[Flashback] New Japanese Internal Controls Framework: Japan Works To Deter Fraud With “J-SOX”


Posted by Amy CHAN Wen Yi, Year 4 undergrad at the School of Accountancy, Singapore Management University

Takafumi Horie had no use for conventional Japanese business practices. This 30-something, self-proclaimed Web entrepreneur geek donned black T-shirts and jeans while most businessmen still wore the standard-issue gray suits.1 He flaunted the millions he amassed from his Livedoor Co. Ltd., an Internet service provider, and the companies he bought. He drove a Ferrari, lived in one of Tokyo’s flashiest apartment complexes, and bragged about his success on television – a Japanese taboo where modesty is prized.

But on Jan. 23, Horie’s hubris caught up with him. He and other Livedoor executives were arrested for allegedly spreading false information about a subsidiary’s takeover of a publisher. Prosecutors eventually said he violated securities laws to boost the earnings of his Internet company through shady stock splits and swaps and by buying up shares using “dummy” companies. On March 16, he was sentenced to two-and-a-half years in jail.3 The crime has been called Japan’s Enron.

In the past, Japan’s white-collar crooks rarely went to prison. Instead, Japanese regulators would mete out punishment case by case with little disclosure and no public humiliation.4 But that could all be changing.

With Japan’s revived economy and divergence from its traditional business practices, economic crimes with high-yen losses are increasing. Japan is gradually shifting toward stronger regulatory scrutiny of business. In 2006, the Financial Services Agency (FSA) — Japan’s version of the Securities and Exchange Commission — took 163 administrative disciplinary actions against financial institutions, an increase of about 50 percent from 2005.5

And, more importantly, the country is emphasizing prevention and deterrence. In 2005, the FSA tasked Shinji Hatta and an ad hoc board of economic experts with devising internal control guidelines.

Hatta, a professor of auditing at the Graduate School of Professional Accountancy at Aoyama Gakuin University in Tokyo, didn’t want to see any more cases like Livedoor. So his board devised a broad framework “encompassing all the efforts to improve confidence in the Japanese securities market through enhancement of internal controls in Japanese-listed companies,” Hatta said.

Hatta, chairman of Japan’s ACFE Advisory Committee, says that the framework is not a copy of the U.S. Sarbanes-Oxley Act. Though the Japanese media has nicknamed the framework “J-SOX” for expediency, Hatta says the panel constructed a system that would confront unique Japanese conditions and not mimic SOX. He said the panel wanted to avoid the pitfalls of SOX and tailor the guidelines to Japan. Regardless, the country has had to bring its standards in line with those in the United States and other large countries because of growing competition from global financial centers. And to avoid any more Livedoors.

Hatta spoke to Fraud Magazine from his office in Tokyo. (The original interview was conducted in Japanese by staff members of the ACFE Japan office.)

How did you come to be associated with the ACFE’s Japan office and become the chairman of the ACFE’s Japan Advisory Committee?
In 1987, the Treadway Commission’s famous report, “Report of National Commission on Fraudulent Financial Reporting” was published; I obtained the report when I attended the 100th Anniversary General Assembly of AICPA held in the same year. I was so interested in the epoch-making report that I translated and published it in Japanese to introduce it to Japan’s corporate society. I strongly feel that I met this report by fate because it led me to translating all the COSO reports and my participation in later setting the internal control standards in Japan.

Therefore, I recognized the ACFE when it was founded as an anti-fraud organization in 1988, a year after the publication of the Treadway Commission report. And when I learned that D-Quest Inc. entered into the licensing agreement in Japan with ACFE in 2004 and I had a chance to meet with Mr. Wakiyama, the CEO of D-Quest, I felt I was destined to have some relationship with the ACFE. Later on, when ACFE JAPAN was launched, Mr. Wakiyama requested me to assume the position of chairman of the advisory committee. I embraced the request to contribute to developing a better business community in Japan.

How can CFEs contribute to Japanese corporate governance? How can the ACFE help in this process?
I think that experts who engage in corporate governance, internal control, audit, and fraud examination should not be ambitious to acquire fame by detecting frauds. They should be watch dogs rather than hunting dogs; the core of their activities should be prevention and deterrence of fraud. Therefore, I have empathy with the ACFE’s emphasis on prevention. I am also encouraged as an academic by Chairman Joseph Wells’ higher education initiative to raise fraud awareness among the next generation.

Unfortunately, frauds occur at any organization as long as it is operated by human beings. Therefore, Japanese public and private organizations need people with the CFE certification or those whom the ACFE has educated. I believe that the ACFE has a vital role in Japanese society.

