J-SOX Insights

Information as of December 1, 2006

Frequently Asked Questions About J-SOX

Q1: What is J-SOX? Is it the same as the U.S. Sarbanes- Separately, on November 21, 2006, the Subcommittee
Oxley Act? issued an exposure draft with detailed practical guidelines
“J-SOX” is an unofficial term that refers to the Japanese (“Implementation Standards”), to clarify the requirements
requirements similar to Sarbanes-Oxley Act Section 302 under the “Evaluation and Auditing Standards” report.
(management certification) and Section 404 (manage- Details of the ”Implementation Standards Exposure Draft”
ment evaluation and report on internal controls) in the are discussed further in the November 21, 2006 J-SOX Flash
United States. The so-called J-SOX requirements are incor- Report, produced by Protiviti Japan.
porated in the legislative draft titled “Financial Instruments Both the “Evaluation and Auditing Standards for Internal
and Exchange Law,” which covers new enactments of, and Control for Financial Reports” (Draft Standards) and the
amendments to, various laws related to financial instru- “Implementation Standards Exposure Draft” are expected
ments and Securities and Exchange Laws.1 to be finalized in early 2007.
While this legislation in Japan is different from the contents The “Evaluation and Auditing Standards” report describes
of the U.S. Sarbanes-Oxley Act, the specific requirements the management’s evaluation and audit of internal control
unofficially referred to as “J-SOX” are similar in substance over financial reporting as follows:
to the Sarbanes-Oxley Act Sections 302 and 404.
Evaluation of and Reporting on Internal Control for Finan-
Q2: Has the J-SOX legislation already been passed? Under cial Reports – Management assumes the role and the
the legislation, when would the J-SOX requirements be responsibility to develop and operate internal controls,
effective? and is required to evaluate the effectiveness of internal
The J-SOX legislation was passed as part of the “Financial control for financial reports, and report the results in the
Instruments and Exchange Law” on June 7, 2006. Compli- form of an internal control report to the public. In order
ance with J-SOX requirements is effective for fiscal years to evaluate the effectiveness of internal controls, man-
beginning on or after April 1, 2008. As most Japanese com- agement must first evaluate internal controls that have a
panies have a March 31 fiscal year-end, their first filing of a significant and pervasive impact on the financial reports
management evaluation report on internal control would be as a whole (companywide internal control). Manage-
for the fiscal year ending March 31, 2009. ment must then evaluate the internal controls relating
to specific processes. The scope of the review of specific
Q3: Which companies are subject to J-SOX requirements? processes would be based on the results of the evaluation
Approximately 3,800 listed Japanese companies, including of the companywide controls.
their significant subsidiaries and affiliates, fall under the
J-SOX mandate. “Significant subsidiaries and affiliates” is
defined in the exposure draft of implementation standards.
(See Q4 below.) In This Issue:
Q4: What does J-SOX require companies to do? Are the
requirements the same as those under the U.S. Sarbanes- Frequently Asked Questions About J-SOX
Oxley Act?
The Subcommittee on Internal Controls of the Business Translated Summary of the Report by
Accounting Council deliberated on the standards for the the Subcommittee on Internal Controls,
evaluation of the effectiveness of internal control over finan-
cial reporting by management and external auditors. The
Business Accounting Council: “Evaluation
Subcommittee’s report titled “Evaluation and Auditing Stan- and Auditing Standards for Internal
dards for Internal Control for Financial Reports” was issued Control Reported in Financial Reports”
on December 8, 2005, after its exposure period was closed.

1
The Securities and Exchange Law is a Japanese law equivalent to the Securi-
ties Act of 1933 and Securities Exchange Act of 1934 in the United States.

