains to the client actually took place during the period (P/L). management asserts that notes payable in the balance sheet include all such obligations of the entity All Rights Reserved © Alcatel-Lucent 2007 • • • 70 | CAS |2007 SOX Testing Guidelines |July 2007 .

Segregation of duties: strategy to provide an internal check on performance through separation of custody of assets from accounting personnel. and disclosed in accordance with the applicable financial reporting framework. separation of authorization of transactions from custody of related assets. All Rights Reserved © Alcatel-Lucent 2007 • • • 71 | CAS |2007 SOX Testing Guidelines |July 2007 . use or disposition of the company’s assets that could have a major effect on the financial statements. For example. For example.APPENDIX 2: Financial Statement Assertions (continued) • Rights and obligations: an asset or a liability pertains to the client at a given date. management asserts that CAPEX operations are duly authorized. For example. described. Presentation and disclosure: an item is classified. For example. separation of operational responsibilities from record keeping responsibilities. management asserts that obligations classified as long-term liabilities in the balance sheet will not mature within one year. management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity's rights to leased property and that the corresponding lease liability represents an obligation of the entity. management asserts that employees in charge of creating new suppliers do not have the ability to initiate disbursements. Authorization / safeguarding of assets: policies and procedures that provide reasonable assurance regarding protection or timely detection of unauthorized acquisitions. management asserts that amounts presented as restructuring charges in the income statement are properly classified and described. Similarly.

APPENDIX 3: Audit Announcement Letter Template 2006 SOX Testing Announcement Letter 2007 General Announcement Letter Template 72 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 4: Audit Memo Template 2007 SOX Audit Memo Template 73 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

74 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .APPENDIX 5: f-Alcatel Testing Decision Tree Note – the attached 2006 document shows remediation action plans as the responsibility of CAS. remediation action plans are the responsibility of the SOX PMO and the Control Owners – NOT CAS. In FY2007.

APPENDIX 6: PGP Training A training document is located on the Protiviti Portal at the following address (bottom of the page): http://ihprotiviti01.ndc.lucent.com/SOAPortal/ 75 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 7: RVR Training 76 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

EMEA •Jennie Tiderman – ASB and APAC •Bob Moogan .Scoping/Integrated test plan/SAS70's •Jill Clark and Mary Ann Imroth – PGP and RVR CAS •Laurent Arnaudo – Overall responsibility for SOX testing •Craig Harlow – SOX Strategy •Peter Green – SOX PMO and CAS Liaison •Rich Braithwaite – IT Testing •Henk van Beveren and Sophie Neron-Berger – Testing in EMEA •Kris Lemmens and Sushil George – Testing in ASB and APAC •Gautam Patankar and Vig Menon – Testing in NAR and CASA 77 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .APPENDIX 8: Key SOX Contacts and Responsibilities SOX PMO •Cathy Carroll – SOX Compliance •Alan Kilyk – SOX PMO/Project Management •Scott Greenfield .NAR •Stephan Vantomme .

APPENDIX 9: 2007 Sub-Process Numbers 78 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 10: 2006 to 2007 Process Mapping 79 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 11: SOX Testing Worksheet 80 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 12: Random Number Generator 81 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

APPENDIX 13: Former Lucent in Scope Critical Spreadsheets 82 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

alcatel-lucent.www.com 83 | CAS |2007 SOX Testing Guidelines |July 2007 All Rights Reserved © Alcatel-Lucent 2007 .

8 00/0/ .

79078 24398 008  /. 6:.8  .

90.79078 :894507.843041906:.557457..07.90.5574.80-.:/089 6:..94 /090723090..8992084..232:2/.      880880/43.908.5074/ 490 %0545:.7907.88:8378-.80-.943.250808 3.80/.

894-08:-806:03994 90/.90/.90 :.43974.039  .87020/.90/  $ $ %0893:/0308:  #98#0807.9043.7020/..0/.8.43974.250:80/949089.90.

0870.30/43.47/0/3#'# 9900.:2039..943.8709./.7/390 70903943419089/4.9434190898 47207.  4.5574.:2039.:2039.07 47  W :7450 .3807.943.8709.0594341 0397.07/1107039.4397490893-070.943  W W 47207.90.30/3#'# 47207:.3/147207:.0399089/4.343%..0/.:2039.039..909089/4.

47/0/3!!.870..94:9009073.90 :.3/07090.0430778 .47547.43974908933.4397490893-070.88:.090790893 %070.47/0/ #'#47!! W W W %030$7:085079.3/13..9090$90893 .9047 .039 809073.:.:/9478940.088 9088 70.0439748 9080-070.3394$0..47/0/3#'# #.343904741$-0/0503/.3.4397490893-070.70..0/.439748   $ $ %0893:/0308:  #98#0807.343%.47/0/3!! %.903990.:/9478-0 70343904750714720/-$9470/:.90 :.3.3/$ .039  .343%.....47/0/30907#'#47!!/0503/3 43904. . .03:0 % .43974870.9434190.090 -05.943 /4349706:70.43974..394390574.70438-070.3/ -090890/-90$ ! ! .3.

