The Japanese version of the Sarbanes-Oxley Act to be enacted next April will provide previously lacking guidance for IT departments around ensuring internal controls meet compliance requirements, according to analysts.
Nicknamed J-SOX, Japan’s Financial Instruments and Exchange Law will apply to publicly traded companies on the Japanese stock market and Canadian subsidiaries of Japanese parent companies, requiring them to implement internal financial reporting controls. The regulation is expected to affect 3,800 companies.
The differentiator between J-SOX and other versions of Sarbanes-Oxley is that Japanese oversight boards have developed their own internal control framework, said Ross Armstrong, senior research analyst with Info-Tech Research Group. “The point of any control framework is to assist IT departments in building and maintaining secure internal controls, which is a fundamental requirement of whatever flavor of SOX you wish to look at.”
Although the COSO framework is widely used under the Canadian and US versions of Sarbanes-Oxley, it’s not mandated, said Armstrong. With J-SOX, on the other hand, the makers of the framework are openly advocating it.
The move shows the Japanese have recognized the confusion that arose in the US due to lack of direction around compliance, said Armstrong. “This is good because it at least provides IT departments and CIOs with a bit more guidance around what kind of IT controls and application controls they should be looking at, how they should be evaluating them, and what constitutes a control deficiency which is what auditors are looking for.”
The Japanese oversight boards have learned from the US approach to compliance that if something is left “open”, it becomes harder to handle, said Nigel Wallis, research manager for applications services with analyst firm IDC. “Now it’s pretty clear in J-SOX versus the US and Canadian equivalent exactly what the framework is, the formula, and the formatting of how you would respond in the IT element.”
Eliminating confusion aside, said Armstrong, developing and advocating such a framework helps to reign in costs and keep the scope limited. But apart from that difference, IT departments shouldn’t expect a huge change, especially if they are already subject to other versions of Sarbanes-Oxley, said Armstrong. “From an IT perspective, there’s virtually no difference between, J-SOX C-SOX and the U.S. flavor of Sarbanes-Oxley.”