levis
LSE Finance - May 2005 1
SOX 404
September 26, 2005
Agenda
► Introduction
► Levi Strauss & Co
► Sarbanes Oxley – General
► SOX program - Levi Strauss Europe
  • Project Organization
  • Roles & Responsibilities
  • Project Documentation
► Lessons Learned
► Questions
Levi Strauss & Co
Levi Strauss & Co
Founded in 1853 by Bavarian immigrant Levi Strauss, Levi Strauss & Co. (LS&CO.) is one of the world's largest brand-name apparel marketers with sales in more than 110 countries. There is no other company with a comparable global presence in the jeans and casual pants markets. Our market-leading apparel products are sold under the Levi's®, Dockers® and Levi Strauss Signature™ brands.
The company is privately held by descendants of the family of Levi Strauss. Shares of company stock are not publicly traded.
The company employs a staff of approximately 8,850 people worldwide, including approximately 1,000 people at its San Francisco, California headquarters.
Levi Strauss Europe
Levi Strauss Europe is responsible for designing, manufacturing and marketing jeans and casual wear under the Levi's®, Dockers® and Levi Strauss Signature™ brands in the region.
We have a network of 9 sales offices, 10 distribution centers and 3 production facilities, employing a total of approximately 3,000 people. Our headquarters are located in Brussels, Belgium.
Levi Strauss Europe, Middle East and Africa posted revenues of $1 billion in 2004.
Levi’s Brand
Invented in 1873, Levi's® jeans are the original, authentic jeans. They are the most successful, widely recognized and often imitated clothing products in the history of apparel. Levi's® jeans have captured the attention, imagination and loyalty of generations of diverse individuals.
As the inventor of the category, the Levi's® brand continues to define jeans wear with the widest range of products available, from quintessential classics, such as the famous Levi's® 501® Original jean, to favorite fits and styles in our Red Tab™ and Levi's® Premium collections.
Dockers Brand
Launched in 1986 in the United States, Dockers® brand products and marketing played a major role in the creation of a new apparel category for men's khaki pants and the shift to casual clothing in the workplace.
In 1988, the brand launched Dockers® for Women, a feminine interpretation of Dockers® brand apparel.
Today, the Dockers® brand has expanded to more than 50 countries in every region of the world with a complete assortment of stylish and innovative products — including a full line of tops, footwear, outerwear and accessories — for a broad range of consumers.
Levi Strauss Signature Brand
The Levi Strauss Signature™ brand was launched in 2003 exclusively for consumers who shop in the mass channel. The brand gives value-conscious consumers access to high-quality, affordable and fashionable jeans wear from a company and name they trust.
The Levi Strauss Signature™ brand includes a collection of denim and non-denim pants, shirts, skirts and jackets for men, women and children, all designed with the high-quality construction and craftsmanship that make Levi Strauss & Co. famous.
Sarbanes Oxley 404
Internal Controls
Sec. 404 (Annual)
► Management states responsibility for establishing and maintaining
► Contains an assessment of the effectiveness
► Outside auditor performs attestation of management’s assessment
COSO/SAS-78
► 3 primary objectives
  • Operations
  • Compliance
  • Financial reporting
► 5 primary components
  • Control environment
  • Risk assessment
  • Control activities
  • Information & communication
  • Monitoring
Primary Objectives
► Operations – business processes, asset protection, security
► Compliance – legal, regulatory, industry
► Financial reporting – investors, regulatory, banking, etc.
  • Annual reports
  • 10-Q, 10-K, etc.
Control Environment
► Top level control - refers to management and organizational integrity
► AKA “tone at the top”
► Non-process related controls
  • Codes of conduct
  • Specified remedial actions
  • Management attitude towards oversight
Risk Assessment
► Determine control objectives
► Prioritize requirements
► Identify risks
► Determine likelihood
► Manage risk
Control Objectives
C-I-A
► Confidential – private information is not disclosed
► Integrity – information is not altered or corrupted
► Available – information is not lost, erased or stolen
Control Objectives
A-V-A-T
► Authentic – acknowledged and verified
► Valid – confirmed, approved and authorized
► Accurate – re-computed, balanced and complete
► Timely – expeditious, proper period
Information & Communication
► Does not refer to computer systems
► Refers to overall identification, capture and exchange of information
► Reports and analyses – external & internal information sources
► Channels exist to report improprieties
► Timely and appropriate follow-up actions are taken by management
Monitoring
► Evidence exists that internal control systems continue to function
► Internal/external information corroborate performance & events
► Physical/perpetual comparisons are made – inventory, assets, etc.
