Present, Past and Future of Internal Control
A Survey of J-SOX Compliance

Contents

Preface
Chapter One What is Internal Control?
1-1 Concept of Internal Control and Its History
1-2 Ideal of Internal Control
1-3 Internal Control as Viewed by Each Company
1-4 Summary
Chapter Two Current Status
2-1 Overview of the Survey
2-2 Tendencies in Design and Establishment
2-3 Tendencies in Assessment
2-4 Challenges
2-5 Summary
Chapter Three Future Actions
3-1 Overall Picture of Future Actions to be Taken
3-2 Establish and Maintain Functions to Drive Internal Controls
3-3 Promote BPR to Maintain Control Levels and Enhance Business Efficiencies
3-4 Establish Enterprise Risk Management
3-5 Standardize Assessments
3-6 Expand Assessors
3-7 Future Actions for Each Group
3-8 Summary
At the end
[Appendix] Survey Results

Preface

The regulation for assessing internal control over financial reporting (J-SOX as it is called) has been applied since the fiscal year that began on April 1, 2008 in accordance with the Financial Instruments and Exchange Law, prompting companies to take actions to design, establish and assess their own internal controls. The response to J-SOX varies: some companies view it merely as another set of legal requirements, seeking to complete the procedure with minimum costs, while other companies regard it as a good opportunity to improve their management quality. In any case, however, the companies seem to be struggling in designing internal control as they are partially unclear about how they should interpret what the law requires. A lack of clear interpretation of requirements of the law may be because the term “internal control” has yet to be clearly defined. Once the concept is clarified, management should be able to better grasp the demands of the law.
To achieve that goal, this research will first look at the concept of “internal control” and its history before moving on to examine the actions being taken by companies. That will explain how the concept came into being and what was done to make it into law as we know it today, laying the groundwork for our task of clarifying how companies are viewing and responding to J-SOX, before answering the question later in this report on what should be done to better handle “J-SOX” and “internal control”.

Lastly, we would like to take this opportunity to express our deep gratitude to corporations who kindly cooperated with us for this survey in responding to questionnaires.

Chapter One What is Internal Control?

1-1 Concept of Internal Control and Its History

Although the concept of internal control is said to trace its history back to the beginning of the 20th century in the U.S. when audit on financial statements came into being, its present day interpretation differs from early days owing to changes in the business environment. The following is a brief illustration of the evolution which internal control has gone through in the U.S. and Japan, respectively.

U.S.

Beginning of 20th century (Concept of internal control comes into being)

An earlier victory in the Spanish-American War brought about an expansion of the overall economy and the scale of enterprises in the U.S. after the turn of the century. Until those days “detailed audit” was undertaken on all the target items as an audit of financial statements, but a rapid growth in corporate scale made it virtually impossible to continue the practice. Consequently, a “sampling test” was introduced involving examination of samples taken from the targets, assuming that companies conduct their own inspection (system of checks and balances) whereby potential frauds and errors in operations are mutually checked within organizations. This internal check system effectively marked the birth of the concept of internal control.

1930-40s (Audit on financial statements institutionalized and the concept expands)

In the wake of the Great Depression in 1929, the Securities Act of 1933 and the Securities Exchange Act of 1934 were enacted, imposing mandatory audit on financial statements on listed companies. The role of auditors then was to inspect financial statements to see if they comply with accounting principles.

As corporations became even bigger and more complex, however, it became impossible to ignore the aspect of business management which is the prerequisite of auditing the reliability of financial reporting. Consequently, the American Institute of Certified Public Accountants published a special report “Internal Control” in 1949 defining it as a “safeguarding of assets”, the “ensuring of the accuracy and reliability of accounting data”, the “promotion of operational efficiency” and the “adherence to prescribed management policies”, thereby building in the perspective of executive management.

This definition, however, invited criticisms that the scope of responsibility of auditors was extended too far, leading to arguments in favor of a narrower interpretation of the concept of internal control.

1970s (Internal control signed into law)

Following the occurrences of overseas illegal payments made by U.S. corporations, as seen in the Watergate and Lockheed scandals in the 1970s, the Foreign Corrupt Practices Act of 1977 (FCPA) was enacted in 1977. It clarified mandatory establishment of the internal control systems for the first time, which accelerated diffusion of internal control in the country.

Furthermore, the concept of internal control, which was the subject of increasingly narrower interpretation by then, took on a renewed role as the society began to embrace a need for prevention of frauds, returning to wider interpretations again.

Figure 1 History of Concept and Regulation of Internal Control
(Timeline for the U.S. and Japan from before 1900 to the 2000s, showing background events, milestones in the concept of internal control, and enactments of law.)

1980s-1990s (Advent of COSO framework)

In response to downfalls of financial institutions that occurred in the 1980s, the American Institute of Certified Public Accountants (AICPA) established the Treadway Commission by calling for the American Accounting Association and the Institute of Internal Auditors (IIA), among others. Its role was accomplished in 1987 when it issued a report titled “Fraudulent Financial Reporting”, stressing in it the importance of internal controls and necessity of detailed examination and assessment criteria.

This was followed by a publication in 1992 of the COSO framework by the Committee of Sponsoring Organizations of Treadway Commission which cited three objectives of internal controls: the “effectiveness and efficiency of business”, the “reliability of financial report” and the “compliance with applicable laws”. Furthermore, it provided five components: “control environment”, “risk assessment”, “control activities”, “information and communication” and “monitoring”. The COSO framework contributed to a broadened concept of internal control as it built in the perspective of management and other executives of corporations as well as that of auditors.

2000 onward (Formulation of U.S. SOX Act)

The Sarbanes-Oxley Act (SOX Act) was established in 2002 in response to the demise of Enron and WorldCom, requiring company management to assess the effectiveness of internal controls and disclose evidence documents.

Japan

1945 onward (Concept of internal control comes into being)

In the wake of World War II, Japan witnessed a host of major changes caused by the democratization of the economy such as the dismantling of “zaibatsu” conglomerates. Meanwhile, the Securities Exchange Law was also amended in 1948 based on U.S. laws, followed by the establishment in the same year of the Certified Public Accountants Law to ensure the reliability of financial statements for securities markets. Furthermore, “Auditing Standards” were published in 1950 by the Business Accounting Council with the aim of initiating full-fledged auditing by certified public accountants, which, in its preamble, provided for the concept of internal control for the first time in Japan.

The Auditing Standards used the term “Internal Control Organization”, consisting of the “Internal Check Organization” and the “Internal Audit Organization” with the former charged with the duty to detect and prevent frauds in the provision. The Standards also prescribed that large-sized corporations should ensure the reliability of accounting records by the assistance from an internal auditing organization. Furthermore, it was also stipulated that the designing of the internal control organization is an obligation of management as a prerequisite before accepting external audit.

1970s onward (Expansion of the concept)

A report titled the “Study of Internal Control Organizations in Auditing Financial Statements”, issued by Japan Accounting Association in 1970, classified internal controls into three categories: “asset management” to safeguard assets and “accounting management” to guarantee the accuracy and reliability of accounting records along with “operation management” to enhance rational management and operational efficiencies. These contents are similar to the special report published by the American Institute of Certified Public Accountants in 1949, in a new move to build in the perspective of corporate management in addition to the stated objective of ensuring the accuracy in financial reporting.

1990s onward (Application of COSO framework)

The Japanese Institute of Certified Public Accountants issued a report titled “Internal Control” in 1994 to provide operational guidelines for internal controls stipulated in the Reform Act of Auditing Standards of 1991. This report cited four objectives of internal controls: “appropriate preparation of financial statements”, “compliance with laws and regulations”, “safeguarding of company assets” and “efficient execution of business operations” in an effort to emulate the basic principles of the COSO framework mentioned earlier.

2000 onward (Internal control becomes law)

A series of corporate scandals from 2000 onward accelerated enactment of internal control.
The September 2000 verdict made on the class action lawsuit of Daiwa Bank shareholders marked the first instance in Japan of a corporate director being held accountable for the fiduciary obligation of establishing risk management system, namely, internal control system. This prompted a realization that directors are obliged under the Commercial Law to design internal control. Consequently, the establishment of the system to ensure compliance with laws and appropriateness of operations (internal control system) was explicitly required of the companies adopting a committee-style corporate governance system in the reform act of May 2002, and then of large corporations under the Companies Act introduced in May 2006.

Furthermore, 2004 witnessed numerous cases of false financial reports by listed companies, resulting in an argument to design internal control urgently to ensure the reliability of financial reporting. As a result, the system of reporting internal controls was introduced under the Financial Instruments and Exchange Law enacted in June 2006. Generally called “J-SOX”, the new law requires corporations to submit the management assessment of the effectiveness of internal control over financial reporting as an internal control report. It also stipulates a mandatory audit by certified public accountant or auditing company. J-SOX was formulated in consideration of events that occurred after U.S. SOX Act came into law (see “U.S. SOX Act and J-SOX” below).

U.S. SOX Act and J-SOX

As mentioned earlier, U.S. SOX Act was enacted in 2002, followed by J-SOX (Financial Instruments and Exchange Law) which was formulated in 2006 in Japan. During the process of devising J-SOX, the events that occurred in the U.S. after the SOX introduction were taken into consideration, which has resulted in a number of differences between the two laws. Those differences can be summarized in the following two points.

1. Application and alteration of COSO framework

U.S. SOX Act requires management to identify the framework to be used to assess the effectiveness of internal controls, thus making the COSO framework highlighted earlier the de facto standard in the U.S. The “Practice Standards for Management Assessment and Audit concerning Internal Control over Financial Reporting” of J-SOX (hereafter referred to as the “Practice Standards”) were formulated based on the COSO framework from the beginning, but the following alterations were made in its application.

(1) “Safeguarding of assets” added to the objectives
“Safeguarding of assets” is added as an objective in addition to the three existing objectives of the COSO framework. The COSO framework was understood to incorporate “safeguarding of assets” implicitly within two objectives, i.e. “effectiveness and efficiency of business” and “reliability of financial reporting”, whereas in J-SOX it is expressly stipulated as an independent objective, reflecting its importance.

(2) “Response to IT” added to the basic components
In light of the dramatic changes in the IT environment since the days when the COSO framework was first published, “Response to IT” is added to the basic components.

(3) “Risk Assessment” changed into “Risk Assessment and Response”
In formulating the COSO framework, it was believed that responses after the implementation of “Risk Assessment” are a matter to be considered by management on an individual basis, and thus need not be set forth in the rigid framework. J-SOX, however, prescribes “Risk Assessment and Response” on the understanding that the scope of internal control should include the responses being made after risk assessments.

Figure 2 COSO framework and J-SOX
(The figure sets the COSO framework beside the basic framework of internal control under J-SOX. COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. J-SOX components: Control Environment, Risk Assessment and Response, Control Activities, Information and Communication, Monitoring, Response to IT. Annotations: (1) “Safeguarding of assets” added to the objectives; (2) “Response to IT” added to the basic components; (3) “Risk assessments” changed into “Risk Assessment and Response”.)

2. Consideration of the Cost Burden

In the case of U.S. SOX Act, the Auditing Standard 2 (AS2, hereafter) published in March 2004 imposed an extremely heavy burden on U.S. companies, financially pressuring them in the process of making themselves compliant with the new rules. At the roundtable in May 2006 attended by specialists, various issues of SOX were highlighted with participants voicing concerns citing “excessive costs”, “a disproportionate burden on smaller companies” and “declining U.S. exchange listings”, among others.

Following these developments, J-SOX makes an effort to ensure that cost burdens will not be excessive. The following points are set forth in the preamble to the Practice Standards in consideration of cost burdens.
(1) Using top-down/risk-based approach
(2) Classifications of deficiencies of internal control
(3) Not adopting direct reporting
(4) Integration of internal control audit with financial statement audit
(5) Preparation of internal control audit report and financial statement audit report in a unified form
(6) Coordination of external auditors and corporate auditor (or audit committee) / internal auditors

The U.S. AS2 was drastically revised into the new standard, AS5, in 2007. As a result of this revision, the audit scope has been reduced and focused on the area directly related to the audit of financial statements.

1-2 Ideal of Internal Control

In light of the history of internal control described earlier, “internal control” was originally an accounting term, but the definition kept on broadening in step with the growth of the economy and enterprises. It currently represents a structure to prevent and detect frauds and errors, in a narrow interpretation, and a system and procedure of management to achieve the objectives of corporate management, in a broader definition.

When looking at a company as an organization, internal control can be rephrased as an “appropriate role sharing and a realization of coordinating process to sustain it in a continuous manner”.

