2015 SOx Guidance FINAL PDF
1. Introduction (Pg. 3)
12.7. Disclosures (Pg. 32)
The sections that follow describe Management’s process to execute the annual SOx assessment such that the
SEC requirements are met. AM’s control framework is based upon relevant aspects of the COSO 2013 framework,
which is recognized by the SEC as an appropriate framework. To this extent, beyond the guidelines stated in this
document, proper instructions have been given on points of focus identified following the COSO 2013 gap
assessment performed during 2014. The following sections of the Guidance contain instructions for execution of work
in such a way that AM Management can make the SEC-required assertion with confidence, based on documented
evidence of a credible assessment process that supports Management’s conclusions and the 20F assertion.
AM is a very large company with semi-autonomous locations in numerous countries. Although many (by no
means all) of the AM locations use SAP as their financial reporting package, there are over a hundred different
instances of SAP in use. In this environment, it is not possible or practical to follow one rigid prescribed set of
instructions across all entities where SOx assessment work is conducted. This SOx Guidance, then, is just that –
guidance. It contains minimum requirements for execution of program elements and focus areas but gives
Regional SOx Leaders significant latitude in the exact steps to follow in executing the elements of the program.
It is prescriptive in certain aspects of execution (e.g. in definition of minimum acceptable sample sizes). The SOx
Guidance is clear on what is required versus what is recommended. It is the responsibility of the Regional Leaders
to exercise judgment and ensure the AM program is carried out in a credible way such that the SEC requirements
are met and to seek guidance from higher level Management where necessary. Annually, the SOx Guidance
methodology is updated and refined to continue emphasis on the 2013 COSO framework and identified focus
areas.
3|Page
2. Design and Timing of AM Annual SOx Program
As previously noted, AM’s business and finance organization is complex, relies upon a multitude of financial
reporting and operations computer applications, and the Management of individual entities are given significant
latitude in managing their affairs. The AM SOx program is by design flexible enough to accommodate this
company structure, but rigid enough to promote quality and consistency in execution. The program consists of
elements, each of which is required to be executed, and timing, which is to be followed wherever practical but
which may be deviated from in certain circumstances. For example, if a Regional Leader is bringing a new location
into the SOx program for the first time, necessitating training of Management, creation of a first RCM, assistance
to Management in identifying design deficiencies and creating and implementing solutions, testing is unlikely to
start as early as shown on the Program calendar. So long as the overall work program is designed to achieve the
Program’s annual objectives, the scheduling of program elements is within the responsibility and authority of the
SOx Regional Leaders. In terms of execution of program elements, SOx Regional Leaders may require more work
than prescribed by the Guidance, but not less without discussion with, and the concurrence of, the Global SOx & IC
Head and the other Regional Leaders, to ensure consistency and adequacy of approach and execution across
AM.
For 2015, in addition to the program elements, certain focus areas are required to be addressed in every
Region/entity. Guidance will be clear as to what focus areas of coverage are required versus recommended.
Required focus areas include (but are not limited to):
Again, to promote good practices and ensure adequacy and consistency of results across AM, certain details of
execution are prescribed. This includes (but is not limited to), for example, minimum sample sizes, number of
controls to be tested for Rollforward, format of RCMs, etc. Guidance will be clear as to what execution details
are required versus recommended. A homogenized set of templates has been developed and made available to all units;
it is also included in this guidance.
The Global Head of SOx & IC provides oversight and guidance regarding methods and procedures, and direct
interaction with and reporting to Executive Management, external auditors, and the AM Audit Committee. In
2015, with the understanding that Monitoring is part of the internal control process, a SOx Process Quality
Assurance Program has been implemented and will be conducted annually.
Timing of the execution of the program is indicated in the calendar shown below.
[Figure: GLOBAL CALENDAR – Internal Control & SOx Compliance, SOx HIGH-LEVEL WORKPLAN, spanning January of the program year through February of the following year. The work items shown on the calendar are:]
FINALIZE 20XX WORK
Control Testing
- Walkthroughs, Documentation Updates including Global Focus Areas
- Testing Phase
- Document / Manage Remediation Process
- Remediation Testing
- Rollforward Testing - All Cycles
- Year-end Testing (incl. 20F Process)
- Evaluation of Terminal Deficiencies - Business & ITGC
*RCM needs to be developed with the group template provided
Appendices
a – SOx Global Status Table
3. Global Significant Account & Entity Selection Process
Requirement
ArcelorMittal applies a top–down, risk assessment approach, which is a financial risk assessment performed to
comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOx). ArcelorMittal management applies specific
risk factors to determine the units and entities in sample (scope) and evidence required in the assessment of
internal control. At each step, qualitative and quantitative risk factors are used to focus the scope of the SOx
assessment effort and determine the evidence required. Key steps include:
1) Identifying significant financial reporting elements (accounts or disclosures)
2) Identifying material financial statement risks within these accounts or disclosures
3) Determining which entity-level controls would address these risks with sufficient precision
4) Determining which transaction-level controls would address these risks in the absence of precise entity-
level controls
5) Determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope
controls
Note: The term “scope” should not be confused with an attempt to limit what is relevant in terms of the SOx Act.
It is recognized that all internal controls over financial reporting (ICFR) and fraud matters in any entity or element
of ArcelorMittal are “in scope” of SOx. However, it is accepted that it is neither pragmatic nor required to execute
work in every entity of the company nor in every account. In the context of our program, “scope” refers only to
the identification and selection of entities and accounts to be included in the annual ArcelorMittal SOx Assessment
Program.
Approach
1) Management identifies locations, significant accounts, disclosures and business processes/sub-processes
that will be subject to SOx procedures. To accomplish this, management starts with the consolidated financial
statements. This information is derived from the consolidated financial statements of the previous fiscal
year-end. Management then performs each step detailed below, ultimately determining the internal control
activities and procedures that address the relevant financial statement assertions:
a) Management determines which locations are individually important (financially significant) in order to
yield sufficient coverage using meaningful quantitative metrics that are reflective of the company’s
specific risks. ArcelorMittal Corporate Management may identify individually important entities to be
those with minimum of $350mln of Assets and/or $350mln of Revenue and select these locations for SOx
testing. In addition, a crosscheck with budget figures is performed to identify if there is any entity with
budget figures reaching the above mentioned thresholds.
b) The following is an example of the suggested maximum consolidated metrics that ArcelorMittal
Corporate Management can use for selecting individually important entities/ business units (such criteria
are subject to change based on management’s annual assessment of business risk):
i. 5% of annual revenues
ii. 5% of pre-tax income
iii. 5% of total assets
iv. 5% of equity (if applicable)
c) The ArcelorMittal top-down risk assessment approach also takes into account qualitative factors (e.g.,
history of financial reporting misstatements, control deficiencies and areas of concern, findings reported
by Internal Assurance, country risk, industry risk, etc.). As well, management inquires as to significant
changes in operations, management, business (mergers & acquisitions, JVs, expansions), activities
(capital investments) and voluntary separation programs, using the following criteria:
i. The nature of the financial statement elements, or components thereof, involved (e.g., suspense
accounts, transactions that involve greater risk, significant disclosures);
ii. The susceptibility of assets or liabilities to loss or fraud (i.e., greater susceptibility increases risk);
iii. The subjectivity, complexity, or extent of judgment required to determine the amount involved
(i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate or
off balance sheet commitment, increases risk);
iv. The interaction or relationship of the control with other controls (i.e., the interdependence or
redundancy of the control)
2) Management is required to document how it has interpreted and applied its top-down risk assessment
approach as mentioned in the above section to arrive at the identified locations and controls to be tested as
well as in determining the sufficiency of evidence required (i.e., the timing, nature, and extent of control
testing). This information is then communicated down to the entities and areas.
3) Once an entity has been brought into scope, it remains in scope even if its values fall below the
thresholds, unless there is a specific reason, supported by an assessment that there is no risk, and the
Global Head of SOx & IC has signed off on its removal.
4. Global Fraud Risk Assessment
Requirement
The fraud risk assessment is performed annually by the Global IC & SOx team to identify potential schemes and
events that need to be addressed as part of the SOx program.
Approach
A. The Global Fraud Risk Assessment is a process inherent to the Risk Assessment. It is performed as part of the
Risk Assessment at the level of each unit and documented in the RA memo; and if applicable in the RCM for
relevant controls.
a) The fraud risk assessment includes and documents the following:
i. Identification of inherent fraud risk.
ii. Assessment of the likelihood and significance of inherent fraud.
iii. Management’s response to the likelihood and potential significance of inherent and residual
fraud risks.
b) The fraud risk assessment requires input from various sources. The Global IC & SOx team conducts the
fraud risk assessment on behalf of management and interviews individuals from across the organization
that have different knowledge, skills, and perspectives on fraud risk. The global fraud risk assessment
process includes interviews of the following members of management:
i. Accounting/Finance personnel, and those familiar with the financial reporting process and
internal controls.
ii. Legal and Compliance personnel
iii. Internal audit personnel – fraud department
B. The Global Head of SOx & IC and the Regional Leader Corporate functions document in a memo the identified
fraud risks and schemes at Group level, the assessment of those for relative likelihood and significance of
occurrence, and management’s response, and map this to the processes and areas that may be impacted,
including the identification of the controls that will need to be tested to validate design and operating
effectiveness.
Appendices
a- AM Global Risk Assessment template
5. Significant Account Selection Process
Requirement
Management is required to use quantitative and qualitative factors and select for SOx testing purposes accounts
in which a material error or fraud could occur.
Definition
" ...an account or disclosure is significant if there is a more-than-remote likelihood that the account or disclosure
could contain misstatements that, individually (or when aggregated with other misstatements), could have a
material effect on the financial statements ... significance should not be based solely on a quantitative measure..."
Approach
First, the IC & SOx team has to determine the numerical significance of each Income Statement and Balance Sheet
account based on balance or throughput. Second, perform a qualitative risk assessment of each account. Third,
combine the qualitative and quantitative aspects and select those accounts which could meet
the definition of a significant account. Note: the Significant Account Selection Template must be used in executing
this process to leave a record and to promote consistency. The Template contains instructions not duplicated
here.
b) Qualitative Review of Accounts. On the Consolidated Financial Statements, rate each account as High,
Moderate or Low Risk based on five factors (transaction type, transaction complexity, disclosure
complexity, susceptibility to loss or fraud, and other specific risk).
i) When performing the qualitative review of the accounts, if the fraud risk is rated high and the account is
not selected for testing, justification must be entered into the comment section.
ii) Take IA Reports, Risk Assessment Interview results, etc. into account when rating the five factors.
iii) The result will be a Qualitative Risk Assessment Score.
iv) When the risk assessments are complete, the accounts on the significant account selection document
are reviewed and adjustments are made and documented to incorporate the qualitative feedback
received.
a) If the Qualitative Risk Score is greater than 1.39 and the account is numerically material, then the account must
be tested.
b) If the Qualitative Risk Score is greater than 1.40 and the account is numerically significant, then the account
must be tested.
c) If the Qualitative Risk Score is greater than 2.00 and the account is numerically inconsequential, then the
account must be tested.
If the criteria indicate an account is to be tested and there is sufficient and valid rationale to not test the account,
that decision may be taken subject to written Regional Leader approval.
Selection of Significant IT Applications
Once the significant accounts, relevant business cycles and processes have been selected, the IC & SOx teams
identify and document the related IT applications. For the relevant IT systems identified, the ITGC Framework is
applied.
Appendices
a) Significant Account Selection Template
b) IT Landscape Template
6. Risk Assessment Process
Requirement
IC & SOx teams conduct an annual Risk Assessment at the beginning of the SOx process, using a standardized
form with a minimum set of questions; evaluate the responses and include relevant concerns in the Significant
Account Selection process.
Process
1) IC & SOx teams schedule individual interviews with selected management and staff, conduct interviews and
record results during the interview session. Upon completion of all interviews IC & SOx teams review the
responses for each question analyzing for trends and outliers. IC & SOx interviewers write their summary of
the response in the last column of the questionnaire.
2) Required positions to be interviewed should be at the lowest level at which the positions exist, and should
include the following: CEO, CFO, CIO, VP Procurement, Treasury Manager, Tax Manager, VP Operations, and
VP Commercial. Other positions to be interviewed include: Controller, VP of Logistics, Head of Legal, and
Accounting Manager.
3) As a final step, IC & SOx interviewers will take the results and create the Summary Memo to be used in
conjunction with the quantitative analysis of accounts in order to select the Significant Accounts for the
coming SOx year.
Appendices
a) Risk Assessment Questionnaire Template (includes two tabs: a questionnaire for business and a
questionnaire for IT management)
b) Risk Assessment Summary Memo
7. Standard RCM Requirements
Requirement
Risk and Control Matrix (RCM) is an important component of the body of evidence to support management’s
assertion on Internal Controls over Financial Reporting (ICFR).
Definition
The RCM is a tool used to document all pertinent data about each risk and control in a process, including financial
statement assertions, control description, risks mitigated, COSO components, test procedures, frequency of
occurrence, etc. Aspects of the RCM framework are required for ArcelorMittal SOx Compliance.
Approach
1) IC & SOx teams link results from the Risk Assessment questionnaires and the Significant Account Selection
process to the RCM and rationalize control activities.
2) IC & SOx teams perform the following steps to build out the RCM:
a) Map significant accounts and risk areas to business cycles / processes
b) Map significant accounts to relevant financial statement assertions
c) Identify risks and controls in place that would apply to the identified significant accounts and relevant
financial statement assertions.
d) Review the RCM to identify areas where controls will need to be added and areas where controls can
be rationalized
e) Address assertions:
i. Review the significant accounts to determine which assertions are relevant and link in the
RCM
ii. Review the control activity to determine which assertion is met by the specific control
iii. Review and ensure that each assertion linked to the significant account(s) is addressed by a
key control activity
iv. Determine whether there is adequate coverage of each assertion for each significant
account.
v. Ensure that all relevant risks to achieving assertions are covered by a control activity.
f) Map business cycles/process and control activities to IT applications
3) For 2015, IC & SOx teams are to identify and address certain focus areas that are represented in the RCM
such as:
a) Entity and Unit Level Controls (ELC and ULC)
b) High Level Review Controls
c) Third Party Service Organizations
d) User Access and Authorization
e) Segregation of Duties
f) Information Produced by Entity (IPE)
g) Disclosure Control
h) IT applications
i) Fraud
Appendices
a) Standard RCM Example
b) Business Process & Application Mapping Template
8. Documentation & Walkthrough (Test of Design)
Requirement
The SOx Act requires documentation of the annual SOx Assessment Process. Process owners will normally have
documentation of their processes, often in the form of policies, procedures, and/or written work instructions.
This may form the initial basis for SOx Teams’ work, but in itself, is not sufficient for the SOx Assessment Process.
IC & SOx teams must document management’s process for performing relevant processes and transactions to
ensure that they possess a clear understanding of the process steps, can determine risks to successful execution,
can identify control points that mitigate those risks to an acceptable level, and can form a basis for evaluating the
design adequacy of the controls relative to the risks. IC & SOx Teams may determine the form of documentation
they will create, but it must be either a narrative or flowchart. If flowchart format is selected, the IC & SOx team
may determine the particular type to use. Documentation updates and re-verification with process owners must
be conducted annually, at the beginning of the SOx process, or upon a known change in management process
(e.g., installation of a new computer application) or change in management (i.e., process owner).
Documentation
IC & SOx team with Management must document business processes to identify risks within the process and
related internal controls over financial reporting (ICFR), confirm that the ICFRs identified address the risks and
exist, and evaluate the adequacy of the design of ICFR.
1) IC & SOx team documents the business processes in a detailed narrative or flowchart that represents the
successive steps in a company’s business procedure. IC & SOx team documents the process narrative or
flowchart to include inputs, outputs, activity steps, and decision points in order to effectively tell the reader
the step-by-step procedure for a particular business process. The narrative or flowchart is then verified with
the respective process owner(s).
3) Timing: IC & SOx team performs this process before conducting operating effectiveness testing and according
to the Global SOx calendar.
Appendices
IC & SOx team decides the preferred format for process documentation
9. Test of Operating Effectiveness (including Rollforward)
Requirement
IC & SOx teams perform testing to evidence the operating effectiveness of ICFRs. The IC & SOx team also performs
Rollforward testing during the 4th quarter of the year. Rollforward is the testing of controls that were previously
tested in the year and found effective and is performed in order to verify that such controls continue to operate
effectively close to year-end.
d) Executes the test plans – IC & SOx testers document the key elements of the test and the results in the
detailed test sheet/test work paper. Refer to the Testing Working Paper or Detailed Test Sheet Template.
IC & SOx Managers have a process in place for monitoring progress of work.
e) Evaluates the test results: The IC & SOx Manager, independent of testing, reviews test results and
concludes as to whether the controls are operating effectively to support the financial statement
assertions. If an exception occurs in the testing, the IC & SOx Manager must evaluate the exception to
determine why it occurred, and upon investigation, may determine that the control is not operating
effectively and report a control deficiency in the Gap Summary Report.
2) Records Retention Requirements: The body of evidence (Risk Assessment Memos, account selection process
documents, process documentation, Detailed Test Sheets/test workpapers, supporting documents, control
deficiency reports, IC & SOx Steering Committee Presentations or similar communication to management,
etc.) represents the audit trail for Management’s assessment process and must be preserved in accordance
with ArcelorMittal’s Records Retention requirements. Intranet sites such as SharePoint or similar tools may
be used, but must be backed up and protected from loss and alteration.
NOTE: The sample size is the minimum to be performed, may not be decreased, and can be increased at the
request of the Local IC & SOx Manager with the concurrence of the Regional IC & SOx Manager.
Appendices
a) Detailed Test Sheet Example
10. Remediation
Requirement
When the IC & SOx team identifies control deficiencies, management and process owners must implement
controls to address the financial statement assertions and risks that are not being met. Remediation and retesting
must occur as soon as practical in order to address the risk of an ineffective control as well as to ensure that the
control can in fact be remediated and retested prior to year-end to avoid a terminal deficiency which may
aggregate with other deficiencies to be something more than a deficiency. The IC & SOx team updates process
documentation and confirms successful implementation of the remediated controls via full sample testing in
order to conclude upon operating effectiveness prior to year-end and before filing the 20F.
Definition
Remediation consists of:
Approach
For the identified control deficiencies, the IC & SOx team works with management/process owners to:
1) Understand the Deficiency: IC & SOx team must document an accurate understanding of the nature and
implications of the deficiency, root cause, as well as its potential impact on the financial statements, and
identify the financial statement assertion(s) that is(are) not being supported as a result of the deficiency.
2) Develop a resolution to remediate it and define remedial actions, ensuring that the remediation activities
comply with the following requirements:
a) Set a due date for the responsible process owner/manager of the control executor to execute
remedial actions that is in line with the overall deadlines set by the Corporate team and/or the
Regional Lead
b) Ensure that remedial actions to address root cause(s) are identified and agreed upon with the action
owner
c) Ensure that agreed actions, once performed, will resolve the control gap identified
d) Ensure that action owners are committed to the deadlines set for each individual item
e) Ensure that each control gap is effectively resolved so that the control will not result in an exception
during remediation testing
f) Report on progress and status of remediation in a timely and reliable manner
g) Ensure that remediation of control design gap is complete/approved after the
walkthrough/verification has confirmed effective implementation
3) Add control deficiency details, including compensating controls, remedial actions, responsible persons, and
due date to the Control Gap Summary Report - “Master STE Report”
4) Monitor remedial actions:
a) Monitor the timely execution of remedial actions by regularly discussing progress with each action
owner
b) Update Control Gap Summary Report - “Master STE Report”
c) Escalate to the IC & SOx Regional Lead and site director/controller in cases where deadlines are not met
d) Perform control walkthrough (for design gaps only)
e) Upon confirmation of remediation implementation:
i. Schedule and execute control walkthrough
ii. Test remediated controls
iii. Update SOx documentation (in case of control design gaps)
5) Identify whether there is a terminal deficiency (unremediated or not fully tested prior to year-end), by
assessing whether there is a reasonable time period prior to year-end with sufficient sample to perform a
credible test. Compensating controls do not bear on whether it is a deficiency or not; refer to Deficiency
Evaluation Guidance.
6) All control gaps, whether design or operating effectiveness, are reported to Management at the time of
discovery as well as during local Steering Committee or similar SOx status meetings.
Appendices
a) Control Gap Summary Report – “Master STE Report”
11. Deficiency Evaluation
Requirement
At year-end, the IC & SOx team is required to evaluate, singly and in aggregation, all open internal control
deficiencies over financial reporting (ICFR) and report the results to management, the audit committee, and/or
the SEC as appropriate. All deficiencies identified through SOx testing, Internal Assurance, and External Auditors
are to be included in the evaluation process.
Definition
A terminal deficiency is one that is not remediated or not fully tested prior to year-end, and therefore cannot be
concluded upon as effective. The deficiency evaluation process is the act of evaluating all terminal deficiencies,
singly and in the aggregate, using both quantitative and qualitative criteria, to determine the severity of the
deficiencies (deficiency only, significant deficiency, or material weakness).
Approach
1) Identify whether there is a terminal deficiency (unremediated or not fully tested prior to year-end).
Compensating controls do not bear on whether or not it is a deficiency (refer to 2.c. below).
3) Perform deficiency aggregation evaluation. The Evaluators need to consider whether deficiencies aggregate
according to one or more of the following key relevant factors:
a) By significant account line
b) By financial statement assertion
c) By major business process
d) By control type or group
e) By period-end
Based on the steps performed in a – e above, the Evaluator decides on the aggregation of the deficiencies
and documents the evaluation.
4) Regional IC & SOx Lead Review: Evaluator’s decisions on all control deficiencies evaluated as terminal
deficiencies will be reviewed and signed off by Regional IC & SOx Leads. Determination of a Material
Weakness will be reviewed and signed off by the Head of Finance for AM.
5) Management Reporting: The Evaluator must communicate the results of his/her evaluation process as
required by the SEC and Auditing Standards: All deficiencies, to management; Significant Deficiencies, to the
Audit Committee of the AM Board of Directors; Material Weakness, public disclosure in annual financial
report (20F).
Appendices
Note: The following appendices contain examples of deficiency evaluation. Deficiency evaluation MUST be
documented; the following formats are recommended for use unless the relevant Regional Lead elects a different
form of documentation.
12. Supplemental Guidance on Specific Focus Areas
Definition:
1) The concept of ELC (Entity Level Control) / CLC (Corporate Level Control) has been redefined:
a) The former CLC concept, “Company Level Control”, was the commonly used designation for Corporate level
activities, for example those directed or managed in the London or Luxembourg headquarters. This
concept will be replaced, following the COSO approach, by ELC (Entity Level Controls), meaning “entity” as
in the ArcelorMittal Group.
b) The former ELC concept was linked to the operating units/entities of the Group, such as AM Distribution
France, for example. Today the concept of ULC (Unit Level Controls) is used when discussing this type of
control as it relates specifically to operating units.
c) Refer to the ELC RCM and ULC RCM located in the appendices of this Guidance.
SOx Testing
The general principles of testing ELCs and ULCs are the same as those for testing other types of controls.
Inquiry, observation, inspection/examination and re-performance, or some combination of these, is an acceptable
testing process. Due to the pervasive nature of these controls and their importance in setting the “tone at the
top”, ELCs cannot be tested by inquiry only. ELCs and ULCs will be tested on an annual basis, as soon in the SOx
process as is practical. For those ULCs tested at local level, the units will be required to provide a written sign-off
of the testing results to the respective Regional Lead, who in turn will sign off to Corporate SOx.
On an annual basis, ELCs will be tested centrally with the support of Internal Assurance.
Appendices:
a) ELC Framework
b) ULC Framework
12.2 High Level Review Controls
Requirement
High level review controls are often used in place of lower level transactional controls for SOx assessment
purposes and therefore great care must be taken to conclude on the design and operating effectiveness of such
controls. All regions/entities IC & SOx teams are required to execute work documenting such; all deficiencies
must either be remediated immediately by Management or the IC & SOx teams cannot use such controls for their
SOx assessment, but must select alternative controls for testing.
Concept
The main purpose of the framework of Internal Control over Financial Reporting is to ensure its reliability.
Reliability means that, with reasonable assurance, it can be asserted that the financial reporting is free of any
material misstatements. The purpose of High-level review controls is to act as a second-level of defense, to timely
identify and correct any (material) misstatements which were not identified by controls performed at a
transaction-/process-level.
In a few cases, high-level review controls will stand alone, providing sufficient comfort that an accounting assertion
is properly met.
High-level review controls focus on determining the reasonableness of the (financial) information and an in-depth
follow-up investigation when this information shows an excessive deviation compared to another reference
information. This reference information can be prior-period actual information, budget or forecast information,
external information or a combination of these.
SOx Testing
For assessing the design effectiveness, the IC & SOx team considers the following criteria:
1) Written instructions provided to reviewers for how to conduct the review (timing, who is to perform,
reports/data to be used, formats of review materials/presentations, definitions of terms as well as of
calculations, level of precision required, etc.), all of which are evidence of Design.
2) Level of precision: a control designed to identify unexplained deviations over Euro 10 mio. is obviously less
effective than a control designed to cover amounts over Euro 1 mio. Setting of appropriate deviation
thresholds is an essential part of the control design.
3) Periodicity: a monthly control frequency will give more assurance than a quarterly one.
4) Level of follow-up: without follow-up and (if necessary) correction of any misstatement in the financial
accounts, no control is effective.
5) Suitability of the reference used for comparison. Budget information can be used for comparison, but while
doing so, it must be clear whether the underlying assumptions are still matching reality.
It is equally important that the proper execution of the control is evidenced. This
can be, for example, through minutes of management review meetings recording conclusions, decisions and any action
points, but also through visible remarks and notes left on the report itself. As a high-level review control almost always
relies on a report, the IPE requirements (section 12.6) apply to that report as well.
Lastly, the timing of the control execution (including completion of the analysis and explanation of any significant
deviations) is critical. A review can only be considered effective for the last closing period if it is concluded
before BPM closure.
12.3 Third Party Service Organizations
Requirement
Management retains responsibility for internal controls over activities outsourced to third parties. Management
must demonstrate that relevant controls exist over information sent to third parties, over activities performed
by third parties, and over work received from third parties. The IC & SOx team identifies and tests Management’s
controls over relevant third parties as required.
Definition
Service Organization: the entity (or segment of an entity) that provides services to a user organization. User
Organization: the entity that uses a service organization and whose financial statements are being audited.
Management is to have a process in place to monitor and track service provider activities annually. Management
has various ways to assure itself that third parties have the necessary ICFR in place (e.g., SOC 1 reports) and that
it has appropriate controls around those third parties in place.
SOx Testing
The IC & SOx team tests Management’s process and approach in place to monitor and track service provider
activities annually. This includes:
1) The IC & SOx team works with management to identify the service organizations used by the Entity that
perform significant functions that affect ICFR or present an opportunity for fraud to occur.
2) The IC & SOx team works with management to identify the activities performed by the service organizations
that have an ICFR impact
3) The IC & SOx team then creates an inventory listing of service organizations & documents the processes with
the owners of those areas to identify the service organizations to be tested for SOx purposes (see Third Party
Service Organization Matrix in the Appendix).
4) The IC & SOx team documents Management’s process and tests the design and operating effectiveness of
Management’s controls (IC & SOx team does not test the third parties themselves). This could include
Management’s:
a) Review of a SOC 1 report, as defined by SSAE 16 (US) or ISAE 3402 (international)
b) Documentation and mapping of controls listed in the SOC1 report, including client control considerations
c) Tests of the controls at the service organization, including client control considerations
d) Contract with an audit firm to perform agreed upon procedures
e) Controls over completeness and accuracy of data sent to third parties based on user considerations, and
the review (at least reasonability) of work received back from third parties.
5) Understanding the SSAE 16 SOC 1 Type 2 Report – If the IC & SOx team elects to review the SOC1 reports
received by Management, they should understand the way in which such reports are produced. The IC & SOx
team needs to review the SOC1 reports and clearly understand certain aspects in order to conclude on the
design and operating effectiveness related to ICFR:
a) Period covered & Scope of audit
i. Bridge/comfort letters
b) User control considerations
c) Audit Opinion
d) Testing exceptions and remediation performed: these need to be closely monitored to ensure that the
remediation took place and was itself tested effectively
Appendices
a) Third Party Service Organization Matrix
12.4 User Access and Authorization
Requirement
A management process to control access to an organization’s assets, systems, data and applications is a
fundamental internal control. Management is required to have procedures in place to ensure that only
appropriately authorized individuals can access, update, or change information within the electronic systems or
programs as well as physical access to a building, computer room, or server. Management is also required to
have a process in place to review and approve any changes to levels of access or authorization and ensure they
are appropriate and documented (e.g. User Access Recertification). This includes when a person joins the
company, leaves the company, or their duties change.
Business Management has the responsibility to ensure that changes are communicated to IT so that the ability
to access and change data remains appropriate. Business Management also has the responsibility to ensure that system
profiles are carefully designed to be free of relevant segregation of duties conflicts (both conflicting
authorizations within a single profile and conflicts between profiles), and that profiles are reviewed and monitored
at least annually. IT Management has the responsibility for profile administration in accordance with
business requirements and sound, established security procedures.
Definition
User access is the right to have access to physical units of property as well as the ability to log in to an application,
database, or component of infrastructure (e.g., server, intranet, etc.). Management should ensure employees
have the access they need to fulfill their responsibilities, and no more. In general, persons who approve access to
systems, applications, and databases should not themselves be able to execute the transactions that grant that access.
Additionally, persons who have access to make program changes to applications in test environments may not
have access to move such changes into the production environment. Also, the number of persons with
“superuser” or “basis” levels of access should be strictly limited. The work performed by such superusers should
be independently reviewed and signed off.
Authorization is the right to execute transactions, either manually or within the application, database, or
component of infrastructure, e.g., server, intranet, etc. For example, the delegation of authority can be manual,
programmed, or both. Employees should have authorizations only within those applications, data, and/or
infrastructure necessary to perform their jobs. And the authorization should be for only those transactions
necessary. System profiles are groupings of functionalities to suit various users’ job responsibilities (e.g. sales
person, accounts payable clerk, fixed asset manager, lead accountant, etc.). A profile defines what a person can
do when he/she has access. Proper access and authorization controls protect both the company and the
employees and help to prevent potential segregation of duties conflicts from ever arising.
Access defines “where”, whereas authorization defines “what”. Meaning, “once I have access, what do I have
the ability to do?” Authorizations are usually managed through creation and assignment of system profiles, which
contain a bundle of transaction-level authorizations.
SOx Testing
The IC & SOx Teams have the responsibility to test Management’s controls to evidence that they are designed
and operating effectively by:
1) Validating that Management has a formal (documented) process and approach in place to review User Access
and Authorization.
2) Identifying applications/systems that are significant for IC & SOx testing user access and authorization.
3) Confirming that the documented User Access and Authorization Review process and procedures are
effectively designed through performing a walkthrough and a test of one. These documents are subject to the
IPE guidance and testing (refer to section 12.6).
4) Performing operating effectiveness testing to ensure the User Access and Authorization Review is being
performed as designed, including selecting a sample of users/profiles/roles to validate that:
a) Frequency is aligned with policy.
b) The designed process was followed, including that appropriate conflict resolution steps took place.
c) User Access and Authorization Review Process was approved by the appropriate personnel.
d) Confirming that changes to access and authorizations required as a result of the management review
process have been timely and correctly processed.
5) Communicating any design or operating effectiveness deficiencies to Management and working with them
to implement an appropriate remediation action plan.
6) Re-testing any deficiencies once remediated in order to close the deficiency.
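The joiner/mover/leaver reconciliation that steps 3) and 4) test can be expressed as a small script. The following is an added example, not ArcelorMittal's review procedure or any tooling described in this Guidance: it reconciles a constructed HR roster against a constructed system user export, an approval log and the previously certified state, and reports leaver accounts still active, accounts with no HR record, profile grants with no approval record, and more superusers than policy allows. The field names, the superuser profile name "SAP_ALL" and the limit of two superusers are assumptions made for the example.

```python
"""Joiner/mover/leaver reconciliation for a user access recertification.

Added illustration; this is not ArcelorMittal's review procedure or tooling.
The HR roster, system user export, approval log and last certification
below are constructed sample data. Field names, the superuser profile
name "SAP_ALL" and the limit of two superusers are assumptions.
"""
from dataclasses import dataclass
from datetime import date

SUPERUSER_PROFILES = {"SAP_ALL"}  # assumed name of the "basis"/superuser profile
MAX_SUPERUSERS = 2                # assumed policy limit on active superusers
REVIEW_DATE = date(2015, 6, 30)   # date the recertification is performed (assumed)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # LEAVER_ACTIVE | ORPHAN_ACCOUNT | UNAPPROVED_CHANGE | SUPERUSER_LIMIT
    detail: str


# Constructed HR roster: employee id -> status and termination date.
HR = {
    "E100": {"status": "active", "term_date": None},
    "E101": {"status": "terminated", "term_date": date(2015, 3, 31)},
    "E102": {"status": "active", "term_date": None},
    "E103": {"status": "active", "term_date": None},
}
# Constructed system export: user id -> HR link, lock status, assigned profiles.
SYSTEM = {
    "jsmith": {"emp_id": "E100", "active": True, "profiles": {"AP_CLERK"}},
    "mjones": {"emp_id": "E101", "active": True, "profiles": {"AP_CLERK", "SAP_ALL"}},
    "rlee": {"emp_id": "E102", "active": True, "profiles": {"FA_MANAGER", "SAP_ALL"}},
    "tkim": {"emp_id": "E103", "active": True, "profiles": {"SALES", "SAP_ALL"}},
    "svc_old": {"emp_id": "E999", "active": True, "profiles": {"SALES"}},
}
# Profile grants approved since the last certification, and the last certified state.
APPROVALS = {("rlee", "SAP_ALL")}
LAST_CERTIFIED = {"jsmith": {"AP_CLERK"}, "mjones": {"AP_CLERK"},
                  "rlee": {"FA_MANAGER"}, "tkim": {"SALES"}}


def review_access(hr, system, approvals, last_certified, review_date):
    """Reconcile the system export against HR and the approval log.

    Flags: accounts of leavers still active, accounts with no HR record,
    profiles added since last certification without an approval, and more
    active superusers than policy allows. Returns findings in a stable order.
    """
    findings = []
    for uid, acct in system.items():
        emp = hr.get(acct["emp_id"])
        if emp is None:
            findings.append(Finding(uid, "ORPHAN_ACCOUNT", "no HR record for account"))
            continue
        if emp["status"] == "terminated":
            if acct["active"]:
                age = (review_date - emp["term_date"]).days
                findings.append(Finding(uid, "LEAVER_ACTIVE",
                                        f"terminated {emp['term_date']}, still active {age} days later"))
            continue  # profile changes on a leaver are moot once the account is locked
        added = acct["profiles"] - last_certified.get(uid, set())
        for prof in sorted(added):
            if (uid, prof) not in approvals:
                findings.append(Finding(uid, "UNAPPROVED_CHANGE",
                                        f"profile {prof} added without an approval record"))
    supers = sorted(u for u, a in system.items()
                    if a["active"] and a["profiles"] & SUPERUSER_PROFILES)
    if len(supers) > MAX_SUPERUSERS:
        findings.append(Finding("*", "SUPERUSER_LIMIT",
                                f"{len(supers)} active superusers ({', '.join(supers)}), limit {MAX_SUPERUSERS}"))
    return sorted(findings, key=lambda f: (f.user, f.kind, f.detail))


if __name__ == "__main__":
    for f in review_access(HR, SYSTEM, APPROVALS, LAST_CERTIFIED, REVIEW_DATE):
        print(f"{f.kind:18} {f.user:8} {f.detail}")
```

On the constructed data the script reports four findings: mjones (a leaver whose account is still active 91 days after termination), svc_old (no HR record), tkim (SAP_ALL added with no approval) and a superuser count of three against a limit of two. Each maps to a step 4) check: d) timely processing of leavers, b) the designed process including approvals, and the superuser restriction from the Definition above. An empty result is the state the reviewer signs off on.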
Appendix
a) User Access & Authorization Detailed Test Sheet Example
12.5 Segregation of Duties
Requirement
Where practical, duties and responsibilities shall be organized such that duties are segregated. When
Management appropriately segregates duties, both system and non-system, material errors and/or fraud can be
prevented or detected in a timely manner. Where duties cannot be appropriately segregated (other than Mandatory
Conflicts, which must always be removed), Management is required to implement and execute compensating controls
that reduce the risk of errors or fraud to an acceptable level. Management should determine an appropriate frequency
for review based on risk. Where practical, Management should perform an individual SOD review when new access and
authorizations are granted to an employee; at minimum, an annual general SOD review to identify
conflicts should be performed, and those conflicts should be eliminated or mitigated as soon as possible.
Definition
Segregation of duties is a process whereby job responsibilities of individuals are separated in such a way that no
one person or small group of persons can both create and conceal errors or fraudulent activities without
prevention or timely detection. One needs to be aware that conflicts may exist between physical and system
authorizations, and controls should be in place to prevent this. The general concept of SOD is to separate custody
of assets (access), record keeping, authorization, and review/reconciliation in each business process. Segregation
of duties is one of the most fundamental, preventive, and effective internal controls in combating employee
and/or third party fraud.
SOx Testing
IC & SOx Teams have the responsibility to test Management’s controls to evidence that they are designed and
operating effectively by:
1) Validating that Management has a formal (documented) process and approach in place to review SOD.
2) Testing Management’s SOD Review process and procedures to validate the process is effectively designed
and operating effectively, including that:
a) The process was executed for individuals upon granting access/authorizations, and the general SOD
review was executed periodically, but no less than annually.
b) A pre-determined, properly constructed (complete and accurate) SOD Matrix is utilized. SOD conflicts
that are relevant to ICFR and fraud are identified and tested.
c) The process and its reports are designed so that both automated (system) and manual conflicts are included.
d) All appropriate conflict resolution steps took place: removal of access (at minimum for mandatory
conflicts) or implementation/identification of compensating controls.
e) Management has identified and monitors compensating controls for significant conflicts (IC & SOx Teams
may select a relevant sample of compensating controls to evidence operating effectiveness).
f) The SOD Review Process was approved by the appropriate personnel.
3) Communicating any design or operating effectiveness deficiencies to Management and working with them
to implement an appropriate remediation action plan.
4) Re-testing any deficiencies once remediated in order to evidence effectiveness of design and operation.
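The matrix-driven review described in step 2) can be checked mechanically once profiles are expressed as the business functions they enable. The following is an added example, not the Guidance's SOD Matrix, Results Tracker or any ArcelorMittal tooling: the functions, profiles, conflict pairs, user assignments and compensating-control register are constructed for the example, and the "mandatory"/"mitigable" severities are an assumed encoding of the document's distinction between mandatory conflicts and conflicts that may be mitigated. It checks conflicts inside a single profile (the design defect mentioned in section 12.4) as well as conflicts a user accumulates across profiles, and it reports the resolution step 2) d) requires for each.

```python
"""Segregation-of-duties conflict check against an SOD matrix.

Added illustration; not the document's own SOD Matrix, Results Tracker or
tooling. The business functions, profiles, conflict pairs, user assignments
and compensating-control register below are constructed for the example,
and the "mandatory"/"mitigable" severities are an assumed encoding of the
document's distinction between mandatory conflicts and conflicts that may
be mitigated by a compensating control.
"""

# Pairs of business functions one person must not hold together.
CONFLICT_MATRIX = {
    frozenset({"VENDOR_MASTER", "PAYMENT_RUN"}): "mandatory",
    frozenset({"PAYMENT_RUN", "BANK_RECON"}): "mandatory",
    frozenset({"POST_JOURNAL", "APPROVE_JOURNAL"}): "mitigable",
    frozenset({"GOODS_RECEIPT", "INVOICE_ENTRY"}): "mitigable",
}

# Profiles bundle transaction-level authorizations; here reduced to the
# business functions they enable.
PROFILES = {
    "AP_CLERK": {"INVOICE_ENTRY", "POST_JOURNAL"},
    "AP_PAYMENTS": {"PAYMENT_RUN"},
    "VENDOR_ADMIN": {"VENDOR_MASTER"},
    "TREASURY": {"BANK_RECON", "PAYMENT_RUN"},  # conflict built into the profile itself
    "GL_SUPERVISOR": {"APPROVE_JOURNAL"},
}

# Constructed user-to-profile assignments and compensating-control register.
ASSIGNMENTS = {
    "anna": {"AP_CLERK", "GL_SUPERVISOR"},
    "ben": {"VENDOR_ADMIN", "AP_PAYMENTS"},
    "cara": {"TREASURY"},
    "dan": {"AP_CLERK"},
}
COMPENSATING = {("anna", ("APPROVE_JOURNAL", "POST_JOURNAL")): "CC-017"}


def profile_conflicts(profiles=PROFILES, matrix=CONFLICT_MATRIX):
    """Conflicts within a single profile: a design defect to fix before any
    user-level review, since every holder of the profile inherits it."""
    found = []
    for name, funcs in profiles.items():
        for pair, severity in matrix.items():
            if pair <= funcs:
                found.append((name, tuple(sorted(pair)), severity))
    return sorted(found)


def user_conflicts(assignments, compensating, profiles=PROFILES, matrix=CONFLICT_MATRIX):
    """Conflicts across all profiles a user holds, with the required resolution:
    REMOVE_ACCESS for mandatory conflicts; for mitigable ones, the registered
    compensating control or a flag that one is still required."""
    results = []
    for user, profs in assignments.items():
        funcs = set().union(*(profiles[p] for p in profs))
        for pair, severity in matrix.items():
            if not pair <= funcs:
                continue
            key = tuple(sorted(pair))
            if severity == "mandatory":
                action = "REMOVE_ACCESS"
            elif (user, key) in compensating:
                action = "MITIGATED:" + compensating[(user, key)]
            else:
                action = "COMPENSATING_CONTROL_REQUIRED"
            results.append({"user": user, "conflict": key, "severity": severity, "action": action})
    return sorted(results, key=lambda r: (r["user"], r["conflict"]))


if __name__ == "__main__":
    for name, pair, sev in profile_conflicts():
        print(f"profile {name}: {pair[0]} / {pair[1]} ({sev})")
    for r in user_conflicts(ASSIGNMENTS, COMPENSATING):
        print(f"{r['user']:5} {r['conflict'][0]} / {r['conflict'][1]}: {r['action']}")
```

Two points the example makes concrete. First, the TREASURY profile carries a mandatory conflict on its own, so cara is in conflict through a single assignment and no user-level approval can fix it; the profile has to be redesigned. Second, ben's conflict arises only from the combination of two individually clean profiles, which is why the review has to be run on the union of a user's authorizations rather than profile by profile. A compensating control that is not in the register (drop CC-017 and anna's conflict turns into COMPENSATING_CONTROL_REQUIRED) is the gap step 2) e) is looking for.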
Appendices
a) Segregation of Duties Matrix
b) Segregation of Duties Results Tracker
12.6 Information Produced by Entity (IPE)
Requirement
Management is required to ensure and demonstrate that relevant information used throughout a business
process is complete and accurate. This would include the required minimum standards that Management has in
place for protecting the integrity, confidentiality, and accuracy of financial data contained within significant end-
user developed applications, including spreadsheets. Management should have a process in place to ensure that
applications and other end-user computing mechanisms such as spreadsheets used to prepare or support entries
to ArcelorMittal financial records are properly designed and operating effectively, protected from intentional or
unintentional alteration, and that access is properly restricted to those that use the applications or spreadsheets
in the performance of their duties.
The IC & SOx team is required to test how Management ensured and demonstrated that the information used in
relevant internal controls over financial reporting (ICFR) was complete and accurate.
Definition
IPE is information produced by the entity and used in the execution of a business process. IPE is often used for
Management review purposes and as such it is frequently used in ICFR. When used as part of ICFR, the
effectiveness of an internal control depends on the accuracy and completeness of the IPE and it is also considered
audit evidence. There are various types of IPE, for example: a standard “out of the box” report, a parameter-
driven report, a custom developed report, information from an end-user controlled application or database,
an Excel spreadsheet, and manually prepared documents.
1) Identify IPE - Determine if the relevant control uses IPE and understand which aspects of the IPE are important
to the effectiveness of the relevant control. To assist in this determination, complete the IPE section
questions in the Standard RCM. For each relevant control where IPE is used, an IPE test plan is to be
completed each year.
2) Testing Management’s Process – Determine whether the control (user) sufficiently validates the accuracy
and completeness of the IPE through usage or whether the control (user) is dependent upon other controls.
Based on the results of the questions from the RCM, determine the testing approach:
a) Validate through usage – Process of using the IPE to validate the accuracy and completeness to a
reasonable level. It is the tester’s conclusion, as documented in the detailed testing sheet that will be
used to reach that determination.
b) Verification of IPE - If Management cannot validate the IPE through usage, then Management is required
to verify the accuracy and completeness of the IPE through other procedures. The IC & SOx team is to
test Management’s process to verify the accuracy by testing the following:
i. Management’s verification that the report configuration is correct (applies to automated and manual
reports).
ii. Management’s verification that the arithmetic is correct (mathematically accurate).
iii. Management’s verification that the user-entered parameters are correct.
IT change management procedures may have an impact on baselining the configuration or mathematical
accuracy of reports, but cannot be used to baseline user-defined parameters or to satisfy the
completeness aspect of IPE. Where formal ITGC procedures were documented and tested only after the
development of a particular report that has been identified as IPE, Management is required to
(re)execute user acceptance testing to formally verify the configuration of the report (item
selection, mathematical algorithm, etc.).
c) Testing IPE relevant end-user computing applications and/or spreadsheets to validate that:
i. There are controls in place for protecting the integrity, confidentiality, and accuracy of financial
data contained within significant end user developed applications, including spreadsheets.
ii. Applications used to prepare or support entries to the financial records are:
1) Correct in their design and operation
2) Protected from intentional or unintentional alteration
3) Controlled through restricting access to those that use the spreadsheets or applications
in the performance of their duties.
3) The IC & SOx team is to test Management’s process to verify the completeness of IPE. For example,
Management may perform one or both of the following, which can then be tested:
a) Management may have implemented additional transaction-level controls within the process intended
to ensure completeness of transaction processing. The IC & SOx team may identify such controls and
verify their operating effectiveness.
b) Management may demonstrate completeness of data by performing positive and negative testing
(confirming that every in-scope item appears on the report and that no out-of-scope item does); the
IC & SOx team may then test Management’s process for operating effectiveness.
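The checks in 2) b) (parameters, arithmetic, configuration) and 3) b) (completeness by positive and negative testing), together with the alteration protection required for spreadsheets in 2) c), can be carried out against a report and its source data in one pass. The following is an added example, not the Guidance's IPE Detailed Test Sheet or any ArcelorMittal tooling: the source ledger and the report are constructed, the field names and the control's expected parameters are assumptions, and the content digest stands in for whatever change-protection the entity applies to the report file.

```python
"""IPE verification for a report used in a review control.

Added illustration; not the document's IPE Detailed Test Sheet or any
ArcelorMittal tooling. The source ledger and the report below are
constructed; field names and the control's expected parameters are
assumptions. The checks follow section 12.6: user-entered parameters,
arithmetic, accuracy against source, completeness by positive and negative
testing, and protection from alteration via a content digest.
"""
import hashlib
import json

# Constructed source ledger the report is supposed to be drawn from.
LEDGER = [
    {"doc": "D1", "cocd": "1000", "period": "2015-06", "amount": 500.0},
    {"doc": "D2", "cocd": "1000", "period": "2015-06", "amount": 250.0},
    {"doc": "D3", "cocd": "1000", "period": "2015-05", "amount": 900.0},  # prior period
    {"doc": "D4", "cocd": "2000", "period": "2015-06", "amount": 100.0},  # other company code
    {"doc": "D5", "cocd": "1000", "period": "2015-06", "amount": 75.0},
]

# The report as handed to the reviewer. Its total foots, but D5 is missing,
# which is exactly the case an arithmetic check alone would not catch.
REPORT = {
    "parameters": {"cocd": "1000", "period": "2015-06"},
    "rows": [{"doc": "D1", "amount": 500.0}, {"doc": "D2", "amount": 250.0}],
    "total": 750.0,
}
EXPECTED_PARAMS = {"cocd": "1000", "period": "2015-06"}  # what the control prescribes


def report_digest(report):
    """Stable SHA-256 over the report content, captured when the report is
    generated and compared again at review time."""
    return hashlib.sha256(json.dumps(report, sort_keys=True).encode()).hexdigest()


def verify_ipe(report, ledger, expected_params, baseline_digest=None):
    """Return {check: (passed, detail)} for each IPE aspect."""
    results = {}
    p = report["parameters"]
    results["parameters"] = (p == expected_params, f"run with {p}, expected {expected_params}")

    recomputed = round(sum(r["amount"] for r in report["rows"]), 2)
    results["arithmetic"] = (recomputed == report["total"],
                             f"rows sum to {recomputed}, report total {report['total']}")

    source = {d["doc"]: d for d in ledger}
    wrong = sorted(r["doc"] for r in report["rows"]
                   if r["doc"] not in source or source[r["doc"]]["amount"] != r["amount"])
    results["accuracy"] = (not wrong, f"amounts differing from source: {wrong}")

    in_scope = {d["doc"] for d in ledger if d["cocd"] == p["cocd"] and d["period"] == p["period"]}
    reported = {r["doc"] for r in report["rows"]}
    missing = sorted(in_scope - reported)   # positive test: every in-scope item present
    extra = sorted(reported - in_scope)     # negative test: nothing out of scope included
    results["completeness_positive"] = (not missing, f"in-scope items absent from report: {missing}")
    results["completeness_negative"] = (not extra, f"out-of-scope items on report: {extra}")

    digest = report_digest(report)
    results["unaltered"] = (baseline_digest is None or digest == baseline_digest, digest)
    return results


if __name__ == "__main__":
    for check, (ok, detail) in verify_ipe(REPORT, LEDGER, EXPECTED_PARAMS).items():
        print(f"{'PASS' if ok else 'FAIL':4} {check:22} {detail}")
```

On the constructed report the parameter, arithmetic, accuracy and negative-completeness checks all pass while the positive-completeness check fails on D5: the total foots because the missing item never made it into the rows, which is why the Guidance treats completeness as a separate aspect that change management and arithmetic checks cannot satisfy. The digest comparison only proves the report is the one baselined at generation; it says nothing about whether that baseline was itself correct, so it complements rather than replaces the other checks.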
Appendices
a) IPE Detailed Test Sheet
12.7 Disclosure Controls
Requirement
ArcelorMittal is required to establish and maintain procedures and controls that are designed and operating
effectively to ensure that its financial statements disclose both non-financial and financial information necessary
to report material information relating to the company and its consolidated subsidiaries on a timely basis in
periodic reports filed with the SEC.
Definitions
Footnotes and disclosures are part of the public financial reports to provide explanation for activities which have
significantly influenced the Company’s financial results. If information is significant enough to cause a
stakeholder, regulator, or potential investor to alter his/her opinion of the Company’s relevant financial
information, then it must be disclosed in the public financial reports. Not properly disclosing information or an
error in a footnote is considered a financial error. Examples of footnotes and disclosure information include off
balance sheet commitments, related parties, turnover by market value (KPI), aging of trade receivables, employee
benefits, operating and capital leases, and certain elements of tax and treasury.
SOx Testing
The IC & SOx Teams have the responsibility to test Management’s process to identify and report relevant
information such as commitments that are not reported in the financial statements and should be disclosed per
MAP and evidence that such controls are designed and operating effectively by:
1) Validating that Management has a formal (documented) process and approach in place to identify and review
disclosures and footnotes.
2) Testing Management’s disclosure processes and procedures to validate the processes are effectively
designed and operating effectively, including:
a) Obtaining evidence that demonstrates that all relevant disclosure packages have been completed,
including evidence that the completeness and accuracy of disclosure information is confirmed with the
source departments/areas and is based on data from the accounting system (depending on the
disclosure) prior to reporting in BPM.
b) For the relevant disclosures and footnotes, obtaining evidence that the disclosure/footnote
information is completely and accurately captured in the applicable template/BPM, in accordance with
MAP and Corporate instructions.
c) Obtaining evidence that the disclosure/footnote amount is correctly reported for the appropriate
accounting period, tracing to source documents where applicable.
d) Obtaining evidence that the review of the disclosures/footnotes is performed by an independent
person, and that the review is performed prior to recording in BPM.
Appendices
a) Disclosure Control Detailed Test Sheet
13. Global Reporting
Requirement:
Regional Managers are required to provide quarterly updates on the progress of work against the Global SOx
Calendar (in the Global Status Table template) and the detailed report of control deficiencies (using the Control
Gap Summary – “STE” file). It is very important that the reporting file is completed properly and accurately with
the mandatory columns, otherwise the information coming out from the graphs will not be accurate. For
example, the “Remediation Date” column should be completed correctly so that gaps are aged properly.
Gap Reporting
On a quarterly basis the following analysis will be performed at Corporate level:
Status of open and closed gaps (business and ITGC) per region and by quarter. This shows the
evolution of open and closed gaps during the year.
Aging of open gaps (business and ITGC) per region. The SOx team is to encourage Management to close
a control deficiency as soon as practical given the facts and circumstances of each deficiency, its root cause, and
the action necessary to implement. The SOx team should then test the remediated control at the first available
instance.
o A design deficiency can be closed with a test of one.
o An operating deficiency is not considered closed until a full sample has been tested
and can be concluded upon (refer to the sample size guidance in Section 9).
Each Regional Lead should have a process in place so that deficiencies identified by Management testing, external
auditors, and Internal Assurance which have been assessed to have an impact on ICFR and/or fraud are
reported in a timely manner.
Depending on the ongoing SOx activities during the year and the 20F filing date, the reporting frequency may
vary from quarterly to monthly, or weekly. Reporting deadline will be communicated in due course by Sox IC
Corporate.
Each IC & SOx team should utilize the gap report template (Control Gap Summary – “STE”) to enter all gaps
identified and agreed with Management. Gap information entered will be utilized to assess the potential severity
of an open control gap on an interim basis and at year end, and to produce the global status of the gaps for the SOx
Regional Leads meeting and segment CFOs. The deficiency template has been designed to log deficiencies and
communicate them to Corporate. Based on the status of deficiencies reported in the template, gap analysis will be
performed, summarized and then reported to the Head of SOx, the SOx Regional Leads and segment CFOs.
Appendices
a) Global Status Table
b) Control Gap Summary – “STE”
14. Quality Assurance Review
Introduction
The SOx Act of 2002 requires Management to conduct an assessment of ICFR and Fraud controls and, based on
this assessment process, to make an assertion regarding the design and operating effectiveness of the Company’s
overall ICFR and Fraud controls. This assessment is to be supported by evidence that supports the conclusion
Management has come to regarding the overall effectiveness of ICFR and Fraud controls.
Management’s assessment process is separate from the examination and conclusion of the DE and OE of specific
control activities and should not be confused with the assessment of such. Given the statutory nature of the SOx
requirement, Management’s process to conduct and evidence the assessment must be well-designed, executed
as designed, and carried out consistently and completely across the various entities of the Company. With the
understanding that Monitoring is part of the internal control process, and that unmonitored processes inevitably
degrade over time, a SOx Process Quality Assurance Program has been implemented and will be conducted
annually.
The overall AM SOx program methods and procedures are embodied in a set of Guidance documents which are
annually reviewed and updated by a subset of SOx staff serving as Technical Office and then reviewed and
approved by Global SOx Head and Regional General Managers and Managers. The Guidance is intentionally more
principles-based than prescriptive because AM is a very diverse company, operating various businesses in many
countries of the world, in a federated or decentralized manner. Therefore, the SOx assessment process must be
flexible enough to accommodate different situations which are best known to SOx staff closer to the businesses
than is possible at the center. This reality is counterbalanced by the need to have a documented, complete,
accurate, and above all credible SOx assessment worldwide. Management who make the ICFR assertion, external
auditors who rely upon the IC and SOx Teams’ work, and regulators must have assurance of this credibility.
The AM SOX Guidance, then, is composed of Program Elements (e.g., Risk Assessment, Significant Account
Selection, Walkthrough and Documentation, Testing, etc.) and various templates used to support the Elements.
In addition, certain focus areas, such as SOD, IPE, and others, are also required to be covered in the SOx
assessment process in every Region. Further, some details of execution of Elements and focus areas are
prescribed in the Guidance, for example, minimum sample sizes, some aspects of RCM format, and the minimum
number of controls to be tested in Rollforward. The Guidance is clear regarding what Elements are prescribed,
i.e. required to be executed, and which templates and other aspects of Execution are prescribed. Whatever is not
prescribed in Guidance is left to the experience and judgment of the Regional GM’s to execute as they think best.
The intent of the Annual SOx QAR program is to enable consistency and quality; not to challenge management’s
assessment, nor to second-guess GM’s judgment in non-prescribed areas of execution, nor perform detailed
reviews of minute, insignificant details. The program will follow the design of the Guidance, i.e. it will be
composed of principles-based elements and prescribed actions. The overarching objective of QAR is to answer
the following: First, have the required Elements and focus areas of the SOx process been executed, and where
details of execution are requirements, were those requirements met? Second, does the evidence collected to
support the SOx teams’ testing conclusions actually support the conclusions reached such that AM Management
can credibly make the required assertion regarding the DE and OE of ICFR and Fraud controls?
High-level process: Program Manager Kickoff announcement to SOx organization followed by Data
Request, Review of Data, Preparation, Validation, Publication of QAR Report. Monthly Follow-up on
identified Non-Conformances with reporting to Global SOx Head and Regionals
Execution Details:
o Sample-based selection of entities for QAR, 3 per region at minimum, with 2 of the 3 selected by the
respective Region heads and 1 by the Global head.
o For consistency and repeatability, templates will be used for conducting and recording/reporting
QAR testing
o A scoring process will be employed, using the ISO concept of Conforming or Non-Conforming in
so far as practicable
o Areas for Improvement may be identified which are suggestions beyond those which are Non-
Conformances
o Non-Cooperation, as in case of failure to deliver testable documents timely, will be considered
evidence of Non-Conformance and referred to Global SOx Head for resolution
Appendices
c) QAR Timeline
d) QAR Information Request
e) QAR Work Program