.908349.43974./.3.:7703990893897.08808 5071472 3/0503/03990893..  4.80/434.90.990/4.:2039.//943 9825479.:/94788 W W .:/947884:/9.03./4.507894/4705071472.0/.990 2489  705071472.3/ 705071472.9047574.3.:/9478907 706:70203981474:7475.3.3/..9 3.039  .-007-..9.94341909089850714720/84190 0896:.0419089394.3.//70880/-3/0503/03990893-090890/- 705071472.....0 200939904.05.9041909073. 09073..43974.090893 %8507.:2039..3/190706:70.09073.:/947 989070147025479.9.71907 706:7020398 850.039..943  $ $ %0893:/0308:  #98#0807.02.0 90893 .:2039.943..3.90 :.89  3/0503/03990893 .9434190898 .907090394341/4.908-090890/-9009073.3994.450847473.719904.4393:0/ %0..0 ..1.9047574.788/03910/ .399.08808 5071472.:2039.4390294 7050714724:747 .

039  .4393:0/ W W 90893-070.:2039 $ %08934780098.5503/ 147.0/.30/3#'#47!!   $ $ %0893:/0308:  #98#0807.47/0/:8390$$ %0893478009 800.8419.90 :.7094-0709.  4.:2039.943419090898 .454190/4..

690647.3994909089384:/-0709.94384:/-0709.9434:/9..47..2 039 90728             /0.3.:2039.45108 984:/-0430 .:/9478705071472.04190.:/9478314720/90$ ! 9.51.847.3.  09.943944308/035705.30/ -:990/4.250 .  4..3/.33.-09470.1.05.91:.07 /.4...0.:2039.  '4.5574.5 W     .30/ .08 700.:20397054790/.059.90 :.4508418:554793/4.907010703./01.09071008 $84:/90701470 07010.3.300.0908.1 %:.1 690647.30/147.08 #98#0807.7.3905479..043.5 .0                            09.:2039.4.07 90728        .:843  47 9.090908934750714720/ %0 /4.5574..4393:0/ W 98.08 0  ...4.039  W W  $ $ %0893:/0308:  .3/.91$90893/4.9.9.33..03:2-07 4190/4.556.0/.:/94789.6675.907010703./03.94.943419090898 ..9743.399       5.47/0/..  8479    /0.5.3.9..907070.:2039.8.209089 9908.0 .7/.794190$$ %0893478009 47  9009073..9470/:.5071083478.9009073.700/9901 .08419090890/90284:/-07054790/ 800-04 7010703./03..7/ ..908 57.9433.:203984:/-0709.51.56..43..42094908.4..:/90.00/ 1470.. 09.0 090700.090893 09.85.55:9.330/ /4.43974 3.:2039 8 .03.                                                       6:.3-050714720/-9009073.  8553..390$ 90893574.4..:2039.95.9: 64.3/ 9090284190/./506997.088940..:2039890890/.80/9400590.08570. 69.//7088  3 9831472.90   8553 -3 ./8009 43.9 .8-0 709.0 90728 !                         W %8/4.20 .3.450841..9431479009073.943 190/4.//7088 /.94384:/-070.9438944.5675.:2039.9743.9432:89038:7090 #05071472.77.439744307.0/8:554793/4..:2039..:/0/ .564469. /4.613.:/9478  %084:/-0.79./1:73.//943.:2039.4:234:8 43850.0   09.20/4..4.

9  4..56 '4./ 1:73.:2039.02039  7/07 % 574.1  69 0647.425090/ W .9  4.9434190898 #'# W ..:../ 1:73.  56  4469 .4390.:/4 .3.  0..56.  0.556.  0./ 1:73.  .0949089 425090/ '4.  0.  .1  69 0647.556.1  69 0647.9  4./ 1:73.6 94800.9  4.556.43-04 '4.:2039.  0.  0.56  '4.56.943 8 94-0.9  4.:.  56  4469 .0883 '4.1  69 0647.  0.:7039 73.4390..556.556.3.  0.9:8 %     !739 '4./ 1:73.56.56.1  69 0647.56..6 '4. 4.556.039  ..  4.  56  439748/4.1  69 0647. 56.1  69 0647.56 56  4469 . 56.02039 '4.43  ./ 1:73.03:0 2. 307 73. 56.1  69 0647..  $ $ %0893:/0308:  #98#0807.9  4../ 1:73.556.9  4.:/4 .6 399 !074/ $9.990574.56.943.0 .9  4.:7039 3!747088  3!747088   !:7. 742904205.556./ 1:73.0/.943 #0.0884:.  4.3/90893 0.  .90 :.56..832..

.943-030.4394.9434190898 #'# .90 :.:2039....7  $ $ %0893:/0308:  #98#0807.:2039.90/9490893 /4.0889010/8/0/.0/. %03.4393:0/ W .4397490893 .943 W %0144331472.088..039  .  4.43 .

