Japanese SOX (J-SOX)
J-SOX is a standard for describing, evaluating and auditing internal controls relevant for the financial reporting and creation of the financial statements. J-SOX is mandatory for all Japanese stock traded companies and plays a very important role in the risk management. Depending on the size of a subsidiary it may as well have to implement J-SOX regardless of its location.
Company Level Controls (CLC)
The company level controls (CLC) describe and define company guidelines and controls which act as an umbrella for the whole company. The overall responsibility of the CLCs usually lies with the management. While it is not recommended to include ISO and J-SOX in one or the other it is often possible to re-use existing elements if available.
Topics which may be handled in the CLC are:
- Communication (effectiveness, efficiency)
- Compliance (fraud, whistle blower system, dealing with misconduct)
- General responsibilities and how they are ensured
- Hiring, training and promotion policies
- General guidelines and policies
- Risk management
Financial Statement Closing Process (FSCP)
The financial statement closing process (FSCP) describes and defines general financial guidelines and controls which act as an umbrella for the whole finance department and financial closing process. The overall responsibility of the FSCP usually lies with the CFO. The FSCP can often be combined with existing financial controls and guidelines (e.g. in Germany many parts of the IKS can be used).
Topics which may be handled in the FSCP are:
- General accounting guidelines
- Reporting guidelines
- Closing guidelines
- Budgeting guidelines
General Controls IT (IT-GC / GC-IT)
The general controls IT (GC-IT or IT-GC) describe and define general IT guidelines and controls which act as an umbrella for the whole IT infrastructure surrounding the financial closing process. The overall responsibility of the IT-GC usually lies with the Head of IT.
Topics which may be handled in the IT-GC are:
- System Development and Maintenance
- System Security (Access Control)
- System Operation and Administration
- Outsourcing Contract Management
Process Level Controls (PLC)
The process level controls (PLC) describe and define process specific guidelines, risks and controls. Parts of the PLC are a process documentation, a risk control matrix (RCM) and a flow chart for the process. In the process documentation the risks and controls must be mentioned and referenced to the RCM. Additionally, many organizations provide a walk-through document (WT) which shows with images examples of the process steps (e.g. sample documents and sample controls). The purpose of the walk-through is to show the auditors how the controls should be performed and how the documents look like. The auditors can use the walk-through document as a guideline when checking their test samples.
Risk Control Matrix (RCM)
The risk control matrix (RCM) has some similarities with a risk register. However, the RCM focuses more on the two aspects mitigation type and occurrence. Every year the effectiveness (ES) and the efficiency (EY) of the controls must be validated by the control owner.
|No.||Responsible||Process||Risk Event||Frequency||Mitigation/Control Type||ES||EY||Evidences|
Both the mitigation or control type and the frequency have an impact on how the controls are tested by auditors and how many test samples are collected.
- Many times a day (25 - 60 tests)
- Daily (20 - 40 tests/evidences)
- Weekly (5 - 20 tests/evidences)
- Monthly (2 - 6 tests/evidences)
- Quarterly (1 - 4 tests/evidences)
- Annually (1 test/evidences)
- Manual control (digital or physical document required as evidence)
- System control (audited by IT specialist)
Common processes handled in the PLC are:
- Sales / Order-To-Cash
- Describes the sales process from the customer order until the payment
- Purchase / Cash-To-Order
- Describes the purchase process from ordering a product or service until the delivery and payment of the order
- Describes the stock management, inventory and stock evaluation process
- Describes the payroll process
The audit for for J-SOX is usually two-fold. One audit is performed by internal auditors who are independent from the finance department and audited processes. The second audit is performed by external auditors who do a re-performance test (testing some of the already tested documents of the internal auditing team) and independent tests. Either the internal audit takes place before the external audit or they may also take place during the same time. In some situations parts of the audits may be performed before the year-end giving the audited company some time to improve findings during the audit. However, the finalization of the J-SOX audit is performed after the year-end for the past year.
At the start of the audit the auditors (internal or external) will request a list of the population (list of all possible elements which should have been controlled). Based on this population they will perform a random sample of evidences that should be provided to the auditors. Additional, samples might be chosen on random basis during the audit. If the audit is the first audit or has a new auditor it is likely that the J-SOX documentation needs to be discussed and presented in detail with additional explanations.
At the end of the audit you will most likely receive a list of none-conformities which the auditors expect you to either improve until the end of the fiscal year or until the audit in the next year.
Example documents for J-SOX can be found as part of the business documentation at jingga.app.