Published in Lifestyle, Technology

  • 1. SOX 404 September 26, 2005
  • 2. Agenda
    • Introduction
    • Levi Strauss & Co
    • Sarbanes Oxley – General
    • SOX program - Levi Strauss Europe
      • Project Organization
      • Roles & Responsibilities
      • Project Documentation
    • Lessons Learned
    • Questions
  • 3. Levi Strauss & Co
  • 4. Levi Strauss & Co Founded in 1853 by Bavarian immigrant Levi Strauss, Levi Strauss & Co. (LS&CO.) is one of the world's largest brand-name apparel marketers with sales in more than 110 countries. There is no other company with a comparable global presence in the jeans and casual pants markets. Our market-leading apparel products are sold under the Levi's®, Dockers® and Levi Strauss Signature™ brands. The company is privately held by descendants of the family of Levi Strauss. Shares of company stock are not publicly traded. The company employs a staff of approximately 8,850 people worldwide, including approximately 1,000 people at its San Francisco, California headquarters.
  • 5. Levi Strauss Europe Levi Strauss Europe is responsible for designing, manufacturing and marketing jeans and casual wear under the Levi's®, Dockers® and Levi Strauss Signature™ brands in the region. We have a network of 9 sales offices, 10 distribution centers and 3 production facilities, employing a total of approximately 3,000 people. Our headquarters are located in Brussels, Belgium. Levi Strauss Europe, Middle East and Africa posted revenues of $1 billion in 2004.
  • 6. Levi’s Brand Invented in 1873, Levi's® jeans are the original, authentic jeans. They are the most successful, widely recognized and often imitated clothing products in the history of apparel. Levi's® jeans have captured the attention, imagination and loyalty of generations of diverse individuals. As the inventor of the category, the Levi's® brand continues to define jeans wear with the widest range of products available, from quintessential classics, such as the famous Levi's® 501® Original jean, to favorite fits and styles in our Red Tab™ and Levi's® Premium collections.
  • 7. Dockers Brand Launched in 1986 in the United States, Dockers® brand products and marketing played a major role in the creation of a new apparel category for men's khaki pants and the shift to casual clothing in the workplace. In 1988, the brand launched Dockers® for Women, a feminine interpretation of Dockers® brand apparel. Today, the Dockers® brand has expanded to more than 50 countries in every region of the world with a complete assortment of stylish and innovative products — including a full line of tops, footwear, outerwear and accessories — for a broad range of consumers.
  • 8. Levi Strauss Signature Brand The Levi Strauss Signature™ brand was launched in 2003 exclusively for consumers who shop in the mass channel. The brand gives value-conscious consumers access to high-quality, affordable and fashionable jeans wear from a company and name they trust. The Levi Strauss Signature™ brand includes a collection of denim and non-denim pants, shirts, skirts and jackets for men, women and children all designed with the high quality construction and craftsmanship that makes Levi Strauss & Co. famous.
  • 9. Sarbanes Oxley 404
  • 10. Sarbanes Oxley 404 Internal Controls
    • Sec. 404 (Annual)
    • Management states responsibility for establishing and maintaining
    • Contains an assessment of the effectiveness
    • Outside auditor performs attestation of management’s assessment
  • 11. COSO/SAS-78 Sarbanes Oxley 404
    • 3 primary objectives
      • Operations
      • Compliance
      • Financial reporting
    • 5 primary components
      • Control environment
      • Risk assessment
      • Control activities
      • Information & communication
      • Monitoring
  • 12. Primary Objectives
    • Operations – business processes, asset protection, security
    • Compliance – legal, regulatory, industry
    • Financial reporting – investors, regulatory, banking, etc.
      • Annual reports
      • 10-Q, 10-K, etc.