Although companies are required to seek a profit in order to survive, it is not an end in itself. The significance of companies continuing to exist is “to determine management goals in light of contribution to the society and to execute necessary duties collectively to achieve management goals”. Therefore, it is desirable that the employees at least equally share the purposes within the company. In executing operations in a company, a versatile star performer doing all the tasks could be the most effective and efficient approach, but an organization demands that duties be executed in an appropriate role sharing (division of labor). Consequently, it is necessary to confirm constantly that shared duties, or assigned tasks, are practiced in accordance with the intention of the management, namely, management goals, while adjusting tasks where necessary. In other words, the internal controls within an organization are essentially an “unceasing process of division of labor and adjustment of tasks”, and the execution of this process enables the alignment with management goals and the prevention of frauds, in the broader and narrower sense respectively (Figure 3).

The above analysis shows that internal control is a concept which is indispensable to corporate management.

Figure 3 Internal controls for an organization
(Diagram labels: Vision; Management objectives; CHECK; Objectives of organization; Research and development, Procurement, Production, Accounting, Sales; Corporate management system/procedure.)

1-3 Internal Control as Viewed by Companies

Figure 4 illustrates a selection of keywords for “internal control” as seen by the respondent companies for the latest survey. Two axes were used for classification: the horizontal axis runs from management to operations, and the vertical axis runs from idea/concept to structure/methodology/tools. All the responses from the responding entities were then classified into four quadrants. Sizes of keywords were adjusted to reflect the number of respondents, meaning that the larger the keyword, the more companies gave that keyword in response.

One general tendency here is that companies view “internal control” as an indispensable concept for a corporation, showing that there exists no meaningful gap between the ideal of internal control and the interpretation by each company. Of the four quadrants, the largest number of responses was seen for the one on the upper left, “management with idea/concept”, indicating that internal controls are interpreted to constitute management itself.
Furthermore, many respondents recognize it as an abstract concept such as an idea and concept, rather than as a specific structure or methodology. Of these, the largest number of responses cited “prerequisite/indispensable/a basis of company development/a necessary element of a going concern”, obviously taking internal controls as a foundation of corporate management without which continuation would be endangered. It is interesting to note that internal control is regarded as an issue of the mind, judging from the many replies citing “management stance/awareness change”, whereas internal controls tend to be interpreted simply as a process with a set of specifics such as mutual checks.

Other quadrants show responses such as a “visualization of operations”, “operational efficiencies”, “structure to enhance corporate value/tool for corporate growth” in large numbers. While “visualization of operations” seems to be a relatively orthodox interpretation, it is fascinating to see internal controls are thought to constitute “operational efficiency”, not a factor adding operational inefficiencies as generally perceived by companies. This response seems to indicate that corporations intend to proactively use the implementation of internal controls as an opportunity to “achieve operational efficiencies”, rather than passively expecting internal controls to “bring about efficiencies”.

Most of the respondent corporations believe in internal control, appreciating its inherent virtues, with the exception of a few companies identifying what they see as negative elements (those in the gray zone on Figure 4), but these responses alone do not provide a sufficient ground for judging whether internal control itself or J-SOX has vices in nature.
Meanwhile, although there seem to be no major differences in what companies associate with “internal control”, it is interesting to note that companies tend to express it in a wide range of terms, indicating how difficult it is to grasp the concept of internal control in the absence of enough specifics.

While these four responses belong to the area of idea/concept (higher left), a “tool for enhancing corporate value/tool for corporate growth” stands out as the only response that can be classified into structure/methodology/tools (lower left) among five items with many responses, seemingly representing an idea which is equivalent to a “prerequisite/indispensable/a basis of company development”, rather than seeing them as specific tools.

Figure 4 Internal Controls as Viewed by Companies
(Keyword map with a horizontal axis from Management to Operations and a vertical axis from Idea/concept to Structure/Method/Tool. Note: Size of key words indicates the number of respondent corporations.)

1-4 Summary

The analysis so far shows that “internal control”, despite the ambiguity of its concept, seems to have gained a general recognition as an ideal that is indispensable for management of an organization. So instituting it as law, in itself, does not pose any obstacle to companies. However, if a corporation makes a wrong interpretation of what is required by law in actual implementation, it could end up with a heavy workload, outstripping the benefits from internal control.

It is obvious from the cases of the U.S. SOX Act that, apart from the law’s provisions, most of the tasks conducted by the target corporations consisted of a set of designs of process-level controls. They included specifics such as introducing the necessary check function for each process before prescribing it in a document. These actions are considered to be equivalent to the scheme of operations (the quadrant on the lower right) in Figure 4 highlighted earlier, pointing to a major deviation from what companies regard as internal controls. This makes one wonder if these are equivalent to the actions forced by law.

In the Practice Standards, J-SOX breaks down the structure of internal control into three categories: company-level internal controls, internal controls over financial closing and reporting process, and process-level controls other than those over the financial closing and reporting process (namely, process-level controls). One point to note is its basic policy to adopt a top-down approach, giving the impression that the burden for actual implementation is smaller in comparison to U.S. SOX Act.

The difference between the two regimes can be best explained by saying that U.S. SOX Act is focused on “control activities” whereas J-SOX appears to be weighted more on “control environment”. The latter, nevertheless, is still in its early phase of implementation, making it hard to say anything with conviction now.

Bearing the above summary in mind, the following chapter will highlight the results from the survey with regard to the stance of companies toward J-SOX and how they handle it, followed by the next chapter extracting the key phenomenon from the observation of how they are responding and behaving in implementation. That will lay the groundwork for us to propose actions for the future.

Chapter Two Current Status

2-1 Overview of the Survey

How are corporations handling J-SOX in its inaugural year? ABeam Consulting has conducted this survey with the objective of identifying the basic policies of companies, their approach and their structure, among others, in order to clarify the issues and put forward our views on the future. Following is an overview of this research.
[Companies surveyed] All companies listed on Tokyo Stock Exchange 1st Section, 2nd Section, Osaka Stock Exchange 1st Section, 2nd Section, companies registered on Mothers and JASDAQ with employees of not less than 300, totaling 2,800 companies
[Method] Sent out questionnaires to directors and department heads who are responsible for “J-SOX”, “internal control”, “accounting” and “finance”
[Effective responses] 302 companies (11% of the targeted companies)
[Period] March through May 2008

Figure 5 Respondent corporations by industry
Manufacturing: 42.7%
Trade: 17%
Financials/Insurance: 11%
Transport/Information and Communication: 9%
Services: 9%
Construction: 5%
Real estate: 3%
Electricity/Gas: 1%
Fishery/Forestry: 1%
Mining: 0.3%
Unknown: 1%

Figure 6 Consolidated sales of respondent corporations
Less than 25 billion yen: 18%
25 billion yen - Less than 50 billion yen: 14%
50 billion yen - Less than 100 billion yen: 15%
100 billion yen - Less than 200 billion yen: 14%
200 billion yen - Less than 500 billion yen: 18%
500 billion yen - Less than 1 trillion yen: 8%
Not less than 1 trillion yen: 12%
Unknown: 1%

[Survey Items] Target areas of J-SOX can be broken down into three categories: 1) company-level controls, 2) controls over financial closing and reporting process, 3) process-level controls other than those over the financial and reporting process (hereafter referred to as process-level controls). To clarify how companies handle J-SOX, this research has established four pillars to categorize the survey items, reflecting the Practice Standards (Figure 7):
I. Company-level controls and controls over financial closing and reporting process (policy, status, method, challenges, etc.);
II. Process-level controls (policy, status, method, challenges, etc.);
III. Assessment system (costs, use of external resources such as auditors and consultants, internal handling, etc.);
IV. Matters common to all control areas (current status of design and operation, and tools being employed, etc.).
Figure 7 Practice Standards and survey items

[Practice Standards (reference)]
Assessment of company-level controls
Assessment of process-level controls over financial closing and reporting
Assessment of process-level controls other than those over the financial and reporting process
● Selection of significant business units
● Identification of business processes to be assessed
1. Significant processes which impact the accounts that are closely associated with the company’s objectives
2. Individually significant processes that relate to businesses dealing with high-risk transactions and others
3. Adjustment based on assessment results of company-level controls
● Assessment of business processes included in the scope of assessment
1. Identify and organize the overview of business processes included in the scope of assessment
2. Identify risks in business processes and controls to reduce such risks
3. Assess the design status of internal control
4. Assess the operation status of internal control
● Reporting of internal control

[Survey Items]
I. Company-level controls, controls over financial closing and reporting process
1. Selection policy on scope of assessment
2. Current status of assessment
3. Method of assessment
4. Challenges identified in design and establishment
II. Process-level controls other than those over the financial and reporting process
5. Selection policy on scope of assessment
6. Current status of assessment
7. Method of assessment
8. Challenges identified in design and establishment
III. Assessment system
9. Main division of establishment
10. System of separate assessment
11. Costs for implementing internal controls
12. Role of external consulting firms
13. Status of communication with external auditors
14. Implementation of internal controls at overseas business units
15. Internal efforts for company-level penetration
16. Challenges relating to the system
IV. Common
17. Status of the use of internal control support tools
18. Status of dry run audit
19. Current status of design and operation
20. General challenges
21. Management challenges being tackled or identified in connection with internal control
22. How does your company define “internal control”?

In the sections from 2-2 onward, we will elaborate on the results of the survey which yielded particularly distinct tendencies with regard to design and establishment, assessments and challenges (Figure 8), in this order. Respondents were divided into groups based on overall tendencies and on attributes of corporation (see the “Method of classifying into groups” below) to analyze overall tendencies and tendencies within each group, respectively.

With regard to tendencies in design and establishment of internal control, five items will be discussed: 1) status of progress, 2) policy on design and establishment, 3) approach to penetrate internal control within an organization, 4) scope of internal control at overseas business units, 5) status of occurrence of deficiencies. As for tendencies in assessments, three items will be discussed: 1) whether or not separate assessments are being implemented, 2) department to which an independent assessor belongs, 3) the number of key controls (*Note 1) covered by each independent assessor. Regarding the challenges, three items will be discussed: 1) challenges relating to design and establishment, 2) challenges relating to the system, 3) challenges in handling overseas business units. Furthermore, for reference, results of the survey are in the “Appendix” shown at the end of this report.

Figure 8 Summary of survey items and tendencies
(The figure lists the survey items I to IV alongside the summary of distinct tendencies covered by this report in sections 2-2 Tendencies in design and establishment, 2-3 Tendencies in assessments and 2-4 Challenges.)
Note 1: Key control: “Summary in controls” as prescribed in the Practice Standards

[Method of classifying into groups]
A corporation’s “scale” and “complexity” have a bearing on tendencies in design and establishment, assessments and challenges.
To be more specific, differences would emerge in the policy on responses, the approach, the method of establishing a system and the degree of a burden in dealing with J-SOX, among others. Let us take the example of how the scale and complexity of a corporation have a bearing on the degree of a burden in dealing with J-SOX requirements. The scale of a company impacts on the number of business units, employees and business processes, meaning that the larger an organization is, the more locations and subsidiaries it tends to have as the target of internal controls, and this holds true, for example, for the number of employees to be subjected to the training in voucher inputting. Furthermore, subsidiaries are bound to have processes unique to them, further adding to the total number of processes. Complexity of a corporation has two components, complexity of the business and the status of overseas operations. As an organization’s business segments become more diverse, the number of business processes and key controls should also increase, reflecting a wide range of different business processes for each segment. Likewise, a company which has overseas operations must be equipped with business processes to adjust to local business customs as well as laws and regulations at respective locations, which is another factor for a larger number of overall processes. Physical demands would also increase as businesses need to provide services in multiple languages and to establish the system locally, among others. In this way, a burden from implementing steps to cope with J-SOX requirements can vary, depending on the “scale” and “complexity”. The burden should also vary on other factors such as the policy on responses, the handling, and the method of establishing a system. As a result of the above observation, this research has broken down respondent corporations into three groups based on their “scale” and “complexity” in order to examine their tendencies (Figure 9). 
Figure 9 Groups of respondent corporations
[Chart: scale (small to large) plotted against complexity (low to high). Scale threshold: consolidated sales not less than 100 billion yen. Complexity threshold: proportion of main business segments not more than 67% of overall sales, or sales at overseas business units not less than 33% of overall sales. G1: 83 corporations; G2: 60 corporations; G3: 156 corporations (*Note 3).]
As benchmarks, consolidated sales were employed for the scale of corporations and the complexity was measured by the proportion of main business segments and sales at overseas business units as a percentage of overall sales.

(1) Determination of scale
Corporations were first divided into two groups with the first one generating annual consolidated sales of not less than 100 billion yen and the second one with annual sales of less than 100 billion yen, and the latter was categorized as a “small-scale group” (hereafter referred to as G3).

(2) Determination of complexity
Among those corporations with consolidated annual sales of not less than 100 billion yen, those having multiple businesses or operations at overseas business units with a scale above a given level were categorized as a “large-scale group with a high degree of complexity” (hereafter referred to as G2) and the remainder was categorized as a “large-scale group with a low degree of complexity” (likewise referred to as G1).