-0147.425090/ W W W W W W W  $ $ %0893:/0308:  #98#0807.38-0.039  ..9.8.9090/.9434190898 #'# ...84-07054790/39810/ %504190893 1470.:2039.041/.0349.43974574.75943 09.250 705071472..9039810/903.  4.204190908907  03.94:9089078300/94038:709... 1470.94384:/ .3.2504:73.0 47 0.147207.90.4397483#'#  .0/:708.8950714720/ 3/.39..4393:0/ W W %089/08.90.909089.25080 450714720/9 3/.3889700..0/.9.0/908935.23.3/9.0  %0144331472.99090895.943 $4:7.30/83..41039708 $.990 ..90 :.

557457.90.:2039.9434190898 #'# .70/.8 3495.880/ 43.0/..:843 448090.8041.3.43.42203943708:98  0850.  4..4393:0/ W W W W W 42203984390893 %810/8147/09..439748/0.880/.:843147909089 5.42203984390893 9-0:80/94.

90 :..039  .90475.5078...2470/09.3495.38 909089.943  $ $ %0893:/0308:  #98#0807.8.943  $005503/147.0/#'#5708039.8:.088 4.994.880/ !.:2039.:2039.943.943&809074801:3.880/20.0/.3/4907 /4.99.

9434190898 #'#%089#08:9.425.0/.  4.250 $ ! .90 :.70473 990#'# .394 /090723090-089 2094/4494 :5/..:/947 708:983#'#  $ $ %0893:/0308:  #98#0807.90 /893:8 9073.039  .:2039.

0/.:2039..9434190898 !! W $005503/147!!5708039.  4.943  $ $ %0893:/0308:  #98#0807.90 :.039  .

0/.:3/07 900307.5574.. 43.70.07   $ $ %0893:/0308:  #98#0807.9 .0.83/3$9.92008098 $9.90..9434190898 !!%089#08:9.:2039.250 3/3843 .90/- $  3 805.3.90 :.90/-$2.039  .8 425090/-4 3.9:8 !03/3$29 5574.8.07 .3.438/070/13.7.  4.9:8 425090-$ 2.998920  -0:5/.9:894425090 .43974           789039070/-4. %03 1550/ 943/3$9.3.0/...0$2.3/.908907  789039070/.07 &5/.

784341#'#.790/   !074/%0893/0/ 99. $905 %08908.89!0714720/ 4.94341%0898 425.77.20398 88 3488:0 .20 %08908.:843 4!0714720/9 03.75943 42203984343.08.:/947708:98-0039070/394!!47#'# 47547.08-07085438-0147:5/.3/!! 4947547..90:/9$07..9390893708:9814790790893 #'# 0/ %08970.:2039.9..75943 %089#08:98 %08907  !074/%089$9.3/9073.  4.0.90:/9$07.:2039.943 %089.

700472 .9.77.0.

700472 88 3488:0 88 3488:0 88 3488:0  #'#:90/ !.880/.

9:8 425090/ 0.93110. 8808820390.039  .7 % %089%50 $  % 29 49$9.42203/.790/ !03/3$29 #0.0/ !!.2....808001443 .7 43974 0307..9 0/  #0.94388:.0 43974 507./.:843 %089#08:9$:22.088  $ $ %0893:/0308:  #98#0807.../ 2:950800.90 :.9.798 $9. 70.0/.0 425090 88 3488:0 !0.90/!!:807 43.8 4397449!0714720/ !749.943 4908 !!8.

.5 .03190 ..02039470254008 3903472.920-.1.9 0./1:73.9.33..03947/090.4.943894507147290.51.88  !  '4.07907882883 # 30893. 69.613.51.9.4:7804150714723907.943 94570.902039843.43974/40834954880889030.38706:70/-90 4..03..43974/408349.91:..088.439740110.55:9.943.90 904-0.94341.5675.90.56.08 W .439748 4507.:9479476:. .92889...9 .3.94.4.3..4397430..08349.83903/0/ # %05078435071472390.4.43974/01.6675......9: 64.3.439748349574507/0830/849.088../506997.03.4./083474507.9435.1 %:.7 .43974/408349 4507.4 2...77.574.  01.5  $ #$  .690647.4.556.0.03.43974/01.794.088.9.8830/ 1:3.08980390/083474507.8209 !#%  574507/0830/.0 W 470.564469.1 690647..

4397443078.894-0039070/3#'#47!!  %88349907085438-941$  $ $ %0893:/0308:  #98#0807.039  .90 :.0/..3/0../0785 %8.

  01. .93 439748 5708039902147.3/.700/990.47/902390.4393:0/ W03.03.9435.0 147%0307.9.-0425038.3.5574./01.55.33#'#.3/90$ ! /0391.3/1..700/ 70.08 .439744307.3/90$  ! 90..94900399 8  70850.8-003/03910/.439748 .439744307..03..

47/0/3#'#.!!  W.425038.439748-070.93.

3.93.!! W430.3.02039 W425038.03088410893.:20390/-2.82:.439748 ../0/940 W0.439748300/94-0/4.3/2574.85488-090.4397483#'#.439748-090890/-$8939010/1920507298 47- 2.70.42203/0/9429.930110.9.02039 W9870.9434130.439748-0:57.425038.0904507.93.

