Japanese companies and their international subsidiaries have started prepping for next year’s implementation of a corporate governance framework that’s comparable to the requirements imposed by the Sarbanes-Oxley Act in the U.S.
Many U.S.-based IT managers have started working on processes to ensure compliance with the emerging financial controls requirements, informally known as J-SOX, even though initial details aren’t expected until next month.
“This is just like the early stages of Sarbanes-Oxley — nobody really knows” the specific requirements yet, said Michael Pellegrino, vice president of IT at Fuji Photo Film U.S.A. Inc., a Valhalla, N.Y.-based subsidiary of Tokyo-based Fujifilm Corp.
As the largest of Fujifilm’s 12 North American subsidiaries, Pellegrino’s group is following the lead of its parent firm’s IT operations on what steps it should take to document its IT controls.
Pellegrino noted that as part of its due-diligence efforts, his company is already creating a “matrix” of all its hardware, the IP addresses for those machines and the software that runs on them.
He said that his organization expects to document the controls it has in place for several IT processes that could affect the company’s financial activities. Among them are those related to the procurement and development of software applications, the procurement and development of IT infrastructure, the deployment and testing of IT, and the management of third-party IT services.
Sarb-Ox Lessons Learned
J-SOX, officially known as the Financial Instruments and Exchange Law, is scheduled to go into effect in April 2008 for roughly 3,800 companies listed in Japan, along with their foreign subsidiaries.
Japan’s Financial Services Agency — similar to the U.S. Securities and Exchange Commission — moved to create J-SOX laws following accounting scandals involving companies such as Seibu Railway Co., Livedoor Co. and the Murakami Fund.
Marios Damianides, an IT risk management consultant and partner at Ernst & Young LLP in New York, said he expects that the relaxation of some Sarbanes-Oxley requirements by the Public Company Accounting Oversight Board in the U.S. late last year should help ensure that the J-SOX rules won’t be excessive for businesses.
The lessons learned from U.S. companies’ Sarbanes-Oxley efforts will lead Japan’s Financial Services Agency to “soften J-SOX [requirements] a little bit,” said Damianides, a former international president of the Information Systems Audit and Control Association.
As part of its effort to meet J-SOX requirements, Tokyo Electron Ltd. is revising its security and IT policies “to conform with what J-SOX is going to look like,” said Russ Finney, CIO at Tokyo Electron America Inc. in Austin. “It’s going to be a lot of work.”
That work will involve tracking and monitoring the company’s global IT systems, as well as documenting the security safeguards it has in place for each of those systems, said Finney.
“I would anticipate that we’d be in good shape” regarding IT asset tracking, since Tokyo Electron already does that, said Finney.
But, like Fuji Photo’s Pellegrino, Finney and his IT team in Austin can only address the J-SOX requirements that have been made clear by Japan’s Financial Services Agency.
“We’re working hard on the things we know about,” said Finney. “As soon as J-SOX gets approved, we’ll be an early adopter.”
Many Japanese companies may have a jump-start in meeting the requirements because IT asset tracking is already commonly practiced by most businesses in the country, said Masafumi Tanabu, a partner at Tokyo-based KPMG AZSA & Co. The firm is helping its accounting customers comply with the regulatory framework.
In Japan, companies must denote individual assets, such as servers and desktop machines, in their accounting records and expense those assets in order to receive tax benefits for them, Tanabu noted.