► Separate evaluations are made – scope & frequency
► Deficiencies are reported
Identify Risks
► Internal and external threats
► Authorized and unauthorized actions
► Intentional and unintentional (mistakes) activities
Determine Likelihood
► Aggregate level
  • Cumulative effect
► Transaction level
  • Individual effect
► System level
  • Environmental effect
Manage Risk
► Accept or ignore risk
► Transfer risk (insurance policies)
► Reduce or mitigate risk
  • Measure and manage
  • Teach and train
  • Reduce – take action and safeguard
Control Activities
► Preventative, detective and corrective
► Organizational
  • Hiring, training & supervision (oversight)
  • Segregation – separation of duties
► Systems
  • Physical/logical – access & authorization
  • Process controls – sequencing, balances
Controls Testing
► Design and operations
  • Inquiries of appropriate personnel
  • Observation regarding application of controls
  • Inspection of documents, reports, electronic files
  • Re-performance – application of controls
Reporting
► Measure non-compliance
► Determine magnitude of potential risk
► Substantiate risk of noncompliance
► Report findings – qualified/unqualified
SOX program - Levi Strauss Europe
Project Organization
SOX 404 - LSE
Management provides their evaluation of internal controls over financial reporting in their 10-K … KPMG audits the evaluation.
KPMG will perform a single, integrated audit:
Standards for the independent audit state this is an Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
One opinion related to Audit of Financial Statements
Two opinions related to Internal Control Over Financial Reporting, Sarbanes-Oxley §404
1. Management’s Assessment
2. Effectiveness of Internal Control
SOX 404 - LSE
Project Organization
[Organization chart; boxes shown:]
► Exec Sponsors
► LSE Project Management
► Locations: Brussels, UK, Germany, Italy, Spain, France
► LS&CO. Project Management
► Location Coordinators, Management Reviewers
► Process Owners, Walkthrough Performers
► Finance Support
SOX program - Levi Strauss Europe
Roles & Responsibilities
SOX 404 - LSE
Executive Sponsors
Who: LSE Staff Members
What:
► Empower the organization to meet SOX deadlines and deliverables
► Promote the project's priority
► Meet periodically (min. once, max. twice a month) to review current status, next steps and any blocks that require executive intervention
► Sign Off on LSE financial reporting controls and 404 management assessment process as of Nov 30, 2004.
SOX 404 - LSE
Internal Audit
Who: European Internal Auditor
What:
► Serve as SOX Champion – urging the timely completion of accurate documentation and prudent remediation of identified weaknesses
► Provide SOX training
► Partner with EY to perform testing and evaluation of controls, prior to location sign off
► Clarify input on controls and risk definitions/concepts
► Supply test plan formats and guidelines
► Perform quality reviews and monitor after Phase II, III and IV as to completeness of documentation
SOX 404 - LSE
SOX Project Manager
Who: Finance person who oversees the entire European SOX project
What:
► Collaborate closely with the LS&CO SOX Project Manager and Location Coordinators
► Serve as Europe’s primary SOX contact/advisor
► Identify blocking issues and propose resolutions
► Drive, track and report progress to Executive Sponsors and SOX Team
► Perform Quality Assessments
► Safeguard consistency of documentation across European affiliates
SOX 404 - LSE
Location Coordinator
Who: Person who is able to drive the SOX agenda
What:
► Ensure the completeness and timeliness of the SOX documentation
► Maintain the remediation log
► Maintain and keep the LSE Location Map up-to-date posted on the SOX 404 website
► Coordinate and collect the SOX documentation for transmission to the LSE/US SOX Project Manager
► Be the main SOX contact within the location and with the LSE SOX Project Manager
► Own the location's share of the SOX website
► Sign Off for each business process for each phase as to complete and accurate documentation
► Review weekly status reports with location senior management.
SOX 404 - LSE
Management Reviewer
Who: Person who has the ability to influence the level of control of the process
What:
► Perform and/or guide appropriate testing to monitor that controls are working effectively and results are documented.