4:3903.3943390/090723.3/ % $  $ $ %0893:/0308:  #98#0807. 98/090723.9438907085438-94190$ !  .9020394.039  .90 /01.2.93.943410907.439748.  %00110.03.8..!! W%008903..425038..90 :.03.2889.93 .425038.03.03394.98 .8808839080.9090/01.70700.439748894-09..3/349-03570.079 41./01.0390/47/090.041430472470.439748/408349023.425038.03.47..90/ %.941.47/01.:773.93.24/07.0/.

0.03..24709.47/ 574.90472..39:/041 889.4:/-0.03.508 24/07.9708:98324709.9.43806:039.42-3.-3./.3  4709.473907213. 0889.943412./506997.9020398349-0570.3.33.9: 64.03.5 .824/07..9020394190. W W 2347/01..3.:9470 70.556.03.1 690647. 4709.110.881..47/..3.03.3.3.039  .77.0390/47/090.47/01.9079..088 4770547909073.690647.33.. 8..8810/.0390/47/090.3 8 . 8./1:73.4..8349.4739072 13.55:9.902039 090770249047 0889.9001.43806:039.472889..91:.9824709.2.13.94 ... 044/41889.3.03.0  $ $ %0893:/0308:  #98#0807.3.-99439.9..-0 4/07.94341 01.90/01.03.89..90/  '4.47/01.03.4.3.564469.4..830/01.03.03.613.47/01.03.08  9. 742 94   70.33:. 8.5675.3.3.6675.9.94.03./0 3097084/8 03..43806:039. .. 70.89.902039 3.0590/..9.9890.03.24:39349-0 570.5 W .51..47.1 %:.8..90 ..4:393573.03.51. .9.2889.1.08 9.56.9 ./01./01.42-3. 34701.33.94341/01.33:./.3   $ ! 94574..4.47 24/07..0 !49039..4701.9020394190 .90/  2..425...  01.3702490 4709.3702490044/9.0/.03.090307. 47..3..90203989..9708:98 3.90 :.94 .43974/01.702490044/9...3.90 /01. 69.0780.2.08 4/406:..03.

:/92024 800V   .439744.9./:.9478.90/.-4.3/3493 #'# 9705708039839073./01.041.1.03.:08 17.:7 %06:..3..08 -057080390/.:..0 8:.9.-0 ..43974/01.48320093990  70850.2889. 705479339./01....8-00390890/  %089078349.03.4250903.08 %0 0.1.42-3.43974.94341/01..943 .  01.43974/01.08  %0.9090831.439748 490 ":.80/435.39:/0 4190549039..03.90203941.3//0907230090790/01..9434190831.03.:/0-496:.08850714720/03.3.94341/01.94341.:9479 7085438-9 .90/01.9.4:39-.473.94341/01.08 /0349.4:39.:/ .03./01.3/.1.03..03.7024/07.08472.890.083905.4393:0/ W W 88088044/.-/090723390144390044/ 9. 47.90/9439079  09.84:/3..3.01.90.041.03./07...48:70.03.03.08 4/406:.07941349/0830/.9.943.:.079 %0890782:890.3.02039-0147090.08  3/.0 147% 0307..8.03..03.3.39:/0 80./01.08.2..113 09.01..:880/990$ 5740.-0 4507.047 /8.4:/708:93.410254008 89..9.1.0713.89441903//94..9478 ":.880889080.3/6:.9.08 .3/902..2889.09.3./01.47/01..:7703.339073.0 701079490 . 47/01..03.3//8.399..:/2039 %86:.3.03.88088203941044/84:/-0-.:.902039708:93174290/01.03.42-3.90.03.. .08-07054790/3.:/9574108843.9.78 4. .70902870.3/70. %08907884:/0.

349/4.9435.90 :.:20390/...439748147.0/.039  W W W W  $ $ %0893:/0308:  .3 .384343 #98#0807..

9.93110.0 47547..93110.3/8808820390.4:39.03088 !! .  43974 507.9343974 507.3/.-0147:5/..9.088.90:/9$07.03088   ..

0 #'# -.4208  49#'#.3/.80/43$ -.47439748808820390.43974 -0390890/ 143041909089890581.8.93 110.:/947.9438  8/0 .80/90894:9.3/!!:9089.03088.894/090723090708:914790.9.9438 80043974 507.3/8808820390.0 $00.80/43909089708:9890.7/0/800.

3 38420 389.9439013.:78  90.990908930.08 89-0/0020/.8 3495..3.3/038:709..870.9020398 198/0907230/9.8 1:4507.43974 1:4507..3925.:/947 .93 47389./..894/090723019090898905.93 .:/94784:/3.998834990.3.8841705479390.43974.880/ 90.3.507890-..8090. 89.831.8.08070984..:/03907475.47/0/.

831.425:84794:5/.:.:84370..990 0.3.9020398 90.9089.039  .70020399 90.7003/4349300/94-0..990.94389479400597..9438947 .0/..9098/.3/800..5503/  $ $ %0893:/0308:  #98#0807.93 3#'# 98.9.3.89.8 3494507.3925.338/083.9 439013.841039073 3!!800!!97.90 :.0 94800.0/ 07098/0907230/9..43.90900.425090/-9089078 47/09.2.43.9:8 %0 490710/843908.0783..:.990708.880880/.3/34794-050714720/ %4:5/. 90908907.4397484:/-0.../06:.4190 4:989.