  • 13. Control Environment
    • Top level control - refers to management and organizational integrity
    • AKA “tone at the top”
    • Non-process related controls
      • Codes of conduct
      • Specified remedial actions
      • Management attitude towards oversight
  • 14. Risk Assessment
    • Determine control objectives
    • Prioritize requirements
    • Identify risks
    • Determine likelihood
    • Manage risk
  • 15. Control Objectives
    • C-I-A
    • Confidential – private information is not disclosed
    • Integrity - information is not altered or corrupted
    • Available – information is not lost, erased or stolen
  • 16. Control Objectives Sarbanes Oxley 404
    • A-V-A-T
    • Authentic – acknowledged and verified
    • Valid – confirmed, approved and authorized
    • Accurate – re-computed, balanced and complete
    • Timely – expeditious, proper period
  • 17. Information & Communication
    • Does not refer to computer systems
    • Refers to overall identification, capture and exchange of information
    • Reports and analyses – external & internal information sources
    • Channels exist to report improprieties
    • Timely and appropriate follow-up actions are taken by management
  • 18. Monitoring
    • Evidence exists that internal control systems continue to function
    • Internal/external information corroborates performance & events
    • Physical/perpetual comparisons are made – inventory, assets, etc.
    • Separate evaluations are made – scope & frequency
    • Deficiencies are reported
  • 19. Identify Risks
    • Internal and external threats
    • Authorized and unauthorized actions
    • Intentional and unintentional (mistakes) activities
  • 20. Determine Likelihood
    • Aggregate level
      • Cumulative effect
    • Transaction level
      • Individual effect
    • System level
      • Environmental effect
  • 21. Manage Risk
    • Accept or ignore risk
    • Transfer risk (insurance policies)
    • Reduce or mitigate risk
      • Measure and manage
      • Teach and train
      • Reduce – take action and safeguard
  • 22. Control Activities
    • Preventative, detective and corrective
    • Organizational
      • Hiring, training & supervision (oversight)
      • Segregation – separation of duties
    • Systems
      • Physical/logical – access & authorization
      • Process controls – sequencing, balances
  • 23. Controls Testing
    • Design and operations
      • Inquiries of appropriate personnel
      • Observation regarding application of controls
      • Inspection of documents, reports, electronic files
      • Re-performance – application of controls
  • 24. Reporting
    • Measure non-compliance
    • Determine magnitude of potential risk
    • Substantiate risk of noncompliance
    • Report findings – qualified/unqualified
  • 25. SOX program - Levi Strauss Europe Project Organization
  • 26. SOX 404 - LSE
    • Management provides their evaluation of internal controls over financial reporting in their 10-K … KPMG audits the evaluation.
    • KPMG will perform a single, integrated audit:
      • Standards for the independent audit state this is an Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
    • One opinion related to Audit of Financial Statements
    • Two opinions related to Internal Control Over Financial Reporting, Sarbanes-Oxley § 404
        • Management’s Assessment
        • Effectiveness of Internal Control
  • 27. Project Organization SOX 404 - LSE
    • [Organization chart; labels only] Exec Sponsors; LSE Project Management; locations: Brussels, UK, Germany, Italy, Spain, France; LS&CO. Project Management; Location Coordinators; Management Reviewers; Process Owners; Walkthrough Performers; Finance Support
  • 28. SOX program - Levi Strauss Europe Roles & Responsibilities
  • 29. SOX 404 - LSE
    • Executive Sponsors
    • Who: LSE Staff Members
    • What:
    • Empower the organization to meet SOX deadlines and deliverables
    • Promote the project's priority
    • Meet periodically (min. once, max. twice a month) to review current status, next steps and any blocks that require executive intervention
    • Sign Off on LSE financial reporting controls and 404 management assessment process as of Nov 30, 2004.
