Getting ready for J-SOX 

Few would argue that the first half of this decade has been one of the most volatile for financial reporting in recent memory. In the wake of the misdeeds and mistakes of a few, we have been left with the realisation that good financial reporting, and indeed good corporate governance, require more than a belief that "we have good people, and we have never had a problem in the past." There are certain fundamental principles that form the foundations of an effective process for gathering, summarising and presenting an organisation's financial results.

Regulatory bodies around the world are attempting to inject those principles into every public company's financial reporting process. The US, with its Sarbanes-Oxley Act of 2002 (SOX) led the way, and in the process serves both as a model and a cautionary tale about the cost and effort of implementing sound corporate governance using a prescriptive approach.

Now, five years later, companies publicly listed in the Japanese stock exchange are grappling with the approaching deadlines to comply with "J-SOX", the informal nickname for the Financial Instruments and Exchange Law of 2006. The moniker "J-SOX" was attached to the law because of its similarity to SOX in requiring executive management to evaluate and disclose its assessment of the company's internal controls over financial reporting, which are subject to audit by external auditors.

In February 2007, the Business Accounting Council of the Financial Services Agency (FSA) released the final version of the Standards for Management Assessment and Audit of Internal Control over Financial Reporting (ICFR) and the Implementation Guidance for Management Assessment and Audit of ICFR (Practice Standard), which effectively serve as guidelines for J-SOX compliance. The rest of this article focuses on the requirements outlined in the Practice Standard.

Snapshot of J-SOX requirements
All companies listed on the Japanese stock exchange, including foreign issuers plus other companies requested by ministerial ordinance, must comply with J-SOX on an annual basis commencing in the fiscal year starting on or after 1 April 2008. As the vast majority of listed companies have fiscal years ending 31 March, the affected disclosure applies generally to year end 31 March 2009.

Management obligations include overseeing the implementation of an internal control environment over financial reporting (including entity-level controls), and assessing and disclosing its effectiveness. The external auditors opine on the management's evaluation process of its ICFR as outlined in the ICFR report - essentially stating whether the report can be relied upon or not. Unlike US SOX, external auditors do not directly opine on the effectiveness of ICFR.

Guidance for internal control reports
The Practice Standard issued by the FSA is organised into three main sections:

1.	Basic framework of internal control In this section, the Practice Standard details the internal control framework that companies should follow. The framework builds on the internationally accepted COSO framework, and adds one extra objective and one extra component to tailor it to the typical operating environment of Japanese firms (Figure 1). Specifically, the framework includes the additional internal control objective of 'safeguarding assets'. This objective focuses on both the tangible - such as acquisition, use and disposal of fixed assets - and the intangible - such as protecting intellectual property and customer information. In addition to the five COSO components of internal control, the Practice Standard also includes the component 'response to IT', in recognition of the deep investment and entrenchment of sophisticated IT throughout most Japanese operations. Figure 1. J-SOX framework
2.	Management's assessment and report on ICFR The Practice Standard in this section breaks down the methodical approach that management should apply in conducting its review of internal controls. The topics addressed by the Practice Standard, including some key highlights, include:
	Assessment points for company (or entity)-level controls:  Companies should use the framework outlined in the first section to address company-level controls. The Practice Standard includes an exhibit with sample questions for evaluating overall corporate governance.
	Scope of assessment for process-level controls:  A top-down, risk-based approach is recommended for selecting entities/business units, accounts and processes that should be included in the assessment. A minimum of two-thirds of consolidated financials should be covered by the scope of the review. Specific sections in the Practice Standard are also dedicated to conducting assessments of IT-based controls.
	Communication with auditors:  Keeping open communication with external auditors at milestone stages throughout the process is critical. One of the worst things that can happen to a company is to complete its ICFR assessment only to have its external auditors disagree with the scope of assessment.
	Guidelines for determining material weaknesses:  Companies must evaluate the severity of any findings detected throughout their ICFR review. The Practice Standards define that controls are ultimately assessed as 'deficiencies' or 'material weaknesses.' A single finding or a group of related findings in aggregate can escalate to the level of material weakness based on quantitative and/or qualitative measures. The Practice Standard offers the example of defining the quantitative material threshold as being 5% of the consolidated income before tax. Qualitative materiality can be determined for instance based on the extent of the impact on investment decisions or the reliability of financial reporting, such as information relating to related party transactions and big shareholders.
	Recording and retention of assessment procedures:  Sample flowcharts, narratives and risk matrices which a Company may choose to model are included. It is up to the Company to determine the appropriate type and level of documentation. It is suggested that documents are retained for the period of time equivalent to the inspection period for annual reports which is currently five years.
3.	External audit on ICFR In addition to providing guidance to external auditors on conducting their audit of management's evaluation process, the Practice Standard also stipulates that the external auditors should employ an integrated audit methodology whereby internal control audits are performed by the same audit firm and Engagement Partner that perform the financial audit.

Don't wait
Internal controls over financial reporting are more than just procedures required to be J-SOX compliant. They help ensure that management is able to generate the primary information the public uses to make investment decisions. Just as a good manufacturer builds in efficient controls and inspections to make certain its end product is reliable, good companies who use public capital seek to efficiently and effectively provide reliable financial information.

Furthermore, identifying and testing internal controls yields benefits beyond delivering the financial information that will create credibility in the financial markets. It can be a goldmine when it comes to uncovering ways to make business processes more efficient and delivering information that assists management in making more prudent business decisions. But the upside potential can only be realised if sufficient time, resources and skills are applied. Proper planning ensures an efficient compliance effort not only in the first year of compliance: it can impact the cost of compliance on a go-forward basis and generate longer-term economic value if a sound foundation of procedures and documentation are established from the start.

jennifer.chen@gthk.com.hk

Back

Main

Next