BRS Alert – Section 404 Quality and Documentation

DISTRIBUTION BRS PROFESSIONALS


DATE 15 July 2004
ISSUER Thomas Bussa
FUNCTION EYG Business Risk Services—BRS 404 Methodology

The purpose of this BRS Alert is to provide additional guidance on quality and
documentation standards for Sarbanes Oxley Section 404 Advisory Engagements for
non-audit clients.

Introduction

Section 404 of the Sarbanes-Oxley Act of 2002 requires management to evaluate the
effectiveness of its internal control over financial reporting and for the company’s
independent auditors to report on both management’s assessment and on the
effectiveness of control. PCAOB Auditing Standard No. 2 provides guidance to audit
firms as to the nature, scope and level of work necessary to issue an opinion. PCAOB
Standard No. 2 describes the elements of management’s assessment process that the
independent auditor must evaluate, and also indicates that management should have
sufficient evidence, including documentation, to support its assessment.

In our engagements to assist management, we provide advice, project management,
process documentation, and evaluations of the design effectiveness and proper
operation of internal controls through testing.

Management cannot outsource responsibility for its assessment. Therefore, we should
have appropriate evidence in our working papers to support that management was
involved in each of the critical decision points within the process. We should take all
steps necessary to make sure that we are not put in a position of decision-making
regarding setting the scope of the assessment, as well as, control evaluation and
remediation. Management will use our work for the purposes of making its
assessment. The company’s independent auditor will review our work as part of the
assessment of management’s process. It is essential, therefore, that we maintain the
highest standards of quality and that we seek to appropriately limit the firm’s risk.

This BRS alert outlines our policies in certain key areas of a Section 404 assistance
engagement. An implementation section accompanies each policy to assist
engagement teams with compliance with the policy. It is important to note, however,
that unless specific guidance exists to the contrary, our normal policies and
procedures (such as those covering client and engagement acceptance, engagement
letters, documentation, review and reporting) apply fully to our work in 404 assistance
engagements. Common sense and professional judgment must be applied in
determining the application of these standards to our work.

Engagement Letters and The Scope and Nature Of Our Work

Policy

Our engagement letter should properly reflect the nature and scope of the work we
have agreed to perform for our client. Where our work ultimately differs significantly
from the terms described in our engagement letter, for whatever reasons, we should
examine whether there is a need to draft an amendment to the original scope of
services as outlined in the engagement letter, prepare a supplemental engagement
letter or prepare a new engagement letter. Where the change does not materially affect
the contractual relationship between Ernst & Young and the client (i.e., the scope of
services outlined in the engagement letter were provided to the client with minor
deviations, scope of process documentation was increased, findings and
recommendations report was not provided), it is sufficient to prepare a memo to the
file outlining the change to the scope of our services and the reason for the change.

If changes to an engagement letter involve altering the terms of our standard Section
404 engagement letter to properly reflect the work we are performing, these changes
should be referred to the BRS Global Director for review and approval prior to
issuance of the engagement letter to the client. In addition, engagement teams should
consult with General Counsel’s Office and the BRS Global Center for requested
changes to the terms and conditions of the engagement. Evidence of this consultation
should be maintained in your workpapers.

Implementation

Because many of our engagement letters were drafted before the deferral of the
effective dates for Section 404 compliance, our scope of work as outlined in the
engagement letter might not always properly align with the deliverables we will be
providing. If the engagement letter states in the scope of services section that we are
issuing findings and recommendations reports, and we have not done so to date, we
need to understand if we have failed to fulfill our contractual obligation with the
client. This is accomplished by considering the following: 1) whether the client
agreed with and accepted our process documentation as the expected deliverable from
the performance of our procedures; 2) whether the client was satisfied with our work
product; and, 3) whether the engagement team avoided providing recommendations,
in any form whatsoever, for the control gaps and weaknesses highlighted in the
process documentation or testing provided to the client. If the answer to each of the
above questions is yes, then we should prepare a memo to the file indicating that the
client did not expect a report of findings and recommendations.

