Michael Rasmussen, Vice President; Paul Hamerman, Vice President (Forrester Research)
  1. Strategies for Achieving J-SOX Compliance
     Forrester Research Teleconference, December 12, 2006. Call in at 7:55 p.m. Eastern Time.
     Michael Rasmussen, Vice President; Paul Hamerman, Vice President
  2. Agenda
     - Compliance drivers and trends
     - J-SOX overview — requirements and deadlines
     - Lessons learned from US SOX compliance
     - Compliance best practices
     - The role of technology and consulting firms in J-SOX compliance
  3. Enterprise risk and compliance drivers and trends
     Drivers:
       - Multiplicity of risk and regulations
       - Distributed operations and relationships
       - Interdependency of risk
       - Increased accountability
       - Fragmentation and duplication of effort
     2006 trends:
       - Establishment of risk and compliance architecture
       - Development of risk intelligence
       - Implementation of governance, risk, and compliance (GRC) platforms
       - Centralized communication and training on corporate policies and procedures
       - Continued evolution of the CxO responsible for GRC
  4. It began with SOX
     The Sarbanes-Oxley Act was signed into law in 2002. It includes:
       - Corporate transformation that impacted boards, management, and the external auditors
       - Greater independence and oversight of the board of directors
       - Establishment of the Public Company Accounting Oversight Board for external auditors
       - Management now required to provide several certifications:
           - Section 302 – Disclosure controls
           - Section 404 – Internal control over financial reporting
           - Section 906 – Accuracy of financial information
  5. Components of SOX: 11 Titles with 96 Sections
     - Title I (Sections 101-109): Public Company Accounting Oversight
     - Title II (201-209): Auditor Independence
     - Title III (301-308): Corporate Responsibility
     - Title IV (401-409): Enhanced Financial Disclosures
     - Title V (501): Analyst Conflicts of Interest
     - Title VI (601-604): Commission Resources and Authority
     - Title VII (701-705): Studies and Reports
     - Title VIII (801-807): Corporate and Criminal Fraud Accountability
     - Title IX (901-906): White-Collar Crime Penalty Enhancements
     - Title X (1001): Corporate Tax Returns
     - Title XI (1101-1107): Corporate Fraud and Accountability
  6. US SOX implementation experience
     - Nearly 5,000 companies have filed at least one report
     - Approximately 16% of first-year filers reported material weaknesses
     - Average cost of compliance is $3.5 million per year
     - SEC and PCAOB are proposing changes to rein in the cost and effort around compliance
  7. Agenda (section divider; same five items as slide 2)
  8. Why J-SOX? Japan’s corporate reform
     - Investors shifting their assets from bank savings accounts to equity, mutual funds, and other financial products
     - Japan is focused on enhancing its attractiveness as an international market
     - Fraudulent transactions resulting from loopholes and/or fraudulent disclosures
         - e.g., Seibu Railway, Kanebo, Livedoor
     - Japan’s Financial Instruments and Exchange Law*
         - Establishing a cross-sectional framework for a wide range of financial instruments and services
         - Enhancing disclosure requirements
         - Increasing the maximum criminal penalties for various market frauds
         - Providing organizational structures for the self-regulatory functions of exchanges in the form of stock corporations
     *Source: FSA’s provisional document “New Legislative Framework for Investor Protection: Financial Instruments and Exchange Law” (modified)
  9. Development of J-SOX – Timeline
     - January 2005. Internal Control Subcommittee established under the Financial System Council of the Financial Services Agency
     - December 2005. Draft of “Standards for Evaluation and Audit of Internal Control over Financial Reporting” released by the Internal Control Subcommittee
     - June 2006. Financial Instruments and Exchange Law (equivalent of US securities law) passed by the Diet
     - November 2006. Exposure draft of “Implementation Standards for Internal Control over Financial Reporting” released
  10. J-SOX defined
      J-SOX is the unofficial name given to the enhanced management disclosure requirements of the Financial Instruments and Exchange Law
        - Mandatory for all companies listed in Japan
        - Estimated 3,800+ Japanese companies are impacted
        - May be a phased implementation based on size
        - FSA may require non-listed financial institutions (including foreign financial institutions) to follow a similar framework
        - Similar to Sarbanes-Oxley Sections 302 and 404
        - Effective for fiscal years beginning on or after April 1, 2008; for most companies this means it first applies to March 31, 2009 year-ends
            - Most Japanese companies have March 31 fiscal year-ends
  11. J-SOX anticipated guidance
      - Financial Services Agency (US SEC equivalent) provides guidance for management
          - Exposure draft of Implementation Standards for Evaluation and Audit of Internal Control over Financial Reporting was issued on November 21