(2-1) Complexity of business operations
Specifically, the “proportion of a business segment generating the largest consolidated sales in the corporation’s overall consolidated sales” (percentage of sales from the main business segment, hereafter), based on the “segment information by type of businesses” in Annual Securities Reports (*Note 2), was first calculated. Then, corporations with that percentage at not more than 67% were defined as those with a high complexity and were categorized into G2. The level of 67% was based on the example from the Practice Standards stipulating that if company-level internal controls are assessed effective, significant business units may be selected within the scope of assessment for process-level controls in descending order of sales until their combined amounts reach approximately two thirds on a consolidated basis.

(2-2) Complexity depending on existence of overseas business units
The “geographic segment information” in Annual Securities Reports was used to obtain the percentage of total “sales to external customers” in areas other than Japan in the consolidated “sales to external customers” (hereafter referred to as the percentage of sales at overseas business units), and when the level is in excess of 33%, the target company was identified as having high complexity and was categorized as G2. When the level is not more than 33%, the target company was identified as having low complexity because all the overseas business units can be regarded as falling outside the scope of an assessment as per the example provided at the end of the preceding paragraph, (2-1).

Consequently, the following categorization was made:
G1 “Large-scale, low-complexity group” totaling 83 corporations
G2 “Large-scale, high-complexity group” totaling 60 corporations
G3 “Small-scale group” totaling 156 corporations (*Note 3)

Note 2: Annual Securities Reports used for reference were those valid as at the end of July 2007
Note 3: Of the total respondents of 302, 3 companies were not categorized due to their anonymity

2-2 Tendencies in Design and Establishment
The following section covers the status of progress, policy on design and establishment, approach to penetrate within an organization, the handling of overseas business units and the status of occurrence of deficiencies, in this order. As for the status of progress, policy on design and establishment and the status of occurrence of deficiencies, questions were asked on company-level controls, controls over financial closing and reporting process, and process-level controls.
(1) Status of progress
When asked about the current status of policies and manuals, etc. relating to company-level controls (Figure 10), only 24% of respondents replied that “policies and manuals have been already updated and an operation is being undertaken” while 51% said they are “currently in the process of updating policies and manuals”. Furthermore, when asked about the clarification of risk controls in connection with process-level controls (Figure 11), only 20% replied they have already made operating improvements necessary for controls, and an operation is being undertaken. 73% and 76% of respondents have not yet completed document update and operating improvements necessary for controls, respectively for company-level controls and process-level controls. This reveals that a large number of corporations were still in the process of designing and establishing internal control even after the start of the inaugural year when the survey was conducted.

Looking at the company-level controls by group, G3 was lagging behind the most, with 28% of companies still not reaching the stage for update work, saying that they “have not taken inventory of policies and manuals, etc. that need to be created or revised”, or they “have taken inventory, but have not started update yet”. The percentage of respondents giving these replies stood at 19% for G1 and 8% for G2, respectively, pointing to discrepancies among groups. As for process-level controls, G1 and G2 are relatively advanced, with G3 lagging the most, as in company-level controls. A total of 44% of G3 said either that they “have not completed clarification of risk controls” or that they “have completed clarification of risk controls, but have not started operating improvements necessary for controls”. When compared with 27% of G1 and 25% of G2, the discrepancy is as much as 17 to 19 percentage points, respectively.

Furthermore, the status of communication with auditors (Figure 12) shows that G2 is communicating well on all items while G3 is not exchanging opinions actively with auditors on operation test and benchmarks, indicating G3 has not reached that stage yet. This provides another reason to believe that G3 is lagging behind in its response to J-SOX requirements. Based on these observations, G3 has proven to be lagging behind the most in comparison to G1 and G2.

Figure 10 Status of policies and manuals concerning company-level controls (Question 2)
Series: Overall, G1, G2, G3.
Legend: Have not taken inventory of policies and manuals, etc. that need to be created or revised; Have taken inventory of policies and manuals, etc. that need to be created or revised, but have not started update yet; Have taken inventory of policies and manuals, etc. that need to be created or revised, and have started update; Policies and manuals, etc. have been already updated and an operation is being undertaken; Others; No replies.

Figure 11 Status of clarification of risk controls concerning process-level controls (Question 6)
Series: Overall, G1, G2, G3.
Legend: Have not completed clarification of risk controls; Have completed clarification of risk controls, but have not started operation improvements necessary for controls; Have completed clarification of risk controls, and started operation improvements necessary for controls; Completed operation improvements necessary for controls, and started operation; Others; No replies.

(2) Policy on design and establishment
With respect to the components (Figure 13) for assessment items for company-level controls, 79% of corporations replied that “questions were created in accordance with 42 assessment items shown in the Practice Standards”, a sign that there is a high degree of adherence to the Practice Standards.
This reply was made by 85% of G3, showing that these respondents relied on the Practice Standards as the basis of their decision making. Meanwhile, the “Others” category contained 11 cases (4% of the total) where tools provided by auditing firms were used.

Regarding the process-level controls, one question posed in the survey was whether or not respondents narrowed down the processes of assessment scope based on accounts (Figure 14). As many as 82% of companies are shown to have done so by using the 3 accounts prescribed in the Practice Standards (sales, accounts receivable, inventories) or by adding other significant accounts, indicating that the Practice Standards have played a major part in their response.

Figure 12 Status of communication with auditors so far (Question 13)
Series: Overall, G1, G2, G3.
Legend: Obtained information from auditors on policy for determining assessment scope, documentation and assessment; Exchanged opinions about design policy for initiating the design of internal controls; Exchanged opinions about scope and the appropriateness of documentation; Exchanged opinions about assessment standards for design and operation of internal control; Exchanged opinions about policy on operation test in implementing operation test for internal control; Others.

Figure 13 Components of assessment items for company-level controls (Question 3-1)
Series: Overall, G1, G2, G3.
Legend: Questions were created in accordance with 42 assessment items prescribed in the Practice Standards; Questions were created by using company’s own assessment items; Others; No replies.

Figure 14 Whether or not processes for assessment targets were narrowed down based on accounts (Question 5-1)
Series: Overall, G1, G2, G3.
Legend: Targeted only the processes relating to the 3 accounts (sales, accounts receivable, inventories or other accounts of equal significance); Added other significant accounts to the 3 accounts (sales, accounts receivable, inventories or other accounts of equal significance); Selected all the major accounts; Others; No replies.

The above examination shows that about 80% of corporations are adhering to the Practice Standards faithfully in the process of narrowing down components of assessment items and objective processes.

The responses to the question on how to judge the effectiveness of company-level controls (Figure 15) were more diversified: “the unit of 42 assessment items in the Practice Standards” was adopted by 36%, followed by “the unit of specific questions” (27%), “the unit of 6 basic components” (15%), and “all questions as a whole” (15%), probably due to the absence of a clear guideline in the Practice Standards. Comparing the responses by group on how to judge the effectiveness of company-level controls, many in G1 and G2 replied “the individual questions” while many in G3 replied “the 42 assessment items in the Practice Standards”.

Figure 15 Measures to judge the effectiveness of company-level controls (Question 3-3)
Series: Overall, G1, G2, G3.
Legend: Judge if controls are effective by individual questions; Judge if controls are effective by 42 assessment items in the Practice Standards; Judge if controls are effective by 6 basic components (*Note 4) in the Practice Standards; Judge if controls are effective as a whole by overall questions; Others; No replies.

Note 4: Six basic components: Referring to the following 6 components prescribed in the Practice Standards of FSA as constituting basic elements of the framework of internal control: control environment, risk assessment and response, control activities, information and communication, monitoring, response to IT

Regarding the method of assessing the controls over financial closing and reporting process (Figure 16), the predominant reply was that they “implemented it by sending out questionnaires to all target companies as in company-level controls” (29%), but the overall replies were diversified again probably due to the lack of a clear guideline in the Practice Standards.

Figure 16 Method of implementing assessments of controls over financial closing and reporting process (Question 3-5)
Series: Overall, G1, G2, G3.
Legend: Implemented by using questionnaires, etc. (incl. check lists) for all target companies as in company-level controls; Implemented by using RCM, etc. (*Note 5) for all target companies as in process-level controls; Implemented by using either questionnaires (incl. check lists) or RCM depending on target companies; Implemented by using both questionnaires (incl. check lists) and RCM format for all target companies; Implemented by using questionnaires (incl. check lists) for all target companies with additional use of RCM format for some companies; Others; No replies.

Note 5: RCM stands for “Risk Control Matrix”

As above, the responses are diversified for cases where defined benchmarks of the measure to judge effectiveness of company-level controls and assessment method of controls over financial closing and reporting process are not clearly indicated in the Practice Standards, showing signs that companies are seeking optimal internal control for their own organizations.

(3) Approach to penetrate within an organization
With regard to the question on “Approach to penetrate internal control within an organization, or approach to be made for that purpose” (Figure 17), the predominant reply was that they have “appointed a responsible official of internal controls (process owner)”, accounting for 46% of the respondents. All other replies, however, were below 40%, and 70% of corporations ticked only one or two items although that information is not shown in the figure. Items on Figure 17 are effective steps to make internal controls function well and to maintain that state, so they should be handled proactively. Most companies, however, appear not to be making enough of an effort to penetrate internal control within an organization.

Looking at responses from each group, G1 shows slightly high figures with 54% and 41% respectively for “having appointed a responsible official of internal control (process owner)” and “have prescribed duties for internal controls as rules, etc. in documents as part of existing organization’s operations”. As for G2, 35% replied that they have “established an organization to promote internal control separately from a project team”, showing that G2 is slightly more in favor of this step compared with other groups. Meanwhile, fewer respondents in G3 have either “appointed a responsible official of internal control (process owner)” or have “prescribed duties for internal control as rules, etc. in documents”, indicating that, although by a small margin, large-scale corporations tend to be making more efforts to penetrate within an organization.
Figure 17 Approach to penetrate within an organization (Question 15)
Series: Overall, G1, G2, G3.
Reply options: Appointed a responsible official of internal control (process owner); Holding regular training sessions; Management proactively involved; Prescribed duties for internal control as rules, etc. in documents as part of existing organization’s operations; Established an organization to promote internal control separately from a project team; Consideration of personnel evaluation regarding establishment and maintenance of internal control; Others.

(4) Scope of internal controls at overseas business units
When asked about the correspondence of internal controls at overseas business units (Figure 18), 51% of respondents were found to have overseas business units to be within the scope of internal control. This was not limited to process-level controls, but was inclusive of company-level controls as well. Seen by group, an overwhelming 90% of G2 acknowledged this in comparison to 49% of G1 and 37% of G3, respectively. Among all the respondent corporations, criteria for categorizing into G2 were: firstly, those with annual consolidated sales of not less than 100 billion yen; secondly, proportion of main business segments account for not more than 67% of total sales, or contribution of sales from overseas business units not less than 33% of the total. Therefore, G2 represents companies which are likely to assess process-level controls as well as company-level controls also at overseas business units.

Figure 18 Whether or not there are overseas business units to be within the assessment scope of internal controls
Series: Overall, G1, G2, G3.
Legend: Yes; No.

Geographical areas to be within the scope of internal controls (Figure 19) are predominantly Asia, accounting for about 80% of the total for any group. North America and Europe also stand out, but they are far less than Asia in the case of G1 and G3. Of note is that G2 has a larger number of overseas locations compared with G1 and G3. Not only are their sales sizable, but their network of overseas units is also extended to various countries, indicating that corporations in G2 have a significant amount of workloads in performing duties relating to overseas units.

Figure 19 Geographical areas to be within the assessment scope of internal controls (Multiple replies allowed. Population Parameter: corporations which have overseas business units) (Question 14-1)
Series: Overall, G1, G2, G3.
Areas: Asia; North America; Europe; Oceania; South America; Middle East; Africa; Others.

(5) Status of occurrence of deficiencies
A question was asked on the current status of design and operation of internal controls (Figure 20-22) with regard to company-level controls, controls over financial closing and reporting process, and process-level controls, respectively. 38% of the respondents said that “internal controls are being implemented well” for company-level controls. The same reply was made by 28% for controls over financial closing and reporting process compared with 20% for process-level controls. Furthermore, of those who chose “Others”, many admitted not to have reached the stage for determining the validity, saying they “have not yet started” or “have not completed design and operation improvement.” Overall, not many respondents replied that “internal controls are being implemented well”, indicating more deficiencies may be detected going forward. Therefore, it may take considerable time before they design and operate all internal controls “well”.
In the earlier query on the status of progress, more than 70% of corporations said they have not completed the update of documents and the operating improvements necessary for controls, showing that many companies have yet to finalize the whole process of establishment. Furthermore, there seems to be a large number of companies which are still in the process of design and establishment of internal control as the need to remediate deficiencies gives rise to new requirements to design and establish controls.

