Assessment of process-level controls other than those over the financial and reporting process.
1. Selection of significant business locations/units
※ Business locations include headquarters, subsidiaries, local offices, branches, business units, etc.
※ Different or additional criteria may be used depending on the company’s business environment or characteristics.
(Examples) *Business processes that relate to businesses or operations dealing with high-risk transactions
*Business processes relating to significant accounts involving estimates and management’s judgment
*High-risk business processes that require special attention which include non-routine or irregular transactions
3. Assessment of business processes included in the scope of assessment
[1]. Identify and organize the overview of business processes included in the scope of assessment.
[2]. Identify the risk of misstatements in business processes and controls that would mitigate such risk.
[1]. Remediate identified control deficiencies, if any, by the fiscal year end date.
[2]. Disclose material weaknesses existing as of the fiscal year end date, if any.
4. Report of internal controls
Discuss the scope of assessment with external auditors as appropriate.
※ Business processes can be excluded from the scope of assessment when they are only remotely associated with businesses or
operations performed in significant business locations/units and do not have a material impact on the financial statements.
[2]. Business processes of significant and other business locations/units that have a significant impact on the
financial reporting should be added to the scope of assessment individually.
※ The scope of sampling may be reduced when the company-level controls are assessed to be operating effectively and in
other circumstances.
[3]. Adjustment of the scope of and approaches to the assessment of process-level controls based on the assessment
results of company-level controls
※ When company-level controls have been assessed as ineffective, measures such as the expansion of the scope of assessment
or addition of assessment procedures may be necessary.
When company-level controls have been assessed as effective, the assessment procedures may be simplified by, for
example, reducing the scope of sampling, or reducing the frequency of a certain scope of assessment, according to the
materiality of the scope, to every two or more accounting periods.
(Reference drawing 2)
Flow of the Assessment and Report on Internal Control Over Financial Reporting
Significant business locations/units are selected in the descending order of sales (or other factors) until their
combined amounts reach a certain ratio (for example, approximately two-thirds) of the total amounts.
[1]. All business processes of significant business locations/units which impact the accounts (in principle, in the
case of general companies, sales, accounts receivable and inventory) that are closely associated with the company’s
objectives should be in the scope.
[4]. Assess the operation status of internal controls by reviewing related documents, making inquiries, conducting
observations, verifying records on the performance of internal controls, examining the status of self assessment, etc.
[3]. Assess the design status of internal controls by reviewing related documents, making inquiries, conducting
observations and through other procedures.
2. Identification of business processes to be assessed
Assessment of company-level controls
(In principle, the management should assess all business locations from a company-wide perspective.)
Assessment of process-level controls over financial closing and reporting
(Financial closing and reporting process appropriate to be assessed from a company-wide perspective
should be assessed in a manner similar to company-level controls.)