protiviti.jp • +81.3.5219.6600
 Audit of Internal Control for Financial Reports – The • It is based on an approach that begins with an evaluation
external auditor responsible for auditing the company’s of companywide internal controls, followed by an assess-
financial statements also must conduct an audit of ment of process-level controls.
management’s evaluation of the effectiveness of internal However, unlike Section 404 of the U.S. Sarbanes-Oxley Act,
control for financial reports. The objective of the audit is the external auditor is not required to issue an opinion on
to determine the appropriateness of management’s evalu- the effectiveness of internal control over financial reporting.
ation. The external auditor compiles the audit results in The external auditor is required only to issue an opinion on
the form of an internal control audit report, and submits it management’s evaluation of the effectiveness of internal
to management. controls. Therefore, while the activities around the “docu-
The flow of management’s evaluation of internal control mentation” and “testing” by management for purposes of
over financial reporting and the work of the external auditor completing its evaluation are expected to be similar, the
was depicted in the July 2005 exposure draft of “Evaluation extent and scope of such activities is not clear at this time.
and Auditing Standards for Internal Control Reported in Q5: Is the scope of J-SOX limited to “internal control
Financial Reports.” over financial reporting”?
The “Evaluation and Auditing Standards” report does not Yes. The “Evaluation and Auditing Standard” report states
refer to terms like “documentation” or “testing;” therefore, that “internal controls aimed at ensuring the reliability of
it does not articulate specifically what needs to be done in financial reports are defined as “internal control for finan-
practice. However, the evaluation framework is similar to cial reports,” and “are subject to the evaluation and audit
that of the U.S. Sarbanes-Oxley Act in several respects: based on the draft standards.”
• It includes an evaluation by management based on
an internal control framework.
• It includes an external audit requirement, in addition
to management’s evaluation.

Management’s Assessments of Internal Control

Over Financial Reports and Auditors’ Evaluations of Those Assessments

%FTJHO
BOE
JNQMFNFOU
JOUFSOBM
"TTFTTNFOUT
PG
JOUFSOBM
"VEJUT
PG
JOUFSOBM
DPOUSPMT
CZ

DPOUSPMT
CZ
NBOBHFNFOU DPOUSPMT
PWFS
GJOBODJBM
SFQPSUT JOEFQFOEFOU
BVEJUPST
CZ
NBOBHFNFOU

&TUBCMJTI
CBTJD
QMBO
BOE
QPMJDZ 1MBO
BVEJU
FOHBHFNFOUT

&WBMVBUF
BQQSPQSJBUFOFTT
GPS
TDPQF

%FUFSNJOF
TDPQF
PG
BTTFTTNFOUT
PG
NBOBHFNFOUµT
BTTFTTNFOUT

%FTJHO
BOE
JNQMFNFOU
"TTFTT
DPNQBOZMFWFM &WBMVBUF
NBOBHFNFOUµT
BTTFTTNFOUT

DPNQBOZMFWFM
JOUFSOBM
DPOUSPMT JOUFSOBM
DPOUSPMT PG
DPNQBOZMFWFM
JOUFSOBM
DPOUSPMT

%FTJHO
BOE
JNQMFNFOU
"TTFTT
QSPDFTTMFWFM &WBMVBUF
NBOBHFNFOUµT
BTTFTTNFOUT

QSPDFTTMFWFM
JOUFSOBM
DPOUSPMT JOUFSOBM
DPOUSPMT PG
QSPDFTTMFWFM
JOUFSOBM
DPOUSPMT

6ITSVX
GSRXVSP 3FQPSU
DPOUSPM
EFGJDJFODJFT

3FNFEJBM
BDUJPOT
GPS
DPOUSPM HIJMGMIRGMIW BOE
NBUFSJBM
XFBLOFTTFT

EFGJDJFODJFT
BOE
XFBLOFTTFT ERHQEXIVMEP
[IEORIWWIW PG
JOUFSOBM
DPOUSPMT

0CKFDUJWFT
PG
JOUFSOBM
DPOUSPMT

…
&GGFDUJWF
BOE
FGGJDJFOU
PQFSBUJPOT
.BOBHFNFOUµT
BTTFTTNFOUT
PO 'PSN
BVEJUPSTµ
PQJOJPOT

…
3FMJBCMF
GJOBODJBM
SFQPSUJOH
FGGFDUJWFOFTT
PG
JOUFSOBM
DPOUSPMT PO
NBOBHFNFOUµT
SFQPSUT
…
$PNQMJBODF
XJUI
BQQMJDBCMF
MBXT
BOE
SFHVMBUJPOT
…
4BGFHVBSEFE
BTTFUT
#BTJD
DPNQPOFOUT
PG
JOUFSOBM
DPOUSPMT
.BOBHFNFOUµT
SFQPSUT "VEJUPSTµ
SFQPSUT
…
$POUSPM
FOWJSPONFOU
…
3JTL
BTTFTTNFOUT
BOE
SFTQPOTFT