► Proactively work with managers and staff to address areas of control deficiencies
► Ensure/monitor that as processes change, appropriate controls are implemented
► Be involved in reviewing the walkthrough and control testing results
► Reinforce managers' and staff responsibilities for the design of controls, execution of controls as designed and monitoring of their effectiveness
► Maintain and validate high level controls within their area of accountability
► Sign Off for each business process for each phase as to complete and accurate documentation
SOX 404 - LSE
Process Owner
Who: Person who is accountable for and has the best knowledge and overview of the way of working and controls of the entire process
What:
► Conduct walkthroughs of processes and sub-processes to validate all aspects of the control environment
► Perform controls validation tests and control self-assessments.
► Evaluate and conclude on design (walk-through results and documentation) and operating effectiveness (control testing)
► Review testing results with management
► Active involvement in remediation – that issues ARE resolved
► Ensure that control design gaps are corrected
► Ensure actions to correct ineffectively executed controls are completed and sustained.
► If processes are changing, ensure that appropriate controls are implemented
► Sign Off for each business process for each phase as to complete and accurate documentation
SOX 404 - LSE
Walkthrough Performer
Who: Person who is not affiliated (independent) with the process that they are walking through. They must be able to understand the entire process as well as the controls
What:
► Read through the walkthrough package then prepare and perform the walkthrough
► Compare the actual flow of the process with the documented flow of the process
► Determine whether processes are designed appropriately
► Assess whether the key controls are designed effectively
► Determine whether any key controls have been missed
► Confirm whether the overall documentation is correct
SOX 404 - LSE
Finance Support
Who: Finance person who supports non-finance Process Owners
What:
► Assist the non-finance Process Owners in building and creating the SOX documentation
SOX program - Levi Strauss Europe
Project Documentation
SOX 404 - LSE
Project Documentation
► Overview/Purpose
► Review and Update Documentation
  • High-Level Flowcharts
  • Process Flowcharts
  • Process Narratives
  • Risk & Control Matrices
  • Segregation of Duties Tables
  • Walkthrough Documents
  • QA Reviews
  • Test Plans
  • Gap Tables
  • Status Reporting
[Figure: documentation workflow flowchart. Roles shown: Process Owner, Walkthrough Performer, Management Reviewer, SOX Team Reviewer. Documents: High-Level Flowchart, Process Flowchart, Process Narrative, Risk and Controls Matrix, Segregation of Duties Table. Steps and outputs: Process Owner to Support; Review Process Documentation; Review Walkthrough Package; Complete Walkthrough, Test Plans, and Doc. Updates; Completed Walkthrough Package; Completed Test Plans; Updated Process Documents; Update Process Documentation; QA Review; Final Review and Sign Off; Post Final Doc. to Handysoft.]
SOX 404 - LSE
Documenting Controls at the Process, Transaction, and Application Level
[Figure: diagram with the labels Inherent and Key Business Risks; Significant Accounts; Management’s Financial Statement Assertions; Significant Processes; “What Can Go Wrong?”; Controls; 2003 Financial Statements; Management Report on Internal Control; Evaluate/Monitor; Report.]
SOX 404 - LSE
► Asking “What Can Go Wrong” questions assists in:
  • Identifying points within transaction flow where there could be failure to achieve financial reporting objectives (including failure due to fraud)
  • Points where errors can occur that could result in misstatements in the financial statements
  • Identifying the additional questions that need to be answered to identify the appropriate controls required to cover off our financial statement assertions
  • Demonstrating this linkage = Section 404 compliance; essentially, this is why we are documenting and testing internal controls
SOX 404 - LSE
Identify Key Controls
► The SOX team has worked with the overall process owners to review and validate the key controls
► Key controls are:
• The set of controls that are relied upon by management to prove the validity of its assertions underlying significant accounts, transactions and disclosures reported in the financial statements, and
• Controls that can be tested
► A control at the operating level needed to mitigate a “What Can Go Wrong” is a key control
► Note: Key controls do not have to exist for EVERY risk within EVERY subprocess. Some key controls may sufficiently address the relevant assertions across several subprocesses.
SOX 404 - LSE
► As a reminder, the flowchart is…
  • Pictorial representation of the flow of transactions for a process, including risks and control points.
  • LS&Co.’s flowcharts have been created using the Visio program.
LSUS Home Office Payroll_Payroll Processing (EXAMPLE)
[Figure: example process flowchart. Swimlanes: Cost Center Managers; DataPlus, Inc.; Payroll. Prepared by: Internal Audit. Process: Payroll Processing. Process Owner: Amanda Gardner. Create Date: May 28, 2003. Modify Date: May 28, 2003. Page 1 of 2.]