  43974 507.0 .03.943.9079../01..9.3/8808820390.9.03088 !! . $ ! 8.3/.93110.-0147:5/.3 4507.03088   .4397483490/0830/7.93110.93 9084:/:8090 /083/01.4393:0/ 03908907834909.990.9343974 507.33494507.03.9079. 459437.4:39.

20.39073..890.039  .438890399 #'#. 4:/4.70904.90/ %88.030883 43974 $9058349 90709.3 507..03.03943.43974 3:2-071440/-$9050    $905  $905  09.0399089708:9 7:08 1470.9.943.439748-0:5/.43.0//09.0/.70/03910/-9043974.43974 43974$9058  3!! 43974$9058.8808843974$9058  $ $ %0893:/0308:  #98#0807.:/947 8:-806:039/0020/90.:941 430$00. 90 507.4208 43 /01.. .80/90894:9.880882039.47 439748808820390./408349.01.80/439073.08-0039070/ %0248970.90:398.0 #'# -.4397494.0880994  $905 !!0307.84:90/ 43974 $9058 3907# 8 .03.943.03.90 :.3.93 .39088902/01.01..//943 43974 $31..3/.077/090$708:9 47207.. : 507.93110. 3.0.:/947-. 0307.90/14743974 507.250 1$90898708:90/3.841.

9.0 430 430 . 0.9.03.%08909.03088 $00.0 .4393:0/ $00.90/ 88378.01.93110.3/.9438 !479. 0.93110.9438 !479.03088   .0 507./03.0 4397434950714720/ 4397434970./ #834929.411472.943.439740.9438  !# %'% 507.  43974 507.  %089#08:98 $00..3/8808820390.9.0 49%0890/ %0890/110.

43974 .47 .0 430 430 430 .8.-4.

07 8420 31472.250 4%7073.439748-0350714720/.43974.3/03910/572..0 $00.  507.90/03910/78 49 507./0/948:5547990./03.43974..8/0830/ 472.43974.849%0890/ %88 90/01..039 33:.90034:949089 %0/4..43974 47!13/3:3/07/85:90-! .7..-014790893 4790..0..01.:9.9.09.8/0830//40834929.03.:20390/ 490830/ #8.01.09...:7.0 929.850714720/8.850714720/ 439744307834970.4:/349-0574.43974 494./031472..9.-0  43974./03.059434190$  5747.:20390/.2.9438 49%0890/ : 507.93 5.9 40.9 .:/900.0 .0.03.550..908/03910/788 .0.039$.03.93   507.930110.844507.  !7023.439748349/4.9.3/.0./03..:0 43974/08380110.7.439748.03..943.8349-0033/03910/ 47089378/408349.0.  08301.9.3/8../47349.934950714720/.943.:20390/ .3.  08301. 38:11. #'# 880882039 0.43974.701.9438 9903.03.990.8706:70/ .3349574.

79.3/..30.7./03.:770/174290-0333419018.47!74.88084734990890//:0948.039  .:/9 %070147090.994-050714720/.9438706:70/ 49034:9089.:2:.0/.84190893/.2:2/.9041.088 307 .0..43974 &809815.. .90  $ $ %0893:/0308:  #98#0807....0399.94:/970790300/14790.43974.7:3990/.43974 .-00..9.8.8..0.25080 %00.2505.8349 4.0.9047 90308.8349-00350714720/.90/945071472908943.90 :...83 .3349-090890/ 439744.43974 8:.8-003..0..:7843.

3/8808820390.03088.0 $00.9.93110.  43974 507.9438  !# %'%.

#'# 507.93110.03088.9.

.:8843970.7/940907988.90034:949089  00/1:7907/8..844507..93 5.07 842031472../031472.3349574.908/03910/788 ./03.550.7.059434190$  5747..-014790893 4790.8/0830//40834929.43974..0 $00.9438 9903.0 .0.43974.930110./47349./01.8706:70/ .43974 %0/4.990 .439748.:20390/..3/./0/948:5547990.0 929.9.9..439748349/4.849%0890/ %8890/01..43974 439744307834970.0./03.-0  43974.3/03910/572.:9.:0 43974/08380110.03.09.3/8.43974..90/03910/78 #8.4:/349-0574. 8808820390.9.9.9438 49%0890/ : 507.9.47349 4713/3:3/07/85:90-! .8349-0033/03910/ 47089378/408349./03.850714720/8.:20390/.0..:/900.9 40.438/070/.:7.0.2.8/0830/ 472.934950714720/.3.439748-0350714720/ .0..09..7..

.7...0.:..088 307 .908.03.2505.88084734990890//:0948.5.3/.43974 &8098 15.994-050714720/./03.943  507.8..0.01.9047 90308.0..-00.98-03089.:7843.0.:20390/...9.2:2/..0399.90/945071472908943.3349-090890/ 439744.943.9438 706:70/ 49034:9089.439749.83494.30.. 08301.:2039.94:/970790300/14790.43974 8:..:770/174290-033341 9018.47!74.79.8349-00350714720/..3/8893 5747088147/083.:/9 %070147090.:2:.7:3990/.-0147.84190893/.43974..90 3#'# .8-003.9041.439749..984955.74. 494.0399 3/.8.43974.79...03.  0307.-80/3#'#.83.3//4.25080 %00.

