J-SOX is the unofficial term for a part of Japan’s Financial Instruments and Exchange Law that was promulgated by the Japanese National Diet in June 2006 to ensure that corporate information is disclosed in a fair manner to investors. Responding to several corporate scandals, the government established J-SOX in order to enhance investor confidence in a company’s financial statements by emphasizing the internal control that may affect the financial aspects of a company.

Specifically, J-SOX requires that the management of public companies (1) design, implement, evaluate, and report on a system of internal corporate controls and (2) submit a “certification” stating that the descriptions in the financial statements are in compliance with applicable laws and regulations. Because the “internal control report” and the “management certification” are similar to the internal corporate controls that are required under the U.S. Sarbanes-Oxley Act of 2002 (“SOX”), which was also passed in response to several corporate scandals, the new law is commonly referred to as J-SOX.

All public companies listed on the stock exchanges in Japan are required to prepare and submit internal control reports on a consolidated basis for fiscal years beginning on or after April 1, 2008. Because most listed Japanese companies (approximately 3,800) have a March 31 fiscal year end, management’s first filing of an evaluation of its internal controls will be for the fiscal year ending March 31, 2009.


On February 15, 2007, the Business Accounting Council of the Japanese Financial Services Agency released the Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting and the Practice Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting (the “Standards”).


The Standards are composed of three sections:

I. Basic Framework of Internal Control.

II. Management Assessment and Report on Internal Control over Financial Reporting (“ICR”).

III. Audit on Internal Control over Financial Reporting (“ICFR”).


In establishing the framework for internal controls, the Standards define internal control as a process performed by everyone in an organization and incorporated in its operating activities in order to provide reasonable assurance of achieving four objectives:

(1) Effectiveness and Efficiency of Business Operations: means promoting effective and efficient operations in order to achieve the objectives.

(2) Reliability of Financial Reporting: means ensuring the reliability of financial statements and the information that could have a material effect on the financial statements.

(3) Compliance with Applicable Laws: means promoting compliance with laws, regulations, and ordinances relevant to business activities.

(4) Safeguarding of Assets: means ensuring that assets are acquired, used and disposed of in accordance with proper procedures and approvals, to include intellectual property and customer information.

To achieve the four (4) objectives of internal control, management is required to design and effectively operate a process in which six internal control components are in place. In the Standards, management is assumed to include executive level representatives. The six (6) basic internal control components are as follows: (1) control environment, (2) risk assessment and response, (3) control activities, (4) information and communication, (5) monitoring, and (6) response to information technology. Because of the importance of these six (6) components to the internal control process, each individual component will be summarized in a future newsletter.

The Standards note that it is impossible to provide a single approach on how to design and operate internal controls because such controls will be specific to each company based on several factors such as its business environment, characteristics, and size.


As previously noted, management is responsible for designing and operating controls. Annually, J-SOX requires management to assess the effectiveness of the internal controls to the extent necessary in light of their impact on the reliability of the financial statements.

In order to make the assessment, management is first required to define the scope of the assessment. It should consider whether significant business units or locations might have a quantitative or qualitative impact on the reliability of the financial statements on a consolidated basis. While the company-wide controls need to be incorporated in all business units, small accounts or small subsidiaries can be eliminated from the scope of the assessment, if they are found to have little impact on the financial statements.

Management is required to prepare an ICR which explains the assessment scope, timing, procedures, and management’s conclusions regarding its internal control procedures. This report would be prepared at the end of the company’s fiscal year.


Once management completes its ICR, the report will be reviewed by the certified public accountants who are responsible for auditing the company’s financial statements to ensure that the results are fairly stated. If the auditors identify a material weakness, the auditors must report the weakness to company management, request that management correct the weakness and then evaluate the correction. This information must also be provided to the board of directors, internal auditors, or the audit committee. Even if defects are found in past practice, the auditor’s opinion can be “fair” if the defects are cured prior to the end of the fiscal year, when the ICR assessment is made.