J-SOX is the unofficial term for a part of Japan’s Financial Instruments and Exchange Law that was promulgated by the Japanese National Diet in June 2006 to ensure that corporate information is disclosed to investors in a fair manner. Responding to several corporate scandals, the government established J-SOX in order to enhance investor confidence in an organization’s financial statements by emphasizing the internal controls that may affect the financial aspects of a company.

On February 15, 2007, the Business Accounting Council of the Japanese Financial Services Agency released the Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting and the Practice Standards for Management Assessment and Audit Concerning Internal Control over Financial Reporting (the “Standards”).

The Standards define internal control as a process performed by everyone in an organization and incorporated in its operating activities in order to provide reasonable assurance of achieving four objectives:

(1) Effectiveness and Efficiency of Business Operations

(2) Reliability of Financial Reporting

(3) Compliance with Applicable Laws

(4) Safeguarding of Assets

To achieve the four (4) objectives of internal control, management is required to design and effectively operate a process in which six internal control components are in place.

(1) Control Environment

(2) Risk Assessment and Response

(3) Control Activities

(4) Information and Communication

(5) Monitoring

(6) Response to Information Technology

In this newsletter, we will summarize the Control Environment and Risk Assessment and Response components.


According to the Standards, the Control Environment determines the tone of the organization, influences the awareness of people toward control, and lays the foundation for the other five components.

Because of its influence, the Control Environment is considered the most important component. The Control Environment considers the organization’s (1) integrity and ethical values, (2) management’s philosophy and operating style, (3) management’s policies and strategies, (4) functions of the board of directors and internal auditors, (5) organizational structure and practices, (6) authority and responsibilities, and (7) human resources management and policies.

Integrity and ethical values are important factors in shaping the tone of an organization. Here, the Standards suggest that companies consider developing a code of conduct or code of ethics that summarizes the organization’s philosophy. Additionally, management’s commitment to upholding proper accounting and reporting practices through clearly defined policies and procedures also helps set the tone.

The board of directors must be able to express its independent opinion, receive timely information in order to monitor management and be confident the organization will carry out its decisions.

The structure of the organization must allow information to flow to decision makers. The appropriate personnel must have the authority and responsibility for carrying out those actions necessary to achieve the organization’s goals. All employment-related policies and procedures, including those covering hiring, firing, promotion, payroll and employee training, assist in creating a culture of compliance.

Organizations wishing to improve their Control Environment may want to consider, among other measures, adopting or reviewing their existing:

  • Code of Conduct/Ethics 
  • Corporate Record Books 
  • Business Qualifications, Licenses and Reports 
  • Accounting Policies 
  • Internal Reporting Relationships 
  • Authority Matrices 
  • Employee Handbooks 
  • Job Descriptions 
  • Immigration and Work Authorization Policies


Risk assessment and response is a series of processes used to identify, classify, analyze and assess risks that could prevent the organization from achieving its business goals, and to select the appropriate response to those risks. In responding to a risk, the organization can decide to avoid the risk, reduce it, transfer it via contract provisions or insurance, or accept it.

Risk can be internal or external. Internal risks include such things as accounting errors, fraud, and leaks of personal information. External risks include such things as natural disasters, theft, and market competition.

Risk is present at the company level and the process level. Company-level risks are the risks that could adversely affect the achievement of the organization’s objectives. Company-level risks include such things as an unusual change in financial position, operating results, or cash flows, dependency on particular customers, products, or technologies, imposition of legal regulations, dependency on a particular member of top management, and the filing of any material legal proceeding. Process-level risks are the risks that could adversely affect the achievement of objectives set for individual business units in the organization.

For example, the sales, shipping or accounting department may not properly account for a customer’s order. This process-level risk is usually managed through control activities incorporated in the business operations. Legal exposures such as product liability, anti-trust violations, inadequate intellectual property safeguards, and import and export controls are also risks because they can have a direct impact on the financial statements. Companies should identify the legal risks associated with their business and take the appropriate measures to avoid or reduce such risks.

Organizations wishing to review their risk assessment and response should review:

  • Record Retention Requirements 
  • Anti-Trust Activities 
  • Intellectual Property Safeguards 
  • Foreign Corrupt Practices Review 
  • Import & Export Controls 
  • Independent Contractors
  • Vendor and Supplier Agreements
  • Contract Terms and Conditions
  • Privacy Safeguards 
  • Insurance Coverage 
  • FMLA, ADA, COBRA, ERISA Compliance