          - Incorporated lessons learned from US Sarbanes-Oxley
          - The 93-page document consists of three sections:
              - Internal control basic framework
              - Evaluation and reporting of internal control over management’s financial reporting
              - Audit of internal control over financial reporting
          - Final guidance anticipated in January 2007
      - JICPA to provide guidance to auditors
          - Guidance anticipated by February or March 2007
  12. Draft regulatory standard guidance
      - Adopt a top-down, risk-based approach
      - Classifications of deficiencies in internal control
      - No direct reporting
      - Integrated audits
      - Internal control audit report should be presented along with the financial statements audit report
      - Cooperation between independent auditors, corporate auditors, and internal auditors
  13. Draft of regulatory standard (Source: Subcommittee on Internal Control, FSA)
      Diagram (labels only), showing two parallel tracks:
      Design and operation of IC by management, and assessment by management:
        - Planning
        - Design and operation at company level; design and operation at application level
        - Scope of assessment
        - Assessment of company-level control; assessment of application-level control
        - Response to and remediation of deficiencies
        - Management’s report
      Audit by independent auditors:
        - Planning the engagement
        - Considering appropriateness of scope
        - Considering evaluation of company-level control; considering evaluation of application-level control
        - Evaluating IC deficiencies (deficiencies; material weaknesses)
        - Independent auditor’s opinion; independent auditor’s report
  14. J-SOX vs. US SOX 404 (Source: Deloitte)
      Applicable
        US SOX 404:
          - SEC registrants
          - (Pending final decision) Exemption clause for smaller registrants
        J-SOX:
          - All public companies listed on Japan exchanges
      Effective date
        US SOX 404:
          - Accelerated Filers: FY ending on/after 11/15/04
          - Foreign Private Issuers (FPI):
              - Large Accelerated Filers: FY ending on/after 7/15/06
              - Accelerated Filers: FY ending on/after 7/15/07
        J-SOX:
          - All: FY beginning on/after 4/1/08
          - E.g., for a 3/31 year-end company, FY ending 3/31/09
          - No deferral clause for management assessment
      External audit
        US SOX 404:
          - Required
          - External auditor is required to issue the internal control audit report on ICFR
          - Direct and indirect reporting
        J-SOX:
          - Required (possibility of deferral)
          - External auditor is required to issue the internal control audit report on ICFR
          - Indirect reporting only
  15. J-SOX vs. US SOX 404 (Cont’d) (Source: Deloitte)
      Guideline
        US SOX 404:
          - PCAOB Auditing Standard No. 2 (PCAOB AS2)
          - PCAOB AS2 is the de facto guideline for management’s (SEC registrant’s) ICFR evaluation
        J-SOX (yet to be released):
          - Framework of internal control (J-COSO)
          - Management assessment
          - Internal control audit (= PCAOB AS2)
      Management assessment language
        US SOX 404:
          - CEO & CFO are responsible for:
              - Establishing and maintaining internal controls over financial reporting (ICFR);
              - Selecting the internal control framework for assessing effectiveness of ICFR;
              - Assessing effectiveness of ICFR; and
              - Disclosing all significant deficiencies and material weaknesses.
          - External auditors audit and issue an internal control attestation report.
        J-SOX:
          - CEO is responsible for:
              - Designing and operating internal controls over financial reporting (ICFR);
              - Assessing effectiveness of ICFR;
              - Disclosing findings of the assessment of ICFR;
              - Disclosing subsequent events that have a material impact on the assessment of the effectiveness of ICFR, and remediation taken after fiscal year end.
  16. Challenges & differences – SOX and J-SOX
      - Professional services. Japan has fewer than 10% as many qualified accountants as the US.
      - Independence of auditors. While the concept of auditor independence exists in the Japanese market much as in the US, many Japanese firms can and will rely on the influence and recommendations of their audit firms.
      - Audit automation is critical. Given the extreme shortage of auditors relative to US per-capita numbers, the need for process efficiency in internal audit, and for software that supports those processes, will grow.
      - Support of IT governance. The November guidance on the scope of the J-SOX process makes clear that IT controls are a central point of focus for J-SOX.
  17. J-SOX trends
      - Market picking up pace. Organizations are beginning to prepare and ask about J-SOX, but it has yet to reach the pace seen immediately after the passing of the rules in the US. Since most organizations make staffing assignments in the March and June time frames, the pace of J-SOX activities will pick up significantly in the late spring/early summer time frame.