Comparing responses by area, company-level controls are the most advanced, followed by process controls over financial closing and reporting with process-level controls coming last. This tendency is common to all groups, but G2 has the smallest number of replies confirming in every area that “controls are being implemented well”. This reply accounted for only 10% with regard to process-level controls. This group’s high degree of complexity appears to pose difficulty for ensuring good implementation of internal controls. Likewise, after the start of the fully-fledged assessment phase, G2 is the group which is most likely to face new detections of deficiencies because of its complexity.
Figure 20-22 Current status of design and operation (Question 19)
Panels: (1) Company-level controls; (2) Process controls over financial closing and reporting; (3) Process-level controls. Series: Overall, G1, G2, G3.
Legend: Internal controls are being implemented well; Detecting some deficiencies although need examination to determine if they are material weakness; Have already detected material weakness in internal controls; Others; No replies.

2-3 Tendencies in assessments
As for assessments, we will elaborate on whether or not separate assessments are being implemented, the division to which an independent assessor belongs and the number of key controls covered by each independent assessor.
(1) Whether or not separate assessments are being implemented
When asked whether or not separate assessments (assessments by members with no direct interest in the organization in the scope of assessments) are being implemented for company-level controls (Figure 23), 84% of corporations surveyed said they implement separate assessments in one form or another. Their replies consisted of the following: “Separate assessments are being implemented on all self-assessment results”; “Separate assessments are being implemented on part of self-inspection results”; “Only separate assessments are being implemented without self-assessment”. With regard to process-level controls as well (Figure 24), 85% of corporations replied that they implement separate assessments, meaning that more than 80% of companies have the policy to implement separate assessments to check the status of internal controls in a vigorous manner from a perspective other than that of the targeted division.

Looking at G3 among different groups, 15% are doing “only self-inspections” for company-level controls. As for process-level controls, a total of 11% replied that they are either doing “only self-inspections” or “self-inspections based on mutual check”, showing a slightly higher proportion of self-inspections only for this group in comparison to others. In contrast, G2 has a lower proportion of the same reply. This is not a big difference, but it indicates that a higher proportion of small-scale corporations tend to rely only on self-inspections, rather than implementing separate assessments.

Figure 23 Whether or not separate assessments are being implemented for company-level internal controls (Question 3-4)
Series: Overall, G1, G2, G3.
Legend: No separate assessment was conducted and only self-inspections (assessments by control division or the party of the division to be controlled) were carried out; Separate assessments conducted on all the results of the self-inspection; Separate assessments conducted on part of the results of self-inspection; Only separate assessments conducted without any self-inspections; Others; No replies.

Figure 24 Whether or not separate assessments are being implemented for process-level controls (Question 7-2)
Series: Overall, G1, G2, G3.
Legend: Only self-inspections conducted by the division conducting operations; Self-inspections conducted by mutual check of separate organizations within the division conducting operations; Separate assessments conducted on all self-inspection results; Separate assessments conducted on part of self-inspection results; Only separate assessments conducted without any self-inspections; Others; No replies.

(2) Division to which an independent assessor belongs
Regarding the division to which an independent assessor belongs (Figure 25), “internal audit division” was the reply from 88% of respondents. Assessments are probably regarded as an extension of auditor’s conventional duties for the majority of companies, resulting in internal audit division taking on a major role in implementing separate assessments.

Replies from each group also show 80-90% of respondents singling out internal audit division. As for other divisions mentioned, accounting and finance are trailing internal audit, followed by information system, corporate management, probably reflecting the fact those charged with the designing and establishing of internal control remain involved in assessments even at this stage.

Figure 25 Division to which an independent assessor belongs (Multiple replies allowed) (Question 10-2)
Series: Overall, G1, G2, G3.
Divisions: Internal audit division; Accounting and finance division; Information system division; Corporate planning division; General affairs division; Legal, compliance division; Others.

(3) Number of key controls covered by each independent assessor
Replies on the “number of processes in the scope of assessments which have been prescribed in documents”, “average number of key controls for each unit of process” and “anticipated number of independent assessors” were employed to calculate the “number of key controls covered by an independent assessor”, the “average number of business processes in the scope of assessments per company” and the “average number of independent assessors per company” (*Note 6).

The number of key controls covered by an independent assessor (Figure 26) reveals the fact that each assessor has to assess as many as 95 key controls. Most of them are experiencing assessment of internal controls for the first time, so a heavy work load is a cause of concern.

When we compare G1 and G2 regarding the number of business processes in the scope of assessments per company (Figure 27), G2 shows the number which is more than 3 times larger than G1, clearly showing that G2 is heavily burdened with their efforts to cope with J-SOX.

On the other hand, the average number of independent assessors per company for G2 (Figure 28) stood at only 40% higher than that of G1, representing a much smaller gap in comparison to the number of business processes. As a result, the number of key controls covered by an independent assessor for G2 (Figure 26) was 170, which is 3 times that of G1 and 2.4 times that of G3, meaning that the work load for the independent assessor of G2 is far greater than that of other groups.

Conversely, G1 is allocating relatively larger human resources to separate assessments in comparison to G2 and G3.

Figure 26 Number of key controls covered by each independent assessor
Overall: 95; G1: 59; G2: 170 (about 3 times G1, 2.4 times G3); G3: 72

Figure 27 Number of business processes in the scope of assessments per company
Overall: 116; G1: 101; G2: 334 (more than 3 times G1); G3: 50

Figure 28 Number of independent assessors per company
Overall: 6.7; G1: 9.1; G2: 12.4 (1.4 times G1); G3: 3.7

Note 6: Calculation of the number of key controls per independent assessor
(values given as Overall / G1 / G2 / G3)
A Average number of business processes per company: 116 / 101 / 334 / 50
B Average number of key controls per unit of process: 5.5 / 5.3 / 6.3 / 5.3
C (A×B) Average number of total key controls per company: 638 / 535 / 2104 / 265
D Average number of independent assessors per company: 6.7 / 9.1 / 12.4 / 3.7
E (C÷D) Number of key controls covered by an independent assessor: 95 / 59 / 170 / 72

Reference: According to the “FEI Survey on Sarbanes-Oxley Section 404 Implementation” (May 2007, with valid respondents totaling 172 companies with average annual sales of $68 million), time spent by employees on the handling of the law in fiscal 2006 stood at 18,070 hours. If this is divided by the scheduled annual working hours in Japan of 1,680, that would represent an equivalent of 10.7 employees being engaged in the relevant duties on a full time basis. However, the U.S. was still in the third year of the law’s implementation, and duties may have involved design and establishment, among others, not just assessments.

2-4 Challenges
This survey asked questions regarding challenges in design and establishment of company-level controls / process controls over financial closing and reporting, and process-level controls along with challenges in the system and in the handling of overseas operations. We will elaborate on these issues in this order.
(1) Challenges in design and establishment

Looking at challenges identified in design and establishment of company-level controls / process controls over financial closing and reporting, and process-level controls (Figure 28 and 29), the predominant reply was that “procedure for assessment is not clearly defined”, representing 42% and 38%, in Figure 28 and Figure 29, respectively. We are already well into the inaugural year with the assessment stage around the corner, but many corporations do not appear to be ready for that stage yet.

In examining other items by group, G1 suffers less from challenges such as “shortage of necessary resources” (17% for company-level controls, 22% for process-level controls) and “the unit for assessing the effectiveness not clearly defined” (20% for company-level controls, 27% for process-level controls) in comparison to other groups, indicating it is relatively advanced. Furthermore, those saying that the “scope of design and establishment of the process-level controls is expanding more than anticipated” account for only 7% of the group against 23% for G2. Probably in tandem with that, G2 shows more replies on “shortage of resources” (37%) in design and establishment of business processes compared with other groups. Meanwhile, many respondents in G3 are citing challenges such as the lack of policy on assessment procedures (46%) and management policy of evidence (33%), among others, pointing to a delay in assessments as well.

Figure 29 Challenges identified in design and establishment of company-level controls, and process controls over financial closing and reporting (Multiple replies allowed) (Question 4)

Figure 30 Challenges identified in design and establishment of process-level controls (Multiple replies allowed) (Question 8)

Items in Figures 29 and 30: Procedure for assessment not clearly defined; Unit for assessing the effectiveness not clearly defined; Management policy on evidence not defined; Shortage of necessary resources; Issues of improvement occur frequently; Scope of design and establishment (including volume of necessary documents) expanding more than anticipated; Defined the policy on determining scope of assessment, but procedure not clearly defined; Policy on determining scope of assessment not clearly defined; Clearly defined the policy on determining scope of assessment and procedure, but have conflict of opinion with auditor; Others. Series: Overall, G1, G2, G3.

(2) Challenges relating to the system

With regard to challenges relating to the system (Figure 31), more than half of the corporations raised a lack of enough resources (54%) and skill sets (54%) for implementing separate assessments. This shows that more than half of the companies are struggling in their preparations for assessments.

Looking at each group, G1 is slightly less burdened with challenges compared with other groups, with the exception of the item saying that “auditor’s involvement not sufficient”, so things seem to be managed relatively better in that group. G2 is highlighting a lack of enough resources (63%) most strongly as an issue, with many in the group already aware of the issue of the limited number of personnel for a big work load. G3 predominantly pointed out a lack of enough skill sets (57%). It may be because the companies in this group have not reached the stage to train assessors due to generally lagging progress.

(3) Challenges identified regarding the handling of internal controls at overseas business units

Asked about challenges for the handling of overseas business units (Figure 32), the most prevalent responses were “Not enough resources at overseas business units” (50%), “Limited awareness of internal control at overseas business units” (40%) and “A lack of communication between the head office and overseas subsidiaries” (38%). Of those replies from each group, what attracts one’s attention, in particular, is the reply from G2, which cites “Not enough resources at overseas business units”, with 70% of corporations identifying it as a challenge. As corporations enter the assessment phase, the lack of assessors at overseas business units is quite likely to be a more serious issue for G2.

Figure 32 Challenges identified regarding the handling of internal controls at overseas business units (Multiple replies allowed, and the population parameter is corporations which have relevant overseas units) (Question 14-2)
Items include: Not enough resources at overseas business units; Limited awareness of internal control at overseas business units; Lack of communication between the head office and overseas subsidiaries; Not enough contacts with auditor of overseas subsidiaries; Channels at overseas business units not clarified; Official language for communication with overseas business units (Japanese, English, etc.) not clarified; Responsible division at overseas subsidiaries not clearly defined; Others. Series: Overall, G1, G2, G3.

The above examination shows that, although many corporations are progressing to the assessment phase, they strongly identify challenges in formulating implementation procedure and establishing the assessment system.
Figure 31 Challenges identified regarding the system (Multiple replies allowed) (Question 16)
Items include: Not enough resources for implementing separate assessments; Not enough skill sets for implementing separate assessments; Auditor’s involvement not sufficient; Internal support system not sufficient; Not yet defined the costs for implementing internal control assessments from the inaugural year onward; Others. Series: Overall, G1, G2, G3.

2-5 Summary

We would like to summarize overall tendencies (Figure 33, left hand side) and tendencies by group (Figure 33, right side) based on the results discussed so far. Arrows from the center of Figure 33 show which earlier section has become the source of each tendency.

<Overall tendencies>

Corporations are not making enough efforts internally to have internal control penetrate the organization, which raises doubts about whether controls can be implemented effectively and maintained. At the time the survey was conducted, many companies were still in the middle of designing and establishing controls, which will eventually require them to remediate deficiencies and keep on working on these tasks during this inaugural year. As for the methodology in design and establishment, respondent corporations appear to be complying faithfully with Practice Standards. With regard to assessments, formulating the procedure for implementation and establishing the system were identified as challenges. Furthermore, most of the companies plan to implement separate assessments by the internal audit division, requiring each assessor to cover as many as 100 key controls.

<Tendencies by group>

G1 seems to be at a relatively more advanced stage, better equipped in human resources for separate assessments in comparison to other groups. On the other hand, G2 stands out with a volume of assessment far bigger than other groups. As it also has a large number of overseas business units targeted for assessments, G2 is feared to face potential shortages of resources needed for overseas assessments once a fully-fledged assessment is initiated. Meanwhile, G3 is generally lagging behind other groups in all of company-level controls, controls over financial closing and reporting process, and process-level controls. All these results have shown that there is a wide range of gaps in the progress for J-SOX compliance, depending on the scale of the company. Furthermore, corporations with a low degree of complexity have a relatively large number of assessors while companies with a high degree of complexity have a relatively smaller number of such assessors, indicating that complexity has a bearing on the relative number of personnel assigned to the task of assessments.

As discussed above, many companies are still in the process of designing and establishing internal control, and they will continue to face a big work load for the time being as the upcoming implementation of assessments will also add to their work.
Assessments, in particular, are feared to bring about a considerable work load, presenting a big hurdle to overcome, both in quantity and quality, when many companies are lagging behind in their effort to handle J-SOX requirements. On the other hand, the survey has revealed the items pointing to particular challenges by group, which would provide the necessary steps to take to cope with internal controls for each group.