  • 30. SOX 404 - LSE
    • Internal Audit
    • Who: European Internal Auditor
    • What:
    • Serve as SOX Champion – urging the timely completion of accurate documentation and prudent remediation of identified weaknesses
    • Provide SOX training
    • Partner with EY to perform testing and evaluation of controls, prior to location sign off
    • Clarify input on controls and risk definitions/concepts
    • Supply test plan formats and guidelines
    • Perform quality reviews and monitor after Phase II, III and IV as to completeness of documentation
  • 31. SOX 404 - LSE
    • SOX Project Manager
    • Who: Finance person who oversees the entire European SOX project
    • What:
    • Collaborate closely with the LS&CO SOX Project Manager and Location Coordinators
    • Serve as Europe’s primary SOX contact/advisor
    • Identify blocking issues and propose resolutions
    • Drive, track and report progress to Executive Sponsors and SOX Team
    • Perform Quality Assessments
    • Safeguard consistency of documentation across European affiliates
  • 32. SOX 404 - LSE
    • Location Coordinator
    • Who: Person who is able to drive the SOX agenda
    • What:
    • Ensure the completeness and timeliness of the SOX documentation
    • Maintain the remediation log
    • Maintain the LSE Location Map posted on the SOX 404 website and keep it up to date
    • Coordinate and collect the SOX documentation for transmission to the LSE/US SOX Project Manager
    • Be the main SOX contact within the location and with the LSE SOX Project Manager
    • Own the location's share of the SOX website
    • Sign Off for each business process for each phase as to complete and accurate documentation
    • Review weekly status reports with location senior management.
  • 33. SOX 404 - LSE
    • Management Reviewer
    • Who: Person who has the ability to influence the level of control of the process
    • What:
    • Perform and/or guide appropriate testing to monitor that controls are working effectively and results are documented.
    • Proactively work with managers and staff to address areas of control deficiencies
    • Ensure/monitor that as processes change, appropriate controls are implemented
    • Be involved in reviewing walkthrough and control testing results
    • Reinforce managers' and staff's responsibilities for the design of controls, execution of controls as designed and monitoring of their effectiveness
    • Maintain and validate high level controls within their area of accountability
    • Sign Off for each business process for each phase as to complete and accurate documentation
  • 34. SOX 404 - LSE
    • Process Owner
    • Who: Person who is accountable for and has the best knowledge and overview of the way of working and controls of the entire process
    • What:
    • Conduct walkthroughs of processes and sub-processes to validate all aspects of the control environment
    • Perform controls validation tests and control self-assessments.
    • Evaluate and conclude on design (walk-through results and documentation) and operating effectiveness (control testing)
    • Review testing results with management
    • Be actively involved in remediation – ensure that issues ARE resolved
    • Ensure that control design gaps are corrected
    • Ensure actions to correct ineffectively executed controls are completed and sustained.
    • If processes are changing, ensure that appropriate controls are implemented
    • Sign Off for each business process for each phase as to complete and accurate documentation
  • 35. SOX 404 - LSE
    • Walkthrough Performer
    • Who: Person who is not affiliated (independent) with the process that they are walking through. They must be able to understand the entire process as well as the controls
    • What:
    • Read through the walkthrough package then prepare and perform the walkthrough
    • Compare the actual flow of the process with the documented flow of the process
    • Determine whether processes are designed appropriately
    • Assess whether the key controls are designed effectively
    • Determine whether any key controls have been missed
    • Confirm whether the overall documentation is correct
  • 36. SOX 404 - LSE
    • Finance Support
    • Who: Finance person who supports non-finance Process Owners
    • What:
    • Assist the non-finance Process Owners in building and creating the SOX documentation
  • 37. SOX program - Levi Strauss Europe Project Documentation
  • 38. Project Documentation SOX 404 - LSE
    • Overview/Purpose
    • Review and Update Documentation
      • High-Level Flowcharts
      • Process Flowcharts
      • Process Narratives
      • Risk & Control Matrices
      • Segregation of Duties Tables
      • Walkthrough Documents
      • QA Reviews
      • Test Plans
      • Gap Tables
      • Status Reporting
  • 39. [Documentation workflow diagram; labels only]
    • Roles: Process Owner; Walkthrough Performer; Management Reviewer; SOX Team Reviewer