…
$POUSPM
BDUJWJUJFT
…
*OGPSNBUJPO
BOE
DPNNVOJDBUJPO

…
.POJUPSJOH

…
3FTQPOTF
UP
*5

page  English translation of J-SOX Insights

However, the definition of “Financial Reports” for J-SOX “internal control for financial reports,” and “are subject to
is expected to be larger than the scope of the Sarbanes- the evaluation and audit based on the draft standards.”
Oxley Act. “Financial Reports” include financial statements
and footnotes, which are the focus of “internal control over While the Basic Framework of Internal Control under J-SOX
financial reporting” in the United States, and certain other is similar to the COSO framework in its objectives and
financial-related disclosures in public reports, such as finan- elements, “preservation of assets” also is added as an
cial highlights, status of stock issued and shareholders. objective (which is similar to the addition by COSO of “safe-
guarding of assets” in its addendum to its internal control
Q6: Is the J-SOX internal control framework different from framework), and “IT support” is added as an internal control
the COSO framework used in the United States? element to reflect the importance of the IT environment to
effective internal control.
The draft standards presented in the “Evaluation and Audit-
ing Standards for Internal Control for Financial Reports,” Q7: When should Japanese companies start preparing
issued on December 8, 2005, consist of three parts: for J-SOX compliance?
(1) Part I is the “Basic Framework of Internal Control” that The first filing date of management’s report on internal
describes the definition and the conceptual framework control is proposed for fiscal years beginning on or after
of internal control over financial reporting, which man- April 1, 2008; this requirement means the fiscal year ending
agement has the role and responsibility to design and March 31, 2009 for most Japanese March year-end compa-
operate; nies. While the report filing date for these companies is a
(2) Part II is the “Evaluation and Reporting of Internal little over two and a half years from now, many large, March
Control for Financial Reports,” which articulates man- year-end Japanese companies are already in the process of
agement’s approach to evaluating the effectiveness of initiating their compliance projects.
internal control for financial reports; and
The publicity around the cost and time for U.S. companies
(3) Part III is the “Auditing of Internal Control for Financial and Japanese SEC-registered companies to implement the
Reports,” which explains the approach to the standards U.S. Sarbanes-Oxley Act requirements has gained the atten-
for audits conducted by the independent accounting firm. tion of many Japanese companies. External auditors and
The “Basic Framework of Internal Control” (Part I) is dis- consultants are recommending that Japanese companies
cussed in the report as follows: start their projects early. While the United States had the
COSO framework, as well as the common practice over pre-
“Internal control is basically a process that is carried out vious decades by external auditors of relying on selected
by all members of the company, in order to fulfill four internal controls in conjunction with the financial statement
corporate objectives: (1) effectiveness and efficiency of audit, these concepts are rather new to Japanese manage-
operations; (2) reliability of financial reports; (3) com- ment and external auditors. Due to the language barrier and
pliance with laws and regulations relating to business their corporate governance style, many Japanese compa-
activities; and (4) preservation of assets. nies have decentralized operations and allow their business
It is comprised of six basic elements: (1) control environ- units and subsidiaries to have their own operating practices
ment; (2) risk assessments and responses; (3) control and IT systems. There is also less history of internal auditing
activities; (4) information and communication; (5) moni- in comparison to companies in the United States. Evaluating
toring; and (6) response to IT. Internal controls aimed at internal controls on a consolidated basis, including overseas
ensuring the reliability of financial reports are defined as subsidiaries, is expected be a very new and challenging
experience for many Japanese companies.

Report by the Subcommittee on Internal Controls, Business

Accounting Council: “Evaluation and Auditing Standards for
Internal Control Reported in Financial Reports”1
Recent incidents of improper disclosure are claimed to have to internal controls for financial reports since 2004. In
been caused partly by the failure of internal controls to response to such a trend, the Subcommittee on Internal
function effectively and ensure the reliability of disclosure. Controls of the Business Accounting Council headed by
In the United States, the Sarbanes-Oxley Act has enforced Shinji Hatta (Professor at the Graduate School of Aoyama
mandatory evaluation by management and mandatory Gakuin University) has deliberated on the standards for
audits by certified public accountants (CPAs) with respect evaluation by the management and audits by CPAs, etc.