Figure 33 Major tendencies observed in the survey results
Left: Overall tendencies (summary of distinct tendencies in design and establishment and in assessments, each traced to the survey results in 2-2, 2-3 and 2-4). Right: Tendencies by group (G1, G2 and G3 placed by progress in coping with legal requirements, from fast to slow, as the effect from scale, and by relative number of personnel assigned to assessments, from many to few, as the effect from complexity).

Chapter Three Future Actions

3-1 Overall Picture of Future Actions to be Taken

Based on the current approaches of internal control described in the preceding chapter, we have illustrated the relationship between the events assumed in case the matters are left to chance and a set of future actions that will help avert or cope with those events in an effective manner (Figure 34). In regard to each action, it is not easy to pinpoint uniformly the timing of implementation or the degree of its necessity; nevertheless, each one represents a theme worth examining, at least, in order to ensure acceptance of J-SOX-related initiatives at companies. The following sections elaborate on each item individually.

“Not enough efforts are being made internally to assist company-level penetration” shows a lack of efforts by personnel other than those in the division driving the initiative for coping with J-SOX. Internal controls, however, need to be implemented by those within each operational division, and without a sufficient level of awareness on the part of staff in a given division, a control is not able to perform its expected function, potentially leading to a deterioration of the quality of internal control. What companies can do to address this issue is to communicate repeatedly to each employee what internal control is and its potential impact on the company so that the awareness level of each employee can be raised. To help this process, an organization should have a function to promote internal control and clearly define the body to drive the initiative, which will help prevent quality deterioration. Furthermore, as internal control is not a one-off thing but a scheme to be maintained continuously, it is preferable to retain the promotion function on a continuing basis.
“Continuing to work on design and establishment even after the start of the inaugural year” confirms the fact that companies were still in the process of continuously designing and establishing controls at the time the survey was conducted (March to May 2008). As assessment processes get into full swing in the near future, resources and time available for designing and establishing could decrease on a relative basis, and design and establishment may not be performed as fully as they used to be. Essentially, it is desirable to conduct design and establishment in light of the question of whether each company can perform duties continuously and efficiently, rather than just getting through an audit, but the difficulties encountered during the design and establishment process could cause the attention to be directed to the minimum requirement of getting through an audit, potentially resulting in an erosion of operational efficiencies. Corporations that started to respond to J-SOX requirements from an early stage are likely to already have the twin goals of maintaining the control level and enhancing operational efficiencies at the same time from the inaugural year of the law. On the other hand, as for companies not belonging to that category, if the perceived erosion of operational efficiencies is too serious to be ignored, they will be required to take steps to address the issue by the promotion of BPR for the twin objectives of maintaining control levels and enhancing operational efficiencies at the same time.
Figure 34 Overall picture of future actions to be taken

Design/establishment
(1) Current approach (general tendency): Not enough efforts are being made internally to assist a company-level penetration
    Assumed event: Lack of awareness on the part of staff at operational divisions, causing quality deterioration of internal control
    Action: Establish and maintain the function to promote internal control
(2) Current approach (general tendency): Continuing to work on design and establishment even after the start of the inaugural year
    Assumed event: Lack of time leading to an introduction of unrealistic controls to pass through an audit, leading to a deterioration of operational efficiencies
    Action: Promote BPR for the twin goals of maintaining control levels and enhancing operational efficiencies at the same time
(3) Current approach (general tendency): Many companies are complying faithfully with the Practice Standards
    Assumed event: Currently coping only with legal requirements, but in need of increased efforts to enhance corporate value
    Action: Establish the Enterprise Risk Management

Assessments
(4) Current approach (general tendency): Challenges are implementation procedures and system preparations
    Assumed event: Assessment work implemented without enough preparations, negatively affecting efficiencies
    Action: Standardize assessment work
(5) Current approach (general tendency): An assessor of internal audit division covers 100 key controls each for separate assessment
    Assumed event: Assessment volume per each assessor is so big, causing an erosion of assessment quality
    Action: Expand the personnel assigned to assessments

“Many companies are complying faithfully with the Practice Standards”, but it is not possible here to decide whether it is good or not. From the standpoint of meeting the law’s requirements, it can be regarded as a solid response; nevertheless, it may be separated from the perspective of enhancing corporate value. As J-SOX will remain in place for years to come, a review of internal control-related efforts from the perspective of enhancing corporate value is effective.
An “establishment of Enterprise Risk Management” mentioned here is essentially aimed at the creation of a management style which pays attention not only to negative risks but also, in extreme cases, to risks that could potentially bring on positives. Although sufficient discussions are needed for establishing the concrete system, this is an idea worth discussing for the future as a viable action to accompany the effort to enhance the corporate value.

“Challenges are implementation procedures and system preparations” represents a concern about a shortage of human resources for assessment and a lack of enough skills as well as the absence of a clear implementation procedure for assessments. What are the potential problems of assessment when the implementation procedure is not clarified? For instance, an independent assessor may not know which set of evidence needs to be collected, or what to check on which control. Furthermore, a manager of the assessors may not be able to issue clear instructions at an appropriate timing without the knowledge of how far the work has progressed.

Shortages in resources and skill sets of assessors are bound to cause various problems. For instance, an assessor may not be able to assess business units or processes that should be assessed. Another potential problem would be the occurrence of inconsistencies in assessments conducted by different assessors. As assessment will be made every year from now on, it is desirable to “standardize assessment work” to avoid the cases of inefficiencies mentioned above.

With respect to the fact that “An assessor of internal audit division covers 100 key controls each for separate assessment”, it is difficult to assess this number, but if simply calculated by the unit of month, that would be an equivalent of 8 to 9 key controls being assessed per month or 1 key control being assessed without interruption for 2 days in a row.
These numbers may not look extraordinary, but considering many companies are implementing internal controls this year for the first time, completing an assessment of one key control within 2 days is not an easy task unless the organization has a full understanding of internal control, potentially resulting in superficial implementation to the detriment of quality control of assessments. Assessments can be improved to a degree as far as the efficiency is concerned by the efforts to standardize assessment work mentioned earlier, but it is difficult to say if the existing resources are sufficient to achieve that goal when considering the fit with other operations that have been in place up until now. Therefore, a natural discussion would be on the need to “expand the assessors”.

3-2 Establish and Maintain Functions to Drive Internal Control

As mentioned earlier, in order to raise the awareness of internal control among the staff at operational divisions and to avoid quality erosion, it is an effective step to establish the function to promote internal control within an organization, which will help maintain internal control in a sustainable manner. To be specific, this refers to a collaboration between the “function to promote internal control” and the “process owner”. The former oversees the establishment of company-level control policy and acts as a channel for auditors. The latter is the person charged with specific implementation of control requirements and promotion of penetration of control policies at each operational department and geographical location (Figure 35).

The function to promote internal control has the role of establishing the control policy which is uniformly applicable to each company and the entire group while driving the penetration of such policy to operational divisions in a top-down approach.
Furthermore, its role encompasses coordination with external auditors, enabling those involved to carry out the task of getting auditors’ opinions reflected in control policies and activities being conducted at the workplace. When the function to promote internal control exercises strong leadership over operational divisions, companies will be able to avoid undesirable cases including inconsistencies in the level of controls at different operational divisions, a failure to remediate deficiencies constantly and occurrences of deficiencies being indicated by an external audit even after the completion of the design of internal control pursuant to control policy within an organization.

The function to promote internal control does not have to take the form of a dedicated organization. For instance, a member of the existing accounting division or internal audit division may also act as the function to promote internal control. However, the same member is not appropriate to assess internal controls, so the staff to serve at the function should be chosen separately from among people other than the control assessors.

A process owner is charged with the duty of fully understanding the business processes at operational divisions, putting into action the control policy established by the function to promote internal control while penetrating such policy within an organization.

The function to promote internal control is responsible for the establishment and maintenance of control guidelines at the company-level while the process owner is required to build the control guidelines specifically into operations. The function to promote internal control and the process owner are required to coordinate their opinions from their own perspectives, with the objective of realizing optimal control for the corporation and its penetration within an organization.
Figure 35 Establishment and maintenance of the function to promote internal control

Before the system was established (Management; Business A; Business B)
There is no promoter of internal control for whole group, so control policy is not established nor penetrated into the workplace.
No responsible official of internal control on site, so control policy and awareness are not penetrated within an organization.

After establishment (Management; Function to promote internal control; Business A; Business B; Process owner)
Function to promote internal control: Establish control policy and act as a channel for auditors
Main roles
i) Establish and maintain control policy for whole group
ii) Explanation to each process owner
iii) Cross-divisional coordination of control levels
iv) Coordination with internal or external auditors
Process owner: Putting control requirements into actions at the divisional-level, geographical area-level
Main roles
i) Putting control policy into specific operations
ii) Penetrate the awareness of internal control to each operational division
Coordination by both parties to put control requirements into actions to penetrate within an organization

3-3 Promote BPR to Maintain Control Levels and Enhance Operating Effectiveness

In order to maintain control levels and enhance operational efficiencies, companies should consider a standardization of operations and integration of applications by an introduction of ERP along with the establishment of SOA (Figure 36).

By standardizing the operations of each business division and business unit, corporations can reduce the number of processes within a company and a group, leading to efficiency. Standardized operations do not require different controls tailored to each business unit and business segment, enabling the corporation to conduct operations with minimal controls.

Furthermore, an integration of applications by the introduction of ERP, etc. will not only lead to realization of enhanced operational efficiencies but will also contribute considerably to the strengthening and automation of controls. ERP, for example, is designed to ensure the consistency of data, which is made possible by data check at the time of input, a prevention of omissions/redundancies in the handling process, by referencing with data involved in multiple operations and by the realization of integrated data management. Separately, its workflow function enables automation of controls, among other benefits, helping strengthen and automate overall controls (Figure 37).

Figure 36 Standardization of operations and integration of applications
Standardization of operations: Standardization of operations enables reduction in business processes and controls (regions: Japan, U.S., Europe, ...; processes: Sales, Procurement, Inventory management, Accounting)
Integration of applications (ERP, etc.): Introduction of ERP to realize the strengthening and automation of controls while enhancing operational efficiencies

Figure 37 Internal controls by ERP
Examples of ERP’s support functions for internal control (by timing of internal controls, from pre-check to post-check): Rigorous management of user authority; Advanced input check and authorization process; Ensure data interface consistency; Transaction update / retain change history; Maintain the relationship in a series of transactions; etc.
Examples of specific controls provided by ERP (rated Good or Specially good):
Schemes created cannot be altered without authorization and any alteration made is captured in the change history
Avoid any overlap of authorities on preparation of schemes and transactional inputs to support the effort to create the scheme to prevent any deficiencies
Only authorized transactions can be allowed to be input based on transactional facts accurately without any redundancies and omissions before retained
Finalized transactional data are not authorized to be altered and any alteration made is captured in the change history
Trace and retrieve from account closing to primitive transactions
Visualization of data from initial transaction and evidence
Other benefits brought on by ERP:
Create the uniform core operations to simplify assessment and documentation works when handling controls by making the comparison with the diversified application system configuration
When implementing the deployment of the system template to the companies concerned in the future, simplify the whole series of control responses with the similar objective of creating the uniform operations

After the completion of the standardization of operations and integration of applications, the next step will be an introduction of SOA (Service Oriented Architecture).
SOA is designed to regard the process as a chain of “services” and to re-use services in multiple processes to ensure the flexibility which could not be realized by the integration of applications.

Processes in a company consist of a process area which seeks a better efficiency and stronger controls on the back of standardization (integration) and another process area which seeks flexibility on individualization within a business and business unit. The former is called “COE” and the latter “EDGE” below.

An introduction of SOA will enable an organization to arrange the processes of COE as “services”, responding to a wide range of needs flexibly and swiftly, with the result that it is established as shared infrastructure to support EDGE. This helps accelerate the move to make common components, which, in turn, will lead to the establishment of the system to execute EDGE by replacing common components. Furthermore, even in areas where informatization was promoted by individual applications, an increased availability of common components will enable companies to centrally operate and manage the areas which used to be handled in separate manners by each business unit and business segment (Figure 38).

Figure 38 Establishment of common base by SOA
Establish the shared infrastructure: SOA introduction to enable flexible and swift response to needs, helping establish the shared infrastructure to support EDGE (regions: Japan, U.S., Europe, ...; processes: Sales, Procurement, Inventory management, Accounting)
EDGE: Refers to areas where competitive advantage is guaranteed at the business segment and business unit level
COE (Center Of Excellence): Refers to areas where competitive advantage is guaranteed at the company and the entire group level

3-4 Establish Enterprise Risk Management

The results of this survey show that companies have a strong inclination to regard the establishment of internal control merely as a response to legal requirements in the absence of the perspective for enhancing corporate value. To avoid the J-SOX compliance ending up coping with perpetual cost-heavy legal requirements and also to contribute to the enhancement of corporate value, establishing the Enterprise Risk Management will be effective.