    • Steps: Process Owner to Support; Complete Walkthrough, Test Plans, and Doc. Updates; Review Process Documentation; Update Process Documentation; Review Walkthrough Package; QA Review; Final Review and Sign Off; Post Final Doc. to Handysoft
    • Documents: High-Level Flowchart; Process Flowchart; Process Narrative; Risk and Controls Matrix; Segregation of Duties Table; Completed Walkthrough Package; Completed Test Plans; Updated Process Documents
  • 40. Documenting Controls at the Process, Transaction, and Application Level SOX 404 - LSE
  • 41. SOX 404 - LSE
    • Asking “What Can Go Wrong” questions assists in:
      • Identifying points within transaction flow where there could be failure to achieve financial reporting objectives (including failure due to fraud)
      • Points where errors can occur that could result in misstatements in the financial statements
      • Identifying the additional questions that need to be answered to identify the appropriate controls required to cover off our financial statement assertions
      • Demonstrating this linkage = Section 404 compliance; essentially, this is why we are documenting and testing internal controls
  • 42. Identify Key Controls SOX 404 - LSE
    • The SOX team has worked with the overall process owners to review and validate the key controls
    • Key controls are:
      • The set of controls that are relied upon by management to prove the validity of its assertions underlying significant accounts, transactions and disclosures reported in the financial statements, and
      • Controls that can be tested
    • A control at the operating level needed to mitigate a “What Can Go Wrong” is a key control
    • Note: Key controls do not have to exist for EVERY risk within EVERY subprocess. Some key controls may sufficiently address the relevant assertions across several subprocesses.
  • 43. SOX 404 - LSE
    • As a reminder, the flowchart is…
        • Pictorial representation of the flow of transactions for a process, including risks and control points.
        • LS&Co.’s flowcharts have been created using the Visio program.
  • 44. SOX 404 - Controls
    • Authorization (P) – Control ensures activities are completed by individuals with proper authority
    • Segregation of Duties (P) – Control ensures proper separation between responsibilities for authorization, custody of assets, recordkeeping, and reconciliation activities
    • Reconciliation (D) – Control provides for comparison and validation of records and related balances to an independent source, with follow-up and resolution of differences
    • Management Review (P/D) – Control provides for management’s analytical review of specific activities and their outcomes for appropriateness, with necessary action taken to follow-up on unusual or exception items
    • Non-management Review (P/D) – Control provides for an analytical review by non-management (peer review, supervisory review) of specific activities and their outcome for appropriateness, with necessary action taken to follow up on unusual or exception items
    • Exception/Edit/Control Reports (D) – Reports are generated (may or may not be system-generated) and reviewed to support key control activities, with responsibility assigned for review and follow-up
  • 45. SOX 404 - Controls
    • Access (P) - Controls to ensure the ability to complete certain activities (input, authorization, review, etc.) are restricted to individuals on a need-to-know basis
    • Interface/Conversion controls (P) - Controls to ensure data is accurately and completely input, processed, or output within a system or with interfaces with other systems
    • Configuration Parameters (P) - "Switches" and/or mapping set in the system that can be turned on/off to secure data against inappropriate processing. Can also be account mapping related to how a transaction is mapped to the G/L and then to the Financial Statements.
    • Policies/Procedures - Documented policies which describe company guidelines meant to generate compliance with external rules and regulations as well as provide internal consistency. Procedures are a control used to provide guidance and educate performers and reviewers of activities.
  • 46. SOX 404 – High Level Process
    • Documentation
      • Document process, identify risks & controls
    • Validation
      • Validate that key risks are covered in the process, check whether controls are working effectively
    • Remediation
      • Take corrective action when controls are not designed properly or are not working as designed
    • Testing
      • Test controls by taking samples from population period
    • Reporting
      • Report control platform to management
    • [Cycle diagram; labels only] Report, Remediate, Validate, Document, Test
  • 47. Lessons Learned
  • 48. Lessons Learned - LSE
    • Project must be driven by the local organization
    • Have a common reporting tool in place from the start
    • Standardize processes
    • Obtain full commitment from non-financial management
    • Pre-define standard risks & controls
    • Get involvement from Auditing
    • IT support and commitment
    • Desktop applications
  • 49. Questions