Japanese Sarbanes-Oxley (J-SOX) Compliance Services
June 05, 2019
By Brian Ferrara
Japan’s version of Sarbanes-Oxley (SOX) is incorporated in its Financial Instruments and Exchange (FIE) Act enacted in 2006. The J-SOX requirement is the Japanese equivalent to U.S. SOX in relation to Sections 302 "Corporate Responsibility for Financial Reports" and 404 "Management Assessment of Internal Controls." Both regulations aim to evaluate internal control systems relating to financial reporting, to assure the proper expression of external financial reporting by requiring financial-report certifications by the CEO and CFO, and to prevent the recurrence of investor deception.
As in the U.S., the J-SOX regulatory initiative was a response to a number of scandals in the Japanese markets, including Seibu Railway in October 2004, Kanebo in September 2005, and Livedoor in January 2006. There are a number of similarities and differences which need to be addressed by companies, especially those with subsidiaries located in both Japan and the U.S. Overall, J-SOX calls for a broader initiative than U.S. SOX. In developing the standards, the Internal Control Reporting System in Japan looked to avoid both the burden and confusion surrounding U.S. SOX.
- Internal controls over financial reporting will include not only the financial statements and their footnotes, but also items that are disclosed in other areas of Securities Reports.
- Evaluation of certain controls at affiliates accounted for in accordance with the equity-method of accounting.
- Evaluation of entity-level internal controls including book closing and financial reporting processes at all business units.
- Companies are to focus on processes related to the closing of the books and reporting, sales, accounts receivable, inventory and the significant processes related to the business objectives of the company.
- There are only two types of deficiencies based on quantitative and qualitative factors:
- Material weakness
- A material weakness is reported if the effect of the misstatement is greater than 5% of consolidated pre-tax income.
Other specifics for J-SOX in reporting and evaluation of internal controls over financial reporting, distinguishing the standards from U.S. SOX, are:
- Internal control assessment reports will be audited and certified by independent accountants, who will attest to the reports' reliability or lack thereof. Under U.S. SOX requirements, in addition to assessing a company's management-generated internal control assessment reports, the certifying accountants must also perform an audit of the effectiveness of the company's financial reporting-related internal control system.
- The managers of a company are responsible for designing and implementing an internal control system, and they must assess the effectiveness of that system.
- Management reports on the accuracy of disclosures and the company's internal controls.
- J-SOX does not restrict consulting roles offered by external auditors to the same client.
Information Subjected to the Rules:
- Consolidated financial statements and their footnotes in the financial section of Securities Report.
- Disclosures that have a significant impact on the reliability of financial statements in other sections of the Securities Report.
J-SOX Internal Control Framework:
- The J-SOX framework includes an objective of “preservation of assets” in addition to the three Committee of Sponsoring Organizations (COSO) objectives: operations, reporting and compliance.
- The J-SOX framework includes an element of “Response to IT” in addition to the five COSO elements: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Evaluation Steps for J-SOX:
- Determine the scope by reasonably considering the materiality of the quantitative and qualitative impacts to the financial reporting.
- Evaluate company-level internal controls. The list of elements is similar to COSO, with the addition of “Response to Information Technology.”
- Evaluate process-level internal control over financial close and reporting. Controls are divided into company-level controls and process-level controls. The company-level controls should be evaluated at all business units.
- Process-level controls related to sales, AR and inventory should be considered as significant processes for manufacturing companies.
- All other high-risk business processes should be evaluated.
Four-Phase Approach
It is imperative for Japanese companies to recognize the issues in order to evaluate and establish effective internal controls and to be prepared for the compliance due date. We have developed a four-phase approach which will provide guidance for successful compliance with J-SOX requirements within your organization.
- Planning & Scoping:
  - Evaluate and compare J-SOX to U.S. SOX requirements on a company level.
  - Establish materiality threshold metrics.
  - Assess risk at the company and process level with emphasis on safeguarding of assets and IT control environment.
- Risk Assessment & Control Design:
  - Evaluate company and process-level internal controls over high risk areas related to financial reporting and close, sales, accounts receivable, inventory and purchasing.
  - Determine and rate the inherent risk.
  - Review internal control system designed and implemented by management.
  - Align the control activities to the risk at the company and process level.
  - Identify key controls.
- Testing & Evaluating Controls:
  - Develop test plans based on the significance and type of control.
  - Review test plans with management with consideration of implemented internal control system.
  - Perform test execution.
- Deficiency Assessment & Conclusion Report:
  - Evaluate identified control deficiencies.
  - Communicate identified control deficiencies to management.
  - Prepare conclusion report.
  - Provide response to IT.
M&D Intelligence - Q2 2019