From now on, top management, corporate auditors, internal auditors, and external auditors should work together to strengthen internal control of Japanese companies. I expect that the knowledge provided by ACFE will give a great deal of added value to their collaborated efforts.

Could you explain J-SOX?

“J-SOX” does not refer to any specific law. It is a broad framework encompassing all the efforts to improve confidence in the Japanese securities market through enhancement of internal controls in Japanese-listed companies. Special attention in the framework is given to the internal control provision in Section 404 of the U.S. Sarbanes-Oxley Act because it has affected U.S. public companies more than any other section in the legislation.

In Japan, there has been a spate of accounting frauds by listed companies since 2004. The Financial Instruments and Exchange Law, which consolidated the existing Securities and Exchange Law, was enacted in June 2006 — and fully implemented in September – to restore confidence in the securities market and to protect investors. The articles relating to internal control reporting won’t be enforced until the fiscal year ending after 2008. The law includes, under articles 24.4.4 and 193.2, provisions concerning the Internal Control Report System similar to Section 404 of the U.S. SOX.

The label, “J-SOX,” has been frequently used among the Japanese media reporting these moves. However, it might be misleading if you see J-SOX as equal to the articles relating to the Internal Control Report System of the Financial Instruments and Exchange Law. Especially, because Section 404 of the U.S. SOX has tended to give a negative impression due to cost increases for U.S.-listed companies, we are concerned that the term J-SOX might give a biased image to Japanese-listed companies and other participants in the market before the full implementation of the Internal Control Report System in Japan.

How was the new law formed?

I was not directly involved with the legislation because the committee I chaired didn’t have jurisdiction over legislation. As far as I understand, the background of the Financial Instruments and Exchange Law was similar to the U.S. SOX. A series of large-scale accounting fraud cases such as Enron and WorldCom destroyed confidence in the securities markets in the United States. In Japan, too, a string of frauds by listed companies occurred led by the Seibu Railway case in October 2004.

The FSA, which supervises the Japanese securities market, was alarmed by this situation, and promptly requested its Financial System Council to deliberate necessary measures. In December 2004, the council submitted a report recommending institutionalization of internal control, and the FSA decided to start discussing formulation of a law and operational standard in 2005. The Internal Control Committee of the Business Accounting Council, which I chaired, was established in January 2005 by an official consultation with the financial services minister.

Unlike the U.S. situation, where SOX was enacted within an exceptionally short period of time, the FSA didn’t necessarily have a sense of urgency and tried to assess deliberately the necessity of the institutionalization of internal control. However, further fraud cases such as Kanebo, Livedoor, and Murakami Fund seriously affected our capital markets, and active public opinion had begun to form. So it was inevitable that we would have to institutionalize internal control.

Are there some common denominators among the large Japanese fraud cases that helped spur the formation of the Japanese Internal Control Report System?
Yes, there are. In all cases, the executives were involved in the root of the disclosure frauds — in other words, they were the frauds led by the top management. Therefore, we had to clearly address this issue when we discussed the introduction of the Internal Control Report System.

Consequently, like the U.S. SOX, the Japanese system requires the CEO and CFO to submit a “certification” to clarify the top managements’ responsibilities for appropriate disclosure, and the Financial Instruments and Exchange Law imposes more strict penalties for misstatement. It was a crucial discussion for the introduction of the system to make executives realize that they are accountable not only for the results but also for enhancing the integrity and credibility of disclosure processes.

Which companies are subject to the new requirements?

Under the Financial Instruments and Exchange Law, listed companies are basically required to submit an internal control report. Compared with the U.S. where all the public companies are required to submit the report, the scope in Japan is narrower: the total number of listed companies at this point is a little less than 4,000.

However, Japan’s Internal Control Report System does not expect to loosen the standards or delay adopting time according to the size of a company. I think that smaller companies listed in the emerging markets may have higher risks than larger companies because many of the small companies might not have adequate organizational systems or managements’ awareness. Therefore, you could say that loosening the standards just for small companies would be preposterous.

Can you describe some of the basic provisions of the Financial Instruments and Exchange Law? What does it require companies to do?

As I mentioned, one article of the law stipulates that management shall submit certification on the fair disclosure of the annual report. This article is similar to Section 302 of U.S. SOX. We call it certification, but it is essentially an oath because the management has a legal obligation.

Another article, equivalent to Section 404 of the U.S. SOX, stipulates the submission of an internal control report signed by the CEO and CFO. Also, auditors or audit firms shall attest the report. One article prescribes penalties for an internal control report not being submitted or misstated.

