
Company X

Planning Document Sarbanes Oxley Compliance

Reporting Period: Year Ending December 31, 2017


Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017

TABLE OF CONTENTS

1. Introduction / Background ......................................................................................... 3
2. Approach for Sarbanes Oxley Compliance .............................................................. 4
3. Materiality and Scoping ............................................................................................. 6
4. Compliance Structure ................................................................................................ 7
5. Entity Level Risk and Control Assessment .............................................................. 8
6. Documentation ........................................................................................................... 9
7. Assess Design Effectiveness .................................................................................. 10
8. Assess Operating Effectiveness ............................................................................. 11
9. Remediation .............................................................................................................. 12
10. Process for Executive Certification ........................................................................ 13
11. Exhibits...................................................................................................................... 14
Exhibit 1: Materiality .................................................................................................................. 14

1. Introduction / Background
Section 404 of the Sarbanes-Oxley Act of 2002 (the Act) requires management of every public company to file
an internal control report with the annual report. In May 2003, the Securities and Exchange Commission voted to
adopt final rules governing management's reporting on internal control over financial reporting.
Company X (the Company) is required to include a management report on internal controls over financial reporting
that contains the following elements:
• A statement of management's responsibility for establishing and maintaining adequate internal controls and
procedures for financial reporting
• A statement identifying the framework used by management to evaluate the effectiveness of internal control
over financial reporting
• Management's assessment of the effectiveness of internal control over financial reporting as of the end of the
Company's most recent fiscal year; and
• A statement that this annual report does not include an attestation report of the Company's registered public
accounting firm regarding internal control over financial reporting. (Management's report was not subject to
attestation by the Company's registered public accounting firm pursuant to temporary rules of the Securities and
Exchange Commission that permit the Company to provide only management's report in this annual report.)
The Section 404 certifications are signed by the CEO and CFO. Management will be required to make its own
assessment for the fiscal year ended December 31, 2017.

2. Approach for Sarbanes Oxley Compliance
COSO updated the 1992 internal control framework (Old Framework) with a new integrated framework in 2013
(New Framework) in the spirit of continuous improvement, given the extent of change over the last two decades.
While the new framework retained the core definition of internal control and the five components of internal control,
the most notable change it brought was the explicit introduction of 17 principles representing fundamental concepts
associated with the five components of internal control. Supporting each principle are points of focus, representing
important characteristics associated with the principles; these points of focus are intended to assist management
in designing, implementing and conducting internal control and in assessing whether relevant principles are present
and functioning.
Together, the components and principles constitute the criteria, and the points of focus provide guidance that will
assist management in assessing whether the components of internal control are present, functioning and operating
together within the organization.
The Company transitioned to the new framework in the preceding two years, making enhancements to existing
documentation to ensure adherence to the defined principles. The Company's approach towards compliance with
the Sarbanes Oxley Act during FY 2017 will largely stay unchanged and will include the following key activities:
• Engage Bough to work with management in connection with its Sarbanes Oxley compliance program
• Follow the COSO 2013 framework for documenting and testing internal controls, including review of changes
in rules and requirements as needed
• Planning and Scoping: review documentation to ensure adequate coverage of:
- Significant accounts and disclosures
- Key business processes / cycles, mapped to significant accounts and disclosures
• Entity Level Risk Assessment
• Process Level Risk Assessment
- Identify financial statement misstatement risks and relevant assertions for significant accounts
- Identify the control objectives for each key process that mitigate such risks
• Documentation Updating
- Update documentation / process narratives for key processes (using prior year documentation and making
edits as necessary)
- Review key controls mitigating the key risks in existing control matrices and document additional controls,
as necessary
- Review and evaluate the IT environment and controls in accordance with COBIT
• Assess control design effectiveness by performing walkthroughs of key controls
• Remediate design gaps, if any, including designing and implementing solutions for control gaps and
weaknesses identified in prior periods
• Test operating effectiveness
- Develop / update test plans
- Testing
- Evaluate test results
• Design and implement solutions for control gaps, if any, which may be identified during the testing of operating
effectiveness of controls
• Final Evaluation
- Identify, understand and assess deficiencies, including compensating controls
- Assess the likelihood / potential magnitude of misstatement
- Determine classification of deficiencies, if any
- A Project Conclusion Memorandum will be prepared to conclude on management's assessment of internal
controls over financial reporting
• Reporting
- Reporting of management's assessment on internal controls over financial reporting

