
Guidance on performance of walkthroughs

SOX PROCESS WALKTHROUGH QUESTIONNAIRE

Business Unit:
BU Code: XXXX
Walkthrough signoff by:
Insert Position / Date
Insert Position / Date

PART A: INTRODUCTORY GUIDANCE INFORMATION

PURPOSE OF THIS TEMPLATE
The purpose of this template is to provide guidance to Business Units in the performance of Walkthroughs associated with Sarbanes-Oxley Act (SOX) compliance requirements. It may also be used by BU management in other matters related to the evaluation of internal controls over financial reporting. This template provides guidance information on a number of matters associated with planning and conducting Walkthroughs and evaluating the results of such walkthroughs. In addition, this template can be used as a mechanism for documenting the results of Walkthroughs. Additional guidance on this matter is provided by the Public Company Accounting & Oversight Board: Auditing Standard No.5 (PCAOB AS5).

PURPOSE OF WALKTHROUGH TESTS
PCAOB AS5 provides guidance to auditors on the purpose of walkthroughs. However, this guidance is equally useful to management if walkthroughs are conducted.

A walkthrough test aims to trace a transaction from origination through the company's information systems until it is reflected in the company's financial reports. Walkthroughs provide evidence to:
- Confirm understanding of the process flow of transactions;
- Confirm understanding of the design of controls;
- Confirm that the understanding of the process is complete by determining whether all points in the process at which misstatements related to each relevant financial statement assertion that could occur have been identified;
- Evaluate the effectiveness of the design of controls; and
- Confirm whether controls have been placed in operation.

As such, walkthroughs conducted by management provide additional evidence as to the completeness, accuracy and reliability of documentation prepared by management to support SOX compliance activities. Walkthroughs also assist in forming an opinion on the design effectiveness of internal controls. The external auditor will also be required to conduct walkthroughs to support their S404 opinion.


IS A WALKTHROUGH TEST REQUIRED?
The conduct of walkthroughs is not mandatory in relation to confirming the integrity of process, risk and control documentation. However, it is strongly encouraged that BU management ensure walkthroughs are conducted on all Significant Processes to support SOX compliance activities. This may be particularly relevant where:
- SOX documentation was not completed within a recent timeframe;
- There have been known major process/system changes within your business; and
- There have been significant personnel changes within the business that are relevant to matters covered by SOX documentation.

WHEN SHOULD A WALKTHROUGH TEST BE CONDUCTED?
There is no rule as to how often walkthroughs should be performed. However, it is recommended that walkthroughs be performed:
- To support the initial creation of documentation to support SOX compliance. This should be focused on Significant Processes; and
- Following any major business process changes where process, risk and control documentation is being updated; and
- At least annually for all Significant Processes as part of the bank's annual S404 compliance activities.

WHO SHOULD CONDUCT THE WALKTHROUGH TEST?
Ideally, walkthroughs should be conducted by personnel that are not directly involved in the process which is the subject of the walkthrough. In addition, it is useful if the walkthroughs are conducted by someone that has a good working knowledge of the relevant process. Personnel conducting walkthroughs should be conversant with effective documentation of financial processes and associated risks and controls.

IS INTERACTION REQUIRED WITH OTHER BUSINESS UNITS?
This depends on the nature of the process that is the subject of the walkthrough. If the process being evaluated has significant linkages to other business units then it is likely that you will need to coordinate the conduct of the walkthroughs with the relevant BU. Such coordination may take two main forms:

- The walkthrough involves tracing the relevant transaction through the activities and controls performed by the other BU, including interfaces between the relevant BUs. This will require a high level of cooperation and coordination between personnel responsible for the walkthroughs in each BU; or
- The walkthrough focuses on the information flow interfaces between BUs. However, no detailed walkthrough is performed in the other business unit in relation to the transaction flows under consideration. Rather, the focus is on the process transaction flow within the originating BU and how financial information is transmitted to and received from other BUs. This approach will require coordination of personnel at the relevant information interfaces within each BU.

This matter requires careful consideration and should be discussed with the Group SOX team and other BU SOX delegates where relevant.


WHAT NEEDS TO BE DOCUMENTED?
Documentation should be sufficient to enable an independent party to understand the nature of the Walkthrough conducted, the approach undertaken, the procedures performed and the outcomes achieved. Documentation would typically include:

- An outline of the approach in the walkthrough;
- Details of the personnel conducting the walkthroughs, location, time etc;
- Description of the procedures including observation, inspection, inquiry or re-performance;
- Details of any personnel interviewed;
- Details of documents/reports sighted as part of the walkthrough. You may also wish to retain copies of such documentation.
- Details of any exceptions noted and how these have been addressed.