1
Translated summary of the reports issued by the Subcommittee on Internal Controls,
from the FSA Newsletter, February 2006 (http://www.fsa.go.jp/en/newsletter/2006/02a.html)

English translation of J-SOX Insights page 

with respect to the effectiveness of internal controls for internal control), and evaluate the internal controls relat-
financial reports, and compiled its report titled “Evaluation ing to operations based on the results.
and Auditing Standards for Internal Control Reported in
Financial Reports,” dated December 8, 2005. 3. Audit of Internal Controls for Financial Reports
The external auditor in charge of auditing the financial
The draft standards presented in the report consist of statements of the company audits the evaluation of the
three parts: (1) “Basic Framework of Internal Control” that effectiveness of internal controls for financial reports
describes the definition and the conceptual framework of performed by the management, to determine the appro-
internal control itself, which management has the role and priateness of the evaluation results. The external auditor
responsibility to develop and operate; (2) “Evaluation and compiles the audit results in the form of an internal con-
Reporting of Internal Control for Financial Reports,” which trol audit report, and submits it to management.
shows the approach to evaluation by management with
respect to the effectiveness of internal controls for financial The report by the Subcommittee on Internal Controls
reports; and (3) “Auditing of Internal Controls for Financial describes the modality of internationally accountable and
Reports,” which explains the approach to the standards of effective standards that are consistent with the company
audits conducted by CPAs, etc. laws of Japan. It verifies the implementation status, etc.,
in the United States, where the system was introduced
1. Basic Framework of Internal Control before Japan, and incorporates measures to prevent costs,
Internal control is basically a process that is carried etc., from becoming excessive. This is in consideration of
out by all members of the company in order to fulfill debates over whether or not mandatory evaluation by man-
four corporate objectives: (1) effectiveness and effi- agement and mandatory audits by external auditors, with
ciency of operations; (2) reliability of financial reports; respect to internal controls for financial reports, would
(3) compliance with laws and regulations relating to be an excessive burden. Furthermore, for the draft stan-
business activities; and (4) preservation of assets. It is dards presented in the said report, there have been many
comprised of six basic elements: (1) control environment; requests for the development of detailed practical guide-
(2) response to risks and evaluation; (3) control activities; lines (implementation standards) that would be applicable
(4) information and communication; (5) monitoring; and at the working level. Accordingly, the Subcommittee decided
(6) IT support. Among them, internal controls aimed at to conduct further studies on implementation standards,
ensuring the reliability of financial reports are defined as and established a working group headed by Nao Hashimoto
“internal controls for financial reports,” and are subject (Professor at the Graduate School of Aoyama Gakuin Univer-
to the evaluation and audit based on the draft standards. sity) under the Subcommittee in December 2005.
2. Evaluation and Report of Internal Control The report submitted by the First Subcommittee of the
for Financial Reports Financial System Council on December 22, 2005 recom-
Management assumes the role and the responsibility to mends that evaluation by management and audits by
develop and operate internal controls, and is required CPAs be made mandatory, based on the report by the Sub-
to directly evaluate the effectiveness of internal controls committee on Internal Controls, in order to ensure the
for financial reports, and report the results to the public appropriateness of financial reports of listed companies. It
in the form of an internal control report. When evaluat- also recommends the introduction of a system that requires
ing the effectiveness of internal controls, management management to confirm the appropriateness of statements
first must evaluate internal controls that have a material in securities reports at the same time.
impact on the financial reports as a whole (companywide

Protiviti is a leading provider of independent internal audit and business and technology risk consulting services. We
help companies worldwide identify, assess, measure and manage financial, operational and technology-related risks
encountered in their industries, and assist in the implementation of the processes and controls to enable their contin-
ued monitoring. Protiviti also offers a full spectrum of internal audit services to assist management and directors with
their internal audit functions, including full outsourcing, co-sourcing, technology and tool implementation, and quality
assessment and readiness reviews.
For additional information about the issues reviewed in J-SOX Insights or Protiviti’s services, please contact:
Protiviti Japan Co., Ltd.
Ote Center Building, 1-1-3 Ote-machi
Chiyoda-ku, Tokyo, Japan 100-0004
+81.3.5219.6600
[email protected]

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
© 2007 Protiviti. An Equal Opportunity Employer