      - Buy Japanese. There is a strong emphasis on making sure that any solution purchased is tailored to the Japanese market. Japanese companies want to buy solutions from other Japanese companies that they trust. This significantly impacts how a US software company can effectively go to market.
      - Risk management is well understood. Since many of the large Japanese conglomerates have a strong position in banking and/or financial services, there is a good understanding of the concepts and disciplines of operational risk management in these companies. Moreover, risk management is a discipline exercised by most Japanese business process owners through their practice of consensus decision making.
      - Internal controls and the Japanese culture. Japanese culture has a pre-existing condition of a strong control environment, where the shame of wrongdoing is such a deterrent that it serves as a de facto preventive control.
  18. Agenda (section divider; same five items as slide 2)
  19. SOX compliance remains a high 2006 priority
  20. Challenges in initial SOX compliance efforts
      - Costs soared well beyond expectations
      - Technology was underutilized for SOX
      - Numerous control deficiencies were uncovered
      - Financial management systems were in need of repair
      - Regulatory guidance was insufficient and unclear
          - Ambiguity on the scope of IT controls for SOX
  21. Year one challenges; year two improvements
      Year One Challenges:
        - Poorly defined responsibilities, ad hoc project teams
        - Contentious relationship with external auditor
        - Scope too broad, with an exhaustive approach
        - Unclear role and relevance of IT in the SOX effort
        - Lack of automated tools to document, evaluate, and test internal controls
      Year Two Improvements:
        - Clear roles and responsibilities, with full-time compliance teams
        - Frequent and organized communications with audit firm
        - Scope defined by a top-down, risk-based approach
        - Use of an IT framework to define the relevance of IT controls
        - Adoption of purpose-built software for controls documentation, evaluation, and monitoring
  22. From compliance to value: best practices
      Best practices:
        - Consolidation of like systems
        - Process consistency
        - Centralization/outsourcing
        - Compliance culture
        - Content/records management
        - Automated compliance process
        - Enterprise risk management
      Business benefits:
        - Faster close and reporting
        - Control and efficiency
        - Economies of scale
        - Integrity and accountability
        - Reusable knowledge
        - Lower compliance costs
        - Fewer surprises
  23. Agenda (section divider; same five items as slide 2)
  24. Seven Habits Of A Highly Effective Compliance Program
      Source: “Seven Habits Of Highly Effective Compliance Programs”, Best Practices report, July 2005
  25. Internal control maturity model
      Chart (labels only): level of maturity, in five stages (Informal, Documented, Standardized, Managed, Optimized), plotted against controls effectiveness.
  26. Agenda (section divider; same five items as slide 2)
  27. SOX and J-SOX technology building blocks
      Diagram (labels only):
        - ERP and finance transactional systems
        - Financial reporting and consolidations systems
        - (J)SOX compliance management
        - Controls monitoring and automation
  28. Internal controls span business and IT
      Diagram (labels only):
        - Applications environment: business process controls; transaction analysis controls
        - IT infrastructure controls: data, hardware, email, content, etc.
        - Access controls and SOD (segregation of duties)
        - Security and identity management
        - Spreadsheet controls
  29. Forrester compliance architecture
      Diagram (labels only):
        - Interaction layer: compliance portal, used by CEO/CFO, audit committee, internal auditors, external auditors, finance, business units, investors, regulators
        - Business process layer: risk management, compliance rules, controls monitoring, internal controls evaluation
        - Business service layer
        - Repository layer: message & records archive, finance ERP, HR, compliance documents, other
        - Security layer
  30. The SOX vendor landscape is growing... (Source: Forrester Research, Inc.)
  31. Although not all of them are focused on Japan
      Services firms focused on J-SOX:
        - Deloitte (Tohmatsu)
        - Ernst & Young (Shin Nihon)
        - IBM
        - KPMG (Azusa)
        - Misuzu
        - PricewaterhouseCoopers (Arata)
        - Protiviti
      Software firms focused on J-SOX:
        - Achiever Business Solutions
        - BWise
        - OpenPages
        - Oracle/Stellent
        - Paisley
        - SAP
  32. Recommendations
      - Invest in J-SOX compliance software for sustainability, controls optimization, and lower costs
      - Standardize controls before automating them
      - Fine-tune your J-SOX compliance approach based on risks
      - Optimize your transactional systems environment
      - Consider J-SOX as part of a broader governance, risk, and compliance strategy
  33. Thank you
      Michael Rasmussen: mrasmussen@forrester.co
      Paul Hamerman: [email_address]
      www.forrester.com