The standards for preparing an internal control report and auditing it were separately drawn up by the Internal Control Committee of the Business Accounting Council, which I chaired. Listed companies will prepare internal control reports based on the standards, and audit firms and CPAs will conduct an audit in line with the standards.

The Financial Instruments and Exchange Law requires that listed companies must not act to undermine the interests of stakeholders in general or disclose unfaithful information. I personally would like them to regard this as the minimum cost to enjoy enormous benefits obtained by listing and to obtain a pass to enter into capital markets.

The Internal Control Report System only indicates minimum standards. Top management should proactively tackle this issue to fulfill corporate social responsibilities. Just a passive attitude of abiding by laws and standards is not appropriate.

Can you elaborate more on the similarities and differences between Japan’s new standards and U.S. SOX?
Under Japan’s Standards of Internal Control Audit, the same auditor performs the internal control audit and financial statement audit. Audit evidence obtained through each audit can be effectively used in both fields, and improvements can be expected in efficiency and effectiveness of the audit.

Furthermore, unlike the United States, we do not adopt so-called “direct reporting” in which external auditors report the results of their internal control audits independent from the management’s assessment. In the Japanese standards, auditors conduct audits of internal control reports assessed and prepared by the management.

I think the reason why the United States adheres to direct reporting is that no function exists in its governance system that plays a role to conduct an operational audit of top management. Audit committees do not conduct direct audits so it is difficult for internal auditors to scrutinize top management. Under such circumstances, I assume the U.S. companies try to fulfill the function through external auditors’ direct reporting.

Auditors in Japan eventually will prepare one single audit report containing the result of both financial statement audits and internal control audits because the same auditor conducts both audits in a similar framework.

Also, the penalties for misstatements in Japan are less severe than those in the United States. Article 197.2 of the Financial Instruments and Exchange Law stipulates the punishment by imprisonment for up to 10 years and/or a fine of up to 10 million yen against misstatements in the financial statements. As for misstatement of an internal control report, the penalty is imprisonment for up to five years and/or a fine up to 5 million yen. Those penalties are more severe than the current ones.

U.S. SOX was a trailblazer but, understandably, the Public Company Accounting Oversight Board has had to hammer out more detailed interpretations. Do you believe Japan’s new system has improved on U.S. SOX and, if so, how?
The U.S. SOX rushed through Congress with a strong sense of urgency to restore confidence in the U.S. securities market. [Sen. Paul Sarbanes and the Hon. Michael Oxley don’t believe SOX was rushed into law. See http://www.ACFE.com/fraud/view.asp?articleid=676 and http://www.ACFE.com/fraud/view.asp?articleid=709. — ed.]

I think we can learn many things from Sarbanes and Oxley’s leadership. On the other hand, the legislation was so rushed that the detailed practice standards of the internal control report system were left behind to be handled afterward.

Regarding such issues as how management should assess its own internal control, the SEC showed its basic concept but did not present concrete guidelines. Furthermore, the Auditing Standard No. 2 (AS 2) set by the PCAOB, a brainchild of the U.S. SOX, in March 2004, contained very detailed provisions that brought cost increases to the companies. [PCAOB Auditing Standard No. 5 has now updated AS 2. See page 57. — ed.] I remember during the American Accounting Association’s 2005 annual meeting, Mr. Oxley expressing his anxieties at the early stage that the implementation guidelines had gone in a totally different direction from the original concept by those who drew up the U.S. SOX.

In Japan, drawing a lesson from what had happened in the United States, we put top priority on ensuring consistency in our practice standards for management assessment and audit concerning internal control through extensive discussions among all parties in charge. As I’ve said, those discussions resulted in such concepts as the same auditor conducting the integrated audit of financial statement and internal control and not introducing direct reporting.

In addition, under the Japanese Internal Control Report Standards, external auditors will appropriately coordinate with their clients’ internal audit functions and can use the work of internal auditors as necessary and appropriately.

You’ve been quoted in Compliance Week as saying that the J-SOX emphasizes that an internal control system should take a “top-down, risk-based approach.” Can you explain that?
The top-down, risk-based approach urges management to assess company-level internal controls on a consolidated basis [including all the group companies subject to consolidated accounting] first, and then to assess the process-level controls to the extent necessary, focusing on the risks of material misstatements in financial reporting. Management should invest its limited resources effectively in assessing credibility of its own company’s financial reporting. In order to do so, it should not deal with every single bit of risk equally but identify material risks that could undermine reliability of financial reporting by looking down upon its business activities as a whole.

