The Japanese version of the Sarbanes-Oxley Act to be enacted next April will provide previously lacking guidance for IT departments around ensuring internal controls meet compliance requirements, according to Canadian analysts.
Nicknamed J-SOX, Japan's Financial Instruments and Exchange Law will apply to publicly traded companies on the Japanese stock market and Canadian subsidiaries of Japanese parent companies, requiring them to implement internal financial reporting controls. The regulation is expected to affect 3,800 companies.
The differentiator between J-SOX and other versions of Sarbanes-Oxley is that Japanese oversight boards have developed their own internal control framework, said Ross Armstrong, senior research analyst with London, Ont.-based Info-Tech Research Group. "The point of any control framework is to assist IT departments in building and maintaining secure internal controls, which is a fundamental requirement of whatever flavour of SOX you wish to look at."
Although the COSO framework is widely used under the Canadian and U.S. versions of Sarbanes-Oxley, it's not mandated, said Armstrong. With J-SOX, on the other hand, the makers of the framework are openly advocating it.
The move shows the Japanese have recognized the confusion that arose in the U.S. due to lack of direction around compliance, said Armstrong. "This is good because it at least provides IT departments and CIOs with a bit more guidance around what kind of IT controls and application controls they should be looking at, how they should be evaluating them, and what constitutes a control deficiency which is what auditors are looking for."
The Japanese oversight boards have learned from the U.S. approach to compliance that if something is left "open", it becomes harder to handle, said Nigel Wallis, research manager for applications services with Toronto, Ont.-based analyst firm IDC Canada. "Now it's pretty clear in J-SOX versus the U.S. and Canadian equivalent exactly what the framework is, the formula, and the formatting of how you would respond in the IT element."
Eliminating confusion aside, said Armstrong, developing and advocating such a framework helps to reign in costs and keep the scope limited.
But apart from that difference, IT departments shouldn't expect a huge change, especially if they are already subject to other versions of Sarbanes-Oxley, said Armstrong. "From an IT perspective, there's virtually no difference between J-SOX, C-SOX and the U.S. flavour of Sarbanes-Oxley."
However, for those who have never had to comply with Sarbanes-Oxley, J-SOX will place an increased workload on IT departments, specifically around having to look at their internal processes and controls "in a way they never had to do before, and deal with external auditors, and factor in the time and cost of doing that."
In addition, compliance needs to be budgeted for in both business and IT budgets.
Armstrong suggested companies that are rookies to compliance take advantage of the compliance literature that abounds out there, which detail pitfalls of implementation, cost studies and business cases. And there are frameworks like COSO and COBIT for high-level IT control objectives.
Some vendors are already providing tools for J-SOX compliance, such as Waltham, Mass.-based provider of governance and compliance software, OpenPages, which released this week a product that aims to help businesses meet J-SOX financial requirements.
It's often the case, however, that compliance requirements are "dropped off on the desk of the CIO or IT director" to bear the brunt of the responsibility, said Armstrong, because internal controls are seen to mean things like network access. And although it can mean that, IT doesn't own compliance, he said – the business does.
"IT is there to be a strategic enabler of compliance strategy. It's up to the business to determine what levels of risk actually exist, what data is more critical or sensitive, and then work with IT to develop those mitigation strategies."
Otherwise, he said, communication and ownership of issues could be problems down the road.
What are initially manual and costly tasks should eventually be automated and embedded within the company's broader risk management framework, said Wallis. "So the idea is you automate all your processes, and have a repeatable, reliable, predictable solution at a lower operating cost."
Japanese subsidiaries in Canada – Fujitsu, Sony Canada, Honda Canada – may not have independence over their approach to J-SOX compliance as it will probably be driven out of Japan-based headquarters, said Wallis. However, they should still automate tasks "rather than looking at it as a checklist compliance box."
Armstrong said one pitfall of J-SOX is the lack of special condition for company size, in that a small business must comply at the same rigour as its larger counterpart – a non-distinction that finds small companies doling out a disproportionate amount of money toward compliance.
In the U.S., the Public Company Accounting Oversight Board (PCAOB) is working towards defining small company-specific requirements, he said.