 38:11.039$.250 4%7073.701.039 33:.43974 .#0./  !7023.03.

.943.03.14770547935:754808. 883 438/070//01.

08 0.0/.3:2-0741/01.03..43974890890/ 90890/0110.90/3..05:8949.70.5:8/083 /.439748   $ $ %0893:/0308:  #98#0807.808  3700.08 4507.943..90/:8390949.039  ...5.:/3/0503/039.03.2097.:. 3:2-0741.03.-0.3884:/-0../01./0/-90949.9.39147#'# 01.90 :.

943.  .

3.08 4.03.3 4 3.082:89.#020/..03.02039/03910//01.574.:/947.:/08$ 9073.943!.0.943.38 43974 0307.943!.3/..088. /01.884..3.90/7020/.

3/!! 49$ %00307..3.4397443078.9.3..94389.0..943.-9147039073 2.943.383#'#.4837020/.9435...97020/.3/0.4:39./0785.050.3/ .

.850.3/:0/.920.1907 90.9090.$3 11.7908 4.808070.384:/-0:5/.3/9070147098.9435.943!.70..9006:..083.90.94341/01.557457..947809.3$9.4250943/.  #043.30903/0/ 7020/.39.3..902..412.0 90708.02039 4.990702.84-0..3 08.0/.90/.90-0-:83088/.325479./01.3 %88349907085438-941$  4 3.90390 .03.250949089907020/.5574.:7.90 !!  9070834.9435074/8706:70/ 03.4250943/.9435.33078.9435.3/31472$43.:90.8.3/97.94190 $ 5747.3/03907.3/...3#.430/9.38.38 $09.93!.9:8390$ %4484:/-080994 3 5747088 $0.8:11..0/7020/.943!.90/342203980/ #'# 47.954399089.3.08884:/-01440/94.943!.-0.70.4808 .90 :.759430/ !! 99.2.9435.:7090..0398.0393#'# 4 4 4 $ ! 243947.9:83$ 94494 425090 ...088.43974 4 #020/.840/901443574.94:98/0139070.0.447/3.817429030.039  ..0203970547933    $ $ %0893:/0308:  #98#0807.70. 0.90574708841907020/.75.:/9.03.

  .943.

039  .#020/.0/..943!.90 :.4393:0/ !! #06:70/ #06:70/ #06:70/  $ $ %0893:/0308:  #98#0807.38 .

  .943.

90 :.0/.#020/.4393:0/ #'# #06:70/ #06:70/  $ $ %0893:/0308:  #98#0807.039  .38 .943!..

90:/9$07.089900.  47547.080.880393 9490 0399 8 .9.43974850714720/4347.90893-050714720/3 -47547.02-07    %080.90.07.334:3.3.:/9.02039099078 W 390147207.0203909907...19070..8-003.059434133:.700/9.439748-090890/3"  :/9334:3.90:/9 $07.-08 W 9.

9089490.088.90909089/.890$ ! 87085438-994.9490$ !  3147239029./1477054793 W  $ $ %0893:/0308:  #98#0807.422:3.:894209024/0 W 390147207:.4397443078 .302..90909089/.43974 43078.0/ 7010794900. 2.90/9909089708:98..:/970.90907#'#47!!8:5/.2503 .3/49078.. -0147090$ 47.80/4390425.039  .3 990! -037085438-0147 905740.9478 1300/0/ 4:/.90/90895.039.42509434190893.7-.5503/ #043.334:3.422:3..:/9.42203.90 :.830..0/.0203909907807034980394:93  9 .5574.9 989077085438-994.574.02039.3.088 $803/.3  W 3.3/8 70.3 8$ .9089904.3/.80/43903907.

90:/9$07.080.2...3.9.3.0/-90$ ! 9492489 831.9047 .3..0203970.:/92024 47547.70831.03.847084. . %0$ $90073 4229900.:/0..080709043974 307.90-701904750714720/ 7010794.4393:0/ W 47547.90/70547988:0/-0.-08 ..0.4250900399  390.07.02039.3/90$ ! .39472.3:/9024 701079490 24/03 5503/ 1470.9070/.3-0 /897-:90/944.4384/.9.439748349 4507.:/94-0.4.:/0.073.0884:/89..03088 .3!7023.0.:/305.943 3.3.90 :..930110.3.# .943 %0$ $900734229900 /09072300907/01.:/920248-0.701.00/ # !  %820242.08870.3988:08939047..90:/9$07.9.0 3.90:/9$07.039"80347 2..0.3/.7419090893708:98- 4507...-0/09..930110.907.9.  47547.03.0880.0888:0.08.8:22.9438  .3/3.574.3.

039  .$13/3 :94:/9 $/.47/0/.30399 88:.070.! /4349.0/.0880.7009..7.-.9..8 3:2-073.232:2-574.90 :.3/705479884:/1440893$574.3/.88503943$  92.3.:/9 20248.08  .3.041$ .093..47/.80 70.3/.9.0/:708147570 88:.3 W W W  $ $ %0893:/0308:  #98#0807.2.8-03 70.5574.3/.

