WHAT IS J-SOX?
J-SOX is the unofficial term for a part of Japan’s Financial Instruments and Exchange Law that was promulgated by the Japanese National Diet in June 2006 to ensure that corporate information is disclosed in a fair manner to investors. Responding to several corporate scandals, the government established J-SOX in order to enhance investor confidence in an organization’s financial statements by emphasizing the internal control that may affect material financial aspects of a company.
On February 15, 2007, the Business Accounting Council of the Japanese Financial Services Agency released the Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting and the Practice Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting (the “Standards”).
The Standards define internal control as a process performed by everyone in an organization and incorporated in its operating activities in order to provide reasonable assurance of achieving four objectives:
(1) Effectiveness and Efficiency of Business Operations
(2) Reliability of Financial Reporting
(3) Compliance with Applicable Laws
(4) Safeguarding of Assets
To achieve the four (4) objectives of internal control, management is required to design and effectively operate a process in which six internal control components are in place.
- Control Environment
- Risk Assessment and Response
- Control Activities
- Information and Communication
- Response to Information Technology
In this newsletter, we will summarize two components: Control Activities and Information and Communication.
I. CONTROL ACTIVITIES
The Standards define Control Activities as those policies and procedures established to ensure that the orders and instructions of management are followed in an appropriate manner. Control Activities include a wide range of policies and procedures, such as the assignment of authority and responsibilities and the segregation of duties.
To reduce the risk of fraud and errors, the Standards indicate that management should clarify the authority and responsibility of each person in charge. In this process, it may be appropriate to divide and segregate duties between two or more employees. For example, the processes of requesting a corporate expenditure, authorizing the use of corporate funds, and recording the actual expenditure should be assigned to different employees.
The Standards recommend the segregation of employee duties to help increase the visibility of internal control within the company and help prevent the occurrence of fraud and errors.
Organizations wishing to improve their Control Activities may wish to consider, among other measures:
- Whether an authority matrix has been prepared at both the company and individual department level. The company-level matrix should outline and describe those duties assigned to the officers and managers of the company. The department-level matrix should describe the authority given to individual employees based on their position within each individual department.
- Whether management has instituted an internal control process that requires two levels of review for financial transactions and provides for a division of duties within the accounting department.
II. INFORMATION AND COMMUNICATION
The information and communication component involves ensuring that necessary information is identified, understood, processed, and accurately communicated to all relevant parties in a timely and appropriate manner.
To achieve the organization’s business objectives and to improve internal control, each employee should identify what information is required to carry out his or her responsibilities. The information must then be received and converted to usable form.
Communication involves both internal and external communications. Internal communication means communicating all necessary information to appropriate personnel within the organization. For example, organizations should establish a system whereby information about the occurrence of fraud, a material error, or a violation of an internal control procedure or requirement is communicated to the appropriate level of management. This can be achieved via a whistleblower system.
External communication involves ensuring that the appropriate information is properly disclosed to external parties such as shareholders and the various federal, state, and local regulatory authorities. External communication also involves establishing a method or procedure to process information received from customers and business partners regarding employee errors and/or possible employee-initiated fraud.
Organizations wishing to improve Information and Communication should consider, among other measures:
- Is there a whistleblower system in place? Is there a way to communicate upstream through someone other than a direct superior, such as an ombudsman or corporate counsel? Is anonymity permitted? Are employees who report suspected improprieties immune from reprisals?
- Are mechanisms in place to obtain relevant external information on market conditions, competitors’ programs, legislative or regulatory developments, and economic changes?
- Are feedback mechanisms in place with all suppliers and customers? Are customer and supplier suggestions, complaints, and other input captured and communicated to relevant internal parties?
- Are mechanisms in place for employees to provide recommendations for improvement?