In fact, the concept of risk-based approach has already been expected of external auditors who perform financial statement audit. By adopting the same approach to the management’s assessment concerning internal control, we aim to realize the effective operation of an internal control report system.

I think we delivered a strong message to management that “you are the central figure of the internal controls and need to proactively tackle it.”

Can you explain some of the cultural and corporate changes in Japan that have made J-SOX necessary?
First of all, in Japan we have the expression of “heart-to-heart communication.” Traditionally, Japanese organizations have operated with no definite job descriptions or division roles. But due to drastic changes in the business environment caused by deregulation, globalization, and a widening generation gap, management can’t operate under the time-honored shared values and ethics. I expect the internal control standards we set up to help Japanese companies “visualize” implicit knowledge — or documenting and sharing implicit knowledge owned by experienced employees — and improve organizational and operational efficiency.

Secondly, many baby boomers will soon be retiring. They tend to be ethical, very loyal to their employers, and have extensive work experiences. Therefore, it is important for Japanese companies to strengthen the internal controls in line with clarified standards so that baby boomers can properly pass on their knowledge, skills, and insights.

Are there great disparities in sound corporate governance among large Japanese companies? What are the conditions that cause good and bad governance?

After all, I think it is still management’s attitude or “tone at the top.” It is very important whether top management can carry out its mission and ensure that its attitude is shared company-wide. Only the commitment of top management can realize it.

Unfortunately, many of the leaders in Japanese companies were called “salaried management” and did not necessarily have strong leadership. When the economy constantly grows, companies can get through somehow without real leaders. However, during a phase of major change, weaknesses are revealed and companies lose their sense of direction. Weak leadership in top management can be attributed to Japan’s long-term recession in the 1990s after the collapse of the bubble economy.

Some have said that in the past Japan generally gave suspended sentences for white-collar crime. But now, for instance, Takafumi Horie, who ran the Internet company, Livedoor, received a two-and-a-half-year prison sentence for securities fraud and an associate received a two-year jail term. Is this a trend, and if so, is it because of the threat of J-SOX?
Leaving aside whether recent court decisions were affected by J-SOX or not, it can be definitely said that the securities markets are a vital infrastructure for Japan because the nation has very few natural resources from which we can draw income. The flowing lifeblood of money in the markets supports business activities and gives a boost to the economy. If Japan is not trusted by investors worldwide, the country will lose not only economic power but also its prestige.

Nevertheless, it has been said that Japan has been lax in prosecuting white-collar crimes and has weak deterrent power. The Japanese public has taken a harsh view of violent crimes, but both the public and judiciary have tended to be soft on economic crimes because it did not endanger human lives. But it is obvious from the Enron case that many victims including employees and their families weep behind the white-collar crime. If you think about these victims, economic crimes are very serious, and it is quite natural to impose severe penalties. I think it would be an international trend.

Public opinion in Japan follows that trend as deregulation and globalization of economic activities continues. In the adjudications for the cases of Livedoor and Murakami Fund, the court listened to public opinion and imposed prison sentences on the defendants. It was quite surprising, but I think this trend will intensify in the future.

Chuo Aoyama [renamed Misuzu and finally dissolved at the end of July of this year], one of Japan’s four large accounting firms, was punished for its failure to establish proper internal controls and systems in relation to the alleged collusion in corporate fraud at Kanebo, a textiles and cosmetics business. Is this case similar to Andersen’s relationship to Enron? What was wrong with Misuzu’s system?
The causes that forced Misuzu to be dissolved include some different factors from those in Andersen’s case, but the two cases had at least one thing in common: both firms lost trust and reputation — the lifeline for CPAs and audit firms as guardians of the securities market. Andersen’s case sent an alarm to the world that once an audit firm loses public trust, it will collapse like an avalanche.

But having said that, Japanese audit firms might have not taken it seriously, thinking somehow “it will not happen in Japan” or “we can hide unpleasant realities.” However, capital markets are now borderless, and authorities now take actions one step further than before. Therefore, they dared to take the toughest-ever action against Misuzu with the orders that the business be suspended. I think that it was an ordeal for the Japanese accounting and audit system to overcome so that it can be highly recognized internationally.

I suspect Misuzu’s system had quality control problems not only at each audit-process level but at the corporate level as well. In 2005, the large-scale window-dressing case of Kanebo was uncovered, and the accountants of former Chuo Aoyama Audit Corporation (later renamed as Misuzu) were arrested. Taking this incident seriously, the Financial Services Agency set the Quality Control Standards for Audit in October of the same year. In April 2006, the [Japanese] Certified Public Accountants and Auditing Oversight Board also strengthened quality control review by applying the standards.