  $01880882039.

02039%0893 $ ! ..3.

47547..3.020399089$0503808.3/.90.

0/03990.0..439748 $ ! .0397.

.3/. .3.422:3.90 :.9094$ $ ! 0390790708:9841908090898.02039/0.:20390/89.3/.7/8-:9/893:80/- %089%50 .47/394/4..3.343 $908907 .0.3/.3.0/:708 8.3/90701470 039070/9 3/3$9.0/.//943 90%08907-0...9:8 425090 ..02039%089  3.25080 09.039  .045909089574.020399089343-0 039070/0313.425090  $ $ %0893:/0308:  #98#0807..0/.

  $01880882039.

0880894-090890/-90$ ! 801.88088203947-2.0203990893 .02039%0893 .47547.3.3.90..70$0503808.4393:0/ %0574.3/.

0/.039  .0/03990.90 :...0397.0.439748  $ $ %0893:/0308:  #98#0807.

70:3/07/0.08808147%07039908 -01.9435.450574.073..9088:08.. 8 97.3/574.94..3/705479 5747088..  39073..-0147%07039908.5747088.708:9 0397..0/.944..708../23890790"..0 2.$ ! .90 :./07054793.07  147207%$ !!88:06:089433. 0503/34370854380894906:089433.0452039 "-088:0/8479  $ $ %0893:/0308:  #98#0807. 880882039.0!479.70 " 55..3847908982.3/4:9 41 8.708 09.3..039  .90/.3/08.-9147708543808:22. ":089433.3/97.3.708.5..9.. 90$ 4:3.43974":089433.90!749..

708:94190.7 87./80098.94370../80098 1 :.943 90.79.90/947010./4.:770398.0/17423 94 3  $00.990.453 89.439747010703.807010794981094/090723090.8570.308-0147090893.5503/.0/94038:709070.3/8/04190!!0.7003 903 .0-00370/:.9:8 %010.4501479090893410..79.42203. !0..:2039..870.0.039 .8905479./08 1:7907/09..09010 49490019 ./80098 38./800981471 :.0  .08 94.93949080 8570./80098  0 574.8570.3/9884:/-0 .$570.943.088 .8570.7034..5503/.  79..8507.574.4208.439744307 09.574.84-054890/3!! .8349-0031::5/.7/3 .79.:770390.039 W 8..088 .

/80098.. $570.79.

4:23  .9989077085438-994.884./80098./800984:/-0 8.939490908934190..90/. 8570.30/3#'#43908.43974 .039  .0/./80098.88.8570.:2039.8 9.43974 19070.574.39480507.0/3!!:3/07 90.0-003 ...8570.:/0/3#'# 0147090893.79. :.039574.450 8570.703.0880849079.34907.5503/ 90 /4349 706:70908933  1 .3.884./80098-03709.90 :.4397443078././80098 84:/-0.4508570.90/.79.80/9.. 8570..70709.94370.90 W 79./4../800983!!1471 :.30/:3/07430..0889038.43974 %0.79.431720/990.70.94390 38../8009/03910/90708.8570..4397443078  $ $ %0893:/0308:  #98#0807.0719....039 !!  W 470.20-.3/.

90 :.039  .. 5503/.08  $ $ %0893:/0308:  #98#0807.0/.

3.8570.90 :.947 5503/ 1 :.33 5503/ #'#97.88079438 5503/ :/9334:3.0883:2-078 5503/   94 !74.98 5503/  $:- 574.0/.453/4. $ %0893:/0308 5503/.89.0 8              .08 5503/ $.039  !...902039.450.:2039 5503/ 3.79.33 5503/ 0$ .08 %45.0882...8439700 5503/ !!97.03938.90 5503/ %0893/0.3/42:2-070307.02039099079025./80098  $ $ %0893:/0308:  #98#0807.  5503/.90 5503/ :/90249025.439.553 5503/ $ 90893478009 5503/ #.

4534.!! $.:2039 &"&0675 6045..

90 :..039  .0/.  $ $ %0893:/0308:  #98#0807.

9.88079438 8903.438/07390 /1107039950841549039.707085438.0841 39073.03/.880947.0949480788 %0.84-0.90 .472889.:7.43974 425.09$  706:7080.9.-90898.!!3.2889.3..90203989.90..$9.3-0440/.0.9.0/:7089.3.0-.:/9 574.3/903/083.90203988079438 W 0.88079430..902039...9.//7088.3.3.4.88088788412.92.

039.38.70.9:.389490.0/:73905074/ !.$ ..0399.95079..943 470..47/0/97.9445.

943.438/07.-9870.:8942078147..47/0/..089.98.3.8807989.:.083903.3.7 2.90.3..02039.8807989.880947..420 89..70..08009 . 47 0.0394708390-.250 2.557457.3.902039705708039900.-01478.9.:0 .3.02039.0 $2.847 4907..91380/44/83...943 '.304144/847807.773.

47/0/..3/70.90/94905745075074/ !.4.$ .03:0470503808 .38.943470.039870.990574507..24:39. 97.