For new engagements, when the client indicates that it does not want a findings and
recommendations report as a deliverable, we should modify the wording in the
engagement letter to read as follows: “We will
issue a findings and recommendations report only if you request recommendations
from us, in any form, regarding remediation of identified control gaps and weaknesses
from our procedures.”

If we are only providing loaned staff to a client to assist them with their Section 404
compliance efforts, the scope of services section of our engagement letter should be
modified as follows:

We have been engaged to provide personnel who will support the
activities of the Company's employees in connection with the project
on a "loaned staff" basis. Our personnel will assist in the preparation
of the Company's documentation and testing of internal controls over
financial reporting. Accordingly, the Company will designate a
management-level employee to be responsible for providing general
directions to the loaned staff, who are working directly under the
direction of management. Work assignments and related scope of the
work performed is solely under the direction of management. Neither
Ernst & Young nor the individual loaned staff are making any
determination nor recommendations as to the type of work performed
or scope of work performed. Conclusions as to the design or operating
effectiveness of internal controls over financial reporting and the
implementation of any changes in internal controls over financial
reporting resulting from work performed is solely the responsibility of
management. Documents and other work product produced by the
loaned staff in connection with the Services will constitute the internal
work product of the Company, and the Company shall not reference
E&Y (including, without limitation, by using E&Y’s name or the
names of any global E&Y-associated firm) in any way with respect to
such work product. Given the loaned-staff nature of the Services,
E&Y will not subject the work product to its normal practices of
partner level review and quality control, and E&Y assumes no
responsibility with respect to the final work product. To the extent
that any of the loaned staff signs or initials any work product
(including, without limitation, work papers), it will be deemed to be
for identification purposes only.

It is very important that the engagement letter signed by the client properly mirrors
the scope of services that we have been engaged to provide. Thus, the scope of
services provisions of the standard 404 engagement letter should be tailored to reflect
only those services that we have been engaged to perform.

If a new engagement letter is needed, it should be obtained from the BRS Global
Center or the Americas General Counsel's Office.

Working Paper Documentation—Where We Work In Joint Teams

Policy

When working with client staff as part of a joint team, we maintain responsibility for
the quality of the work done by our staff, unless we have a signed engagement letter
stating that the work of our staff will be performed at management’s direction and
reviewed by management. To support the work that we have performed, we should
maintain sufficient working paper documentation evidencing the work and review
procedures we have performed.

Implementation

Our working papers, which might consist of printouts from the client’s software
package or manually prepared working papers (e.g., memos to the file, process
narratives and flowcharts, and risks and control matrices), can be maintained
electronically in EY/AWS or in hard copy. Our working papers should be properly
archived at the end of the engagement.

Review And Approval Procedures

Policy

All engagements require timely involvement by the engagement executives. This
means that the engagement executives should review all forms of client deliverables
prior to being provided to the client, and be involved in discussions with the client
regarding materiality, establishing scope, testing, etc. where our deliverable is
essentially our knowledge. In situations where we have a contract simply to provide
resources that are working totally at the client’s direction, there is no need for our
review and approval of working papers. Where we work in a joint team and have a
significant role in the procedures performed and responsibility for the output, we
should consider the need for all working papers prepared by E&Y staff to be
subjected to the normal review process prior to providing documentation to the client.

Implementation

Evidence of timely involvement by our engagement executives should be documented
in our working papers. For example, we should prepare memos to the file
documenting agreements reached in meetings with the client and the external auditors.
Such memos or other documentation should be reviewed and signed off by the
engagement executive. In addition, appropriate executive involvement is also
evidenced by documentation of detailed or second level reviews of the work
performed.

Determining Sample Sizes

Policy

Our sample of items for testing identified controls should be derived from the entire
population of transactions over which the control is performed, including all
applicable locations/reporting units. While it is more efficient to select the sample of
items for testing from the broader population, we should segregate that population and
select individual samples of items for testing when: 1) we determine the controls we
plan to test are not applied uniformly across the broader population; 2) the controls
are subject to differing risks; or, 3) the controls are not common to the larger
processes and population. In essence, each item in the population should have an
equal chance of being selected for testing. The sample sizes will need to be
determined between the PMO leader and external audit provider.