3. Materiality and Scoping
Materiality is used to identify significant accounts and to determine the financial impact of key control exceptions.
It is based on the assumption that a reasonable investor would not be influenced in investment decisions by a
fluctuation in net income less than or equal to 5%, including a series of fluctuations in financial statement line items,
as long as the net change was less than or equal to 5%. Working materiality levels for control deficiencies are based
on PCAOB Auditing Standards (principally AS2 and AS5), which require significant control deficiencies and material
weaknesses to be reported to the Audit Committee under Section 302.
Materiality for the Company has been determined at $244,575, considering the extrapolated financial performance
and statements for the period ended December 31, 2015 and using 5% of net income as the basis for the calculation,
excluding the impact of one-time special
The key processes of the Company that have been determined to be in scope for FY 2017 are listed below:
S. No.  Process
1       Revenue Recognition & Accounts Receivable
2       Purchasing and Accounts Payable
3       Treasury
4       General Accounting and Financial Reporting
5       Taxation
6       Human Resources and Payroll

In addition to the above, based on qualitative considerations, management also decided to include in the scope
of internal controls the process around covenant compliance.

6
Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017

4. Compliance Structure
The Company's compliance structure, along with the roles and responsibilities of individuals, is listed below:
Executive Officers (CEO, President and CFO)
- Ultimate ownership of the project
- Ensure continuous support and visibility for SOX compliance
- Provide day-to-day support and an executive point of contact for project issues and deliverables review /
feedback
- Oversee the project and provide assistance for on-going compliance efforts
- Provide assistance in gaining access to internal or external resources needed to successfully complete the
SOX compliance project
- Continuously appraise the progress of the SOX compliance project
Process Owners
- Provide subject matter expertise and representative input regarding internal control process design and
operation for the functional area they represent
- Responsible for documentation update and control assessment
- Monitor and report changes on a quarterly basis
External Consultants
- Support management in the following:
o Project planning and scoping
o Guidance on SOX compliance and developments
o Review of design, testing controls and operating effectiveness assessment
o Review of changes, document updates and development of overall policies
Audit Committee
- Oversee the Company's Sarbanes Oxley Compliance Program

7
Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017

5. Entity Level Risk and Control Assessment
The COSO Internal Control Integrated Framework requires that risks and controls be assessed at both the entity
and the activity level. The Company has process narratives and control matrices to support its assessment at the
activity level. As part of the entity level controls assessment, the Company relies on the completion of questionnaires
and / or on the existence of certain key elements / components in the organization. The Company currently documents
its controls as they relate to each of the following components of COSO in a narrative. Management will review
such documentation and evaluate the adequacy of controls against best practices as part of its entity level controls
assessment in FY 2017:
• Control Environment: Sets the tone for internal controls (i.e. structure and discipline)
• Risk Assessment: The entity's identification and analysis of relevant risks to achieving its objectives
• Control Activities: Includes the policies and procedures that help ensure management directives are carried out
• Information and Communication: Processes and systems that support the identification, capture and exchange
of information
• Monitoring: Consists of the processes that assess the quality of internal controls

Adequate evidence will be obtained to support management's assertions on the effectiveness of the entity level
controls. This will include completing questionnaires based on inputs / responses received from select members of
senior management.

8
Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017

6. Documentation
The Company will review its documentation of key processes and make an effort to identify and optimize key
controls while making sure that control objectives are met effectively. The steps that will be followed are as follows:
• Update procedures and controls for significant processes
• Review the mapping of control objectives to financial statement line items and ensure that relevant assertions are
addressed
• Ensure that control objectives are met effectively within each process / sub-process
• Establish new controls where necessary to meet key assertions

9
Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017

7. Assess Design Effectiveness
Tests of design effectiveness are concerned with whether a control is capable, if operating effectively, of preventing
or detecting significant misstatement in the related financial statements, and whether the entity is using the control.
The Company will perform walkthroughs across processes to assess the design effectiveness of controls as part of
its Sarbanes Oxley process for the current year; since there haven't been significant changes to the processes and
controls from earlier years,
The procedures that the Company will perform to obtain audit evidence regarding the design of controls in 2017
include the following:
• Inspection of documents and records, and
• Inquiries of appropriate entity personnel

The following will be considered in connection with testing the design:
• The risks that the control helps to mitigate
• The frequency of the control
• Competence / experience of the person performing the control (if a manual control)
• The nature and size of misstatements the control is likely to detect

8. Assess Operating Effectiveness
The key controls will be tested in order to validate that the controls are operating effectively. Tests of controls will
include observation, inquiry, inspection and re-performance. The results of the testing will be summarized and
retained to facilitate reviews by management.
Subsequent to the completion of the control testing, the Company will identify control gaps and opportunities to
improve the efficiency and effectiveness of its processes and internal control structure.
For Information Technology, a review of the general computer controls and the application controls will be performed
during the current year, with compensating or complementary controls, including activity level manual controls,
being identified for deficient / non-existent information technology controls.

Sampling Guidance
The following is the guidance for sample sizes relative to the frequency of performance of the control activity,
irrespective of the risk rating of the process.
Frequency of Control Performance    Number of samples
Quarterly                           2
Monthly                             4
Weekly                              8
Daily                               25
Continuously / Recurring            30

Exceptions
When exceptions are noted, management will either expand the extent of testing or identify and test other
compensating and complementary controls.

9. Remediation
In the event that control testing results in certain control gaps between the desired and actual control performance,
design deficiencies or other exceptions, the Company will identify such gaps and exceptions and design control
improvements and / or new controls as appropriate.
All exceptions identified during the course of testing will be updated on a summary sheet for each process subject
to tests. Management will identify compensating / complementary controls and ascertain that such controls are
functioning properly.

10. Process for Executive Certification
The completion of the tasks discussed in this planning document will support the Section 404 certifications by the
Company's CEO and CFO. The following tasks will be completed in obtaining the certifications:
• Summarize and present the results of the Section 404 compliance process, including the results of internal
control testing
• Draft certification language and obtain approval of corporate legal counsel on the certification language
• Obtain physical signatures for the certifications
• File signed certifications with the Company's annual report on Form 10-K
The Company will maintain adequate supporting documentation and will summarize the results of the procedures
along with its assessment of the individual controls. Any exceptions or suggested improvements will be addressed
accordingly. Company information will be made available to the external auditors, as needed, to enable them to
place reliance on such information in connection with their testing, if any.
Ongoing Plan
The Company will review and update its Section 404 plan, as needed, based on new professional guidance and
interpretations, as well as changes to the Company's operations and internal controls. Internal reviews of the plan
will occur before test work commences. A new plan will be adopted each year in advance of the next year's
certification process.

_______________________________________

CEO

_______________________________________
Chief Financial Officer

11. Exhibits
Exhibit 1: Materiality
Application of Materiality
In determining materiality, the Company considers the guidance provided in the summary to Staff Accounting
Bulletin No. 99, Materiality, which states: "This bulletin expresses the views of the staff that exclusive reliance on
certain quantitative benchmarks to assess materiality in preparing financial statements and performing audits of the
financial statements is inappropriate; misstatements are not immaterial simply because they fall beneath a
numerical threshold." Thus, due significance is also placed on non-quantitative factors.
Under Section 302 / 404, the Company shall review the disclosure controls and procedures, identify all control
exceptions and:
• Determine which are internal control deficiencies
• Assess each deficiency's impact on the fair presentation of the financial statements
• Identify and report significant control deficiencies or material weaknesses to the Board of Directors, the Audit
Committee and the Company's independent auditor

Exceptions to General Rules
While the above section details the rationale to determine materiality for scoping purposes, the types of financial
statement effects or exceptions are categorized into:
• The actual financial statement misstatement or error
• An internal control deficiency caused by the failure in design or operation of a control
• A large variance in an accounting estimate compared with the actual amount
• Financial fraud by management or other employees affecting the Company's reported financial position and
results of operations.

Exception 1: Misstatements or Errors
Actual financial statement misstatements or errors are considered uncorrected / unrecorded misstatements. These
errors can be categorized into:
• Incorrectly recorded financial statement amounts. Transactions recorded incorrectly because they are in the
wrong amount or the wrong account. The latter could lead to their being improperly accounted for in accordance
with GAAP.
• Financial statement amounts that should have been recorded but were not. These misstatements can be
computed to an exact dollar amount. The materiality evaluation process would be to review each item
individually and then all items in the aggregate.
The above errors might be identified by the Company's independent auditors during the course of their financial
audit, or as part of the Sarbanes Oxley testing performed by management or the independent auditors. Any
uncorrected / unrecorded misstatement that approaches 1% of revenue could cause a material misstatement in the
Company's financial statements. Appropriate qualitative analysis would be undertaken to determine whether a
material misstatement actually occurred. In reviewing the materiality of uncorrected / unrecorded misstatements,
errors will fall in one of three ranges: inconsequential, consequential or material misstatements.

Small uncorrected / unrecorded misstatements having no consequence on the financial statements would not be
considered, based on the premise that only a small number of these items exist. A large number of like errors would
be accumulated and be considered as a single error.

Exception 2: Internal Control Deficiencies
An internal control deficiency caused by the failure of a control is required to be disclosed under sections 302 and 404.
PCAOB Auditing Standards (principally AS2 and AS5), An Audit of Internal Control over Financial Reporting
Performed in Conjunction with an Audit of Financial Statements, define the materiality levels SEC registrants
should use to determine the materiality of control deficiencies.
Any internal control failure could be a control deficiency. Such deficiencies could be the result of a failure in control
design or operation. A design deficiency occurs when there is an insufficient amount of internal control or control
activities to achieve a control objective; an operating deficiency occurs when an adequately designed control does
not operate effectively. According to Auditing Standard No. 2, such deficiencies can be significant deficiencies or
material weaknesses if they result in a large enough impact on the financial statements.
There is a three-part range of materiality levels based on the Auditing Standards.
Control deficiencies shall be considered consequential if they would result in more than a remote likelihood that a
misstatement of the Company's annual or interim financial statements that is more than inconsequential will not be
prevented or detected. All consequential control deficiencies shall be reported to the Audit Committee under
Sarbanes-Oxley section 302 paragraph 5(a).
Inconsequential control deficiencies fall short of the consequential range.
A significant deficiency causing a material misstatement shall constitute a material weakness. According to the
PCAOB definition, a material weakness is a significant deficiency or combination of significant deficiencies that
results in more than a remote likelihood that a material misstatement of the annual or interim financial statements
will not be prevented or detected.
The working materiality ranges for both uncorrected / unrecorded misstatements and for control deficiencies shall
thus range from inconsequential to consequential to material misstatements.
Uncorrected / unrecorded misstatements generally are related to control deficiencies. However, the amount of the
uncorrected / unrecorded misstatement is not necessarily the amount of the deficiency. While the amount of the
uncorrected / unrecorded misstatement is exactly the amount of the unrecorded transactions, the control deficiency
is based on the dollar volume of transactions that could have gone unrecorded before such an error was found,
based on the mitigating controls that eventually would have detected and prevented such mistakes.
Management realizes the importance of designing adequate mitigating controls in the Company's overall internal
control plan, such that any time a control fails, there exist effective mitigating (compensating) controls that will
prevent the resulting potential financial statement error from becoming material.
The materiality of the control deficiency shall be determined based on the potential financial statement misstatement
that could have occurred, regardless of whether one actually happened and irrespective of the dollar error of any
actual financial statement mistake.
Quantitative factors play a large role in determining the potential misstatement that could have resulted from an
existing control deficiency. The PCAOB focused specifically on the likelihood of a misstatement occurring.

Exception 3: Accounting Estimates
Because estimation processes are evaluated based on their adequacy, an accounting estimate shall not be
deemed to result in a control deficiency or an uncorrected / unrecorded misstatement if it is reasonable in
light of the following:
• Available information
• Industry norms
• Review and approval by management and the independent auditors
As long as the estimation process is reasonable, it shall not be concluded that a control deficiency exists when the
actual amount is compared with the estimate, regardless of how large the variance.
Only if the estimation process is flawed, broken or unreasonable would a control deficiency be deemed to exist.

Exception 4: Fraud
Management's intent is to fairly present, in all material respects, the results of operations and condition of
assets when recording any accounting entries in the Company's books and records. Any frauds shall be disclosed
in accordance with the requirements prescribed in Sarbanes Oxley Act section 302.
Section 302 paragraph 5(b) requires that any fraud, whether or not material, involving management
or other employees who have a significant role in internal controls be reported to the independent auditors
and the Audit Committee, with a disclosure to this effect.
Sarbanes Oxley Section 303(a), Improper Influence on Conduct of Audits, states that it is unlawful for any officer or
director of an issuer, or any other person acting under their direction, to take any action to fraudulently influence,
coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an
audit of the financial statements of that issuer for the purpose of rendering such financial statements materially
misleading.
Staff Accounting Bulletin No. 99 explains that a material misrepresentation is not tied to the amount of the
misrepresentation but rather occurs whenever there was intent to misrepresent the registrant's financial position
and results of operations and such a misrepresentation occurred.
Section 303(a) concerns fraud performed for the Company by management or employees who intended to
materially misrepresent the entity's financial position and results of operations.
A fraud on the part of employee(s) or management that is against the Company follows the normal uncorrected
/ unrecorded misstatement and control deficiency materiality rules and levels. A fraud by management or
employee(s) that is for the Company falls under section 303(a).
http://www.sec.gov/interps/account/sab99.htm