02039.88098 .8807989.3/.:0 4250903088 9070..7  2.7070.90/.489888902..7034:370.080093.02039.4:398 70.90.:/0.3.9.480/9028 470.08.47/0/..250 2.3/9.90 :.0/. 4-.997.8:.-0390-.98:.3.:/0/390-..7089.930970.3.8807989.0.489.95745079 870.5:7.47/0/...250 2./0.943841900399 #98#0807.7 2..38.-908 97.8807989.98947..8807989.90/94 .3/ 807.02039.3.-03.8084144/8...557457.47/0/.3.02039.9020398 $2..4:3935074/8 $2..0398 47 :3/8. 470...4.703.3..3...08009.-0.89..9349085.:/0/39013.9438470..039  W W W  $ $ %0893:/0308:  .9...

2047 470.-908390-..94341900399 !708039.7085438-908174270.3.250 2...3.7041.-95079.0 90.3.7-0/ .902039.8810/.880947.3.-013.94341 4507.808390-.9:70934300.0 80093492.!!3..42089.7.94381742.943.-97057080398.94-.38.59.34-..943.8807989.:947.7083903..3.3.0/1470.55.339073.880981742.990 ..3.7.3//8.$9.48:70.:894/41..943.9438 .90  470.7.250  2.94341 .02039.902540083..480/3 .0.90/.3//08.03/.9:73.3//8..8810/ ..7 $2.0990.90203988079438 .9.47/..3.389490.48941900399 8798940..3/9..93308:55078/4349..4:39350784330 805..47/00537085438-908 470.02039.94341.870897:.9438.250  2.39028.80.88098 805.02039..435071472./0.7-0/ $070.0974: 805.24:398.3.0 800970570803990..:894/4170.7 2.80/5745079.3.3/4-.94341/:908897.8807989.9434197.-99439.70.4393:0/ W #98.705479317.8807989.9.47708543/30.843 9072.90/8-:78020398  :947.9.8807989.3..9094574.24:398 57080390/.039.70574507..8810/ /08.02039.

2.02039.9574.7/357490.88:7.3.8807989.0.3 8.9.9020398 470..3.039  W W W  $ $ %0893:/0308:  .89.8809854.:9470/  #98#0807.-0.8.7/341.9439013.3./0 70.3/574.70/:.6:89438 :8047/85489434190.90 :.880989.250 2.08.47 0110..:9470/ .070.94347920/090.94341:3.10:.9! 4507.843...9438.0/.425.0/:7089.4:/.

90   $ $ %0893:/0308:  #98#0807.0203909907%025.0203909907 5565045.!!:/9334:3.039  .90 :.. .90  $ %0893334:3.334:3.9  0307.0/.0203909907%025..

0/.90  $ :/9024%025.90 :.  $ $ %0893:/0308:  #98#0807.039  ..!!:/9024%025.90 &"1. 46'473..

90 :.039  .:20398487020/..943..9435.0/ /4.99..70907085438-94190$ !  .9435..38..50:65 '9  $ $ %0893:/0308:  #98#0807.!!1 .943.8907085438-9 41$ 3  7020/.843%700 490 90.90%08930.0/.38.3/9043974 3078  %$ ':.

33 97.33/4.9901443.90/4390!749.!!!!%7...0  995.9!479.:203984.//7088 -4994241905.

.

5749.039 .9  3/. :.42.

$ !479..

##'9.65...55 #9:5.

.90 :.%'  $ $ %0893:/0308:  #98#0807.039  .0/.

33 %%'9.!!#'#%7..90 :.55 #9:5..65  $ $ %0893:/0308:  #98#0807..0/.039  .

.774 $ 425.!!0$ 439.3.3/#085438-908 $ ! W.98.0 W.3 $ ! .9.

9.02039 W$.453.3/! W4-44.3.!740.394220  W0330%/072.3 $.499700310/ # W$905.3 $.3'.

3907.3.90/90895.

7..2!.0703.7.9.7332749 !!.07.3/! W.:/4 .3/'0343 %08933#.3/$.3/$  $ $ %0893:/0308:  #98#0807.90 :.30.74 $ $97..:9.0/.9.3/$:80470 %08933$.039  .90 W!09077003 $ ! .843 W#.3/.$$ 8 W.3/$4500743 0707 %08933 W78022038.90 %%0893 W03.7.:703973..7085438-9147$ 90893 W7.3/#'# $ W.3.

088:2-078 &/.!! $:- !74.

90 :.#960:: !4/9:  $ $ %0893:/0308:  #98#0807..0/.039  .

0/.90 :.088..039  .!!  94 !74.775  $ $ %0893:/0308:  #98#0807.553 #960:: .

0/.039  .5 692:.  $ $ %0893:/0308:  #98#0807.!!$ %0893478009 &&"':..90 :.

90 :.!!#..5164!4/9 59.3/42:2-070307.039  .947 %.69  $ $ %0893:/0308:  #98#0807..0/.

1:.$570.:  $ $ %0893:/0308:  #98#0807. 9.0.039  ../80098 694905.45079.0/.90 :.0393$.3&79..!!47207:.

. .0/.90 :..90 :..42  $ $ %0893:/0308:  #98#0807.039 .039  .