Legend: PeopleSoft - Personnel Records System; DataPlus - Payroll Processing System
Boxes and control points shown in the flowchart:
  • DataPlus – C4: Transmit encrypted file to DataPlus, Inc. for processing (every Monday of Payroll week)
  • Payroll Master Maintenance
  • DataPlus, Inc processes LS&CO. Payroll
  • DataPlus, Inc. mails check or deposits to employee bank account
  • Payroll Lead – C2: Reviews proof report for accuracy and completeness (totals to be compared with actual payroll run); reruns if necessary
  • DataPlus – Autopay calculates and creates normal biweek payroll record and appended adjustments
  • Payroll Lead – C2: reviews exception report, investigates and resolves discrepancies
  • Payroll Pay Adjustments & Manual Payments
  • 2nd DataPlus Proof Report
  • Payroll Lead – C2: Reviews proof report for exceptions, resolves discrepancies and reruns payroll if necessary
  • C1: DataPlus Exception Report (gross biweek pay over $10,000)
  • 1st DataPlus Proof Report
  • Payroll Lead – C3: Locks database to prevent further changes to Payroll Master
  • Payroll Lead unlocks database to allow access to Payroll Master, and notifies General Accounting via email the file is available.
  • Payroll Lead receives files from DataPlus and places on secure General Accounting directory
  • DataPlus, Inc. generates Payroll register files and transmits files to LS&CO.
  • Payroll Accounting (Posting to G/L)
  • Payroll Specialist generates 1st DataPlus proof report detailing normal pay, adjustments, GTL and taxable income
  • Payroll Specialist generates 2nd DataPlus Proof Report which compares pay to prior period pay
  • Monthly Salary Reports
  • C8, C9 & C10: General Controls: Policies & Procedures, segregation of duties and Record Retention Policies are defined and documented
  • C7: DataPlus generates Monthly Salary Report
  • Other markers: Note 1, Note 2, Note 3, R2, R7
SOX 404 - Controls
► Authorization (P) – Control ensures activities are completed by individuals with proper authority
► Segregation of Duties (P) – Control ensures proper separation between responsibilities for authorization, custody of assets, recordkeeping, and reconciliation activities
► Reconciliation (D) – Control provides for comparison and validation of records and related balances to an independent source, with follow-up and resolution of differences
► Management Review (P/D) – Control provides for management’s analytical review of specific activities and their outcomes for appropriateness, with necessary action taken to follow-up on unusual or exception items
► Non-management review (P/D) – Control provides for an analytical review by non-management (peer review, supervisory review) of specific activities and their outcome for appropriateness, with necessary action taken to follow up on unusual or exception items.
► Exception/Edit/Control Reports (D) – Reports are generated (may or may not be system-generated) and reviewed to support key control activities, with responsibility assigned for review and follow-up
SOX 404 - Controls
► Access (P) - Controls to ensure the ability to complete certain activities (input, authorization, review, etc.) are restricted to individuals on a need-to-know basis
► Interface/Conversion controls (P) - Controls to ensure data is accurately and completely input, processed, or output within a system or with interfaces with other systems
► Configuration Parameters (P) - "Switches" and/or mapping set in the system that can be turned on/off to secure data against inappropriate processing. Can also be account mapping related to how a transaction is mapped to the G/L and then to the Financial Statements.
► Policies/Procedures - Documented policies which describe company guidelines meant to generate compliance with external rules and regulations as well as provide internal consistency. Procedures are a control used to provide guidance and educate performers and reviewers of activities.
SOX 404 – High Level Process
► Documentation
  • Document process, identify risks & controls
► Validation
  • Validate that key risks are covered in the process, check whether controls are working effectively
► Remediation
  • Take corrective action when controls are not designed properly or are not working as designed
► Testing
  • Test controls by taking samples from population period
► Reporting
  • Report control platform to management
[Figure: process stages Document, Validate, Remediate, Test, Report]
Lessons Learned
Lessons Learned - LSE
► Project must be driven by the local organization
► Have a common reporting tool in place from the start
► Standardize processes
► Obtain full commitment from non-financial management
► Pre-define standard risks & controls
► Get involvement from Auditing
► IT support and commitment
► Desktop applications
Questions