The Japanese version of the Sarbanes-Oxley Act to be enacted next April will provide previously lacking guidance for IT departments around ensuring internal controls meet compliance requirements, according to Canadian analysts.
Nicknamed J-SOX, Japan’s Financial Instruments and Exchange Law will apply to publicly traded companies on the Japanese stock market and Canadian subsidiaries of Japanese parent companies, requiring them to implement internal financial reporting controls. The regulation is expected to affect 3,800 companies.
The differentiator between J-SOX and other versions of Sarbanes-Oxley is that Japanese oversight boards have developed their own internal control framework, said Ross Armstrong, senior research analyst with London, Ont.-based Info-Tech Research Group. “The point of any control framework is to assist IT departments in building and maintaining secure internal controls, which is a fundamental requirement of whatever flavour of SOX you wish to look at.”
Although the COSO framework is widely used under the Canadian and U.S. versions of Sarbanes-Oxley, it’s not mandated, said Armstrong. With J-SOX, on the other hand, the makers of the framework are openly advocating it.
The move shows the Japanese have recognized the confusion that arose in the U.S. due to lack of direction around compliance, said Armstrong. “This is good because it at least provides IT departments and CIOs with a bit more guidance around what kind of IT controls and application controls they should be looking at, how they should be evaluating them, and what constitutes a control deficiency, which is what auditors are looking for.”
The Japanese oversight boards have learned from the U.S. approach to compliance that if something is left “open”, it becomes harder to handle, said Nigel Wallis, research manager for applications services with Toronto-based analyst firm IDC Canada. “Now it’s pretty clear in J-SOX versus the U.S. and Canadian equivalent exactly what the framework is, the formula, and the formatting of how you would respond in the IT element.”
Eliminating confusion aside, developing and advocating such a framework helps to rein in costs and keep the scope limited. But apart from that difference, IT departments shouldn’t expect a huge change, especially if they are already subject to other versions of Sarbanes-Oxley, said Armstrong. “From an IT perspective, there’s virtually no difference between, J-SOX C-SOX and the U.S. flavour of Sarbanes-Oxley.”
Japanese subsidiaries in Canada – Fujitsu, Sony Canada, Honda Canada – may not have independence over their approach to J-SOX compliance as it will probably be driven out of Japan-based headquarters, said Wallis. However, they should still automate tasks “rather than looking at it as a checklist compliance box.” 078739