Implementation

Based on the type of controls being tested, we believe the following represent
appropriate benchmarks for the sample sizes.

Nature of Control and Frequency of Performance   Minimum Number of Items to Test
----------------------------------------------   -------------------------------
Manual control, performed many times per day     At least 25
Manual control, performed daily                  At least 25
Manual control, performed weekly                 At least 5
Manual control, performed monthly                At least 2
Manual control, performed quarterly              At least 2
Manual control, performed annually               Test annually
Programmed control                               Test one application of each
                                                 programmed control for each type of
                                                 transaction if supported by effective IT
                                                 general controls (that have been tested);
                                                 otherwise test at least 25
IT general controls                              Follow guidance above for manual and
                                                 programmed aspects of IT general
                                                 controls

In selecting our sample for testing from the population, the project team should use
EY/Random to select an unbiased, independent sample. EY/Random can be accessed
from the Start menu, then select AABS, then Other AABS Tools, then EY/Random.

Reporting

Policy

Where we are not required to provide the client with a written report of findings and
recommendations, we should not provide similar information informally or in any
other way (i.e., Power Point presentations or within the risk and control matrices or
equivalent documents). Our standard report format includes certain elements
designed to help us manage our risk more effectively and is designed to be consistent
with the nature of the work we have been engaged to perform. Without the benefit of
all of the elements of our standard written report of findings and recommendations,
the client might perceive that we are providing some level of assurance on the
processes we have documented or the controls we have tested.

When issuing a findings and recommendations report, our BRS Review and Approval
Summary form must be completed and maintained in our working papers. The pre-
issuance reviewer for our 404 engagements must be a partner or principal who has
been pre-approved in accordance with our policies and procedures.

Implementation

If the engagement team is providing the client with completed process documentation
(i.e., process narratives and flowcharts accompanied with a risk and control matrix
that identifies control weaknesses and gaps), but we do not provide a recommendation
for remediation, a findings and recommendations report is not required. To the extent
that the risk and control matrix includes an assessment of the control as effective or
ineffective, our working papers should be explicit that this assessment is based on
design effectiveness and not operating effectiveness.

If the engagement team is requested to provide recommendations for the control
weaknesses and gaps identified, this communication should be in a findings and
recommendations report.

The documentation that we provide to our clients outlining the results of our testing
procedures should refrain from making conclusions regarding the operating
effectiveness of the control. Our documentation should only include our findings
(e.g., the facts from the results of our testing). [the conclusion as to the effectiveness
is solely management’s responsibility.] For instance, no exceptions noted, or out of
25 tested 2 items contained an error with the details of the error or underlying
documentation to support the error. Management can take the results of our work to
evaluate the operating effectiveness of the individual controls and the overall process,
which will encompass taking into consideration company level and information
technology general controls.

Documentation Of Advice Provided To Clients

Policy

Where we provide verbal advice particularly associated with judgmental areas such as
materiality, setting the scope of management’s assessment, and the classification of
control deficiencies, we should include appropriate documentation in our working
papers. Our documentation should include the issue that management has raised, if
any, our response, and any intended actions as a result of it. These discussions should
include an engagement executive and the memo to the file should be subjected to our
normal review procedures.

We should retain on our files copies of any material such as Power Point slides used
to present our advice, with appropriate notations or other documentation addressing
the above points.

Where we attend important meetings such as those of a program or project Steering
Group, minutes or action plans or some other record should be prepared and a copy
retained in our working papers. Where we believe the minutes or other record of the
meetings omit important matters or fail to appropriately address an important aspect,
we should bring this to the attention of management.

Questions

All questions regarding our documentation and quality standards should be forwarded
to Kevin Sheehan in the BRS Global Center.