As the Enterprise Risk Management represents company-level activities, a strong system to promote it is needed for its realization. However, given the current situation where not many companies are equipped with the function to manage risks in a systematic manner, it is hard to expect the realization in a single step. It is, therefore, more realistic to realize it in a three-step approach described below.

Figure 40 Steps for establishing the Enterprise Risk Management
Axes: Scope of risks to be managed; Strength of the risk management system.
Stage one: Establish and maintain the function to promote internal control
Stage two: Centralize the risk management system
Stage three: Implement risk management at the company-level in a comprehensive manner

Enterprise Risk Management is defined as a system and procedure to control all kinds of risks surrounding companies at the company-level. According to the COSO-ERM (Enterprise Risk Management), a leading framework published by the Committee of Sponsoring Organizations of the Treadway Commission in September 2004, the Enterprise Risk Management has four objectives and eight components. This represents an evolution in many ways from the COSO Control Framework published in 1992, an internal control framework.
A special feature of the COSO-ERM is that it identifies risks from a more strategic perspective by adding “strategy” to existing objectives (Figure 39).

Figure 39 Objectives and components of ERM under COSO-ERM

Objectives of COSO-ERM (Objective: Summary)
Strategic: Corresponding to the corporation’s mission while involved in the advanced target supporting the mission
Operations: Relating to the effectiveness and efficiency in capitalizing the resources of the business
Reporting: Relating to the reliability of reporting by the company
Compliance: Relating to compliance with laws and regulations applicable to the company

Components of COSO-ERM (Component: Summary)
Internal Environment: Acting as a base of other components of ERM, providing discipline and structure
Objective setting: Being set at the strategy level, forming the base of objectives for business, reporting and compliance
Event Identification: Identify the potential event to impact the company to achieve the objectives
Risk Assessment: Examine the degree of impact from a potential event on the achievement of objectives
Risk Response: Decide on responses from among aversion, reduction, sharing and acceptance about the detected risk, after assessing the risks
Control Activities: Policies and procedures that help certify that risk management is in place
Information & Communication: Communicate the appropriate information properly to stakeholders within and outside of an organization
Monitoring: Monitoring activities to ensure that ERM activities remain valid

Stage one Establish and maintain the function to promote internal control
As seen in 3-2, in order to promote internal control activities such as the establishment of control policy and the raising of awareness at operational divisions at company-level, it is necessary to establish and maintain human resources assigned to the tasks or an organization with the function to promote internal control.

Stage two Centralize the risk management system
The next step is to centralize the risk management system, which involves centralizing the existing functions over risk management such as compliance work and maintenance of each ISO standard, as well as the function to promote internal control mentioned earlier. This will lay the groundwork for implementing a company-level risk management.

Stage three Implement risk management at the company-level in a comprehensive manner
The last step is to realize the risk management at the company-level and in a comprehensive manner. Various risks exist in corporate activities other than those recognized previously as the subject of controls such as J-SOX, compliance work, maintenance of each standard of ISO. A company-level response to these risks through the cooperative effort by the management and employees at operational divisions should result in a realization of Enterprise Risk Management.

The following sections elaborate on the stage two and three, starting with the former.

Currently, many companies implement risk management other than J-SOX such as compliance work, maintenance of each standard of ISO as well as the function to promote internal control mentioned earlier by establishing each separate committee or operational divisions. This has led to an increase in workload at the workplace to be managed as well as higher control costs of the management organization, which is a body to implement controls. There are more than one control organization designed for each purpose, carrying out control activities independently of one another, but as most of the workplace to be managed is the same, they may be preoccupied with responses to nearly identical inspections and physical inspection one after another.

The purpose of centralizing the risk management system is to centralize the organization, documents, assessments and other aspects of the broadly-defined internal control to avoid the above-mentioned situation.

The realization of the centralized risk management system will enable an implementation of the risk management in a centralized manner, rather than in an independent manner done previously. This will not only help reduce control costs and the workload for the staff involved but will also enhance the effectiveness of the risk management as controls begin to wield greater power (Figure 41).

Figure 41 Centralization of the risk management system
Before centralization (Management; Compliance control division; Function to promote internal control; Quality control division; Environment/CSR division; Information security division; Business A; Business B): Establishment of operational divisions relating to various risks has increased control costs and the workload for the staff
After centralization (To-Be) (Management; Centralized risk management system; Business A; Business B): The centralized risk management system will help reduce control costs and the workload for the staff, resulting in an enhanced effectiveness of the risk management.

The following sections elaborate on the stage three.

The risks involved in corporate activities are not confined to compliance and ISO, among others, which are currently the objectives of control. Therefore, centralizing the risk management system only does not completely enable corporations to cope with a whole range of risks involved in business activities. Accordingly, it is necessary to implement risk management at the company-level in a comprehensive manner.

Specifically, a company-level risk assessment needs to be implemented first. Risk assessment at the company level is defined as an act taken by the management and the staff at operational divisions to detect the risks.
Risks involved in each company are totally diverse, depending on the business and environment, among other factors. Furthermore, the risks perceived by the management tend to be different from those recognized at operational divisions, making it necessary for companies to locate the risks from every angle by implementing a company-level risk assessment.

The next step is to categorize those detected risks into compliance risks, business risks, operational risks, financial risks, country risks, reputational risks and insurance/casualty disaster risks in order to devise optimal measures after an examination of the frequency of occurrences and their impact. This would help clarify what actions to take at what costs for each risk.

As mentioned above, Enterprise Risk Management consists of the detection and assessment of all the risks involved in business activities as well as the formulation of response measures. This process enables organizations to realize risk management with the twin goals of guaranteeing the reliability of financial reporting, a defensive element, and enhancing the corporate value, an offensive element, by assessing risks and establishing the responses necessary to execute the corporate strategy (Figure 42).
Figure 42 Establishment of the Enterprise Risk Management
Before establishing the Enterprise Risk Management: Risk recognition covers defense only. Correspond only to financial reporting risks, focusing only on legal requirements.
After the Enterprise Risk Management is established (To-Be): Risk recognition covers both offense and defense across research and development, procurement, production, sales and accounting. Respond to not just financial reporting risks but all the risks. Realize the risk management with the twin goals of “offense” and “defense” to help enhance the corporate value.

Risk categories
・Compliance risk: Risk of having a significant impact on business activities due to a violation of laws
・Business risk: Risk of having a significant impact on a corporation’s foundation due to external factors and wrong business strategies
・Operational risk: Risk of causing losses occurred in each process of operations on companies
・Financial risk: Risk of deterioration of financial performance caused by the changes in the financial and economic environment
・Country risk: Risk of not being able to continue the business and of suffering losses from loans and investments due to the circumstances in the country where investments have been made
・Reputational risk: Risk of causing tangible and intangible losses because of the broken foundation of trading due to negative opinions on the company and business which may or may not be true
・Insurance/casualty risk: Risk of suffering losses caused by incidental events such as accidents and disasters

3-5 Standardize Assessments

Implementing an assessment without defining the procedure of the task could result in inefficiencies, potentially increasing the costs. In order to avoid it, it is imperative that companies “standardize assessment operations”.
“Standardize assessment” means clarifying the workflow from the selection of the scope of assessment to its implementation and the assessment of its effectiveness, as well as the timing of implementation and the relevant procedure. Once the procedure is clarified, it allows an organization to decide what can be implemented at the group level uniformly and what should be done at each company in the group.

For instance, a decision on the scope of assessment, implementation of assessments of company-level process / process over financial closing and reporting and effectiveness assessment may be carried out at the group level in a uniform manner. On the other hand, the assessment of business process controls may be done at each company, depending on the organization’s decision, which is made easier by a clearly defined procedure.

Furthermore, while performing the actual assessments, it will be effective to use internal control tools such as SAP Solutions for GRC (see “What is SAP GRC?” on the next page), among others, as a means of monitoring the status of implementation at each company. By managing the specific implementation process of the assessment procedure mentioned earlier with the help of the IT system, an organization will be able to dispense with manual tasks devoted to controls and improve the precision of standardized operations of assessments (Figure 43).

In addition, a review of the assessment procedure will identify the profile of people needed for the relevant tasks as well as the number of such staff. In other words, each business unit will be able to obtain the optimal number of assessors by taking into account the contents and volume of work to be done both at the company and group levels. In this respect, it should be fair to say that standardization of assessment is essential as a prerequisite for expanding the number of assessors, which will be discussed later.

Figure 43 Standardize Assessments
Before standardizing operations of assessments: Assessment procedure not clarified. Assessment operations will be inefficient in the absence of appropriate instructions due to unknown status of progress.
After standardizing operations of assessments (To-Be): Clarify procedure by the standardization of operations of assessments. Monitoring by the internal control assessment tool. Instructions can be made appropriately by monitoring the standardized assessment operations.
Workflow shown: select the scope of assessment targets; separate assessments of controls over the company-level / process of financial closing and reporting; separate assessments of process-level controls; assessments of effectiveness (with evidence at each assessment).

What is SAP GRC?

SAP Solutions for GRC refers to an integrated solution for the controls over governance, risks and compliance, targeting CFOs. SAP Solutions for GRC provides solutions to cope with various laws and regulations, among which there are two solutions specially related to J-SOX compliance, SAP® GRC Access Control and SAP® GRC Process Control.
Figure 44 SAP® GRC Access Control and SAP® GRC Process Control
Future (To-Be): Visualization/standardization of assessment procedure with SAP GRC PC (Process controls); visualization/standardization of segregation of duties with SAP GRC AC (Access controls).
Callouts shown in the figure:
・Predefine the desirable state of segregation of duties within the IT system
・Retain RCM information at the level of organization and process control
・Check automatically the status of system controls by collaborating with the ERP system
・Standardize the assessment procedure on a workflow basis and centrally control the progress

SAP GRC Process Control is a solution that centrally controls, within the SAP system, the status of controls built into the business processes and the process of the assessments of the relevant controls. Specifically, it has the function to automatically test the status of the system controls in collaboration with SAP and other ERP systems and to centrally control the progress of assessments by retaining the assessment procedure on a workflow basis, among others, enabling the user to achieve the visualization and automation of controls and their assessment processes.
SAP GRC Access Control is a solution to prevent fraud by restricting unapproved access and authorization to the relevant system upon predefining the desirable state of the segregation of duties within the information system. Specifically, it analyzes and reports the combination of risky duties after crosschecking the status of the authority of ERP and other applications against the check rules on segregation of duties retained in the database. It also ensures that the consistency of the check rules is confirmed, among other functions, in the process of designing the roles, contributing to the achievement of the visualization, standardization and optimization of the segregation of duties.

3-6 Expand Assessors

The results of this survey point out that many companies are experiencing a shortage of assessors in quality and quantity, which is turning out to be a pressing issue. As J-SOX attaches a special importance to the “reliability of financial reporting”, knowledge of accounting and finance is essential.

Furthermore, the body implementing the assessment work as a proxy of the management is quite often the internal audit division, whose duties are not confined to the monitoring of the reliability of financial reporting but are actually quite extensive, ranging from careful examination of the efficiency of operations to their validity and compliance with the laws.

Companies, however, suffer from a scarcity of people well-versed in both ordinary operations and accounting who also have the management perspective. Developing people internally until they join that league cannot be done overnight. Consequently, organizations are likely to be exposed to the following challenges in the process of implementing internal controls at the work place.

(1) Doubts about the scope and depth of assessments
・Assessor is not sure what to assess by how much as an assessment work is a first experience
・A lack of uniform guidelines results in inconsistencies of assessment quality

(2) Shortage of assessors in quality and quantity
・Assessment of internal controls can only be done by those with a strong working knowledge of accounting and finance who are also quite familiar with operations at the work place, but developing such people takes time.
・Internal auditor is preoccupied by dealing with legal requirements, failing to make any proposals on a cross-divisional efficiency drive, among other steps.

(3) Difficulty in assessments at overseas business units
・Language barrier and the weakness in controls at overseas business units pose challenges in maintaining the equivalent assessment quality with domestic business units.

In trying to solve the above-mentioned challenges, outsourcing (BPO of internal control assessment * Note 7) could provide an effective solution (Figure 46). BPO of internal control assessment aims to solve those three challenges in the following manner.

(1) Systematize the knowledge obtained from the advanced cases of internal control assessment as a methodology of assessment of internal controls before applying it to each assessment being implemented by individual groups
(2) Have assessments implemented by experienced accounting and finance staff, those with accounting qualifications or those well-versed in internal control operations on behalf of regular assessors
(3) Delegate assessment work to those fully equipped with local language skills and a knowledge of internal control

Note 7: BPO of Internal control assessment: BPO stands for Business Process Outsourcing, referring to an implementation of internal control assessments by utilizing outside human resources.

Figure 45 Expansion of assessors
Before expansion of assessors: The management runs a system of separate assessments over Business A, B and C. Shortages of staff for assessments both in quality and quantity.
After expansion of assessors (To-Be): BPO of internal control assessments through a subcontract agency of internal control assessments. Compensate for the shortage of human resources for assessments, both in quality and quantity, by implementing the assessment work utilizing the outside human resources.

3-7 Future Actions for Each Group

Each action we propose here was formulated by analyzing how controls are being handled on the basis of the results of the survey, representing a set of actions that need to be taken by all the companies. Looking at these groups individually, however, there is a varying degree of importance in the action to be taken by each group (Figure 46).

G3, clearly lagging behind in design and establishment, needs to speed up the establishment of the function to promote internal control to accelerate J-SOX compliance further (Figure 46 *1).

G1 devotes more human resources to assessments, meaning it has more room to reduce the number of personnel engaging in the assessment (Figure 46 *2) by standardization of assessment operations. G1 has fewer controls covered by each assessor than other groups do, and of note is the fact that the number of assessors is not particularly small compared with other groups. This indicates that the large-scale companies with low complexity in G1 should curb costs by reducing the number of assessors by maximizing the benefits from standardization of assessment operations.
G2, on the other hand, is understood to have a relatively large assessment volume, indicating that even if G2 standardizes operations of assessments, it may still need to expand assessors (Figure 46 *3). Because of its high degree of complexity, G2 has limited areas of operational overlap among its individual divisions, giving it far less room to standardize operations in comparison to G1. This will cause G2 to expand the team of assessors, but if it relies too much on internal human resources, the group will run the risk of undermining performance of its regular operations, making the utilization of external human resources a major theme.

Figure 46 Future actions for each group (groups: G1, G2, G3)
1 Establish and maintain the function to promote internal control (*1)
2 Promotion of BPR for the twin goals of maintaining controls and enhancing operational efficiencies
3 Establish the Enterprise Risk Management
4 Standardize operations of assessments (*2)
5 Expand the assessors (*3)

3-8 Summary

As listed companies are dealing with J-SOX for the first time, and it seems to force additional operations on a superficial level, they tend to consider the specific response independently from other management issues within the company. However, when we consider the significance of internal controls for companies, they constitute an indispensable element for an organization, and the new law is merely imposing requirements to fulfill the tasks which essentially should be done spontaneously. Being a subject crucial for corporate survival, internal control should not be treated separately from other management issues. In that respect, companies should assess the pluses and minuses of the implementation of J-SOX and the strengthened internal control, devise measures to compensate for the minuses in particular, and aim to undertake management in a balanced manner in consideration of other management issues.
“Assumed events” were primarily based on the minuses of the strengthened internal control, so the “Future actions to be taken” were formulated to compensate for the negative effects caused by the strengthening of internal control.

Meanwhile, there are benefits from the implementation of J-SOX, the biggest of which is the fact that it now allows corporations to make efforts to strengthen internal control in a consistent manner. They seek to enhance operational efficiencies and explore new business opportunities by turning risks into chances with a goal of growing in perpetuity, and the benefits of such activities can be reaped more effectively if the companies carry them out in a consistent manner by making the most of their experiences in implementing J-SOX, rather than tackling them on an ad hoc basis without any planning.

In that sense, the “Future actions to be taken” mentioned earlier in this chapter should be reexamined individually, not just as a means of facilitating the strengthening of internal control but as a basis for pursuing each theme in a sustainable fashion.

At the end

The history of “internal control” is not very long, only a century having passed since it came into being as described in Chapter One. However, during that time the definition of “internal control” has been broadened and adjusted, and it has now reached a point where it exerts a major influence on corporate management beyond the realm of accounting. The introduction of the new law, therefore, was made out of necessity in light of the magnitude of its current impact on corporate management.

Our observations show that each company is striving to handle internal control effectively and efficiently from its own standpoint, but it appears that their preparations are taking more time than expected.
That may be attributable to failed attempts as they tackle new things one after another, but another factor hampering their efforts must be the sheer volume of the workload, forcing them to work longer than initially expected.

Now that the inaugural year of J-SOX has already begun, corporations are strongly required to cope with it efficiently within the limited time available, in light of the discussions earlier. Yet there is no perfect answer to addressing internal control for them, and the external auditors are no exception, meaning that there exists no defined validity. In other words, the inaugural year requires a balance of effectiveness and efficiency which is unique to that year, and the second year will come with its own demands on the balance of effectiveness and efficiency as a result of the separate examination.

Companies are now in the transition phase as they grapple with the new law in its inaugural year, and apart from the necessary actions for the first year, they should prepare for the steps for the second year onward with the aim of coping with the law in a consistent manner. One important subject during that process will be to identify the optimal level of effectiveness of internal control suited to each stage where a corporation stands, rather than pursuing a static level of effectiveness, which will be assisted by an examination and implementation of the “Future actions” mentioned earlier as a source of new ideas.

A successful implementation of these actions should contribute to a further development and evolution of the concept of “internal control”, leading to the making of a new history.

[Appendix] Survey Results

For reference, all the survey results are attached as Appendix. In addition, for Questions 5-4, 10-1, 11-1 and 11-2, which are answered with numbers, the results by group are also shown as they presumably correlate with the scale of a business, among other factors.
(See Page 11 on the methodology of categorization into groups)

I. Company-level controls and process controls over financial closing and reporting

1. Policy on determining the scope of company-level controls

Question 1. Please place a circle next to your choice regarding policy on determining the assessment scope of company-level controls
・All the business units
・Exclude insignificant business units based on the criterion of sales
・Exclude insignificant business units based on the criterion of total assets
・Exclude insignificant business units based on the criterion of profits
・Exclude insignificant business units using more than two criteria from among sales, total assets and profits
・Exclude insignificant business units based on qualitative risks
・Others
Percentages shown in the chart (not matched to the choices): 3%, 6%, 25%, 24%, 36%, 4%, 2%

2. Status of company-level controls

Question 2. Please place a circle next to your choice regarding the objectives of assessments for company-level controls mainly with respect to the status of policies and manuals
・Have not yet taken inventory of the policies and manuals which need to be created or revised
・Have taken inventory of the policies and manuals which need to be created or revised, but have not started to update them
・Have taken inventory of the policies and manuals which need to be created or revised and have started to update them
・Policies and manuals have been updated already and have started operation
・Others
Percentages shown in the chart (not matched to the choices): 3%, 10%, 24%, 12%, 51%

3. Method of implementing assessments with regard to company-level controls and process controls over financial closing and reporting

Question 3-1. Please place a circle next to your choice regarding the components of assessment items for company-level controls
・Questions were created in accordance with 42 assessment items shown as examples in the Practice Standards
・Questions were created by using company’s own assessment items
・Others
Percentages shown in the chart (not matched to the choices): 11%, 10%, 79%

Question 3-2.
Please place a circle next to your choice regarding the level of assessment items for company-level controls
・Not identify the evidence when replying to questions
・Identify the name of evidence when replying to questions
・Identify the points of reason specifically as well as the name of evidence when replying to questions
・Others
Percentages shown in the chart (not matched to the choices): 1%, 6%, 44%, 49%

Question 3-3. Please place a circle next to your choice regarding the unit for judging the validity of company-level controls
・Judge if controls are effective as a whole by overall questions
・Judge if controls are effective by the 6 basic components in the Practice Standards
・Judge if controls are effective by the 42 assessment items in the Practice Standards
・Judge if controls are effective by individual questions
・Others
・No replies
Percentages shown in the chart (not matched to the choices): 1%, 6%, 15%, 28%, 15%, 35%

Question 3-4. Please place a circle next to your choice regarding the question of whether or not there was an implementation of separate assessments of company-level controls (by members with no direct interest in the organization in the scope of assessment)
・No separate assessment was conducted and only self-inspections (assessments by the control division or the party of the division to be controlled) were carried out
・Separate assessments conducted on part of the results of the self-inspections
・Separate assessments conducted on all the results of the self-inspections
・Only separate assessments conducted without any self-inspections
・Others
・No replies
Percentages shown in the chart (not matched to the choices): 1%, 4%, 11%, 17%, 45%, 22%

Question 3-5. Please place a circle next to your choice regarding the method of implementing assessments of process control over financial closing and reporting
・Implemented by using questionnaires, etc. (incl. check lists) for all target companies as in company-level controls
・Implemented by using RCM, etc. for all target companies as in process-level controls
・Implemented by using both questionnaires (incl. check lists) and RCM format for all target companies
・Implemented by using questionnaires (incl. check lists) for all target companies with additional use of RCM format for some companies
・Implemented by using either questionnaires (incl. check lists) or RCM depending on target companies
・Others
Percentages shown in the chart (not matched to the choices): 5%, 29%, 17%, 16%, 15%, 18%

4. Challenges regarding company-level controls and process controls over financial closing and reporting

Question 4. Please place a circle all of your choices regarding challenges identified in design and establishment of company-level controls and process controls over financial closing and reporting (multiple replies allowed)
・Procedure for assessment not clearly defined: 42%
・Management policy on evidence not defined: 29%
・Shortage of necessary resources: 25%
・Unit for assessing the effectiveness not clearly defined: 24%
・Issues of improvement occur frequently: 24%
・Defined the policy on determining scope of assessment, but procedure not clearly defined: 19%
・Scope of design and establishment expanding more than anticipated: 11%
・Policy on determining scope of assessment not clearly defined: 4%
・Clearly defined the policy on determining scope of assessment and procedure, but have conflict of opinion with auditor: 4%
・Others: 11%

II. Process-level controls other than controls over financial closing and reporting process

5. Policy on selecting the process-level controls

Question 5-1. Please place a circle next to your choice regarding the question on whether there was a narrowing down in accounts
・Targeted only the processes relating to the 3 accounts (sales, accounts receivable, inventories or other accounts of equal significance)
・Added other significant accounts to the 3 accounts (sales, accounts receivable, inventories or other accounts of equal significance)
・Selected all the major accounts
・Others
・No replies
Percentages shown in the chart (not matched to the choices): 1%, 3%, 26%, 14%, 56%

Question 5-2.
Please place a circle all of your choices regarding the question of whether or not business risks were selected (multiple replies allowed)
・Confined deliberately to risks in financial reporting: 54%
・Included the credit risk in assessment targets when selecting the process: 27%
・Included the inventory risk in assessment targets when selecting the process
・Included the compliance risk in assessment targets when selecting the process
・Included the foreign exchange risk in assessment targets when selecting the process
・Included the quality risk in assessment targets when selecting the process
・No special attention paid
・Others
Percentages shown in the chart for the last six choices (not matched to the choices): 21%, 9%, 8%, 5%, 10%, 2%

Question 5-3. Please place a circle next to your choice regarding the starting point of the process of assessment targets of your company, taking the example of the sales process (sub-process: quotation, agreement, order receipt, shipment, sales recording)
・Targeted all the sub-processes (* Note 9) within the sales process (* Note 8)
・Targeted the sub-processes from agreement or order receipt to which the rights and obligations are attributable
・Targeted only the sub-process of sales recording from which journal entries arise
・Others
Percentages shown in the chart (not matched to the choices): 5%, 43%, 44%, 8%

Note 8: Process: A unit identified as an operational group when implementing assessments, such as the procurement and sales processes at a manufacturing company
Note 9: Sub-process: A unit with which a whole series of procedures are completed such as the concluding of an agreement, the order receipt and the sales recording in the sales process

Question 5-4. Please reply regarding the assessment volume for process-level controls

Question 5-4-1.
Please enter the number of companies in the scope of assessments for process-level controls
Chart: distribution of replies for Overall, G1, G2 and G3 across the categories: Not more than 5 companies; 6–10 companies; 11–15 companies; 16–20 companies; Not less than 21 companies; No replies

Question 5-4-2. Please enter the number of business processes for which documentation was conducted
a. Total of group companies
b. At the parent company or the primary business corporation
Charts: distribution of replies for Overall, G1, G2 and G3 across the categories: Not more than 50 processes; 51–100 processes; 101–150 processes; 151–200 processes; Not less than 201 processes; No replies

Question 5-4-3. Please place a circle next to your choice regarding an average number of key controls for each process unit
Chart: distribution of replies for Overall, G1, G2 and G3 across the categories: 1∼2; 3∼5; 6∼9; Not less than 10; No replies

6. Status of process-level controls

Question 6. Please place a circle next to your choice on the status of clarification of risk controls with regard to the process-level controls in the scope of assessment
・Have not completed clarification of risk controls
・Have completed clarification of risk controls, but have not started operation improvements necessary for controls
・Have completed clarification of risk controls, and started operation improvements necessary for controls
・Completed operation improvements necessary for controls, and started operation
・Others
Percentages shown in the chart (not matched to the choices): 14%, 4%, 20%, 22%, 40%