It is recommended that walkthrough documentation be structured in a logical format and indexed to facilitate subsequent review by the external auditors.

PART B: PERFORMING THE WALKTHROUGH

The following tables detail the specific matters that should be considered when performing the Walkthrough. The Walkthrough focuses on the completeness and accuracy of documentation supporting process description and risk and control analysis. The Walkthrough tester should undertake the procedures indicated in the Description column. The method by which these procedures are commenced should be detailed in the Confirmed By column e.g. observation, enquiry, re-performance etc. Document Ref indicates where the supporting information prepared/obtained by the walkthrough tester is filed for future review.

PRELIMINARY

Procedure: Determine the subject of the walkthrough
Description: Confirm the process (and associated risks and controls) that are the subject of the Walkthrough. This should be confirmed with the relevant BU SOX delegate and CFO/SFC. Consider whether the scope includes process elements performed by other BUs.
Confirmed by:
Document ref:

Procedure: Understand the nature of the process
Description: Ensure that the walkthrough tester has sufficient knowledge of the process. Preparatory work should include:
- Initial discussion with BU personnel and relevant SOX delegate
- Review of existing SOX documentation
- Review of other relevant material e.g. Group Audit reports
Confirmed by:
Document ref:

Procedure: Request relevant activity and control related documents
Description: Following initial review of existing documentation, walkthrough tester may request examples of process and/or control documentation from the BU.
Confirmed by:
Document ref:

Procedure: Select transaction(s) to be subject to Walkthrough
Description: Sample transactions are selected to enable a walkthrough tester to take the transaction through the nominated process and to enable confirmation of process elements and the incidence of control activities, particularly Key Controls. Select a sample of transactions to be tested. Sufficient transactions should be selected to enable adequate coverage of different transaction flows (where relevant). Transactions should also be selected by reference to money value, date of transaction, source of transaction.
Confirmed by:
Document ref:


PROCESS DOCUMENTATION

Procedure: Process Elements
Description:
- Are all key process elements appropriately described?
- Are process elements in a logical order and do they represent the actual sequence of the transaction flow?
- Are the linkages between sub-processes properly described and reflective of actual transaction flows?
- Is it clear what happens to rejected transactions at each point in the process flow?
Confirmed by:
Document ref:

Procedure: Responsible persons
Description: Are the departments/personnel responsible for each process element accurately described?
Confirmed by:
Document ref:

Procedure: IT Applications
Description:
- Are the key IT applications (including end-user applications) accurately described and at the correct point in the process flow?
- Are there any IT applications that have not been included in the process flows?
Confirmed by:
Document ref:

Procedure: Input/Output Documentation
Description: Does the documentation properly describe the key documents/reports that are used in the process?
Confirmed by:
Document ref:

Procedure: Results
Description: Identify any amendments that are required in relation to the Process Flowcharts.
Confirmed by:
Document ref:

RISK MATRIX

Procedure: Risk description
Description: For each Key Risk, verify the point of occurrence of the risk and the accuracy of the description (what can go wrong). Consider whether there are any key risks that have not been identified.
Confirmed by:
Workpaper ref:

Procedure: Risk Attributes
Description: Consider whether descriptions of the following are reasonable for each Key Risk:
- Impact
- Likelihood
- Relevant Financial Statement Assertion
Confirmed by:
Workpaper ref:

Procedure: Results
Description: Identify any amendments that are required in relation to the Risk Matrix.
Confirmed by:
Workpaper ref:


CONTROL MATRIX

Procedure: Description of control
Description: Observe the actual implementation of Key Controls and review supporting materials and audit trails. Do the identified Key Controls operate in the manner described?
Confirmed by:
Document ref:

Procedure: Control attributes
Description: Consider whether descriptions of the following are accurate for each Key Control:
- Frequency
- Control owner
- Manual vs. automated
- Detective vs. preventive
Confirmed by:
Document ref:

Procedure: Control owner
Description: Confirm that the control owner has the appropriate skills and experience to undertake the control activity.
Confirmed by:
Document ref:

Procedure: Evidence of control
Description: Through observation and enquiry, confirm that there is appropriate evidence of the operation of each Key Control. For automated controls, liaison with IT may be required.
Confirmed by:
Document ref:

Procedure: Results
Description: Identify any amendments that are required in relation to the Control Matrix.
Confirmed by:
Document ref:

