

General information and instructions:

In order to ensure that the findings of our walkthroughs and testing have been communicated to the
control owners in a concise and standardized manner, we have initiated a process Closing

The SOA Closing Memorandum should be completed by the BCA responsible for each process once
the work over the process is finalized. The SOA Closing Memorandum is intended to provide a
summary of all significant findings, exceptions and recommendations noted during the
walkthroughs or testing and will aid in facilitating the closing meetings with the control owners. If
no findings or recommendations have been noted, the SOA Closing Memorandum is still required
to be completed as a means of informing the owners that no specific items were noted as a result of
our procedures.

Under each of the sections below, you will find specific instructions as to the nature of the
documentation expected. Note that these instructions/comments are in bold, blue font and should be
removed from the final document.

Note that the SOA Closing Memorandum should be completed after the completion of initial testing
(or at a time determined by the Manager) for each walkthrough and testing performed per process
and includes the findings of all controls related to the process.

1 Lexmark Confidential
SOA Closing Memorandum

Process: (Note the process and whether a walkthrough or testing was


Geography and company code: (Insert Geo and/or name of company concerned)

Prepared by: (Insert name of the preparer)

To: (Insert distribution list)

Date: (Insert date)

Corporate Business Controls performed (insert “walkthrough” or “testing”) over the (insert the name
of the process) process during (insert month and year).

Our objective was to ensure that the critical controls as noted in the (insert the name of the process)
control matrix operate according to our understanding and expectations and remain effective.

Our procedures included inquiries with key personnel as well as observation and reperformance of
critical controls on a sample basis. Additional wording can be included to describe the scope of work if
appropriate (i.e. we reviewed by US and EMEA controls related to ….).

All controls will be subject to update testing during the 4th quarter to ensure that the controls
functioned properly throughout the year.

Summary of results

Based on the work performed, we noted…

(Here, the BCA should write a brief summary of the findings while keeping in mind that the
exceptions report will be attached to the memo and will provide specific details of the issues and
their proposed resolutions. The following is an example from Khalix Access Revalidation Testing:

“We noted some control issues requiring management’s attention. The core issue noted was user
listings utilized for access revalidations and segregation of duty reviews do not contain the privileges
assigned to the user. Current listings contain user roles or groups which do not contain sufficient
detail for an adequate review of user access or an assessment of segregation of duties to be
performed and relied upon to effectively mitigate the associated risks.”)

Observations and Management Responses

Refer to Appendix 1 for a complete list of the findings over the (insert the name of the process)

(Here, the BCA will attach a copy of the completed exceptions report for the process and will
distribute the memo and attachment by email to all control owners of the process, subsequent to the
BCA Manager’s review.)

Cc: Optional 1 Optional 2

Appendix A: Detailed SOA 404 Findings and Management Response

Process Issue Management Action Close Owner

Reviewed Response Date