7. Method of implementing assessments of process-level controls

Question 7-1. Please place a circle next to your choice regarding the method of identifying risks at your company, taking the example of the sales process (sub-process: quotation, agreement, order receipt, shipment, sales recording)
・Identify one risk per assertion in the entire sales process
・Identify multiple risks per assertion in the entire sales process
・Identify one risk per assertion for a sub-process unit such as sales, shipment, and sales recording
・Identify multiple risks per assertion for a sub-process unit such as sales recording
・Define potential risks for each business process (with some assertions not defined as risks and not covered)
・Others
・No replies
Percentages shown in the chart (not matched to the choices): 4%, 1%, 3%, 9%, 10%, 48%, 25%

Question 7-2. Please place a circle next to your choice regarding the question of whether or not separate assessments are being implemented for process-level controls (assessments by members with no direct interest in the organization in the scope of assessment)
・Only self-inspections conducted by the division conducting the operations without any separate assessments
・Self-inspections conducted by mutual check of separate organizations within the division conducting the operations without any separate assessments
・Separate assessments conducted on part of self-inspection results
・Separate assessments conducted on all self-inspection results
・Only separate assessments conducted without any self-inspections
・Others
・No replies
Percentages shown in the chart (not matched to the choices): 1%, 7%, 4%, 3%, 21%, 32%, 32%

8. Challenges in the process-level controls

Question 8.
Please place a circle next to all of your choices regarding the challenges identified in the process-level controls (multiple replies allowed)

Procedure for assessment not clearly defined 38%
Shortage of resources necessary for design and establishment of internal control 30%
Unit for assessing the effectiveness not clearly defined 30%
Management policy of evidence not defined for assessing internal control 29%
Issues of improvement relating to design and establishment of internal control occur frequently 26%
Defined the policy on determining scope of assessment, but implementation procedure not clearly defined 16%
Scope of design and establishment (including volume of documentation) expanding more than anticipated 14%
Clearly defined the policy on determining scope of assessment and implementation procedure, but have conflict of opinion with auditor 5%
Policy on determining scope of assessment not clearly defined 4%
Others 11%

III. Assessment system

9. Division in charge of establishment

Question 9. With respect to the establishment of the system for assessing internal control, please place a double circle next to all of your choices regarding the division that has played a central role and a single circle next to all of your choices regarding other relevant divisions (multiple choices allowed)

Reference: The internal audit division leads establishment at most corporations where the accounting and finance division is not involved. Where the internal audit division is not involved, either the accounting and finance division or the corporate planning division plays a central role.

[Chart: two series, "Division that played a central role" and "Other relevant divisions". Divisions: Accounting and finance division; Internal audit division; Information system division; Corporate planning division; Project team; General affairs division; Legal and compliance division; Others]

10. System of separate assessments

Question 10-1. Please enter an estimated number of assessors to conduct separate assessments

a. Work full-time
b. Work concurrently

[Charts for a. and b.: responses for Overall, G1, G2 and G3. Categories for a.: 1–4; 5–9; Not less than 10; No replies. Categories for b.: 0∼4; 5∼9; Not less than 10; No replies]

Question 10-2. Please place a circle next to all of your choices regarding the division to which a to-be-appointed independent assessor belongs (multiple replies allowed)

Internal audit division 88%
Accounting and finance division 24%
Information system division 14%
Corporate planning division 12%
General affairs division 9%
Legal and compliance division 8%
Others 14%

11. Costs

Question 11. With respect to external costs of the overall costs for establishing the system of internal control assessment, please place a circle around your choice regarding the costs spent on preparations so far and the estimated costs for the inaugural year of the new law

Question 11-1. Costs spent on preparations so far (excluding costs for establishing the IT infrastructure such as implementing ERP system)

[Chart: responses for Overall, G1, G2 and G3. Categories: Less than 50 million yen; 50 million yen – less than 100 million yen; 100 million yen – less than 200 million yen; 200 million yen – less than 500 million yen; 500 million yen – less than 1 billion yen; Not less than 1 billion yen; No replies]

Question 11-2.
Estimated costs for the inaugural year of the new law (excluding costs for establishing the IT infrastructure and audit)

[Chart: responses for Overall, G1, G2 and G3. Categories: Less than 50 million yen; 50 million yen – less than 100 million yen; 100 million yen – less than 200 million yen; 200 million yen – less than 500 million yen; 500 million yen – less than 1 billion yen; Not less than 1 billion yen; No replies]

12. Contents of support from consulting firms

Question 12. Please place a circle next to all of your choices regarding the roles you have required of an external consulting firm (including advisory services required of an auditing firm other than the external auditor) in case you have required support, and please place a triangle in case you plan to require support in the future (multiple replies allowed)

[Chart: two series, "Have required support" and "Plan to require support". Choices: Support for formulating the policy on the procedure of responding to the regulation such as documentation and assessments; Advice on the contents of controls; Support for project management (PMO); Implementation of documentation; Implementation of assessments; Coordination not scheduled with external auditor; Require advice to the external auditor; Not required services to consulting firms]

13. Status of communication with external auditor

Question 13. Please place a circle next to all of your choices regarding the status of communication with external auditor so far (multiple replies allowed)

Obtained information from auditors on policy for determining scope, documentation and assessment 89%
Exchanged opinions about scope and the appropriateness of documentation contents 67%
Exchanged opinions about design policy for initiating the design of internal control 61%
Exchanged opinions about policy on operation test in implementing operation test for internal controls 52%
Exchanged opinions about assessment standards for design and operation of internal controls 49%
Others 4%

14. Handling internal controls at overseas business units

Question 14-1. Please place a circle next to all of your choices regarding the geographical areas targeted (multiple choices allowed)

Asia 41%
North America 30%
Europe 23%
Oceania 7%
South America 6%
Middle East 3%
Africa 1%
Others 1%
No replies (no overseas business units to be targeted) 49%

Question 14-2. Please place a circle next to all of your choices regarding the challenges identified at overseas business units (multiple replies allowed and the population parameter is corporations which have relevant overseas business units)

Not enough resources at overseas business units 50%
Limited awareness of internal control at overseas business units 40%
Lack of communication between the head office and overseas subsidiaries 38%
Not enough contacts with auditor of overseas subsidiaries 21%
Responsible division at overseas subsidiaries not clearly defined 10%
Channels at overseas business units not clarified 8%
Official language is not clarified for communication with overseas business units (Japanese, English, etc.) 5%
Others 5%
In good progress without any issues 11%

15. Approach to penetrate

Question 15. Please place a circle next to all of your choices regarding the approaches you are making or you plan to make to penetrate internal control at the company-level (multiple replies allowed)

Appointed a responsible official (process owner) of internal control 46%
Holding regular training sessions 34%
Management proactively involved 34%
Prescribed duties for internal control as rules, etc. in documents as part of existing organization’s operations 33%
Established an organization to promote internal control separately from a project team 26%
Consideration of personnel evaluation regarding establishment and maintenance of internal control 5%
Others 9%

16. Challenges for the system

Question 16. Please place a circle next to all of your choices regarding the challenges identified for the system (multiple replies allowed)

Not enough resources for implementing separate assessments 54%
Not enough skill sets for implementing separate assessments 54%
Internal support system not sufficient 23%
Not yet defined the costs for implementing internal control assessments from the inaugural year onward 19%
Auditor’s involvement not sufficient 17%
Others 7%

IV. Common

17. Status of use of internal control assessment support tools

Question 17. Please place a circle next to all of your choices regarding the function you are currently using with regard to the support tools for internal control assessments, and please place a triangle in case you have a plan to use from now on (multiple replies allowed)

[Chart: two series, "Currently using" and "Plan to use in the future". Choices: Function to support document preparation; Document management function; Function to support assessment procedure (workflow, audit evidence management, etc.); Project management function; Function to educate personnel; Not used; No plan]

18. Status of dry run audit

Question 18.
Please place a circle next to your choice regarding the status of the dry run audit

[Pie chart. Choices: Conducted the dry run audit, including the final comprehensive assessments; Comprehensive assessments not conducted, but carried out the review by the auditor; Dry run audit by the auditor not conducted, but comprehensive assessments carried out as internal assessments; Dry run audit by the auditor not conducted, but internal assessments partially carried out; No plan to implement; No replies]

19. Current status of design and operation of internal control

Question 19. With respect to the current status of the design and operation of internal control, please place a circle next to your choice of a relevant reply regarding company-level controls / process controls over the financial closing and reporting, and process-level controls, respectively

[Chart: responses for Company-level, Financial closing and reporting, and Process-level. Categories: Internal controls are being implemented well; Detecting some deficiencies although need examination to determine if they are material weakness; Have already detected material weakness in internal controls; Others; No replies]

20. Issues in internal control at respondent corporations

Question 20.
Please place a circle next to all of your choices regarding the issues in internal control of your company (multiple replies allowed)

Shortage of staff and skills for independent monitoring 52%
Not enough update of the policies and manuals with explicit provisions 46%
Not enough evidence for design and operation of internal controls 40%
Shortage of staff and skills for ongoing monitoring 37%
Not enough operation compliant with explicitly prescribed rules and procedures 34%
General shortage of explicit rules 26%
Difficult to add staff in accordance with development in separation and segregation of duties 26%
Not enough documents for design and test of information system 24%
Difficult to assess appropriate strategy and plan on IT 24%
Difficult to handle double checks and approval procedure with regard to the processes of financial closing and reporting 20%
Difficult to ensure safety of the information system, including access controls 20%
Rules and procedure for maintenance and operation of the information system not clarified 17%
Not enough handling of the safekeeping of the archived documents 17%
Difficult to assess risks and the responses to risks 16%
Difficult to clarify assessment scope of EUC 14%
Scope of assessment targets not clarified with regard to IT general controls 13%
Difficult to assess the effectiveness of estimates and forecasts with regard to the processes of financial closing and reporting 12%
Difficult to assess the supervisory and monitoring functions of the board of directors and internal auditors or audit committee 12%
Not enough procedure of mutual check on each occasion due to a large transaction volume of business processes 12%
Difficult to assess the “policy and attitude” of the management with regard to the focus on financial reporting 11%
Difficult to prove that the IT controls are not altered after an assessment is implemented 10%
Difficult to assess the IT system whose development and running are being outsourced 9%
Difficult to assess the effectiveness of organizational design (organizational structure and authority/responsibility) 9%
Concern about the inability to fully cope with change in the accounting system with the company’s own resources 5%
Others 6%

21. Approaches in association with internal control

Question 21. Please place a circle next to all of your choices regarding the challenges in management which you are currently addressing or which you are concerned about (multiple replies allowed)

Strengthen and review group management 40%
Human resource development 38%
Accelerating account closing and reporting 37%
Strengthen information security 36%
Enhance operational efficiencies or systematization of internal control assessments 33%
Improve the information system infrastructure 32%
Standardize operations (BPR) 30%
Enterprise Risk Management (ERM) 18%
Disasters measures and business contingency plan 16%
Comply with international accounting standards 16%
Systematize management information 14%
Electronic management of internal control related documents 12%
Shared services 10%
Environmental measure 8%
Cash management system (CMS) 6%
Outsourcing of information system audits 4%
Outsourcing of internal control assessment 4%
Others 4%

About ABeam Consulting

ABeam Consulting is a comprehensive management consulting firm, providing global services, tailor-made to the needs of each country or region through its overseas network centered mainly in Asia. With expertise in such fields as strategy, BPR, IT, organization/personnel and outsourcing and its experienced staff of approximately 3,500 professionals, it provides wide-ranging consulting services to companies and organizations in the fields of finance, manufacturing, distribution, energy, telecommunications and the public sector.
Website: http://jp.abeam.com/

Strategic Management Research Center

Focusing on critical management issues that executives face, the research division of the Strategic Management Research Center communicates practical opinions supported by our unique research data.

Authors

Yousuke Nakano, Process & Technology Principal FMC Sector Leader J-SOX Initiative Leader
Kiyoshi Nishiyama, Process & Technology Manager FMC Sector
Kimiaki Kimura, Strategic Management Research Center Director
Haruka Taguchi, Strategic Management Research Center Manager
Kiyotaka Ota, Strategic Management Research Center Associate
Ryusuke Sakuma, Process & Technology Manager FMC Sector

Inquiries on this matter should be addressed to:
Marketing
ABeam Consulting Ltd.
Address: Yurakucho Building, 1-10-1 Yurakucho, Chiyoda-ku, Tokyo, 100-0006
Phone: 03-5521-5555

Yurakucho Building, 1-10-1 Yurakucho, Chiyoda-ku, Tokyo, 100-0006 Japan
Tel: +81-3-5521-5555 Fax: +81-3-5521-5563
http://jp.abeam.com

Copyright © 2009 by ABeam Consulting, All rights reserved.