Can you describe the unique Japanese corporate auditor or “kansayaku” and how that person fits into the framework?

“Kansayaku,” or corporate auditor, was initially introduced to Japan in the Meiji era [1868 to 1912] based on the governance mechanism in Germany. Although there were many twists and turns, it has been a major institution of Japanese corporations for more than 100 years. The role of the corporate auditor is to monitor the execution of duties of the members of a board of directors. That person has full legal authority to conduct financial audit and operational audits other than accounting.

In reality, however, many critics have said that corporate auditors do not function as originally expected because they were in fact under the command of representative directors — drawn from the board of directors — who appointed them. Therefore, its role and responsibility was repeatedly reviewed after commercial and company laws were revised.

Since 1950, seven revisions of commercial law have been made regarding the role and responsibility of Kansayaku. Generally speaking, the points of revision are power and authority, term of office, numbers, and responsibility.

Still, the situation stayed the same, and some started arguing about abolishing corporate auditors. In 2003, the commercial law was revised so that Japanese companies can now introduce a U.S.-style committee system to replace corporate auditors. However, a series of accounting frauds coincided in the United States, and the effectiveness of the committee system was also questioned in Japan. Thus, corporate auditors survived once more in the governance mechanism of most Japanese companies.

I think it is very important for corporate auditors to fulfill their expected role to enhance the effectiveness of the Japanese internal control report system. Actually, the existence of corporate auditors in Japanese corporate governance is one of the reasons why Japan didn’t adopt direct reporting on internal control from external auditors. If corporate auditors can actually carry out their legal right and responsibility for operational audit and cooperate with external auditors more closely, I expect the confidence in Japan’s internal control report system will be remarkably increased.

Even though the law won’t go into full effect until April 2008, companies are beginning to implement it. Have you received much feedback yet?
We have not received any official feedback yet, but so far we have seen that the approximately 3,900 companies subject to the Internal Control Report System can be roughly divided into three groups.

The first group consists of the companies that have already experienced the U.S. SOX compliance or proactively introduced the U.S.-style internal control. They are the most advanced, but I would like them to be aware of the difference between the United States and the Japanese internal control standards and avoid the pitfalls of introducing systems that are too costly.

Companies in the second group are making steady progress in establishing internal control in accordance with the final standard we issued on Feb. 15 of this year. They are the typical Japanese listed companies.

The third group includes companies that have not yet taken any action so far hoping that they can wait until an additional government ordinance or detailed questions and answers are issued or that less stringent standards might be applied to small- and medium-sized listed companies just as in the United States. The number of the companies in this group is decreasing, but it is about 400 – approximately 10 percent of all the listed companies.

I am telling the third group, “The blue bird (good news) will never come.” The Internal Control Report System in Japan is a minimum standard, and the authority clearly announces that it applies to all listed companies without exception. We would like management to meet the minimum requirement first and then build its own internal control on the foundation. If you remain reactive, you will definitely pay the price later. I personally have an impression that none of the top management are fully committed in the companies in these three groups. Without a strong tone at the top, employees in the field will make internal controls a mere formality — just drawing up business process charts, binding them up neatly, and storing them on the shelves. Management must keep firmly in mind that their efforts to implement internal controls never end. They must be upgraded step by step. To make it happen, management has to take the initiative and actively engage in the effort.

Shinji Hatta, professor of auditing at the Graduate School of Professional Accountancy at Aoyama Gakuin University in Tokyo, is chairman of Japan’s ACFE Advisory Committee. He was educated at Keio University and Waseda University in Tokyo.

Previously, he was professor of accounting and auditing at the School of Management at Aoyama Gakuin University, and professor of accounting and auditing in the department of economics at Surugadai University in Saitama. He has written extensively on auditing, corporate governance, international accounting, and integrated frameworks of internal control.

Hatta is the chairman of the Internal Control Committee of the Business Accounting Council of the Financial Services Agency (FSA), a member of the Steering Committee of Independent Evaluation of Governance within the United Nations, chairman of the NHK Compliance Committee, an examiner of Japan’s Certified Public Accountants Examination for the Certified Public Accountants and Auditing Oversight Board of the FSA, and president of the Japan Auditing Association. He is also the academic coordinator for the JICPA Journal, and a member of the Japanese Institute of CPAs’ Ethics Committee.

Dick Carozza is the editor of Fraud Magazine.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on http://www.fraud-magazine.com or http://www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.

