Provisional translation
Released on February 15, 2007
Business Accounting Council
The original texts of the Standards are prepared in the Japanese language, and
these translations are to be used solely as reference material to aid in the
understanding of the Standards.
For all purposes of interpreting and applying the Standards in practice, users
should consult the original Japanese texts available on the following website:
http://www.fsa.go.jp
On the Setting of the Standards and Practice Standards for
Management Assessment and Audit concerning Internal
Control Over Financial Reporting (Council Opinions)
Table of Contents
On the Setting of the Standards and Practice Standards for Management Assessment and Audit
concerning Internal Control Over Financial Reporting (Council Opinions)
Standards for Management Assessment and Audit concerning Internal Control Over Financial
Reporting
Practice Standards for Management Assessment and Audit concerning Internal Control Over
Financial Reporting
On the Setting of the Standards and Practice Standards for
Management Assessment and Audit concerning Internal Control
Over Financial Reporting (Council Opinions)
February 15, 2007
Business Accounting Council
1. General Background of Discussions
(1) Necessity for enhancement of internal control
The securities market cannot fulfill its function unless corporate information is disclosed in a
fair manner to the investors. However, improper practices have been observed recently
concerning disclosure under the Securities and Exchange Law, and in particular that in the
Annual Report.
These cases may indicate that companies’ internal controls to ensure the reliability of corporate
disclosure are not functioning effectively. Considering these circumstances, in order to ensure
the reliability of corporate disclosure, it is necessary to seriously consider a measure to enhance
the internal controls of listed companies. The enhancement of internal controls will bring
various benefits to each listed company through the improvement of adequacy and efficiency of
business operation etc. It will also bring numerous benefits to all the market participants,
including the listed companies themselves, through the improvement of the reliability of
disclosure overall as well as the regional and global confidence of securities market.
In this regard, the importance of companies' internal controls has also been recognized in the
United States since a series of misconduct cases such as the Enron case. Consequently, under the
Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley Act
of 2002), the management of each Securities and Exchange Commission (SEC) registrant is
obliged to prepare the Internal Control Report, which shall contain an assessment of the
effectiveness of the internal controls over financial reporting. In addition, each registrant is
assumed to have an audit by certified public accountants.
Comparable systems have been introduced in other countries, such as the United Kingdom,
France, South Korea etc.
In Japan, certification by the company representative on the fair disclosure of Annual Report has
been in place as a voluntary system since the fiscal year ended on or after March 31, 2004,
which requires the management to assess whether the internal controls over financial reporting
are operating effectively. By way of the Financial Instruments and Exchange Law, which was
enacted in June 2006, the management of listed companies shall implement assessments of
internal controls over financial reporting, and this assessment shall be audited by certified
public accountants (Internal Control Report System). This system will come into effect in the
fiscal year starting on or after April 1, 2008.
(2) Process of Discussion
At a general meeting held in January 2005, the Business Accounting Council made a decision to
start discussions on the development of the standard of the assessment by management and the
auditing thereof by certified public accountants concerning the effectiveness of the internal
control over financial reporting. Discussions were initiated by the Internal Control Committee
and started from February 2005. While reviewing the existing internal control standards abroad
and giving attention to the consistency with the corporate legislation in Japan, the Committee
discussed what the content should be of a workable standard that is accountable from an
international perspective and best reflects our country’s business practices.
Then, in July 2005, the Committee issued an exposure draft of the Standard for Management
Assessment and Audits of Internal Controls Over Financial Reporting. In consideration of the
public comments submitted thereto, on December 8, 2005, the Committee published the "Draft
Standards for Management Assessment and Audit concerning Internal Control Over Financial
Reporting".
In the course of publishing the Draft Standard, many comments were offered which requested
the development of a set of practical guidance (Practice Standard) which will assist with the
implementation of the Standard. The Committee made a decision to further develop the Practice
Standard. The Committee established a task force and requested the promotion of practical
discussion and, on that basis, issued an exposure draft for the Practice Standard in November
2006.
Taking into account the public comments submitted for the exposure draft, the Council has
undertaken discussion and prepared the following document, entitled "About the Setting of the
Standards and Practice Standards for Management Assessment and Audit concerning Internal
Control Over Financial Reporting (Council's Opinion)".
2. Structure and Content of Standard
The Standard shown in this Opinion of Council is composed of three sections, namely
"I. Basic Framework of Internal Control", "II. Assessment and Report on Internal Control Over
Financial Reporting" and "III. Audit on Internal Control Over Financial Reporting".
"I. Basic Framework of Internal Control" shows the definition and conceptual framework of the
internal control for whose design and operation the management has roles and responsibilities.
"II. Assessment and Report on Internal Control over Financial Reporting" and "III. Audit on
Internal Control over Financial Reporting" indicate the framework of assessment standards by
management and the audit by certified public accountants concerning the effectiveness of the
internal controls over financial reporting, respectively.
The main content of the Standard is as follows.
(1) Basic Framework of Internal Control
In principle, an "internal control" is a process undertaken by everyone in an organization in
order to achieve the four company objectives (effectiveness and efficiency of business
operations, reliability of financial reporting, compliance with applicable laws and regulations
relevant to business activities, and safeguarding of assets), which consists of six basic
components (control environment, risk assessment and response, control activities, information
and communication, monitoring, and response to IT). This
Standard defines the internal controls that ensure the reliability of financial reporting in the form
of "Internal Controls Over Financial Reporting", and describes what kind of methods and
procedures may be implemented when management assesses the effectiveness of Internal
Controls Over Financial Reporting and certified public accountants audit such assessments.
Although there are certain frameworks of internal control, including the COSO report in the
United States, published by the Committee of Sponsoring Organizations of the Treadway
Commission (hereafter referred to as the "COSO Report"), which are broadly known worldwide,
the fact is that international discussions about internal control are often centered around the
COSO Report. Therefore, this Standard generally follows the COSO Report framework but, to
best reflect the business practices in our country, sets out four objectives and six basic
components, which adds one more objective and component to the basic framework established
by the COSO Report, which contains three objectives and five components.
The Standard indicates "safeguarding of assets" as an objective distinct from others for the
reason that it is highly emphasized in our country that the acquisition, use and disposition of
assets shall be executed through due procedures and authorizations. Moreover, the Standard
adds "response to IT" to the basic components in consideration of the current reality of IT’s
deep penetration into business organizations, supported by the rapid evolution of the IT
environment which has occurred since the publication of the COSO Report. This Standard uses
the term "basic component" in order to clarify that these elements are illustrative, whereas the
COSO Report uses the term "component".
The above four objectives of internal controls overlap each other, and companies will achieve
these objectives by designing and operating effective internal controls. As for the reliability of
financial reporting, it is difficult for management to precisely understand all company activities
and the behaviors of all company personnel. Instead, by designing and operating effective
internal control systems within their company, management may ensure the fairness of
presentation in the financial reports. Ensuring the reliability of financial reporting through
designing and operating internal control systems provides certain advantages to companies,
such as through the reduction of information processing costs by way of enhancing the
effectiveness and efficiency of business operations, the expansion of market opportunities to
raise capital, and the reduction in the cost of capital procurement.
Management is responsible for establishing the processes whereby basic components of internal
control are implemented, and for operating them appropriately. For that purpose, management
not only needs to design the internal controls but also needs to operate them in the intended fashion.
However, it is not appropriate to explain herein how to design and operate the internal controls
in a uniform manner since such controls shall be specific to each individual company,
depending on its environment, the characteristics of its business, its size, etc. Management is
expected to undertake appropriate efforts to fulfill the functions and the roles of internal controls
in accordance with the specific circumstances.
(2) Assessment and Report on Internal Control Over Financial Reporting
Management is charged with the roles and responsibilities of designing and operating internal
controls and, in regard to the internal controls over financial reporting, is required to assess their
effectiveness and report the result thereof to the public.
This assessment shall be made to the extent necessary from the viewpoint of materiality of the
impact on the reliability of financial reporting. Management is expected to make reasonable
decisions in regards to the scope of assessments in consideration of the materiality of
quantitative and qualitative impacts on financial reporting. In doing so, for instance, management
may eliminate accounts, subsidiaries or affiliates from the scope of assessment if any of these
are found to have little relevance.
When management assesses the effectiveness of internal controls, it first needs to assess the
internal controls that have a palpable impact on the reliability of financial reporting on a
consolidated basis (hereafter referred to as "company-level control"). In consideration of the
results of these assessments, management shall then assess the process-level controls. This
Standard is to embody a top-down and risk-based approach. In this approach, management
begins by assessing company-level controls and obtaining a conclusion on whether effective
controls operate at the company level and, based on this conclusion, assesses the
process-level controls, focusing on the risks that could lead to material misstatements in the
financial reporting.
Management is then to prepare an "Internal Control Report" and state the results of said
assessment on the effectiveness of the internal controls over financial reporting, etc.
(3) Audit on Internal Control Over Financial Reporting
Managerial assessments on the effectiveness of internal control over financial reporting are
assured by certified public accountants responsible for auditing the financial statements of the
company in question (hereafter referred to as "auditor(s)") by auditing whether the results of
the assessments are fairly stated (in the Internal Control Report).
The Standard stipulates that internal control audits are to be performed by the same auditors
who audit the company's financial statements. (The Standard stipulates that not only the audit
firm, but also the engagement partners, be the same.) The integration of the internal control
audit with the audit of financial statements may achieve an effective and efficient audit by using
the same audit evidence in both audits.
Auditors should understand the company's context, obtain a sufficient understanding of the
management’s assessment of design and operation of internal control, and organize audits,
paying attention to the materiality of the audit. As the auditors audit the results of the
management’s assessment of internal controls, they shall first examine the appropriateness of
the scope of assessment as determined by the management, and then examine the management's
assessment of company-level controls and the assessment of process-level controls performed
by the management based on the result of assessments of company-level controls.
The auditor shall prepare the "Internal Control Audit Report" and express an opinion on the
management's assessment on the effectiveness of internal controls over financial reporting. This
report shall in principle be combined with the auditors’ report on the financial statements.
(4) Consideration of the Level of Assurance by Certified Public Accountants and the Cost Burden
Examination of the internal controls by auditors is performed to examine managerial
assessments on the effectiveness of said controls, which is a prerequisite for the preparation of
reliable financial statements, and also supports the effective and efficient conduct of financial
statement audits. This examination process is integrated with the audit of financial statements
and supports the in-depth and efficient conduct of said audits. It would be unsuitable if such
examinations did not require the same level of assurance as a financial statement audit and
auditors performed different procedures and gathered different evidence for the respective
audits. It would make the procedures of both audits more cumbersome and complicated
if auditors were to evaluate audit evidence and derive different conclusions in each audit based
on the differences in the levels of assurance required. Therefore, the level of assurance for the
assessment on the effectiveness of internal control is determined by way of "audits."
However, when considering the contents of specific "audit" procedures, it is necessary to note
that said contents should not place an excessive burden on the auditors as well as the preparers
of financial statements and other relevant parties. In developing the standards for management's
assessments and auditors' audits, we have therefore examined current operations in the United
States, which previously implemented the system, and decided to adopt the following measures
in particular so that the burden of cost relating to the assessment and audit would not be
excessive.
Using top-down/risk-based approach
When management assesses the effectiveness of internal controls, it shall first assess
company-level controls on a consolidated basis, and then, considering the result of these
assessments, assess the process-level controls to the extent necessary, focusing on the risks
that could create material misstatements in financial reporting.
Classification of deficiencies of internal controls
In this Standard, a deficiency in internal controls is classified into one of two categories,
"material weaknesses" and other "deficiencies," according to its impact on financial
reporting. In the United States, control deficiencies are classified in three categories,
namely "material weaknesses," "significant deficiencies" and "other deficiencies." It is said
that this classification renders more complicated the procedures involved in assessing the
impacts thereof on financial reporting.
Not adopting direct reporting
Auditors shall solely audit the managerial assessments of internal controls and shall not
carry out direct reporting (where the auditors directly audit and report on the effectiveness
of internal control) which is adopted in the United States (in parallel with the audit of
management’s assessments). Consequently, auditors shall conduct the audit procedures and
obtain audit evidence in order to audit the result of managerial assessments.
Integration of internal control audit with audit of financial statements
Audits of internal controls are to be performed by the same auditors responsible for
auditing the company's financial statements. As a result, the effective and efficient practice
of audits may be ensured, since the audit evidence obtained through the internal control
audits and that obtained through audits of financial statements can be reciprocally utilized
in the respective audits.
Preparation of internal control audit report and financial statement audit report in a unified form
The Internal Control Audit Report shall in principle be prepared in conjunction with the
report of financial statements audit.
Coordination with corporate auditors/audit committee and internal auditors
Auditors may contact the company personnel in charge of supervisory or monitoring
operations such as corporate auditors and, when necessary, make use of the work of
internal auditors as is deemed appropriate.
Corporate auditors or audit committees are responsible for conducting operational audits, in
order to evaluate the performance of duties by management from an independent viewpoint.
As part of operational audits, corporate auditors or audit committees conduct internal
controls audits. In the case of large companies (wherein financial audits are required under
the Company Law), corporate auditors or audit committees shall evaluate the
appropriateness of the conduct and results of said audits that the (external) auditors carry
out in relation to the statutory accounts.
In regards to the internal control audits described in this Standard, auditors are not expected
to examine the details of operational audits performed by corporate auditors. On the other
hand, when auditing the appropriateness of managerial assessments of company-level
controls over financial reporting, auditors should consider the design and operations of
internal controls at the management level, including the activities of corporate auditors or
audit committees, as part of the company's control environment.
3. Content of the Practice Standard
As previously mentioned with regard to the methods of establishing internal controls, each
company in principle may attempt to implement the most appropriate processes in accordance
with the specific circumstances surrounding the company in question. However, we have
received a number of public comments stating that doing so was difficult in practice solely by
way of applying the Draft Standard (and asking for guidance in certain areas). The Practice
Standard maintains the basic idea of respecting the innovative efforts of each company but tries
to provide as concrete a guidance framework as possible for establishing, assessing and auditing
internal controls over financial reporting.
In the Practice Standard, the company is expected to design and operate internal controls in
accordance with the environment surrounding the company, the characteristics of its business,
its size, etc. For instance, a smaller and less-complex company is expected to try to make efforts
according to the given conditions, in establishing, assessing and auditing internal control. These
efforts may encompass the search for possibilities for the implementation of alternate control
apparatuses, which may compensate for the segregation of duties, and the use of specialists
brought in from outside the company.
The main content of the Practice Standard is as follows.
(1) Basic Framework of Internal Control
The Practice Standard provides detailed explanations about each of the four objectives and six
basic components that the Standard introduces. With reference to companies which advance the
preparation for the implementation of the Internal Control Report System, based on the Basic
Framework of Internal Control, the Practice Standard indicates the key points for establishing
internal controls over financial reporting and further illustrates the process for establishing said
system, demonstrating general procedures.
(2) Assessment and Report on Internal Control Over Financial Reporting
Assessment Points for Company-Level Controls
The Practice Standard illustrates concrete items to evaluate in assessing company-level
controls. Each company is to put these items into practice.
Scope of Assessment for Process-Level Controls
For the assessment of process-level controls, the Practice Standard indicates the concrete
steps to determine the scope of assessment so that the management's assessment is properly
performed based on the aforementioned concept of a top-down and risk-based approach.
For example, "significant business locations" shall be determined in descending order
based on their sales levels (or other factors) until their combined amount reaches
approximately two thirds on a consolidated basis. In the case of a generic company, all
business processes in the significant business locations that have an impact on three
accounts (sales, accounts receivable, and inventory) would be, in principle, within the
scope of assessment. In addition, management should select all business processes, if any,
which could have a significant impact on financial reporting so that they may determine the
appropriate scope of assessment.
Communication with Auditors
When auditors evaluate the scope of assessment that management determined and judge it
inappropriate, management should re-execute the assessment procedures in accordance
with the new scope of assessment. However, such re-execution may sometimes be difficult
due to limited timeframes. Therefore, the Practice Standard recommends that management
communicate with the auditors as appropriate and carry out preliminary discussions about
the scope of assessment soon after said scope is determined.
Guidelines for Determining Material Weaknesses
Among control deficiencies, management should disclose the material weakness(es) in the
Internal Control Report. In determining whether a control deficiency (or deficiencies)
constitutes a material weakness, management should evaluate it in light of both quantitative
and qualitative aspects. The Practice Standard illustrates concrete criteria for the
determination of the quantitative materiality thereof.
Recording and Retention of Assessment Procedures and Other Matters
Concerning the format, methodology, and other details regarding the records relating to the
assessment of internal controls, the Practice Standard clarifies that the company can adopt
(and make additions as necessary to) the records that the company has prepared in the past
and employs internally.
(3) Audit on Internal Control Over Financial Reporting
As previously mentioned, audits of internal controls are to be performed by the same auditors
charged with conducting audits of companies’ financial statements. The Practice Standard
stipulates that auditors should plan internal control audits in a manner integrated with the
financial statement audits, and that the audit evidence obtained in either audit can be
reciprocally utilized in the respective audits.
4. Effective Date
This Standard and Practice Standard will be applicable to assessments and audits of internal
controls over financial reporting for the fiscal year beginning on or after April 1, 2008,
concurrently with the implementation of Internal Control Report System introduced by the
Financial Instruments and Exchange Law.
Standards for Management Assessment and Audit concerning
Internal Control Over Financial Reporting
Table of Contents
I. Basic Framework of Internal Control
   1. Definition of Internal Control
   2. Basic Components of Internal Control
   3. Limitations of Internal Control
   4. Roles and Responsibilities of Relevant Persons
II. Assessment and Report on Internal Control Over Financial Reporting
   1. Definitions Related to the Assessment of Internal Control Over Financial Reporting
   2. Assessment of Internal Control Over Financial Reporting, and Scope of Assessment
   3. Method of Assessing Internal Control Over Financial Reporting
   4. Management’s Report on Internal Control Over Financial Reporting
III. Audit on Internal Control Over Financial Reporting
   1. Objective of the Internal Control Audit by Financial Statement Auditor
   2. Relationship between the Internal Control Audit and the Financial Statement Audit
   3. Performance of the Internal Control Audit
   4. Auditor’s Report
Standards for Management Assessment and Audit concerning Internal
Control Over Financial Reporting
I. Basic Framework of Internal Control
This framework provides the conceptual framework for internal control that
underlies the standards used by management to assess and report on internal control
over financial reporting and the standards used by external auditors to audit internal
control over financial reporting.
Note: In this standard, management is assumed to include representative directors,
representative officers and other representatives of an executive level.
1. Definition of Internal Control
Internal control is defined as a process performed by everyone in an organization
and incorporated in its operating activities in order to provide reasonable assurance of
achieving four objectives: effectiveness and efficiency of business operations,
reliability of financial reporting, compliance with applicable laws and regulations
relevant to business activities, and safeguarding of assets. Internal control consists of
six basic components: control environment, risk assessment and response, control
activities, information and communication, monitoring, and response to IT
(Information Technology).
Effectiveness and efficiency of business operations means promoting effective and
efficient operations in order to achieve the objectives of business activities.
Reliability of financial reporting means ensuring the reliability of financial
statements and the information that could have a material effect on financial
statements.
Compliance with applicable laws and regulations relevant to business activities
means promoting compliance with laws, ordinances and other codes relevant to
business activities.
Safeguarding of assets means to ensure that assets are acquired, used and disposed
of in accordance with proper procedures and approvals.
(Note) The above objectives of internal control are distinct but overlap each other.
To achieve the objectives of internal control, management is required to design
and effectively operate processes in which all internal control components are in
place. The relationship between the objectives and the components is one wherein all
components are to be present and function effectively for the achievement of each
control objective, and each individual component is necessary for the achievement of
every objective of the internal control.
As internal controls are built into companies’ internal rules and regulations, they
thus translate into reality and everyone within the organization is able to understand
and act on them in accordance with his/her own individual responsibilities. In
addition, the design and operation status of internal control should be monitored and
maintained in an appropriate manner.
It is impossible to provide an approach for the actual design and operation of
internal control that is uniformly applicable to all organizations, because individual
organizations will find themselves in different environments with different business
characteristics. Nonetheless, management, and indeed everyone in the organization,
must take appropriate actions so that the functions and roles of internal control
discussed in these standards are achieved effectively.
2. Basic Components of Internal Control
Basic components of internal control are those required to achieve the objectives
of internal control and set the criteria for assessment of internal control.
(1) Control Environment
The control environment determines the tone of an organization; influences the
awareness of its people toward control; lays the foundation for all other components;
and influences risk assessment and response, control activities, information and
communication, monitoring and response to IT.
The control environment encompasses the factors outlined below.
1) Integrity and ethical values
2) Management philosophy and operating style
3) Management policies and strategies
4) Functions of the Board of Directors and Corporate Auditors or Audit Committee
5) Organizational structure and practices
6) Authority and responsibilities
7) Policies and management of human resources
Note: In relation to the reliability of financial reporting, this might include, for
example: attitudes towards posting profits and other aspects of financial
reporting; ability of the board of directors and corporate auditors or audit
committee to appropriately monitor the reasonable financial reporting
processes and the effectiveness of internal control systems; and
organization and staffing of financial reporting processes and internal
control systems.
(2) Risk Assessment and Response
“Risk assessment and response” is a series of processes aimed at 1) identifying,
analyzing and assessing, among the events affecting the achievement of an
organization’s objectives, the factors that represent risks that could adversely
affect the achievement of those objectives and 2) selecting appropriate responses to
those risks based on the risk assessment.
1) Risk Assessment
Risk assessment is a process to identify, analyze, and assess, from the
events that affect an organization’s achievement of its objectives,
the factors that are risks that could adversely affect the achievement of
such objectives.
When assessing risks, risks occurring externally and internally at
the organization are categorized as “company-level risks” relating to
the objectives of the entire organization and “process-level risks”
relating to the objectives of individual function and activity units, and
then are analyzed as to their potential impact, likelihood, frequency
and other factors to assess their impact on the objectives
according to their nature.
2) Response to Risk
Response to risk is a process to select appropriate responses to
those risks based on the risk assessment.
When responding to risks, an appropriate action such as avoiding,
reducing, transferring, and accepting is taken regarding assessed risks.
Note: In relation to the reliability of financial reporting, the risks associated, for
example, with the development of new products or startup of new
businesses and the risks associated with the manufacturing / sales of major
products are also generally related to the effectiveness and efficiency of
business operations among the risks that could adversely affect the
achievement of the organization’s objectives, but in many cases they also
ultimately have a direct impact on the figures in financial reports through
the mechanisms of accounting estimates and forecasts. It is therefore
important to appropriately identify and assess their impact on reliability of
financial reporting and select the necessary action.
(3)
Control Activities
Control activities are policies and procedures established to ensure that the orders
and instructions of management are followed in an appropriate manner.
Control activities include a wide range of policies and procedures, such as
assignment of authority and responsibilities and segregation of duties. These policies
and procedures should be incorporated into the business process and function
effectively when performed by everyone in the organization.
Note: In relation to the reliability of financial reporting, policies and procedures
that have the potential to influence the contents of financial reports must
ensure that operations are performed as intended by management. For this
purpose, it is important to establish activities such as clear segregation of
duties, checks and balances, continuous maintenance of records, timely
physical inventory tabulation and other types of physical asset
management, and appropriate analysis/monitoring of these activities at
each level of the organization.
(4)
Information and Communication
Information and communication involves ensuring that necessary information is
identified, understood, processed and accurately communicated throughout the
organization and to relevant parties. The information required by everyone to carry
out his or her responsibilities must be identified, understood, processed and
communicated within the organization in a timely and appropriate manner. In
addition to communicating necessary information, it is important that the information
be understood properly by information receivers and shared with all of the people to
whom it is relevant.
Generally, information is identified, encapsulated, processed and communicated
through manual and computerized information systems.
1)
Information
Achieving the objectives of the organization and the objectives of Internal
Control requires that everyone in the organization identify the information required in
order to carry out their individual responsibilities in a timely and appropriate manner,
sufficiently understand the contents and reliability of the information and convert the
information into an applicable form.
2)
Communication
a.
Internal Communication
Achieving the objectives of the organization and the objectives of Internal
Control requires that the necessary information be conveyed to the appropriate
personnel within the organization in a timely manner. Additionally, when using the
organization’s information systems to communicate management policies to
everyone within the organization, management must also provide means of
conveying important information, to the upper levels of the organization in particular,
in a timely and appropriate manner.
b.
External Communication
Information must also be disseminated externally in a timely and appropriate
manner, not just internally. This includes disclosures of financial information
mandated by laws and regulations. Furthermore, communications from external
parties, such as customers, provide important information, and therefore it is
necessary to establish a process of identifying, encapsulating and processing
information from outside the organization in a timely and appropriate manner.
Note: In relation to the reliability of financial reporting, Information, for example,
refers to the creation of integrated accounting systems that appropriately
recognize, measure and account for economic activities and provide the
accounting information that is at the core of financial reporting. On the
other hand, Communications refers to the maintaining of systems to report
this accounting information to relevant parties inside and outside the
organization in a timely and appropriate manner.
(5)
Monitoring
Monitoring is a process that continuously assesses the effectiveness of internal
control. Monitoring provides a means of continually observing, assessing and
correcting internal control. Monitoring includes ongoing monitoring that is performed
in the course of business operations and separate evaluations that are conducted from
perspectives independent of business operations. In some cases, both of the above
will be conducted independently; in others, they will be coordinated.
1)
Ongoing Monitoring
“Ongoing monitoring” consists of activities that are performed in the ordinary
course of operations such as business management and operational improvement in
order to monitor the effectiveness of internal control.
2)
Separate Evaluations
“Separate evaluations”, which are different from ongoing monitoring, consist of
assessments of internal control that are performed periodically or as needed by parties
such as management, the board of directors, corporate auditors or audit committee,
and internal auditors who have perspectives independent from that of normal operations.
3)
Assessment Process
Assessment of internal control is itself a process. The assessors of internal control
must sufficiently understand organizational activities and all components of internal
control to be assessed in advance.
4)
Reporting on Control Deficiencies
It is necessary to establish mechanisms for reporting information to the
appropriate personnel within an organization, according to the nature and degree of
the control deficiencies identified through ongoing monitoring or separate evaluations
to be appropriately addressed. These mechanisms include procedures for reporting to
management, the board of directors, corporate auditors and other parties.
Note: In relation to the reliability of financial reporting, ongoing monitoring
might include, for example, individual operational departments checking
ledgers against actual volumes manufactured, in inventory or sold; or
relevant personnel monitoring the accuracy and completeness of the
inventory counts determined through regular inventory procedures.
Separate evaluations would include financial accounting audits performed
by the internal audit department, corporate auditors or audit committee and
other parties that serve as the monitoring functions within an organization
to verify the reliability of all or a part of financial reporting.
(6)
Response to IT
Response to IT is to establish appropriate policies and procedures in advance to
achieve organizational objectives and to respond appropriately to IT inside/outside
the organization during the course of business activities based on the policies and
procedures.
Response to IT is not always independent from other components of internal
control, but if the business of the organization heavily relies on IT or the information
systems highly utilize IT, it serves as the assessment criteria for internal control
effectiveness as an essential part to achieve the internal control objectives.
Response to IT consists of response to IT environment and use of IT and IT
controls.
1)
Response to IT Environment
The IT environment is the internal/external use of IT that is needed for the
organization’s activities, the level of IT penetration into the society and market, the
use of IT for the company’s transactions, a series of information systems on which
the organization selectively relies and others. In regards to the IT environment, the
organization should establish appropriate policies and procedures in advance within
the areas under the auspices of the organization in order to achieve the objectives of
internal control and respond appropriately based on the policies and procedures.
Response to IT environment is not only linked to the control environment but is
assessed as a whole together with other components of internal control at each
business process.
2)
Use of IT and IT controls
Use of IT and IT controls means to utilize IT effectively and efficiently in order
to ensure the effectiveness of other basic components of internal control, and to
establish, in advance, appropriate policies and procedures for IT that is systematically
incorporated into the business and used in various ways within the organization to
achieve organizational objectives and make other basic components of internal
control operate more effectively.
Use of IT and IT controls refer to the integral parts of other components of
Internal Control and are assessed as a whole. In addition, Use of IT and IT controls
are assessed based on the vulnerability and impact on the business thereof as well as
convenience of the implemented IT.
Note: In relation to the reliability of financial reporting, IT cannot be disregarded
in any discussion of today’s corporate environments, and given that fact,
the IT environment that has a significant impact on the financial reporting
process and the use or controls of IT built into the financial reporting
process itself must be taken into account and the components of internal control
required to ensure the reliability of financial reporting must be established.
For example, control activities would include processes in all of the
company’s information processing systems to ensure that data relevant to
financial reporting is appropriately collected and processed; other control
activities would include processes to ensure that data in the computers used
in specific operational areas is appropriately collected, processed and
reflected in financial reports.
3.
Limitations of Internal Control
Internal control cannot provide absolute assurance with respect to the achievement of
objectives due to the following inherent limitations, but it aims at achieving the objectives
to a reasonable extent with the organized and integrated function of individual
components as a whole.
(1) Internal control may not operate effectively due to misjudgments, carelessness or
collusion among two or more individuals.
(2) Internal control may not necessarily respond to unexpected changes in internal or
external environments when controls were designed for non-routine transactions.
(3) The design and operation of internal control needs to consider relative costs and
benefits.
(4) Management can ignore or override internal control for illegitimate objectives.
4.
Roles and Responsibilities of Relevant Persons
(1)
Management
Management has ultimate responsibility for all the activities of an organization,
and as part of this, it has roles and responsibilities in the design and operation of
internal control based on the basic policies determined by the board of directors.
Management designs and operates internal control (including monitoring) through
the company’s organization as a means to satisfy its responsibility.
Management more significantly influences the tone of the organization that
affects the factors of the control environment and the other basic components of
internal control than any other individuals in an organization.
(2)
Board of Directors
The board of directors decides the preliminary policies related to the design and
operation of internal control.
The board of directors supervises the performance of management, including the
design and operation of internal control by the management.
The board of directors is an important part of company-level controls and a part of
the control environment for process-level controls.
(3)
Corporate Auditors or Audit Committee
Corporate auditors (auditor's board) or the audit committee is responsible for
auditing the performance of the directors and officers. As a part of this, they have the
role and responsibility to independently monitor and verify the design and operation
of internal control.
(4)
Internal Auditors
Internal auditors are responsible for examining and assessing the design and
operation of internal control and prompting remedial action as a part of their
monitoring functions, a basic component of internal control, to ensure more
effective achievement of the internal control objectives.
Note: In this standard, the term “internal auditor” means any person or unit with
the responsibility for examining, assessing and recommending the design
and operation of internal control regardless of how their affiliation is
termed within the organization.
(5)
Other Personnel within the Organization
Internal control is a process carried out by everyone within an organization. All
personnel other than those listed above play a role in the design and operation of
effective internal control concerning their own work duties.
II
Assessment and Report on Internal Control Over Financial Reporting
1.
Definitions related to the Assessment of Internal Control Over Financial Reporting
Management has the role and responsibility to design and operate internal control.
Out of the internal control discussed in the “basic framework of internal control,” it is
particularly vital for management to assess the internal control over financial
reporting in accordance with generally accepted assessment standards for internal
control and report its conclusion externally in order to ensure the reliability of
financial reporting.
For the purposes of these standards, the terms below and their meanings are used:
(1)
“Financial reporting” and “financial reports” are external reporting of both 1)
financial statements and 2) disclosure information and others that could have a
material effect on the reliability of financial statements.
(2)
“Internal control over financial reporting” is an internal control that is necessary to
ensure the reliability of financial reporting.
(3)
“Effective internal control over financial reporting” means that the internal control is
designed and operated in accordance with an appropriate internal control framework
and is free of material weakness.
(4)
“Material weakness” is a deficiency that has a reasonable possibility of having a
material effect on financial reporting.
2.
Assessment of Internal Control Over Financial Reporting, and Scope of Assessment
(1)
Assessment of the effectiveness of Internal Control Over Financial Reporting
Management must assess the effectiveness of internal control over financial
reporting to the extent necessary in light of their degree of impact on the reliability of
financial reporting.
Prior to making such assessments, management must establish policies and
procedures for designing and operating internal control over financial reporting, and
must record and maintain their status. The assessment of internal control over
financial reporting effectiveness should be, in principle, performed on a consolidated
basis.
(Note) The internal controls over outsourced processes should be in the scope for
the assessment.
(2)
Determination of the Scope of Assessment
In assessing the effectiveness of internal controls, management should decide on
the reasonable scope of assessment for the following matters in light of their degree
of quantitative and qualitative impact on financial reporting, and should keep
appropriate records of the approach and grounds related to the scope of assessment
for relevant internal controls.
Presentation and disclosure of financial statements
Businesses and business operations comprising company’s activities
Transactions and events as the basis of financial reporting
Important business processes
Management should, based on the determination of significant locations or
business units, examine the scope of assessment for these items from the perspective
of their degree of quantitative and qualitative impact on the presentation and
disclosure of financial statements.
Based on these considerations, they should then consider the degree of quantitative
and qualitative impact on overall financial reporting from the businesses and business
operations comprising the company’s activities, the transactions and events as the
basis of financial reporting and important business processes, to arrive at a reasonable
scope of assessment.
Note: With regards to “presentation and disclosure of financial statements,” this
could include, for example, examining the scope of assessment by setting,
from the perspective of degree of quantitative impact, threshold amounts
for each account within the financial statements, and then examining the
degree of qualitative impact on financial statements to determine the
accounts that should be included within the scope of assessments.
Accounts with a significant degree of impact by either measure would be
included within the scope of assessments of internal controls.
In addition to this, for “businesses and operations comprising
company’s activities” and other matters on the list, reasonable scopes of
assessment would be determined in light of relevance thereof to the scope
of assessment studied with regards to “presentation and disclosure of
financial statements” and degree of quantitative and qualitative impact on
overall financial reporting.
3.
Method of Assessing Internal Control Over Financial Reporting
(1)
Internal Control Assessment by Management
Management, as the entity responsible for the design and operation of effective
internal control, assesses internal control over financial reporting. In evaluating
internal controls, management should first assess internal controls that have a material
impact on overall consolidated financial reporting (“company-level controls”
hereinafter) and, based on the results, assess the internal control incorporated into
business processes (“process-level controls” hereinafter).
Management’s assessment of internal controls should be conducted as of the end
of the fiscal year.
Note: The kinds of internal controls actually designed and operated by
companies vary in accordance with the individual circumstances and
business characteristics of individual companies. Management should
design and operate appropriate internal controls in accordance with the
circumstances of their companies in light of the internal controls
framework and assessment standards.
(2)
Assessment of Company-Level Controls
Management should assess the design and operation of company-level controls
and the degree of impact they have on process-level controls. In doing this,
management should sufficiently assess risks occurring inside/outside the organization
and should fully consider all events that could have a significant impact on overall
financial reporting. This would include, for example, company-level accounting
policies and financial policies, management decisions related to the structuring and
operation of organizations, and the decision-making process at the management level.
(3)
Assessment of Process-Level Controls
Based on the assessment of company-level controls, management should analyze
business processes within the scope of the internal controls to be assessed, identify a
key control that would have a material impact on the reliability of financial reporting
(“key control” hereinafter), and assess whether the basic components of internal
control are operating with regard to the key control.
(4)
Judgment of the Effectiveness of Internal Controls
If the assessment of internal control over financial reporting effectiveness reveals
that deficiencies relating to key controls, etc. are very likely to have a material impact
on financial reporting, the management should conclude that there are material
weaknesses in internal control over financial reporting.
(5)
Remediation of Material Weaknesses in Internal Controls
Control deficiencies over financial reporting and material weaknesses identified
in the course of the management’s assessment should be recognized on a timely basis
and appropriately dealt with.
Even when material weaknesses are identified, internal control over financial
reporting can be judged to be effective as long as the weaknesses are remediated by
the assessment date in the Internal Control Report (the fiscal year end date).
Note: Remedial actions taken after the fiscal year end date may be stated in the
Report as Supplementary Information.
(6)
Limitation of the Scope of Assessment
The management, when assessing the effectiveness of internal control over
financial reporting, may not be able to perform sufficient assessment procedures for a
certain part of the internal controls due to unavoidable circumstances. In such cases,
the management may assess the effectiveness of internal control over financial
reporting, excluding the parts where assessment procedures could not be performed,
after fully comprehending the impact of the exclusion on the financial reporting.
Note: Cases in which adequate assessment procedures could not be performed
due to unavoidable circumstances include, for example, a case when a
company acquired another company immediately prior to the fiscal year
end date, so the management could not perform sufficient assessment
procedures for the effectiveness of the acquired company’s internal
controls.
(7)
Recording and Retention of Assessment Procedures and Others
The management should record and retain the information on the assessment of
internal control over financial reporting, including its procedures, results, identified
deficiencies and remedial actions.
4.
Management’s Report on Internal Control Over Financial Reporting
(1)
Management’s Report on Internal Control
Management should prepare a report on its assessment of the effectiveness of
internal control over financial reporting (“Internal Control Report” hereinafter).
(2)
Matters to be included in Internal Control Report
The internal control report should include the following matters:
1)
Matters related to design and operation
2)
Assessment scope, timing and procedures
3)
Results of assessment
4)
Supplementary information
(3)
Matters Related to Design and Operation
1)
The name of the person responsible for financial reports and internal control
over financial reporting
2)
A statement denoting the responsibility of management in the design and operation
of internal control over financial reporting
3)
Generally accepted framework of internal control
4) Inherent limitations of internal control
(4)
Assessment Scope, Timing and Procedures
1)
Scope of assessment of internal control over financial reporting (including
approach and grounds used to determine scope)
2)
Timing of assessment of internal control over financial reporting
3)
A statement denoting that assessments of internal control over financial
reporting were performed in accordance with generally accepted assessment
standards for internal control
4)
Outline of procedures for the assessment of internal control over financial
reporting
(5) Results of Assessment
Below are methods for presenting the results of assessments on internal control over
financial reporting:
a.
A statement denoting that the internal control over financial reporting is
effective
b.
A statement denoting that although some assessment procedures could not
be performed, internal control over financial reporting is effective, as well
as what assessment procedures could not be performed and the reasons why
c.
A statement denoting that internal control over financial reporting is not
effective due to the material weaknesses identified, the details of material
weaknesses and the reasons why they have not been remediated
d.
A statement denoting that the results of assessments of internal control over
financial reporting cannot be presented because significant assessment
procedures could not be performed, as well as the assessment procedures
that could not be performed and the reasons why
(6) Supplementary Information
1) Subsequent events that would have a material impact on assessments of the
effectiveness of internal control over financial reporting
2) Remediation and other matters pertaining to material weaknesses implemented
after the end of the fiscal year
III
Audit on Internal Control Over Financial Reporting
1.
Objective of the Internal Control Audit by Financial Statement Auditor
The objective of an audit of management's assessments of the effectiveness of
Internal Control Over Financial Reporting (“Internal Control Audit” hereinafter) by
an external auditor of financial statements is to have external auditors express their
opinions, based on audit evidence obtained by themselves, as to whether the
management’s Internal Control Report fairly states the results of the assessment, in all
material respects, in accordance with generally accepted assessment standards for
internal control.
Such opinions on the Internal Control Report are expressed in the Audit Report on
Internal Control Assessment (“Internal Control Audit Report” hereinafter).
Unqualified opinions expressed by external auditors include the judgment that
they have obtained reasonable assurance that the Report does not include any material
misstatements.
The “reasonable assurance” means that external auditors have obtained sufficient
competent evidence to express such opinions.
2.
Relationship between the Internal Control Audit and the Financial Statement Audit
The Internal Control Audit and the Financial Statement Audit are, in principle,
performed integrally by the same external auditor. The audit evidence obtained in the
process of the Internal Control Audit may be used as audit evidence for the Financial
Statement Audit, and vice versa.
Notes: In this context, “the same external auditor” means not only the same audit
firm but also the same engagement partner that conducts the audit.
Generally, when internal control over financial reporting is ineffective due to
material weaknesses, for the purpose of the Financial Statement Audit, the external
auditor cannot apply sampling testing where he/she relies on Internal Control in
accordance with the Audit Standards.
In performing the Internal Control Audit, external auditors must comply with not
only the standards in this guideline, but also with general standards under the “Audit
Standards” and “Quality Control Standards for audit”.
3.
Performance of the Internal Control Audit
(1)
Audit Planning
External auditors must establish the audit plan based on the audit materiality,
considering the company’s environment, business characteristics and others and fully
understanding the status of the management’s design, operation and assessment of
internal controls.
External auditors must update the audit planning on a timely basis, by performing
procedures including the assessment of the improvement of internal controls, when
there have been changes in the events or circumstances based upon which the plan
was developed or when control deficiencies or material weaknesses have been
identified in the audit process.
(2)
Evaluation of the Appropriateness of the Scope of Assessment
External auditors must evaluate the reasonableness of the methods and grounds used
by the management, in order to verify the adequacy of the scope of assessment
determined by the management.
In the case when the management has prepared an Internal Control Report that
excludes a certain scope of internal controls for which sufficient assessment
procedures could not be performed due to unavoidable circumstances, it is
particularly important that external auditors fully evaluate whether the reasons for the
management’s exclusion of the scope are justified and the impact of the exclusion on
the financial statements.
(3)
Evaluation of the Assessment of Company-Level Controls
External auditors must evaluate the appropriateness of the management’s
assessment of company-level controls.
In the evaluation, external auditors must fully consider the status of the design and
operation of internal controls at the management level, including the board of
directors, corporate auditors or audit committee, internal auditors, etc.
(4)
Evaluation of the Assessment of Process-Level Controls
External auditors must evaluate the appropriateness of the management’s
assessment of process-level controls. In the evaluation, external auditors must
evaluate whether the management has appropriately selected key controls,
considering the status of the management’s assessment of company-level controls and
with a full understanding of the company’s business processes.
In order to judge whether basic components of internal controls are properly
functioning in regards to each key control assessed by the management, external
auditors must obtain audit evidence for key audit objectives such as existence or
occurrence, completeness, rights and obligations, valuation, allocation and
presentation and disclosure.
In evaluating the effectiveness of basic components of process-level controls,
external auditors must also fully evaluate the status of the design and operation of
internal controls (including response to IT).
(5)
Report and Remediation of Material Weaknesses in Internal Controls
When identifying material weaknesses in internal controls in the course of the
Internal Control Audit, external auditors must report such material weaknesses to the
management, request remediation and assess their remediation status on a timely
basis. External auditors must also report the details of such material weaknesses and
the remediation results to the board of directors, corporate auditors or audit
committee.
External auditors must report to appropriate personnel when identifying
deficiencies in internal controls.
External auditors must report the results of the Internal Control Audit to the
management, board of directors, corporate auditors or audit committee.
Note: External auditors may be required to report the material weaknesses in
internal controls identified in the course of the Internal Control Audit to
the management, board of directors, corporate auditors or audit committee
by the final date of the Company Law Audit.
(6)
Reporting of Frauds and Others
When identifying frauds or significant illegal facts in the course of an Internal
Control Audit, external auditors must report them to the management, the board of
directors and corporate auditors or audit committee and request the appropriate
remediation, at the same time evaluating their impact on the effectiveness of internal
controls.
(7)
Coordination with Corporate Auditors or Audit Committee
External auditors should determine the scope and degree of coordination with the
corporate auditors or audit committee, in order to perform effective and efficient
audits.
(8)
Use of Other Auditors, etc.
When using the results of the Internal Control Audit performed by other auditors,
external auditors must assess the appropriateness of such results and accordingly
determine the degree and method of using them, considering their significance and
the reliability of other auditors.
External auditors must evaluate the status of the internal audit performed by the
company, which is a part of its monitoring activities that comprises the basic
components of internal controls, and decide the scope and degree of its use.
4.
Auditor’s Report
(1)
Expression of Opinion
In the Internal Control Audit Report, external auditors must express an opinion on
whether the management’s assessment of internal control over financial reporting in
the Internal Control Report is fairly stated, in all material respects, in accordance with
the generally accepted assessment standards for internal control. Note that this
opinion is to be expressed on the assessment of the effectiveness of internal control
over financial reporting as of the end of the fiscal year.
Note: An unqualified opinion may be expressed if the material weakness in
question has been remediated by the end of the fiscal year. If the material
weakness is remediated after the end of the fiscal year, the implemented
remediation must be included as additional information in the Internal
Control Audit Report.
(2)
Structure of Report
In the Internal Control Audit Report, external auditors must include clear and
concise statements on the objectives of Internal Control Audit, the overview of the
performed Internal Control Audit and its opinion on the Internal Control Report. If
the external auditor disclaims its opinion, the statement must be included in the
Internal Control Audit Report.
When the external auditor concludes that the Internal Control Report is fairly stated
but needs to include additional explanations of this conclusion as information in the
Internal Control Audit Report, these explanations must be clearly segregated from the
expression of opinion. The Internal Control Audit Report should in principle be
combined with the Financial Statement Audit Report.
(3) Description of Unqualified Opinion
When concluding the management’s assessment of internal control over financial
reporting in the Internal Control Report is fairly stated, in all material respects, in
accordance with the generally accepted assessment standards for internal control,
external auditors must express an “Unqualified Opinion”.
When management includes in the Internal Control Report a material weakness in
internal control over financial reporting and the reasons why it has not been
remediated, and the external auditor concludes that these statements are fairly stated
and therefore expresses an unqualified opinion, the external auditor must include
additional explanatory information in the Internal Control Audit Report on 1) the
material weakness, 2) the reason why it has not been remediated and 3) the impact on
Financial Statement Audit.
When expressing an unqualified opinion, external auditors should include the
following descriptions in the Internal Control Audit Report:
1) Internal Control Audit Objectives
   a. Scope of Internal Control Audit
   b. A statement denoting that management is responsible for the design and
      operation of internal control over financial reporting and the preparation of
      the Internal Control Report
   c. A statement denoting that external auditors’ responsibility for Internal
      Control Audits is to express an independent opinion on the Internal Control
      Report
   d. Inherent limitations of internal control
2) Overview of the performed Internal Control Audit
   a. A statement denoting that the external auditor performed the Internal
      Control Audit in accordance with generally accepted audit standards for
      internal control
   b. Outline of the audit procedures performed in the Internal Control Audit
   c. Obtaining reasonable basis to express an opinion as a result of the Internal
      Control Audit
3) External auditor’s Opinion on the Internal Control Report
   a. An identification of management’s conclusion
   b. A statement denoting that the management’s assessment of internal
      control over financial reporting in the Internal Control Report is fairly
      stated, in all material respects, in accordance with the generally accepted
      assessment standards for internal control
(4) Exceptions to Opinions
When external auditors identify inappropriate parts in the Internal Control Report
regarding the scope, procedures and results of the assessment determined by the
management, they may not be able to express an unqualified opinion. However,
unless they judge that their impact is so significant that the Internal Control Report is
misstated as a whole, they should express a qualified opinion with exceptive items. In
such cases, inappropriate parts that have been excluded and their impact on the
Financial Statement Audit must be described in their opinion on the Internal Control
Report.
When external auditors identify remarkably inappropriate parts in the Internal
Control Report regarding the scope, procedures and results of the assessment
determined by the management and judge that the Report is misstated as a whole,
they must express an opinion that the Internal Control Report is not fairly stated. In
such cases, the fact that the Report is not fairly stated, relevant reasons and its impact
on the Financial Statement Audit should also be described.
(5) Limitation of the Scope of Assessment
When external auditors cannot express an unqualified opinion because they were
unable to perform some of the important audit procedures, they must express a
qualified opinion with exceptive items, unless they judge their impact is so significant
that they cannot express any opinion on the Internal Control Report. In such cases,
external auditors must state the audit procedures that could not be performed in the
summary of the audit performed, and its impact on the Financial Statement Audit in
their opinion on the Internal Control Report.
External auditors must not express any opinions on the Internal Control Report
when they have not been able to obtain a reasonable basis for expressing opinions as
a result of not being able to perform some of the important audit procedures. In such
cases, external auditors should state the fact that they do not express their opinion on
the Internal Control Report and relevant reasons.
(6) Additional Information
External auditors should add in the Internal Control Audit Report the
following matters:
1) Material weaknesses in internal control over financial reporting and the reasons
   why they have not been remediated, which are stated in the Internal Control
   Report by the management, and their impact on the Financial Statement Audit,
   when external auditors judge the statements to be appropriate and therefore
   express an unqualified opinion
2) Subsequent events that would have a material impact on the assessment of
   internal control over financial reporting effectiveness
3) Remedial actions and others taken after the fiscal year end date
4) The scope for which sufficient assessment procedures could not be performed
   and relevant reasons, when external auditors judge that the management could
   not perform a certain part of the assessment procedures due to unavoidable
   circumstances and therefore express an unqualified opinion
Practice Standards for Management Assessment and Audit
concerning Internal Control Over Financial Reporting
Table of Contents
I Basic Framework of Internal Control
1. Definition of Internal Control (objectives)
(1) Effectiveness and Efficiency of Business Operations
(2) Reliability of Financial Reporting
(3) Compliance with Applicable Laws and Regulations Relevant to Business Activities
(4) Safeguarding of Assets
(5) Relationship among Four Objectives
2. Basic Components of Internal Control
(1) Control Environment
(2) Risk Assessment and Response
(3) Control Activities
(4) Information and Communication
(5) Monitoring
(6) Response to IT (Information Technology)
3. Limitations of Internal Control
4. Roles and Responsibilities of Relevant Persons
(1) Management
(2) Board of Directors
(3) Corporate Auditors or Audit Committee
(4) Internal Auditors
(5) Other Personnel within the Organization
5. Establishing Internal Control Over Financial Reporting
(1) Key Points for Establishing Internal Control Over Financial Reporting
(2) Process for Establishing Internal Control Over Financial Reporting
II. Assessment and Report on Internal Control Over Financial
Reporting
1. Definitions Related to the Assessment of Internal Control Over Financial Reporting
2. Assessment of Internal Control Over Financial Reporting, and Scope of Assessment
(1) Assessment of the Effectiveness of Internal Control Over Financial Reporting
(2) Determination of the Scope of Assessment
3. Method of Assessing Internal Control Over Financial Reporting
(1) Internal Control Assessment by Management
(2) Assessment of Company-Level Controls
(3) Assessment of Process-Level Controls
(4) Judgment of the Effectiveness of Internal Controls
(5) Remediation of Material Weaknesses in Internal Controls
(6) Limitation of the Scope of Assessment
(7) Recording and Retention of Assessment Procedures and Others
III. Audit on Internal Control Over Financial Reporting
1. Objective of the Internal Control Audit
2. Relationship between the Internal Control Audit and the Financial Statement Audit
3. Audit Planning and the Scope of Assessment
(1) Audit Planning
(2) Evaluation of the Appropriateness of the Scope of Assessment
4. Performance of the Internal Control Audit
(1) Evaluation of the Assessment of Company-Level Controls
(2) Evaluation of the Assessment of Process-Level Controls
(3) Reporting and Remediation of Material Weaknesses in Internal Controls
(4) Report of Frauds and Others
(5) Coordination with Corporate Auditors or Audit Committee
(6) Use of Other Auditors, etc.
5. Auditor’s Report
(1) Exceptions to Opinions
(2) Limitation of the Scope of Assessment
(3) Additional Information
(Note) In this practice standard, excerpts of the corresponding standards are enclosed in a box.
I Basic Framework of Internal Control
1. Definition of Internal Control (objectives)
Internal control is defined as a process performed by everyone in an organization and
incorporated in its operating activities in order to provide reasonable assurance of achieving
four objectives: effectiveness and efficiency of business operations, reliability of financial
reporting, compliance with applicable laws and regulations relevant to business activities, and
safeguarding of assets. Internal control consists of six basic components: control environment,
risk assessment and response, control activities, information and communication, monitoring,
and response to IT (Information Technology).
Internal control is established in an organization to achieve the four objectives that support its
operating activities. Internal control is intended to provide the organization, and in
particular the management responsible for establishing internal control, with reasonable,
but not absolute, assurance as to the achievement of the four objectives by taking measures
to reduce the risk of failing to achieve the four objectives to a certain level.
Internal control should not be established separately from the organization or its daily business
operations, but should be incorporated into its business operations and be conducted by every
person in the organization in the course of performing their duties. Accordingly, not only
permanent employees, but also short-term or temporary employees who undertake certain roles
and perform their duties in the organization should conduct internal control.
Internal control is defined as a set of dynamic processes to be effected by everyone in the
organization, and is not a mere event, situation, rule, or mechanism. Therefore, establishment of
internal control does not automatically mean its completion. Internal control should be
constantly revised and reviewed during the course of its operation in response to changes in the
organization itself or the environment surrounding the organization.
It is impossible to provide an approach for the actual design and operation of internal control
that is uniformly applicable to all organizations, because individual organizations will find
themselves in different environments with different business characteristics. Nonetheless,
management, and indeed everyone in the organization, must take appropriate actions so that the
functions and roles of internal control discussed in these standards are achieved effectively.
It is impossible to provide an approach that is uniformly applicable to all organizations for the
establishment of internal control, because individual organizations will find themselves in
different environments.
Management of an organization should design and operate internal control suited to the
organization, in accordance with its business environment, characteristics, size, etc. Examples of
the matters to be considered in designing and operating internal control include product market
conditions, characteristics of products and customers, geographic scope of activities,
competitive intensity, speed of technological innovation, size of business, labor market
conditions, IT environment, and consideration for the natural environment.
On the other hand, there is a basic framework that is commonly applicable to all organizations,
irrespective of their size and type of business. Chapter I, “Basic framework of internal control,”
is designed to provide a basic internal control framework, which constitutes a prerequisite for
evaluating, reporting, and auditing internal control over financial reporting as required by the
Financial Instruments and Exchange Law.
(1) Effectiveness and Efficiency of Business Operations
Effectiveness and efficiency of business operations means promoting effective and efficient
operations in order to achieve the objectives of business activities.
The term “operations” refers to the activities performed by all individuals in an organization on
a daily basis to achieve the objectives of the organization’s business activities. “Effectiveness of
business operations” refers to the extent to which an organization achieves the objectives set for
its business activities and operations. “Efficiency of business operations” refers to the extent to
which an organization reasonably utilizes time, human, financial, and other internal and external
resources in the course of the efforts to achieve its objectives.
While effectiveness and efficiency of business operations can be recognized at the level of the
entire organization, it is recommended to classify business activities according to the type of
operation and set reasonable objectives for each type of operation. Internal control should be
designed and operated in each of the operations performed by the organization to achieve these
individual objectives, and, through their achievement, ultimately help achieve effective and
efficient operations within the entire organization.
Internal control over effectiveness and efficiency of business operations helps an organization
achieve its goals related to effectiveness and efficiency by providing a system designed for
measuring/evaluating the level of achievement in operations and reasonable use of resources
and taking appropriate measures.
(2) Reliability of Financial Reporting
Reliability of financial reporting means ensuring the reliability of financial statements and the
information that could have a material effect on financial statements.
Because financial reporting provides information that is quite important for both internal and
external persons to verify the organization’s activities, ensuring the reliability of financial
reporting will contribute to the organization’s efforts to maintain and improve its social
credibility. On the other hand, erroneous information contained in financial reporting will cause
not only unexpected loss to a number of stakeholders, but also significant damage to the
organization’s credibility.
Financial reporting includes those required by the Financial Instruments and Exchange Law,
Company Law, and other laws and regulations, those required by contracts or agreements with
banks or business partners, and voluntary disclosure to stakeholders. In the context of this
standard, the term “financial reporting” refers to the financial statements and information that
could have a material effect on the financial statements described in the disclosure documents
(Annual Report and Securities Registration Statement) required by the Financial Instruments
and Exchange Law. (For details, refer to “1.[1]. Scope of financial reporting” in “II. Assessment
and Report on Internal Control Over Financial Reporting.”)
Internal control over the reliability of financial reporting helps prevent misstatements in
material components of the financial statements and supports the trustworthiness of the
organization’s financial reporting.
(3) Compliance with Applicable Laws and Regulations Relevant to Business Activities
Compliance with applicable laws and regulations relevant to business activities means
promoting compliance with laws, ordinances and other codes relevant to business activities.
If an organization or a person in the organization fails to comply with laws and regulations or
acts in disregard of social norms, the organization or the person will be punished and criticized
in proportion to the severity of the noncompliance or act, which may consequently jeopardize the
organization’s ability to continue as a going concern. On the other hand, when an organization’s
sincere efforts to comply with laws and regulations (e.g., compliance with product safety
standards or ensuring of operational safety) are recognized, such recognition will contribute to
an improvement in the organization’s business performance and share price.
As above, when an organization wants to continue operating and growing, it is indispensable
for the organization to implement a system designed to ensure appropriate compliance with laws,
regulations and other norms governing its business activities.
Applicable laws and regulations relevant to business activities consist of the following:
[1]. Laws and regulations
Domestic and foreign laws, orders, ordinances, rules, etc., with which an organization should
comply in the course of conducting its business activities.
[2]. Standards, etc.
Norms other than laws and regulations that an organization is compelled to comply with by an
external authority. For example, rules of a stock exchange, accounting standards, etc.
[3]. Code of conduct existing internally or externally
Norms other than the above, with which an organization should voluntarily comply or agree to
comply. For example, articles of incorporation and other internal rules, code of conduct set by
the industry, etc.
Internal control over compliance with laws and regulations means designing and operating a
system to conduct business activities in compliance with applicable laws and regulations. An
organization can continue operating and expanding through these efforts.
(4) Safeguarding of Assets
Safeguarding of assets means to ensure that assets are acquired, used and disposed of in
accordance with proper procedures and approvals.
When an asset is fraudulently or wrongly acquired, used, or disposed of, this may cause
significant damage or have an adverse impact on an organization’s property or social credibility.
In the case where an organization conducts its business by using assets contributed by investors
or any other party, the organization’s management is responsible for safeguarding the assets in a
proper manner. Furthermore, its corporate auditor or audit committee is entitled by the
Company Law to examine the organization’s operational and financial conditions. They
therefore play an important role and assume significant responsibilities for the safeguarding of
assets.
Assets include not only tangible assets, but also intangible assets such as intellectual property
and customer information.
In order to prevent any fraudulent or erroneous acquisition, use, or disposal of assets,
organizations are required to establish a system by which assets are acquired, used, and disposed
of through proper procedures and approvals. They are also required to design and operate a
system by which any acquisition, use, or disposal of assets that has not undergone the proper
procedure or approval process is identified immediately and appropriate measures are taken.
(5) Relationship among Four Objectives
Although the four objectives of internal control - effectiveness and efficiency of business
operations, reliability of financial reporting, compliance with applicable laws and regulations
relevant to business activities and safeguarding of assets - are inherent, they are not
independent of each other, but rather closely connected.
Internal control is a process that is incorporated in an organization’s operating activities and
executed by everyone in the organization. Even if an internal control is established to achieve
one of the four objectives, it may operate in conjunction with another internal control
established to achieve another objective, or two or more controls may complement each other.
The internal control reporting system, which is introduced as a requirement of the Financial
Instruments and Exchange Law, aims to assure the effectiveness of internal control over
financial reporting through management’s evaluation and reporting of, and external auditor’s
audit on, internal control. It does not directly require organizations to design and operate
internal control to achieve objectives other than the reliability of financial reporting. However,
given that financial reports summarize financial information that is relevant to the entire range
of an organization’s business operations, they are closely connected with the entire range of
those operations. Therefore, when management wants to establish internal control over financial
reporting in an effective and efficient way, it should first understand the relationship among the
four objectives before designing and operating internal controls.
2. Basic Components of Internal Control
Basic components of internal control are those required to achieve the objectives of internal
control and set the criteria for assessment of internal control.
To achieve internal control objectives in an organization, it is important that all of the six basic
components be properly designed and operated.
(1) Control Environment
The control environment determines the tone of an organization; influences the awareness of
its people toward control; lays the foundation for all other components; and influences risk
assessment and response, control activities, information and communication, monitoring and
response to IT.
The control environment is a concept that encompasses an organization’s standard of values
and basic systems of human resources, duties and the like.
The tone of an organization refers to the awareness generally observed in the organization and
behaviors based on the awareness, as well as the strength and characteristics specific to the
organization. The tone of the organization often reflects its top management’s intentions and
attitudes. The values and basic systems held by an organization define the awareness and
behaviors unique to the organization and affect its people’s views on internal control.
The control environment is the most important component that serves as the prerequisite for,
and exerts influence on, other components.
Examples of general elements of the control environment include:
[1]. Integrity and ethical values
Integrity and ethical values of an organization are the important factors that shape its tone, and
have a significant impact on all persons in the organization when they make ethical decisions.
There may be various types of efforts on the integrity and ethical values. For example, an
organization may develop its basic philosophy and code of ethics or code of conduct based on
the philosophy, and establish internal control to ensure compliance with them. Its management
may be directly involved in the efforts to ensure the operating effectiveness of such internal
controls.
[2]. Management’s philosophy and operating style
Management’s philosophy and operating style have a significant impact not only on the
organization’s basic policies, but also on determining the tone of the organization. The manner
of communicating management’s philosophy and operating style also affects the behaviors of
the people in the organization. For example, management’s attitude to uphold proper accounting
and financial reporting practices, clearly defining the policies and principles to ensure the
proper practices, communicating them to internal and external parties, and establishing
appropriate systems to achieve them would provide a solid foundation for the achievement of
reliable financial reporting.
Management’s internal or external announcements, daily activities, decisions on the budget,
human resource policies, and the like will affect internal control in the organization through the
awareness of the people in the organization. Moreover, its philosophy and operating style will
be reflected, directly or indirectly, in in-house rules such as the corporate motto or credo,
management principles, management plan, code of ethics, and code of conduct. Internal control
systems are designed and operated in order to achieve the goals set in these rules or to comply
with these rules.
[3]. Management policies and strategies
Management policies and strategies employed by an organization to achieve its goals have a
significant impact not only on its people’s values, but also on other components, because they
determine the amount of resources allocated to each operation. Organization-wide goals
established for the management policies and strategies contribute to the achievement of internal
control goals when they are broken into smaller steps and specific activities through preparing
annual or divisional budgets or business plans that are included in the scope of internal control.
[4]. Functions of board of directors and corporate auditors or audit committee
The board of directors and corporate auditors or audit committee are the mechanisms
responsible for monitoring directors’ performance. Individual companies are required to
establish this mechanism within the company by the Company Law. For example,
effectiveness of the activities undertaken by the board of directors and corporate auditors or
audit committee (e.g., whether the board or committee members are actually able to express
their opinions independently of management or certain stakeholders; whether they can obtain
the accurate information necessary for the monitoring in a timely and appropriate manner;
whether they can communicate with management, internal auditors and the like in a timely and
appropriate manner; and whether their reports and comments are treated in an appropriate
manner in the organization) is an important factor to determine whether the monitoring of the
organization as a whole is effective.
[5]. Organizational structure and practices
In order to achieve an organization’s goals and ensure the effectiveness of information and
communication systems in the organization, it is important that the organization has a structure
that is suitable for its goals and capable of providing the flow of information necessary for the
control of business activities. It is important that an organizational structure, scope of authorities
and responsibilities, human resources and compensation systems, etc., be appropriately
established by management in accordance with its size, line of business, type of product or
service, geographic diversification, employee makeup, the nature of its market and the like.
An organization’s customary practice often serves as a guideline to determine the good or evil
of an activity within the organization.
For example, if an organization has a customary practice of not pointing out problems, such
practice will have a significant negative impact on the effectiveness of control activities,
information and communication, and monitoring. An organization’s customary practice is often
formed by internal factors such as its history, size, line of business, and employee makeup, as
well as external factors such as market, business partners, shareholders, parent company, local
characteristics, and restrictions specific to the industry.
Accordingly, those who attempt to change an organization’s long-existing customary practice
may face significant difficulties. However, if management evaluates that such customary
practice may be a factor that hinders continuity and development of the organization, it is
important for the management to provide appropriate principles, plans, personnel policies, and
the like.
[6]. Authority and responsibility
The term “authority” refers to the right to perform the organization’s activities. The term
“responsibility” refers to the responsibility or obligation to perform assigned activities. It is
important for the achievement of control objectives that authorities and responsibilities be
consistent with the goals of its business activities and assigned to appropriate personnel.
[7]. Policies and management for human resources
The term “human resources” refers to the human-related part of an organization’s management
resources. Policies for human resources refer to the policies established as part of the
management policies and those relevant to personnel affairs, such as employment, promotion,
payroll, and employee training. When an organization attempts to achieve its objectives, it is
important to make highly efficient use of existing human resource capacities, and, to that end, it
is essential to develop appropriate human resource policies.
(2) Risk Assessment and Response
[1]. Risk assessment
Risk assessment is a process to identify, analyze, and assess, from among the events that
affect an organization’s achievement of its objectives, those factors that constitute risks
that could adversely affect the achievement of such objectives.
Risk is a factor that could adversely affect the achievement of the organization’s objectives.
Specifically, risks include a wide variety of factors, both external factors surrounding the
organization (e.g. natural disasters, theft, intensification of market competition, and fluctuations
in foreign currency or resource markets) and internal factors (information system errors and
troubles, occurrence of accounting errors, fraud, or leaks of personal information or information
relevant to high-level management decisions). The “risks” referred to herein are limited to the
risks that have a negative effect on, or cause a loss to, the organization. They do not include the
risks that have a positive effect on, or bring profits to, the organization.
Although it is impossible to provide a uniformly applicable procedure for risk assessment and
response because individual organizations will find themselves in different environments with
different business characteristics, the following is one example of the risk assessment process
flow:
Risk assessment flow: Identifying risks → Classifying risks → Analyzing risks →
Assessing risks → Responding to risks
A. Identifying risks
The first step of the risk assessment and response process is to identify risks in an appropriate
way. In the first step, it is necessary to identify events that may affect the achievement of the
organization’s goals and determine what potential risks are involved in the events. As risks are
involved at various levels from company-level to individual process-level, it is important to
identify risks at each level in an appropriate way.
B. Classifying risks
To analyze and assess risks in an appropriate manner, it is important to classify the identified
risks from the viewpoint of, for example, whether they are company-level or process-level risks,
or whether they are precedented or unprecedented risks.
a. Company-level risks and process-level risks
Company-level risks are the risks that could adversely affect the achievement of the
organization’s objectives.
Company-level risks include, for example: an unusual change in financial position, operating
results, or cash flows; dependency on particular customers, products, or technologies; regulatory
requirements, business practices, and management policies specific to the organization; filing of
any material legal proceedings; and dependency on a particular member of top management.
Regarding the reliability of financial reporting, when an organization attempts to, for example,
make accurate accounting estimates or projections, it is an important factor for the organization
to respond properly to its company-level risks.
Process-level risks are the risks that could adversely affect the achievement of the objectives
set for individual business processes in the organization.
Process-level risks are usually managed through control activities incorporated in the business
operations, while company-level risks should be managed by designing and operating internal
controls covering the entire organization, including development of clear management policies
and strategies, strengthening of board of directors, corporate auditor or audit committee functions,
enhancement of monitoring undertaken by the internal audit function, and the like.
b. Precedented and unprecedented risks
Risks can be divided into precedented risks and unprecedented risks. While effects of
precedented risks can be estimated, those of unprecedented risks are often unpredictable, and
therefore must be considered more cautiously. It must be remembered, however, that the
significance of the effects of precedented risks may change as situations change with the lapse
of time.
C. Analyzing/assessing risks
Once risks are identified and classified as described above, then they must be analyzed for the
likelihood of occurrence and the potential magnitude of their impact to estimate their
significance. After that, the risks are evaluated, in accordance with the estimated significance, to
determine whether any countermeasures should be taken.
An organization should only take countermeasures for those risks identified and classified as
significant, not for all risks.
[2]. Response to risk
Response to risk is a process to select appropriate responses to those risks based on the risk
assessment. When responding to risks, an appropriate action such as avoiding, reducing,
transferring, and accepting is taken regarding assessed risks.
[Types of responses to risk]
Responses to risk include avoiding, reducing, transferring, and accepting of risk and any
combination of them.
“Avoiding risk” refers to postponement or discontinuation of activities that give rise to the risk.
When the likelihood of occurrence of the risk is very high, the impact of the risk is greatly
magnified, or management of the risk is difficult, “avoiding risk” may be selected.
“Reducing risk” refers to taking such measures as establishing a new internal control
procedure to reduce the likelihood of occurrence or the magnitude of the impact.
“Transferring risk” refers to transferring all or part of the risk to a third party to reduce the
magnitude of the impact. Included are, for example, subscription to insurance products and
entering into a hedge transaction.
“Accepting risk” refers to not taking actions that may affect the likelihood of occurrence or the
magnitude of the impact; i.e., deciding to accept the risk. An organization may accept a risk as it
is, if the impact of the risk is below their acceptable level, when it is estimated that the cost of
precautionary risk management measures exceeds the benefit, or that the risk can be managed
even after its occurrence.
(3) Control Activities
Control activities are policies and procedures established to ensure that the orders and
instructions of management are followed in an appropriate manner. Control activities include a
wide range of policies and procedures, such as assignment of authority and responsibilities and
segregation of duties. These policies and procedures should be incorporated into the business
process and function effectively when performed by everyone in the organization.
To reduce the risk of occurrence of fraud or errors, it is important for management to clarify
the authority and responsibility assigned to each person in charge, and establish a system in
which each person in charge performs his or her duties in an appropriate manner within the
scope of his or her authority and responsibility. In that process, duties and responsibilities
should be divided or segregated between two or more persons. For example, duties of
authorizing transactions, recording transactions and managing assets are respectively assigned
to different individuals so that they are mutually supervised by each other in an appropriate way.
Appropriate segregation of duties can prevent problems such as a failure, as an organization, to
perform duties without disruption, which results from assigning duties to a single particular
person. Furthermore, by clearly defining authority and responsibilities and segregation of duties,
an organization will increase the visibility of internal control and prevent the occurrence of
fraud and errors.
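The segregation described above can be checked mechanically against the roles granted in a business system. The following is an added example, not part of the Standards; the role names, user names and the function `find_sod_conflicts` are assumptions made for illustration, and the sample data is constructed.

```python
from itertools import combinations

# Duties the text says should be assigned to different individuals:
# authorizing transactions, recording transactions, managing assets.
INCOMPATIBLE_DUTIES = ("authorize", "record", "custody")

# Constructed sample data: each system role grants one duty in one process.
ROLE_DUTIES = {
    "po_approver": ("purchasing", "authorize"),
    "ap_clerk": ("purchasing", "record"),
    "warehouse_receiver": ("purchasing", "custody"),
    "credit_approver": ("sales", "authorize"),
    "ar_clerk": ("sales", "record"),
    "cashier": ("sales", "custody"),
}

# Constructed sample data: roles currently granted to each person.
USER_ROLES = {
    "sato": ["po_approver", "ar_clerk"],                # different processes
    "tanaka": ["ap_clerk"],
    "suzuki": ["warehouse_receiver", "ap_clerk"],       # records and holds assets
    "ito": ["credit_approver", "ar_clerk", "cashier"],  # holds all three duties
}


def find_sod_conflicts(user_roles, role_duties):
    """Return (user, process, duty_a, duty_b) for every pair of incompatible
    duties that one person holds within the same business process."""
    conflicts = []
    for user in sorted(user_roles):
        held = {}  # process -> set of incompatible duties the user holds there
        for role in user_roles[user]:
            if role not in role_duties:
                # A role with no documented duty cannot be reviewed at all.
                raise ValueError(f"role {role!r} of {user!r} has no duty mapping")
            process, duty = role_duties[role]
            if duty in INCOMPATIBLE_DUTIES:
                held.setdefault(process, set()).add(duty)
        for process in sorted(held):
            for duty_a, duty_b in combinations(sorted(held[process]), 2):
                conflicts.append((user, process, duty_a, duty_b))
    return conflicts


if __name__ == "__main__":
    for user, process, duty_a, duty_b in find_sod_conflicts(USER_ROLES, ROLE_DUTIES):
        print(f"{user}: holds both '{duty_a}' and '{duty_b}' in {process}")
```

Holding duties in different processes (as "sato" does here) is not reported; only combinations within one process are.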
A. Integration with risk assessment and response
When an organization decides to take a countermeasure against a certain risk during the course
of risk assessment and response, particularly on a business-process level, the organization uses,
in most cases, control activities incorporated into the business process. In this regard, risk
assessment and response and control activities are closely connected. It is important for an
organization to understand whether risk response measures are appropriately taken in the course
of control activities, and to improve its control activities when necessary.
B. Policies and procedures for control activities
Policies on control activities, which should be standardized and integrated throughout the
entire organization, can be developed, for example, in the form of company-level job
descriptions. In addition, policies, which should be decided by each division or activity unit, can
be developed into their own procedure manuals and the like.
It is also advisable that, in order to achieve the control activity policy goals, divisions and
activity units should set, if necessary, appropriate procedures (e.g., authorization, inspection,
recording) in their business processes.
(4) Information and Communication
Information and communication involves ensuring that necessary information is identified,
understood, processed and accurately communicated throughout the organization and to
relevant parties. The information required by everyone to carry out his or her responsibilities
must be identified, understood, processed and communicated within the organization in a timely
and appropriate manner. In addition to communicating necessary information, it is important
that the information be understood properly by information receivers and shared with all of the
people to whom it is relevant.
[1]. Identification, understanding, and processing of information
An organization identifies truthful and unbiased information out of the information recognized
(“identification”). When the information is determined to be necessary for the organization, it
enters this into its information system (“understanding”). An “Information system” is a manual
or automated mechanism designed to process and communicate information. Information
entered into an information system is processed according to the purpose, e.g., by classification,
organization, selection, and calculation (“processing”).
[2]. Communicating information
It is important for an organization to establish a system by which the identified, understood,
and processed information is communicated in an appropriate manner within the organization or
to external parties. Within an organization, policies developed by management, for example,
should be communicated in a timely and appropriate manner to all individuals in the
organization. It is also important to establish a system through which information about an
occurrence of fraud, an error or other material information concerning internal control is
communicated to management and the appropriate level of control in the organization in a
timely and appropriate manner.
At the same time, information must also be communicated or reported to external parties in an
appropriate manner. It must be properly provided, for example, through a report or disclosure
for shareholders, supervisory authorities, and other external parties.
Information on significant issues such as a fraud or errors may sometimes be provided by an
external party through customers and business partners. Accordingly, it is important to establish
not only a system to communicate and report information to external parties, but also a system
to collect information from external parties.
[3]. Whistleblower System and others
An organization may establish a Whistleblower System as one of the information and
communication systems as well as a monitoring system in the organization, apart from normal
communication channels. The Whistleblower System is designed to allow every member of the
organization to inform management, the board of directors, corporate auditors or the audit
committee, or in some cases, people outside the company such as a lawyer or other independent
counsel, of regulatory compliance issues and others. When introducing a Whistleblower System,
it is important for management to ensure effective operation of the system by establishing a
mechanism to protect whistleblowers as well as policies and procedures for taking necessary
corrective measures.
In addition, because an external party may sometimes provide information on the
organization’s internal control, it is also important to establish policies and procedures for
actions to be taken when such information is provided by external sources.
[4]. Relationship with other basic components
Information and communication has the function of connecting components of internal control
with each other and enabling effective operation of internal control.
For example, when a new management policy is developed under a control environment and
its details are communicated to, and accurately understood by, appropriate individuals in the
organization, risk assessment and response procedures are performed in a timely manner and
appropriate control activities are conducted.
On the other hand, if any significant information on control deficiencies is found through a
control activity or monitoring, such information is communicated to management or the
appropriate level of controller, and as a result the company-level plans and policies in the
control environment are changed as necessary.
In order to ensure the effectiveness of internal controls, it is important for an organization to
establish its information systems appropriately and provide quality information and appropriate
communication channels.
(5) Monitoring
Monitoring is a process that continuously assesses the effectiveness of internal control.
Monitoring provides a means of continually observing, assessing and correcting internal
control. Monitoring includes ongoing monitoring that is performed in the course of business
operations and separate evaluations that are conducted from perspectives independent of
business operations. In some cases, both of the above will be conducted independently; in
others, they will be coordinated.
[1]. Ongoing monitoring
Ongoing monitoring is a process that continuously reviews and assesses the effectiveness of
internal control by performing a series of procedures in the course of daily business operations.
Ongoing monitoring includes self-inspection or assessment of internal control conducted within
the department that performs business activities.
For financial reporting, for example, an appropriate controller may, on a regular or as-needed
basis, monitor the performance of the process of confirmation and analysis/reconciliation of
identified discrepancies, performed by the person in charge, for significant balances among
account receivables. This procedure is effective to confirm the accuracy of financial information
and existence of assets. It leads not only to the correction of any discrepancy identified, but
may also lead to the finding of an issue in the sales process and the promotion of remedial action
for the issue.
[2]. Separate evaluations
Separate evaluations are conducted on a regular or as-needed basis to assess, from a different
point of view, whether there is any management issue that is not identified in the ongoing
monitoring.
A. Separate evaluation by management
Management is ultimately responsible for design and operation of internal control, as the
representative of the organization, and performs separate evaluations from that viewpoint.
However, there is a limit on the direct actions by management. Therefore, management usually
completes its separate evaluation process by directing the internal audit function or other
personnel and monitoring the results.
B. Separate evaluation by the board of directors
The board of directors establishes basic policies on the design and operation of internal control.
It is also responsible for supervising directors’ performance of their duties.
It is considered that in order to fulfill these functions, the board of directors is responsible for
monitoring whether management designs and operates internal control appropriately in
accordance with the decisions of the board of directors.
C. Separate evaluation by corporate auditors or the audit committee
Corporate auditors or the audit committee audit performance of duties by directors and other
personnel.
For effective monitoring, corporate auditors or the audit committee may use persons who assist
in investigations. In that case, it is important for corporate auditors or the audit committee to
ensure the assistants’ independence from the business activities, directors, or others which are
subject to the investigation.
D. Separate evaluation by internal audit function or other personnel
In general, an internal audit means that an internal auditor under the direct control of
management investigates the design and operation of internal control, from a standpoint that is
independent from the performance of business activities, and reports issues to be remediated.
[3]. Reporting on control deficiencies
Deficiencies identified through monitoring must be reported to an appropriate person,
depending on the content of the deficiency. Policies and procedures must be established for the
reporting of the deficiencies.
Usually, deficiencies identified through ongoing monitoring are analyzed and addressed by the
department that performed the monitoring. At the same time, it is recommended that
deficiencies and corrective measures are reported to a higher-level controller and, if necessary,
to management, the board of directors, the corporate auditors or the audit committee.
For the deficiencies identified by the internal auditor through separate evaluations, it is
important to ensure that a system is in place to report such deficiencies to management and, if
necessary, to the board of directors and corporate auditors or audit committee, in a timely
manner. The results of separate evaluations conducted by the board of directors, corporate
auditors or audit committee must be reported to the meeting of the board of directors to request
management to take appropriate measures.
Management should classify, analyze, and assess the risk that the reported deficiencies may
pose and take appropriate responses.
It is often the case that information regarding a control deficiency represents a sign of a control
deficiency that exists over a wide range of operations. Therefore, if management receives a
report regarding a deficiency in a specific transaction or event, it should issue an order to
perform a wider-ranging investigation, if necessary.
(6) Response to IT (Information Technology)
Response to IT is to establish appropriate policies and procedures in advance to achieve
organizational objectives and to respond appropriately to IT inside/outside the organization
during the course of business activities based on the policies and procedures.
Response to IT is not always independent from other components of internal control, but if the
business of the organization heavily relies on IT or the information systems highly utilize IT, it
serves as the assessment criteria for internal control effectiveness as an essential part to achieve
the internal control objectives. Response to IT consists of response to IT environment and use of
IT and IT controls.
Considering the current situation where the IT environment is developing rapidly, under which
IT has deeply penetrated organizations, response to IT has been included in the basic
components of internal control under Chapter I, “Basic framework of internal control,” herein.
Currently, organizations’ businesses heavily rely on IT, or their information systems have
incorporated information technology to a high degree. Consequently, most organizations are
unable to conduct their businesses without using IT. The reason why response to IT is included
in the basic components of internal control is to emphasize the fact that, under the current
circumstances where IT has deeply penetrated into organizations, an appropriate response to IT
inside/outside the organization during the course of business activities is indispensable for the
achievement of internal control objectives. This is not intended to force organizations to
introduce a new IT system or upgrade existing IT systems.
[1]. Response to IT environment
The IT environment is the internal/external use of IT that is needed for the organization’s
activities, the level of IT penetration into the society and market, the use of IT for the
company’s transactions, a series of information systems on which the organization selectively
relies and others.
An organization should appropriately understand the IT environment surrounding the
organization, and, based on that understanding, take appropriate measures for the usage and
control of IT. The following are examples of the factors surrounding the IT environments of
individual organizations that need to be considered by an organization:
A. IT pervasiveness into society and markets
B. Use of IT in transactions and other activities by organizations
C. The series of information systems on which the organization selectively relies (whether the
organization relies on an information system; if so, what kind of information system it is.)
D. Stability of IT-based information systems
E. Outsourcing relating to IT
[2]. Use of IT and IT controls
Use of IT and IT controls means to utilize IT effectively and efficiently in order to ensure the
effectiveness of other basic components of internal control, and to establish, in advance,
appropriate policies and procedures for IT that is systematically incorporated into the business
and used in various ways within the organization to achieve organizational objectives and make
other basic components of internal control operate more effectively.
[Use of IT]
IT is useful for enhancing the effectiveness and efficiency of information processing. When it
is used for internal control purposes, it will contribute to establishing more effective and
efficient internal control.
A. Use of IT for ensuring control environment effectiveness
The following are examples of IT-related factors in the control environment.
a. Management’s degree of interest in and attitude toward IT
b. Development of IT-related strategies, plans, and budgets; establishment of necessary
structures
c. Members’ basic knowledge about IT and ability to make use of IT
d. Policies on IT-related education and training
The use of IT is also important in order to efficiently design and operate the control
environment. For example, the use of e-mail, which is a part of IT, will make it possible to
communicate management’s intentions and the organization’s basic policies and decisions to
appropriate personnel in a timely manner, consequently contributing to the designing and
operation of the control environment.
On the other hand, the use of IT may also allow, for example, management, key executives,
and other members of the organization to easily conspire to commit fraud via e-mail or some
other means of IT. To avoid such an incident, it should be noted that it is necessary to implement
appropriate control activities.
B. Use of IT for ensuring the effectiveness of risk assessment and response
The use of IT as a means of recognizing events inside/outside the organization or a means of
sharing risk information will allow risk assessment and response to function in a more effective
and efficient way. For example, by establishing a system in which its sales administration
department or accounting department can recognize the occurrence and collection of accounts
receivables without delay and apply different controls to overdue accounts through the use of IT,
an organization can manage accounts receivables in an effective and efficient manner.
It would also be possible for an organization to design an internal control system whereby it
uses IT to understand how risk information is shared within the organization, then analyze it to
reconsider the scope of shared risk information or whether the risk is shared among appropriate
personnel, and then reconsider the scope of shared risk information based on the results of that
analysis.
C. Use of IT for ensuring effectiveness of control activities
Control activities can be automated when IT-based control activities are appropriately designed
and integrated into business processes. For example, an organization can immediately recognize
any difference between book and physical inventory to identify problems if it develops an
appropriate production control system in which a physical inventory inspection program is
installed and such procedures as input of released amounts of raw materials according to
production order by the production department and input of physical amounts of raw materials
on a daily basis by warehouse personnel are incorporated into business processes.
Automated controls are capable of not only processing information faster than manual control
procedures, but also preventing human errors. As a result, they make it easier to perform
procedures in the internal control assessment and audit process. On the other hand, however,
automated controls may pose certain problems. For example, in the case of an unauthorized
change to a program or unauthorized use of a program, such unauthorized change or use may
not be discovered in a timely manner because only people with a good understanding of the
program can deal with it. The taking of appropriate access control measures should therefore be
considered.
D. Use of IT for ensuring the effectiveness of information and communication
The use of IT enables an organization to incorporate a tool to communicate information within
the organization into its business processes. When an IT-based information system – a network,
in particular – is used, a function to communicate information necessary for business
administration can be incorporated into the business processes. Examples of such functions
include sending a message to a responsible supervisor to indicate a failure to obtain necessary
approval or complete work within a specified timeframe.
The use of IT also enables an organization not only to provide timely information to external
parties (for example, by posting a message on its corporate website) but also to collect
information regarding product complaints or other matters from external parties. However,
when using IT to disclose information to, or collect information from, external parties, it would be
necessary to ensure that appropriate measures are taken to prevent hacking or other threats from
outside the organization.
E. Use of IT to ensure the effectiveness of monitoring
Ongoing monitoring on the effectiveness of control activities can be performed in a more
comprehensive way when incorporated into a system for administering daily business activities
and automated within the system. And, as a result, the organization could reduce the level of
risks in separate evaluation and consequently perform a separate evaluation less frequently with
a smaller number of staff members.
On the other hand, implementation of an IT-based monitoring system should be prepared in an
orderly manner from the design phase, because it requires the establishment and coding of a
monitoring benchmark in advance.
As described above, the use of IT enables organizations to establish internal control in a more
effective and efficient manner; on the other hand, in a highly IT-dependent system, unlike in a
manual-based information system, it is difficult to make a drastic change to its procedures after
it is released.
In addition, depending on the system specifications, it is sometimes the case that procedures
performed or data changes made through the use of IT are not traced. In such a case, it will be
difficult to examine the incident after the fact.
Therefore, when designing and operating internal control, organizations should, based on a full
understanding of the characteristics of the IT-based information systems, undertake preparations
in an orderly manner, and, at the same time, consider how incidents could be examined
appropriately after the fact.
In the case where internal control is operated on a manual basis without any use of IT, it would
be necessary to establish a separate internal control to prevent, for example, errors inherent in
manual procedures; however, it should be noted that the fact is not necessarily indicative of a
deficiency in internal controls.
[IT controls]
IT controls mean controls over IT-based information systems. They are mainly automated, but
sometimes include manual-based controls.
A. IT control objectives for the achievement of organizational objectives
Objectives set by management for operating IT control effectively are called IT control
objectives. Examples of IT control objectives include the following.
a. Effectiveness and efficiency: Information is provided in an effective and efficient way
b. Compliance: Information is processed in compliance with applicable rules and regulations,
accounting standards, in-house rules, etc.
c. Reliability: Information is approved according to the organization’s will and intention, and
accurately recorded/processed without omission (validity, completeness, accuracy)
d. Availability: Information is available when necessary
e. Confidentiality: Information is protected from unauthorized use
IT controls for reliability of financial reporting are performed to ensure validity, completeness,
and accuracy of transactions recorded in accounting records.
Validity refers to the fact that transactions are approved and executed in accordance with the
organization’s will and intent.
Completeness refers to the fact that all of the transactions are recorded without omission or
duplication. Accuracy refers to the fact that transactions that occurred are recorded accurately in
the financial/accounting classifications and other major data elements.
The internal control reporting system required by the Financial Instruments and Exchange Law
is intended to ensure reliability of financial reporting in IT control; it is not intended to directly
require organizations to design and operate IT control for the achievement of objectives other
than the reliability of financial reporting.
B. Developing IT controls
Management develops IT controls to achieve the IT control objectives set by itself.
Control activities over IT consist of general controls and application controls. In order to
ensure complete and accurate information processing, it is important that the two types of
controls work in an integrated manner.
a. IT general controls
IT general controls refer to control activities intended to ensure an environment in which
application controls function effectively. Usually, they are policies and procedures associated
with multiple business process controls. Examples of IT general controls include the following.
Control of system development and maintenance
System operation and administration
Ensuring system security including access control from inside/outside the organization
Control of outsourcing contract management
In an IT-based information system, once an appropriate internal control (application control) is
incorporated, it will continue functioning unless an intentional change is made. However, if a
general control does not function effectively (for example, a necessary control is not
incorporated at the time of a system change at a later stage, or unauthorized change or access is
made to the program), the effectiveness of the incorporated internal control (application control)
may be impaired even if the control itself is appropriate.
In order to address such issues, it is important to ensure an appropriate designing of general
control activities, which include the following.
[1]. When developing a new system or changing an existing system, fully examine whether the
development or change is consistent with the existing system. At the same time, maintain
development or change logs appropriately.
[2]. Take appropriate access control measures to prevent unauthorized use of, and changes to,
the program.
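One way to test the two general controls above together is to compare the programs actually deployed with the change log. The following is an added example, not part of the Standards; the log fields, ticket numbers, program names and contents are constructed, and the rule that an approver must differ from the requester is an assumption of the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry(program, ticket, requested_by, approved_by, content):
    """One change-log record; the hash ties the approval to exact content."""
    return {"program": program, "ticket": ticket, "requested_by": requested_by,
            "approved_by": approved_by, "sha256": sha256_hex(content)}


# Constructed program contents.
POSTING_V1 = b"def post(e): ledger.append(e)\n"
POSTING_V2 = b"def post(e): validate(e); ledger.append(e)\n"
POSTING_TAMPERED = b"def post(e): ledger.append(e)  # validation removed\n"
INVENTORY_V1 = b"def count(): return scan()\n"
INVENTORY_V2 = b"def count(): return reconcile(scan())\n"
LEDGER_V1 = b"def close(): lock_period()\n"
BILLING_V1 = b"def bill(c): issue(c)\n"
REPORT_V1 = b"def report(): export()\n"

# Constructed change log, oldest entry first.
CHANGE_LOG = [
    entry("posting.py", "CHG-0001", "dev1", "mgr1", POSTING_V1),
    entry("posting.py", "CHG-0002", "dev1", "mgr1", POSTING_V2),
    entry("inventory.py", "CHG-0003", "dev1", "mgr1", INVENTORY_V1),
    entry("inventory.py", "CHG-0004", "dev2", "mgr1", INVENTORY_V2),
    entry("ledger.py", "CHG-0005", "dev2", "mgr2", LEDGER_V1),
    entry("billing.py", "CHG-0006", "dev2", None, BILLING_V1),
]

# Constructed snapshot of what is running in production.
DEPLOYED = {
    "posting.py": POSTING_TAMPERED,  # edited outside the change process
    "inventory.py": INVENTORY_V1,    # approved once, but since replaced by V2
    "ledger.py": LEDGER_V1,          # matches the latest approved change
    "billing.py": BILLING_V1,        # logged, but nobody approved it
    "report.py": REPORT_V1,          # never went through the change log
}


def audit_deployed(deployed, change_log):
    """Return (program, finding) for every deployed program that the change
    log does not fully account for."""
    history = {}
    for rec in change_log:
        history.setdefault(rec["program"], []).append(rec)
    findings = []
    for program in sorted(deployed):
        digest = sha256_hex(deployed[program])
        records = history.get(program)
        if not records:
            findings.append((program, "no change record"))
            continue
        # Newest logged change whose content is what is actually deployed.
        match = next((r for r in reversed(records) if r["sha256"] == digest), None)
        if match is None:
            findings.append((program, "content matches no logged change"))
        elif not match["approved_by"] or match["approved_by"] == match["requested_by"]:
            findings.append((program, "logged change lacks independent approval"))
        elif match is not records[-1]:
            findings.append((program, "superseded version deployed"))
    return findings


if __name__ == "__main__":
    for program, finding in audit_deployed(DEPLOYED, CHANGE_LOG):
        print(f"{program}: {finding}")
```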
Usually, an IT general control is established for each unit of IT infrastructure (hardware,
software, network, etc.) that supports business process management systems. For example,
when three business process management systems–purchase, sales, and distribution–are
centrally controlled by a single host computer and operating on the same IT infrastructure,
establishment of an effective general control over the infrastructure will contribute to a higher
reliability of information relevant to the three business processes.
On the other hand, if the three business process management systems are operating on separate
IT infrastructures, it would be necessary to establish a general control for each of the
infrastructures, because these infrastructures are likely to be administered by different
departments and based on different approaches.
b. IT application controls
IT application controls refer to the control activities that are incorporated into business
processes to ensure that all of the authorized business activities are accurately processed and
recorded in the business process management system.
Examples of IT application controls include the following.
Controls to ensure completeness, accuracy, and validity of entry data
Correction and reprocessing of errors
Maintenance and control of master data
Access control (user authentication, limiting the scope of operation, etc.)
These application controls can be performed manually. However, when being incorporated into
a system, they can be operated in a more effective and accurate manner.
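The definitions of validity, completeness and accuracy given earlier under the IT control objectives translate directly into checks an application control can run on a batch of entries. The following is an added example, not part of the Standards; the record fields, approval limits, account codes, period and function names are assumptions, and the batch is constructed.

```python
from collections import Counter
from datetime import date

# Constructed reference data (assumptions of this example).
CHART_OF_ACCOUNTS = {"1100", "1200", "4000", "5000"}
APPROVAL_LIMITS = {"mgr_a": 1_000_000, "mgr_b": 10_000_000}  # per approver
PERIOD = (date(2007, 4, 1), date(2007, 4, 30))


def txn(seq, preparer, approver, amount, account, posted):
    return {"seq": seq, "preparer": preparer, "approver": approver,
            "amount": amount, "account": account, "posted": posted}


# Constructed batch of entries with pre-numbered sequence 101..105.
BATCH = [
    txn(101, "clerk1", "mgr_a", 250_000, "4000", date(2007, 4, 2)),
    txn(102, "clerk1", "mgr_a", 3_000_000, "1200", date(2007, 4, 3)),  # over limit
    txn(102, "clerk1", "mgr_b", 3_000_000, "1200", date(2007, 4, 3)),  # number reused
    txn(104, "mgr_b", "mgr_b", 500_000, "5000", date(2007, 4, 10)),    # self-approved
    txn(105, "clerk2", None, 80_000, "9999", date(2007, 5, 1)),        # several defects
]


def check_validity(batch):
    """Validity: approved and executed within someone's granted authority."""
    findings = []
    for t in batch:
        approver = t["approver"]
        if approver is None:
            findings.append((t["seq"], "not approved"))
        elif approver not in APPROVAL_LIMITS:
            findings.append((t["seq"], "approver has no authority"))
        elif approver == t["preparer"]:
            findings.append((t["seq"], "approved by its preparer"))
        elif t["amount"] > APPROVAL_LIMITS[approver]:
            findings.append((t["seq"], "amount exceeds approver limit"))
    return findings


def check_completeness(batch, first_seq, last_seq):
    """Completeness: every expected number present once (no omission or
    duplication)."""
    counts = Counter(t["seq"] for t in batch)
    expected = range(first_seq, last_seq + 1)
    return {
        "missing": [s for s in expected if counts[s] == 0],
        "duplicated": sorted(s for s, n in counts.items() if n > 1),
    }


def check_accuracy(batch):
    """Accuracy: classification and other major data elements are plausible."""
    findings = []
    for t in batch:
        if t["account"] not in CHART_OF_ACCOUNTS:
            findings.append((t["seq"], "unknown account code"))
        if not isinstance(t["amount"], int) or t["amount"] <= 0:
            findings.append((t["seq"], "invalid amount"))
        if not PERIOD[0] <= t["posted"] <= PERIOD[1]:
            findings.append((t["seq"], "date outside period"))
    return findings


if __name__ == "__main__":
    print(check_validity(BATCH))
    print(check_completeness(BATCH, 101, 105))
    print(check_accuracy(BATCH))
```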
3. Limitations of Internal Control
Internal control cannot provide absolute assurance with respect to the achievement of
objectives due to the following inherent limitations, but it aims at achieving the objectives to a
reasonable extent with the organized and integrated function of individual components as a
whole.
(1) Internal control may not operate effectively due to misjudgments, carelessness or
collusion among two or more individuals.
(2) Internal control may not necessarily respond to unexpected changes in internal or external
environments when controls were designed for non-routine transactions.
(3) The design and operation of internal control needs to consider relative costs and benefits.
(4) Management can ignore or override internal control for illegitimate objectives.
“Limitations of internal control” refers to the fact that internal control, even when appropriately
designed and operated, may not operate effectively due to its inherent limitations and does not
provide an absolute assurance as to the achievement of its objectives.
Internal control may not operate effectively due to misjudgments, carelessness or collusion
among two or more individuals. However, designing of internal control will significantly reduce
the risk of misjudgments and carelessness as well as the chances of collusion among two or
more individuals.
Internal control may not necessarily respond to unexpected changes in internal or external
environments when controls were designed for non-routine transactions. However, appropriate
design of internal control will contribute to widening the scope of unexpected environmental
changes/ non-routine transactions for which internal control is capable of response. One
example is to assign knowledgeable and experienced personnel selectively to the processes that
are likely to be subject to the unexpected environmental changes or non-routine transactions.
Internal control is designed and operated based on management’s decision and in terms of cost
versus benefit. When making a decision on whether an internal control procedure should be
introduced or maintained, an organization compares necessary costs with benefits that can be
obtained by the use of the procedure for risk management purposes.
In addition, management can ignore or override internal control for illegitimate objectives.
However, if management has established in the organization appropriate company-level or
process-level controls, the potential of such acts by management will be reduced significantly
because multiple individuals will be involved in the fact. In addition, as a result, it will serve as
reasonable deterrence against the management’s conduct.
Meanwhile, when management addresses unexpected changes in internal or external
environments or non-routine transactions outside the framework of existing internal control, or,
when an authorized person performs, based on a managerial decision, separate procedures in
excess of the limitation of existing internal control, such activities do not constitute ignoring or
overriding of internal control.
4. Roles and Responsibilities of Relevant Persons
(1) Management
Management has ultimate responsibility for all the activities of an organization, and as part of
this, it has roles and responsibilities in the design and operation of internal control based on the
basic policies determined by the board of directors.
Management designs and operates internal control (including monitoring) through the
company’s organization as a means to satisfy its responsibility.
Management more significantly influences the tone of the organization that affects the factors
of the control environment and the other basic components of internal control than any other
individuals in an organization.
Note: In this standard, management is assumed to include representative directors,
representative officers and other representatives of an executive level.
Management, as it represents an organization (Article 349, Company Law), is authorized to
perform business operations. At the same time, it has roles and responsibilities to design and
operate the organization’s internal control based on the basic policies determined by the board
of directors.
Representing its company, management is in a position to submit the Annual Report, and
ultimately responsible for the reliability of disclosure documents.
In addition, in the internal control reporting system under the Financial Instruments and
Exchange Law, management is likely to be required to sign the Internal Control Report.
Accordingly, management must properly assess and report on the design and operation of internal
control over financial reporting.
If the company has a Chief Financial Officer, his/her signature may also be required in
addition to that of the representative of the company.
(2) Board of Directors
The board of directors decides the preliminary policies related to the design and operation of
internal control.
The board of directors supervises the performance of management, including the design and
operation of internal control by the management.
The board of directors is an important part of company-level controls and a part of the control
environment for process-level controls.
The board of directors is a decision-making body on the organization’s business operations
and determines basic policies on internal control. The board of directors is also a body that
supervises management's performance of duties and is authorized to appoint and discharge
management. (Articles 362, 416, and 420 of the Company Law)
Therefore, the board of directors is also responsible for supervising management’s designing
and operation of internal control.
(3) Corporate Auditors or Audit Committee
Corporate auditors (auditor's board) or the audit committee is responsible for auditing the
performance of the directors and officers. As a part of this, they have the role and responsibility
to independently monitor and verify the design and operation of internal control.
Corporate auditors or the audit committee audits performance of duties by directors and other
personnel (Article 381, paragraph 1, the Company Law and Article 404, paragraph 2, item 1
thereof). Corporate auditors or the audit committee conducts operational audits including
financial audits.
As part of its operational audit, corporate auditors or the audit committee monitor whether
internal control is appropriately designed and operated, including the system to ensure the
reliability of financial reporting. Under Company Law, corporate auditors or the audit
committee is required to evaluate the relevance of the approach employed by the external
auditor on the financial audit of the statutory accounts (in compliance with the Company Law),
as well as the results of the financial audit conducted by the external auditor.
On the other hand, in the Internal Control Audit as described herein, the external auditor does
not examine the details of the operational audit performed by the corporate auditor. However,
when evaluating the appropriateness of the assessment on the company-level controls over
financial reporting, the external auditor takes into consideration the designing and operation of
internal controls at the management level including corporate auditors or the audit committee,
as part of the control environment, monitoring, etc.
(4) Internal Auditors
Internal auditors are responsible for examining and assessing the design and operation of
internal control and prompting remedial action as a part of their monitoring functions, a basic
component of internal control to ensure more effective achievement of the internal control
objectives.
Note: In this standard, the term “internal auditor” means any person or unit with the
responsibility for examining, assessing and recommending the design and operation of internal
control regardless of how their affiliation is termed within the organization.
Internal auditors investigate, examine and assess the design and operation of internal control,
and report the results to appropriate personnel within the organization. Internal auditors, who
are often assigned to report directly to management, play an important role in the separate
evaluation of internal control.
To perform their duties, internal auditors must be free from any constraints imposed by the
organization’s other business units that are subject to an internal audit so that they can maintain
their objectivity. To this end, management must provide an environment in which internal
auditors can be independent of business processes and units subject to an internal audit, and
have no direct authority or responsibility for the function or business units.
Furthermore, it is also important that, in order to improve the effectiveness of internal control,
management establish a system through which it can receive reports from internal auditors in a
timely and appropriate manner.
(5) Other Personnel within the Organization
Internal control is a process carried out by everyone within an organization. All personnel
other than those listed above play a role in the design and operation of effective internal control
concerning their own work duties.
Internal control is a process carried out by everyone within an organization. All personnel
other than those listed under (1) to (4) above are also engaged in, for example, control activities,
information and communication within the organization, and ongoing monitoring, in the course
of their duties. In this sense, they play a role in the design and operation of effective internal
control within the scope of the authorities and responsibilities they have. “Other personnel in the
organization” includes not only permanent employees but also short-term or temporary
employees who undertake certain roles and perform their duties in the organization.
5. Establishing Internal Control Over Financial Reporting
(1) Key Points for Establishing Internal Control Over Financial Reporting
The following are the key points for the practical implementation of internal control over
financial reporting based on the basic framework of internal control mentioned herein before.
Management should ensure that the following points are in place. Any deficiencies must be
remediated as necessary.
Company-wide policies and procedures that ensure proper financial reporting are provided,
properly designed, and operating effectively
- Announcing an intention toward proper financial reporting; establishment of policies and
principles to realize such an intention
- Effective performance by board of directors and corporate auditors or audit committee
- Establishment of appropriate organizational structure
Appropriate assessment is performed on misstatement risk and action plans to manage such
risks are developed
- Identification and analysis of material misstatement risk
- Establishment of company-level and process-level controls to mitigate risks
Controls to mitigate material misstatement risk in the financial reporting are appropriately
designed and operated
- Clear definition of responsibilities and segregation of duties
- Development of company-wide job description; individual procedure manuals on an as needed
basis
- Necessary improvements of control activities based on the actual performance
A process is designed and operated to identify and handle truthful and objective information
and communicate such information to appropriate personnel in a timely manner
- Development of a structure that enables management to communicate intentions clearly and
instructions properly
- Development of a process in which material information on internal control is communicated
in a timely and proper manner
- Development of a structure that would allow for collection of material information on internal
control from the external organization
Monitoring of financial reporting is designed and operated appropriately
- Development of a process to assess the effectiveness of internal control over financial
reporting on a regular or as-needed basis
- Development of a structure to respond appropriately to information provided by a party within
or outside the company
- Development of a process for the timely and proper reporting of internal control issues
(deficiencies) identified via monitoring
Appropriate response to IT relating to internal control over financial reporting
- Proper understanding of the IT environment and effective and efficient use of IT based on the
understanding
- Development of general controls and application controls relevant to IT
(2) Process for Establishing Internal Control Over Financial Reporting
Different organizations have different procedures for establishing internal control. However, it
was considered possible to provide general procedures that are necessary as a preliminary step
before the assessment and reporting of internal control. The following are the examples of such
procedures:
[1]. Determining basic plans and policies
It is important that internal control be established based on a consistent policy developed by
management. The Company Law requires that the board of directors determines basic internal
control policies. Management should, based on the policies determined by the board of directors,
develop basic plans and policies for operating internal control over financial reporting at both
company level and process level.
Examples of basic plans and procedures to be developed by management include the following.
- Policies, principles, scope, and level of internal control to be established for proper financial
reporting
- Responsible persons at management or lower level for establishing internal control and
entity-wide control structure
- Scope and level of internal control that is necessary for the organization to establish
- Procedures and schedule necessary for establishing internal control
- Personnel who will be involved in the individual procedures necessary for the establishment of
internal control; organization of the personnel; method of preliminary education and training for
the personnel
[2]. Understanding design of internal controls
When basic plans and policies on internal control are determined in an organization, design of
internal controls is understood and the results are recorded and maintained. It is effective to
undertake these works as a company-wide project supervised by management and a person who
is responsible for establishing internal controls.
The design of company-level internal controls over financial reporting should be understood,
recorded, and maintained based on the rules and practices on the existing internal control, as
well as compliance with such rules and practices. In particular, it is important to make a record
if there are any implicit, unwritten rules in force within the company.
To understand the design of company-level internal control, it would be effective to refer to the
items listed in exhibit number 1 (“Examples of Assessment Items for Company-Level Controls
Over Financial Reporting”) included in “II. Assessment and Report on Internal Control Over
Financial Reporting” accordingly.
The following is an example of the flow of procedures for understanding, recording, and
maintaining the design of internal control over financial reporting within key business
processes:
a. Sort out and understand the organization’s key business processes for the flow of transactions
and accounting processes, using charts and diagrams as necessary.
b. Identify the risk of misstatement for these business processes. Examine the financial
statements and accounts to which the risk relates, and whether the internal control incorporated
into the process is effective enough to reduce the identified risk, using charts and diagrams as
necessary.
For the examples of the charts and diagrams described above, refer to exhibit number 2,
“Business process flowchart (sample)” and “Business process description (sample),” and 3,
“Relationship between risks and controls (sample),” included in “II. Assessment and Report on
Internal Control Over Financial Reporting.”
Once the internal control design is recorded and visualized, internal control effectiveness can
be assessed.
Note: The following is the example of the identification of business processes. As different
organizations have different types of business operations, individual organizations are
encouraged to determine for themselves how the business processes should be identified and
sorted.
Example of business process classification
(Figure omitted. Labels recoverable from the figure: “Business or operation,” “Business process,” and “Operations performed by the organization”; sales operations in relation to business B; export sales operations; wholesale; store sales; mail orders; operations relating to sales; operations relating to accounts receivable; sales orders; shipping; recognition of sales.)
[3]. Addressing and remedying identified deficiencies
Control deficiencies identified during the control design understanding process must be
addressed in a proper manner. Management and persons responsible for establishing internal
control should, based on the basic plans and policies on internal control, take measures to
remedy the deficiencies.
Deficiencies in company-level controls, if any, should be remediated while referring to, for
example, exhibit number 1, (“Examples of Assessment Items for Company-Level Controls Over
Financial Reporting”) included in “II. Assessment and Report on Internal Control Over
Financial Reporting.”
Deficiencies in process-level controls should be remediated by following, for example, the
procedures described below:
a. If internal controls incorporated in the business process are not effective to reduce the risk of
misstatements sufficiently, measures should be taken to correct the controls.
b. If any new flow of transactions or accounting processes is added as a result of the procedure
above, update the charts and diagrams shown in [2]. a. and b.
The objective of the internal control reporting system required by the Financial Instruments
and Exchange Law is to ensure the reliability of financial reporting. Any deficiencies in internal
control over financial reporting should be addressed and remediated appropriately prior to
submitting the Internal Control Report. Management is required to improve and ensure the
effectiveness of internal control placed in operation at their organizations before the
enforcement of the internal control reporting system.
II. Assessment and Report on Internal Control Over Financial Reporting
1. Definitions Related to the Assessment of Internal Control Over Financial Reporting
Management has the role and responsibility to design and operate internal control. Out of
the internal control discussed in the “basic framework of internal control,” it is particularly vital
for management to assess the internal control over financial reporting in accordance with
generally accepted assessment standards for internal control and report its conclusion externally
in order to ensure the reliability of financial reporting.
For the purposes of these standards, the terms below and their meanings are used:
(1) “Financial reporting” and “financial reports” are external reporting of both 1) financial
statements and 2) disclosure information and others that could have a material effect on the
reliability of financial statements.
(2) “Internal control over financial reporting” is an internal control that is necessary to ensure
the reliability of financial reporting.
(3) “Effective internal control over financial reporting” means that the internal control is
designed and operated in accordance with an appropriate internal control framework and is free
of material weakness.
(4) “Material weakness” is a deficiency that has a reasonable possibility of having a material
effect on financial reporting.
[1]. Scope of financial reporting
A. “Financial statements” means the consolidated financial statements stipulated in the
“Regulations Concerning Terminology, Forms, and Preparation Methods of Consolidated
Financial Statements” (Ministry of Finance Regulation No.28, 1976) and the financial
statements stipulated in the “Regulations Concerning Terminology, Forms, and Preparation
Methods of Financial Statements” (Ministry of Finance Regulation No.59, 1963).
B. “Disclosure information and others that could have a material effect on the reliability of
financial statements” means the disclosure information and others (except financial statements)
included in the Annual Report and others, specifically listed as follows:
a. Disclosure information to be provided as a summary, excerpt, or breakdown, or by use of the
amounts and values presented in, or notes to, the financial statements (hereinafter referred to as
“information derived from data presented in financial statements and others”).
Examples include the following information included in the Annual Report:
1) “Major financial data proceedings” under the “company overview” section;
2) “Business results,” “production, orders received, and sales,” “research and development” and
“analysis of financial condition and results of operation” under the “business condition” section;
3) “Facilities and equipment”;
4) “Stock information,” “treasury stock repurchases,” “dividend policy” and “corporate
governance” under the “company information” section;
5) “Major assets and liabilities” and “other” under the “financial information” section;
6) “Corporate bonds guaranteed” under the “information on guarantors” section;
7) Information derived from data presented in the financial statements in “information on
indices and others.”
It should be noted that, with regard to this point, management should assess whether a system
to summarize, excerpt, break down, or use the information presented in financial statements
appropriately is designed and operated.
b. Matters that are closely related to the decision of whether an entity is an affiliate, decision on
the scope of consolidation or the necessity to apply the equity method, determination of whether
a party is a related party and other decisions involved in preparing the financial statements.
Examples include the following information in the Annual Report.
1) “Overview of business” and “affiliated companies” under the “corporate information” section
2) Affiliates, related parties, big shareholders in “big shareholders” under the “company
information” section
It should be noted that, with regard to this point, the management’s assessment is undertaken
with consideration for the significance of the impact these factors may have on the significant
judgments in preparing financial statements, and that the assessment does not necessarily
consider all of the information included in the disclosure information described above.
[2]. Guidelines for determining material weakness
This guidance shows the guideline for determining material weakness in terms of impact on
reliability of financial reporting. The guideline for determining material weakness cannot be
presented uniformly because it varies based on the environment or business nature of the companies.
Basically, it should be determined based on the likelihood and impact of misstatements relating to
financial reporting. It is therefore noted that the following guideline for determining material
weakness is used not for determining each business process to be added to the scope at II. 2. (2) [2],
“identifying business processes to be assessed,” but for judging whether each deficiency is deemed
as a material weakness.
A. Control deficiencies
Control deficiencies are classified into design deficiencies and operating effectiveness
deficiencies. Deficiencies in design arise when a control is missing or an existing control is not
properly designed and the control objective is not always met. Deficiencies in operating
effectiveness arise when a properly designed control does not operate as designed, when there
are many errors in operation or when the person performing the control does not properly
understand the nature and objectives of the control.
A single control deficiency or combination of different kinds of control deficiencies adversely
affects the company’s ability to record, process, or report transactions in compliance with
generally accepted accounting principles (“GAAP”) and regulations for financial reporting. As a
result, they may constitute a material weakness.
B. Material weakness
A material weakness is a deficiency that has a reasonable possibility of resulting in a
misstatement above a certain amount, or a possibility of being a qualitatively material
misstatement.
In determining whether a control deficiency constitutes a material weakness, management
should evaluate both quantitative and qualitative aspects.
The effectiveness of internal control over financial reporting should be assessed, in principle,
on a consolidated basis. Accordingly, the level of material effect should be considered based on
consolidated financial statements.
a. Determining quantitative materiality
Quantitative materiality can be calculated as a percentage of consolidated total assets,
consolidated sales, consolidated income before income taxes and minority interests and other
factors. These percentages are not defined as set amounts; rather, the percentage should be
determined based on the company’s situation, such as its type of business, size, and
characteristics.
Note: For example, the materiality threshold using consolidated income before income taxes
and minority interests may be set at approximately 5% of the consolidated income before tax.
However, ultimately, the materiality amount should be considered in the context of its
relationship to the quantitative materiality amount of the Financial Statement Audit.
b. Determining qualitative materiality
Qualitative materiality is determined based on the extent of impact on:
1) investment decisions, for example, on information relating to delisting criteria or financial
covenants; and
2) the reliability of financial reporting, such as information relating to the related party
transactions and big shareholders.
2. Assessment of Internal Control Over Financial Reporting, and Scope of
Assessment
(1) Assessment of the Effectiveness of Internal Control Over Financial Reporting
Management must assess the effectiveness of internal control over financial reporting to the
extent necessary in light of their degree of impact on the reliability of financial reporting.
Prior to making such assessments, management must establish policies and procedures for
designing and operating internal control over financial reporting, and must record and maintain
their status. The assessment of internal control over financial reporting effectiveness should
be, in principle, performed on a consolidated basis. Internal control that has a significant impact
on consolidated financial statements in their entirety throughout the company group is
hereinafter referred to as “company-level controls.”
(Note) The internal controls over outsourced processes should be in the scope for the
assessment.
[1]. Scope of assessment on a consolidated basis
“The assessment of internal control over financial reporting effectiveness should be, in
principle, performed on a consolidated basis” means the requirement that the entities included in
a set of consolidated financial statements (i.e., the company issuing the Annual Report and its
subsidiaries and affiliates) should be subject to the process for determining the scope of internal
control over the financial reporting effectiveness assessment. In that process, the following
points should be noted:
A. Consolidated subsidiaries and others (incl. partnerships) should be made subject to the
process of determining the scope of assessment. When assessing the effectiveness of a
subsidiary’s internal control over financial reporting, the parent company may use the
subsidiary’s report on internal control over financial reporting (incl. reports received from the
subsidiary in the course of preparation), provided that the subsidiary:
1) is a listed company;
2) has prepared its internal control report based on this standard and the report has been audited
by an external auditor.
B. Equity method affiliated companies should be included in the scope for management’s
assessment of internal control. In that case, however, where the affiliated company has prepared
its report on internal control based on this standard, and the report has been audited by an
external auditor; or the affiliated company is a subsidiary of another company, the parent of the
affiliate has prepared its report on internal control based on this standard and the report has been
audited by an external auditor, these affiliated companies should be treated the same as the
listed subsidiaries under the preceding paragraph A. When an affiliate cannot be assessed in the
same manner as that of a subsidiary due to factors such as the existence of other controlling
shareholders, investment interest and equity method profit or loss in the affiliate, or dispatched
or interlocking officers (directors, corporate auditors, etc.), management should focus on
company-level controls and perform procedures such as sending out questionnaires, inquiring,
or reviewing reports prepared by the affiliate.
C. Foreign subsidiaries should also be considered in the scope of management’s assessment of
internal control.
However, if the country in which the subsidiary is located has an appropriate internal control
reporting regulation, it is permissible to use that internal control reporting regulation. In addition,
even if the country does not have an internal control reporting regulation, an appropriate internal
control reporting regulation of another country (other than Japan) may be used, depending on its
historical or geographical background. In those cases, it is permissible to use that internal
control reporting regulation.
[2]. Assessment of outsourced processes
A. Scope of assessment of outsourced processes
Examples of processes that a company may outsource to a third party outside the group include
authorization, execution, calculation, aggregation, and recording of transactions that form the
basis for financial statement or disclosure information preparation.
The company is responsible for the outsourced processes, and should include internal control
of them in the scope of assessment. If an outsourced process constitutes a significant business
process of the company, management should assess the effectiveness of the internal controls
within the process operated by the service organization.
B. Assessment of internal controls over outsourced processes
Management should understand and appropriately assess the design and operating
effectiveness of internal controls performed by the service organization over the outsourced
process. In the assessment, one of the following procedures may be used to assess the
effectiveness of internal controls.
a. Validation via sampling
This method is to examine the consistency between the reported results of the outsourced
processes and basic data. At the same time, a portion of the outsourced processes must be
re-performed by the company to validate the consistency.
For example, the payroll calculation process can be examined by comparing the number of
employees included in the payroll data outsourced to the service organization with the number
of records included in the calculation data received from the service organization, and at the
same time, by recalculating, within the company, a part of the calculation data selected at
random.
b. Use of service organization assessment results
In evaluating the design and operating effectiveness of internal controls over outsourced
processes, management may, at its own discretion, use reports and other documents on the
organization’s own assessment of the internal control over the processes that the company
outsources to the service organization.
In that case, management should examine whether the reports and other documents are
supported by sufficient evidence.
(2) Determination of the Scope of Assessment
In assessing the effectiveness of internal controls, management should decide on the
reasonable scope of assessment for the following matters in light of their degree of quantitative
and qualitative impact on financial reporting, and should keep appropriate records of the
approach and grounds related to the scope of assessment for relevant internal controls.
- Presentation and disclosure of financial statements
- Businesses and business operations comprising the company’s activities
- Transactions and events as the basis of financial reporting
- Important business processes
Management should, based on the determination of significant locations or business units,
examine the scope of assessment for these items from the perspective of their degree of
quantitative and qualitative impact on the presentation and disclosure of financial statements.
Based on these considerations, they should then think of the degree of quantitative and
qualitative impact on overall financial reporting from the businesses and business operations
comprising the company’s activities, the transactions and events as the basis of financial
reporting and important business processes, to arrive at a reasonable scope of assessment.
Management should assess company-level controls and use that as a basis to determine what
business process should be in the scope for internal control assessment.
It should be noted that company-level controls are not included in the controls for which the
scope of assessment should be determined in accordance with the procedures described under
“determining the scope of assessment of business processes” below. In principle, management
should assess company-level controls for all locations and business units from a company-wide
perspective.
However, locations and business units that do not have a material effect on financial reporting
may be excluded from the scope of assessment.
[Determining the scope of assessment of business processes]
It should be noted that the period-end financial reporting process (primarily performed by the
accounting department) to be assessed from a company-wide perspective should be assessed in
a similar manner as company-level controls.
Note: Example tasks of the period-end financial reporting process to be assessed from the
company-wide perspective include:
- Preparing financial statements from the general ledger
- Entry to prepare consolidated financial statements (consolidation adjustments, aggregation,
reclassification and others) and recording the contents
- Stating disclosure items relevant to financial statements
However, the preceding sentence is not intended to preclude exclusion of those relating to
locations and business units with no material effect on financial reporting from the scope of
assessment.
The scope of assessment for business processes other than the above should be determined by
following the procedures below:
[1]. Selecting significant locations or business units
When a company has multiple locations and business units, the selection of locations or
business units to be assessed should be based on the degree of materiality of their sales or other
factors. For example, locations or business units are selected in descending order of sales (or
other factors) until their combined amount reaches a certain ratio of the consolidated sales (or
other factors).
(Note 1) Locations or business units are not necessarily limited by geographic concept. They
may be classified, in accordance with the form of the company, as headquarters, subsidiaries,
local offices, branches, or business units.
Although the basic criterion for selecting locations or business units is sales, different or
additional criteria may be used depending on the company’s business environment or
characteristics.
(Note 2) It is difficult to provide a “certain ratio” that is uniformly applicable to all
organizations, because individual organizations will find themselves in different environments
with different business characteristics. If, however, company-level controls are operating
effectively, then the “certain ratio” may be, for example, two-thirds of total sales on a
consolidation basis and others. In addition, individual business processes that have a high
degree of materiality (as described below) may be included in the scope. Instead of two-thirds
of total sales on a consolidation basis, a certain ratio may be applied to aggregated sales (before
elimination of inter-company transactions).
(Note 3) As sales amounts of affiliated companies are not included in a company’s consolidated
sales, management cannot use the certain ratio of consolidated sales for affiliates. Instead,
management should evaluate the degree of the affiliate’s impact on the company’s financial
statements and determine whether the affiliate should be deemed to be in the scope or not based
on its financial statement.
If a significant location or business unit has a reason that precludes the assessment (e.g.
acquisition, merger, or natural disaster immediately before the closing date), such a location or
business unit may not be subject to the assessment. In such a case, however, it should be borne
in mind that it is necessary to disclose in an addendum to the Internal Control Report that there
is a limitation on the scope of assessment.
[2]. Identifying business processes to be assessed
A. In general, in the locations and business units (except for equity method affiliates) selected in
[1] above, all business processes which impact the accounts that are closely associated with the
company’s business objectives should be in the scope (for example, in the case of a generic
company, the accounts that would be in the scope are, in principle, sales, accounts receivable,
and inventory).
However, a business process should be deemed outside the scope if it only has a remote
association with significant businesses or operations performed in a significant location or
business unit and has no material impact on the financial statements. In that case, management
should keep the record of the business processes that are deemed outside the scope and the
explanations behind such decisions.
The business processes leading to inventories include sales, inventory management, period-end
physical inventory count procedures, the purchasing process, the costing process and others. To
determine which processes should be in the scope, the company needs to evaluate its industry’s
characteristics and assess the risk of misstatements in these areas.
It is noted that, in general, within the costing process, management is not required to assess the
entire costing process, but enough of the process for end-of-period inventory valuation.
B. When locations and business units selected pursuant to [1] above or any other locations and
business units have a business process with a significant effect on financial reporting, such a
business process should be in the scope. In that case, the following points should be noted:
a. Business processes relating to a business or operation dealing with high-risk transactions.
Examples include business locations or business operations that have a high-risk business
likely to result in a misstatement in significant components of the financial statements (for
example, businesses that have financial and/or derivatives transactions, or those that have
inventory with volatile pricing), or those engaged in transactions that require complex
accounting treatment. In such cases, business processes relating to the business or business
operation should be examined to determine whether they should be in the scope.
b. Business processes relating to significant accounts involving estimates and management’s
judgment.
If it is a business process that relates to a significant account involving estimates and
management’s judgment (for example, allowances, loss on impairment of fixed assets, and
deferred tax assets or liabilities), and is likely to ultimately have a significant effect on the
financial reporting, an examination should be undertaken to determine whether the business
process should be in the scope.
c. Business processes requiring special attention because of the involvement in non-routine or
irregular transactions that have a high risk of misstatement.
For example, when a business process involves non-routine or irregular transactions (for
example, transactions under irregular business conditions and terms, transactions concentrated
around the period-end, significant increase in the number of transactions compared to the prior
year, etc.), and as a result has a high risk of misstatement, special attention must be paid to such
a process and an examination should be undertaken to determine whether the process should be
in the scope.
d. When a business process is included in the scope for a reason such as that noted above, after
considering the materiality to the financial reporting it may be sufficient to address only certain
transactions or events (or certain key business processes), rather than the entirety of the business
or operation.
[Communication with external auditor(s)]
A scope of assessment determined by management may be judged as inappropriate by an
external auditor as a result of the external auditor’s procedures. In such a case, management
should re-perform the assessment procedures for the new scope of assessment. However, such
re-performance may sometimes be difficult due to a limited timeframe. Therefore, soon after
management determines the scope of assessment, management should discuss the basis and the
results of the scope with the auditor, as appropriate.
3. Method of Assessing Internal Control Over Financial Reporting
(1) Internal Control Assessment by Management
Management, as the entity responsible for the design and operation of effective internal
control, assesses internal control over financial reporting. In evaluating internal controls,
management should first assess internal controls that have a material impact on overall
consolidated financial reporting and, based on the results, assess the internal control
incorporated into business processes (“process-level controls” hereinafter).
Management’s assessment of internal controls should be conducted as of the end of the fiscal
year.
[1]. Internal control assessment structure
“Management’s assessment” means primarily performing the assessment and reporting of the
assessment results by management. Management is ultimately responsible for the assessment of
internal controls, and it is required to assume the responsibility for the planning, performance,
and results of the assessment.
However, as it is difficult for management to perform the entire work of assessment, it is
advisable to appoint a responsible person to help management perform the assessment, under
the direction of management, and establish a department or a mechanism that performs the
assessment under management’s direction. Alternatively, it is also advisable to use, for example,
the accounting department, internal audit department, or any other existing department, as long
as the department does not assess its own business.
The department or body that helps management perform the assessment, as well as individual
staff members of the department or the body, should be independent of the business operations
being assessed, and are required to maintain objectivity. In addition, they also need to be
sufficiently capable of performing the tasks required for the assessment. In other words, they
must be fully competent in relation to the design and assessment of internal controls, have a
solid understanding of assessment approaches and procedures, and be able to make proper
judgments.
A self-assessment on internal controls by persons who perform the day-to-day business
operations or by the department that executes the business operation is not to be considered a
“separate assessment”. However, such self-assessment is beneficial for improving the design
and operation of internal controls and may result in a more effective use of the separate
assessment. The company can use self-assessment as the basis of judgments to be made during
the assessment of internal controls when independent monitoring is performed on the results of
the self-assessment.
[2]. Use of work of experts
Management can perform part of the assessment of internal control over financial reporting by
using an expert outside the company.
The judgment as to whether an expert’s work provides sufficient evidence in support of the
assessment must be made by management on its own responsibility. Management should bear
the ultimate responsibility for assessment results.
To this end, the following points should be kept in mind.
A. The expert possesses not only professional expertise of the business, but also the
knowledge and experience necessary to provide work requested by management in regard to the
assessment of internal controls.
B. When asking an expert for an assessment, management should clarify the basic requirements
for the assessment to be performed by the expert. This understanding should cover the details of
the assessment procedures, the period of time for which the assessment is performed, scope of
assessment, number of samples, and so forth.
C. In order to clarify the details of the assessment procedures and the work content,
management should clearly define the matters to be included in the expert’s report.
D. Management should check the progress of the expert’s work on a regular basis.
E. Management should review the expert’s work to assess whether the basic requirements have
been fulfilled.
(2) Assessment of Company-Level Controls
Management should assess the design and operation of company-level controls and the
degree of impact they have on process-level controls. In doing this, management should
sufficiently assess risks occurring inside/outside the organization and should fully consider all
events that could have a significant impact on overall financial reporting. This would include,
for example, company-level accounting policies and financial policies, management decisions
related to the structuring and operation of organizations, and the decision-making process at the
management level.
[1]. Company-level controls
Company-level controls are internal controls that have a pervasive impact on the company and
cover the entire company group (more basically, the company issuing the Annual Report and its
subsidiaries and affiliates). However, if it is deemed appropriate to perform a separate
assessment of internal controls at a specific subsidiary and/or business unit because of its unique
history, practice, or organizational structure, company-level controls applicable only to a
specific subsidiary and/or business unit may be assessed. In that case, management should
appropriately determine subsidiaries and business units for which internal controls are identified
and assessed separately by taking their degree of impact on the financial reporting into account.
[Assessment items for company-level controls]
The type of company-level controls varies depending on the business environment and
characteristics of the company, and individual companies are required to design and operate
internal controls that suit the company. Nevertheless, each basic component of internal control
has specific items to be assessed. Examples of such items are shown in Exhibit 1 (Examples of
assessment items for company-level controls over financial reporting). However, it should be
noted that the list of examples shown in Exhibit 1 is not intended to be a complete list of items
to be assessed, and that a company is required to make additions, deletions, and amendments as
necessary.
[2]. Methods for evaluating company-level controls
When evaluating company-level controls, procedures such as inquiries and verification of
records should be performed, as necessary, after appropriately understanding and analyzing the
internal controls to be assessed as a whole.
[3]. Company-level controls and process-level controls
Management should assess process-level controls based on the results of the assessment of
company-level controls. Company-level controls and process-level controls affect and
complement each other. Management should perform the assessment of internal controls by
ensuring an appropriate balance between the two.
[Different balances among companies due to different business characteristics]
A company’s focus (company-level controls or process-level controls) may differ depending
on the characteristics of the business performed or other factors. For example, company-level
controls may have a greater significance if the company’s organizational structure is relatively
simple.
On the other hand, if the ratio of a company’s business operations performed in accordance
with in-house rules, policies or procedures is high, process-level controls may have a relatively
greater significance. For example, it is necessary for a retail company with multiple outlets to
standardize its operational procedures. As a result, a variety of manuals for process-level
controls are prepared, including a sales manual, a cash-handling manual, an employee education
manual and a manual for responding to exceptional events.
Management should determine the scope and approaches for assessment of process-level
controls based on the results of the assessment of company-level controls. For example, if the
assessment of company-level controls concluded that they are not operating effectively, the
scope of assessment should be expanded or additional assessment should be performed for the
process-level controls affected by the ineffective company-level controls. On the other hand, if
the company-level controls are assessed as operating effectively, the assessment of process-level
controls may be simplified by, for example, reducing the scope of sampling. Alternatively, by
taking into account the materiality or other factors, the frequency of assessment of certain
controls can be reduced to a predetermined number of accounting periods.
It should be noted that the scope and approaches for the assessment of process-level controls
may be adjusted under the circumstances where, as mentioned under [1] above, a separate
assessment of company-level controls is performed for individual subsidiaries or business units
in the group in light of their characteristics and materiality.
(3) Assessment of Process-Level Controls
Based on the assessment of company-level controls, management should analyze business
processes within the scope of the internal controls to be assessed, identify a key control that
would have a material impact on the reliability of financial reporting (“key control”
hereinafter), and assess whether the basic components of internal control are operating with
regard to the key control.
Based on the assessment of company-level controls, management should analyze the business
processes within the scope of the internal control to be assessed, and then identify the controls
that would have a material impact on the reliability of financial reporting as key controls. In the
second step, management should assess whether the key controls are sufficient to mitigate the
risk of material misstatement. By evaluating the design and operation of the key controls,
management will obtain the basis for assessing the effectiveness of process-level controls.
[1]. Identify/determine business processes in the scope
Management should recognize the flow of transactions in business processes within the scope
of assessment, including initiation, authorization, recording, processing, and reporting of
transactions. It should also understand the accounting procedures from the origination of
transactions to computing and journalizing transactions, etc. It would be useful to utilize charts
and diagrams, as necessary, to clarify and record the outline of the recognized business
processes.
Note: Examples of the charts and diagrams are shown in Exhibit 2, “Business process flowchart
(sample)” and “Business process description (sample).” However, these are merely examples of
charts and diagrams that may be prepared as necessary. Companies are not necessarily required
to use these examples, but are encouraged to use their own that are prepared separately (if any)
and make additions to them as necessary.
[2]. Identify the risk of misstatement and controls that mitigate the risk in business
processes
A. Management should identify the risk of misstatement due to fraud or error in the business
processes within the scope of assessment.
When identifying the risk, it is important to understand which of the financial statement
assertions (existence or occurrence; completeness; rights and obligations; valuation or
allocation; and presentation and disclosure) is affected by the fraud or error.
a. Existence or occurrence: Whether assets or liabilities of the entity exist and whether recorded
transactions or accounting events have actually occurred
b. Completeness: Whether all assets, liabilities, transactions, and accounting events that should
be presented in the financial statements are duly recorded
c. Rights and obligations: Whether assets are the rights of the entity and liabilities are the
obligations of the entity
d. Valuation: Whether assets and liabilities have been recorded in the financial statements in
appropriate amounts
e. Allocation: Whether transactions and accounting events are recorded in appropriate amounts
and whether revenues and expenses are allocated to appropriate accounting periods.
f. Presentation and disclosure: Whether transactions and accounting events are properly
presented and disclosed.
B. Identify the key controls implemented to mitigate the risk of misstatement
Management should identify internal controls implemented to mitigate the risk of misstatement.
In doing this, management should, focusing on the internal controls over initiating, authorizing,
recording, processing, and reporting, identify the key controls from the viewpoint of what types
of internal controls are necessary to ensure financial statement assertions, i.e., existence or
occurrence, completeness, rights and obligations, valuation, allocation, and presentation and
disclosure.
Management should determine whether the basic components of internal control over financial
reporting are operating effectively by determining whether the individual key controls related to
individual significant accounts are operating effectively and provide reasonable assurance over
the financial statement assertions, i.e., existence or occurrence, completeness, rights and
obligations, valuation, allocation, and presentation and disclosure.
It would be useful to utilize charts and diagrams as necessary for clarification and recording in
the assessment of the design and operation of process-level controls.
Note: Examples of the charts and diagrams are shown in Exhibit 3, “Relationship between risks
and controls (sample).” However, these are merely examples of charts and diagrams that may be
prepared as necessary. Companies are not necessarily required to use these examples, but are
encouraged to use their own that are prepared separately (if any) and make additions to them as
necessary.
[3]. Assessing design effectiveness of process-level controls
Management should determine, by taking such measures as review of relevant records,
inquiries to the employees and monitoring, whether the individual key controls related to
individual significant accounts identified pursuant to [2] above are properly designed and
provide reasonable assurance of achieving the financial statement assertions, i.e. existence and
occurrence, completeness, rights and obligations, valuation, allocation, and presentation and
disclosure. In doing this, if internal controls are operating in accordance with prescribed policies,
management should assess the effectiveness of the internal controls based on whether they are
adequate to sufficiently mitigate the risk of misstatements in significant components of the
financial statements.
The following are examples of matters to be kept in mind during the assessment.
- Whether internal controls are operating effectively to prevent or detect any fraud or error on a
timely basis
- Whether an appropriate segregation of duties is in place
- Whether persons in charge possess the knowledge and experience necessary to operate internal
controls
- Whether information concerning internal control is appropriately communicated, analyzed,
and used
- Whether any measures are in place to address, on a timely basis, a fraud or error identified by
internal control
[4]. Assessing operating effectiveness of process-level controls
A. Contents of operating effectiveness assessment
Management should assess the operation of process-level controls to determine whether they
are operating effectively.
Management should check the operation of process-level controls by applying procedures that
include reviewing relevant records, making inquiries to appropriate staff personnel on internal
controls, observing the application of specific controls, examining records regarding the
operation of internal controls, and investigating the progress in the self-assessment on the
operation of internal controls, etc.
B. Method of evaluating operation
In principle, management should obtain sufficient and appropriate evidence via sampling when
evaluating the operation. The scope of sampling may be reduced when company-level controls
are assessed to be operating effectively or it is deemed that a consistent and standardized
procedure is applied to multiple locations and business units in the company.
For example, when a company has multiple business locations and outlets, its company-level
controls are assessed to be operating effectively if 1) the business is performed based on
common rules, 2) information and communication are sufficient to make decisions during the
course of business, and 3) an internal audit is conducted to monitor the integrity of internal
controls.
In such a case, management categorizes locations and business units by characteristics,
assesses the operation at a certain number of business locations in each category, and uses the
results of those assessments to estimate and assess the operation of internal controls for the
entire group instead of performing an assessment of operation at each business location.
When selecting business locations to be included in the scope of assessment, an effective
method for selection (e.g., introducing a random sampling method) should be considered at the
planning stage, bearing in mind that all business locations should be covered at least once
within a certain period of time.
C. Timing to assess operation
To determine internal control effectiveness as of the assessment date (period-end date), it is
necessary to assess the operating effectiveness at an appropriate time.
When the assessment of the operation is conducted on an interim date and a significant change
is made to internal control before the period-end date, it is necessary to consider taking
additional measures. Examples of the additional measures include:
a. Identify and understand the details of the significant change
b. Assess the design effectiveness of internal controls after the change, including the
misstatement risk and controls to mitigate the risk in the business process associated with the
change
c. Assess the operating effectiveness of internal controls after the change
It should be noted that internal controls that do not exist as of the period-end date following the
change need not be assessed.
It is efficient and effective to assess the operation of internal controls over the period-end
financial reporting process in the early part of the fiscal period, using the prior period’s
operation as a starting point (in that case, it is a precondition that if any significant change is
made to internal control before the period-end date, appropriate additional measures are taken).
This is because any deficiency in internal controls over the period-end financial reporting
process must be remediated as early as possible in order to ensure the proper functioning of
these processes during the period, and it is likely that assessment of the operating effectiveness
of internal controls over the period-end financial reporting process will largely overlap the
assessment of internal control in the Financial Statement Audit.
D. Matters to be kept in mind in determining the method of assessment
The following matters are to be kept in mind in determining the method (sample size, sample
period, etc.) of operation assessment:
a. Types and characteristics of internal controls
Management should determine the method (sample size, sample period, etc.) for evaluating the
operation of internal controls after considering their materiality and complexity, the nature of
decisions to be made by persons in charge, the capability of the personnel involved in internal
control, the previous year’s results of assessment and the changes made afterward, etc.
Because IT-based controls are a repetition of consistent transactions, when such internal
control is assessed to be designed effectively, procedures for evaluating the operation of
IT-based controls may be less extensive than those for manual controls (by reducing the sample
size, shortening the sample period, etc.), provided that IT general controls are designed and
operating effectively.
b. Period-end financial reporting process
As described under 2 (2) above, if a period-end financial reporting process is deemed
appropriate to be assessed from a company-wide viewpoint, it should be so assessed in a
manner analogous to that of company-level controls.
However, other period-end financial reporting processes should be assessed as specific
business processes.
In such a case, internal control over the period-end financial reporting process is extremely
significant for the reliability of financial reporting, and there will be a small number of
processes to be assessed, because they are less frequently performed compared to those business
processes relating to day-to-day transactions. Therefore, in general, operating effectiveness of
internal controls over the period-end financial reporting process should be assessed in a more
cautious manner than that of other internal controls.
[5]. Assessing IT-based controls
A. Assessing IT-based controls
When IT is used in a company’s information systems, information is, in general, processed and
prepared through various types of application systems and then reflected in the accounting
system. Therefore, management should assess internal controls designed to ensure the reliability
of financial information prepared by these application and accounting systems. Such internal
controls include automated controls built into computer programs and controls in which manual
and computerized systems are operated in an integrated manner.
IT controls are categorized as general controls and application controls. Management should
assess both types of controls.
B. Determining scope of assessment
a. Scope of business processes and systems
The first step of evaluating IT controls over financial reporting should be to clarify the scope
of assessment for the systems related to internal control over financial reporting. When checking
accounting procedures performed in a business process, from origination of transactions to
computing and journalizing transactions, it is necessary to identify business processes and
systems that are associated with significant financial statement accounts, and the outline of the
functions of the systems and departments in which the systems are used, etc.
In doing this, it would be useful to utilize charts and diagrams, as necessary, in order to
recognize and clarify not only the accounting procedures performed in the business process,
from origination of transactions to computing and journalizing transactions, but also the flow of
data among systems. It would also be useful to prepare a list of the systems being used in each
business process.
Note: In the above Exhibit 2, “Business process flowchart (sample),” the column on the right
side is provided to allow users to draw their own system flowchart.
b. Understanding IT infrastructure
In addition to the systems used in each business process, an overview of the IT infrastructure
supporting those systems should also be understood. For example, it is encouraged to obtain an
understanding of the following points.
- Structure of the organizations involved in IT
- Rules and procedure manuals regarding IT
- Hardware configuration
- Configuration of basic software
- Networking
- Outsourcing to external organizations
C. Identifying assessment unit
When evaluating IT general controls, assessment units should be determined based on the
overview of the IT infrastructure. For example, when the sales, purchasing, and logistics
systems are developed in-house and controlled by the information systems department, while
off-the-shelf packaged accounting software is introduced and controlled by the accounting
department, the units should be the “information systems department” and the “accounting
department.”
On the other hand, IT application controls should basically be assessed for each system.
Management should identify the application controls used in each system by using flowcharts or
other tools as necessary.
Note: In the “Business process flowchart (sample)” shown before in Exhibit 2, a column is
provided on the right side to allow users to draw their own system flowchart. It is useful, for
example, to describe the details of the application controls in the notes to the column, or in the
“Business process description (sample)” prepared separately.
The following diagram is an illustrated example of the relationship among the sales process,
cash receipts process and accounting data in a sales transaction. It is often the case that a
company’s business processes are categorized by function and systemized based on the function.
For example, the sales process is categorized into the function group of sales orders, shipping,
and so forth, and systemized as necessary.
Management should understand the relationship among the financial statement accounts,
transactions, business processes and systems to be able to identify which type of accounting
data is supported by which system for major transactions.
D. Assessing effectiveness of design and operation of IT-based controls
a. IT general controls
Management should assess the effectiveness of design and operation of IT general controls by
focusing on the following points.
- Development and maintenance of information systems
- Operation and administration of information systems
- Security of information systems, including access control from inside/outside the organization
- Outsourcing contract management
In assessing the operating effectiveness of internal controls as a part of the assessment of
internal control effectiveness, management should assess the operating effectiveness of general
controls in conjunction with the assessment of the operating effectiveness of related application
controls. By expanding the scope of the assessment of the operation of application controls,
management may still obtain sufficient assurance that internal controls are operating effectively
without evaluating the operation of general controls.
[Diagram: relationship among the sales process, cash receipt process and accounting data in a sales transaction. Row labels: Financial reporting; Accounting system; Accounting data in the scope of assessment; Function; Business process; System; Linked system. Other labels: Sales, Accounts receivable, Cash; Accounts receivable (recording), Accounts receivable (collection); Order, Shipment, Billing, Collection; Sales process, Cash receipt; Sales control system (Order unit, Sales unit, Accounts receivable billing unit, Accounts receivable collection unit); Logistics and inventory system.]
b. Assessment of IT application controls
Management should assess whether the identified IT application controls are appropriately
integrated into business processes and operating effectively. Specifically, the following
examples are to be considered in evaluating the effectiveness of design and operation of
application controls.
- Whether completeness, accuracy, and validity of entry information are secured
- Whether functions to correct and reprocess erroneous data are secured
- Whether the accuracy of master data is secured
- Whether an appropriate access control (user authentication, limiting the scope of operation,
etc.) is applied
c. Use of previous period's results of assessment
In principle, IT-based controls must be assessed on an annual basis, as is the case with manual
controls. However, once an internal control is automated by using IT, it operates continually
unless a change is made or an error has occurred.
Therefore, if an automated control was assessed in the previous period as operating effectively
without control deficiencies, management may continuously use those results, provided the
following conditions are met and recorded.
1) No changes have been made to the control since the last assessment
2) No failures or errors have occurred
3) Related general controls have been assessed and found to be designed appropriately and
operating effectively
(4) Judgment of the Effectiveness of Internal Controls
If the assessment of internal control over financial reporting effectiveness reveals that
deficiencies relating to key controls, etc. are very likely to have a material impact on financial
reporting, the management should conclude that there are material weaknesses in internal
control over financial reporting.
[1]. Judgment of the effectiveness of company-level controls
A. Evaluation of deficiencies
Deficiencies in company-level controls will have a pervasive impact directly or indirectly on
not only process-level controls, but also, ultimately, on the contents of financial reporting.
Therefore, if deficiencies exist in company-level controls, careful consideration is required to
determine the likelihood of their causing material misstatements in the financial reporting, as
well as their impact on process-level controls.
B. Judgment of the effectiveness
In order to judge company-level controls to be effective, it is important that the company-level
controls satisfy the following conditions in order to mitigate the risk of causing false statements
and disclosures in the financial reporting.
- Company-level controls have been designed and operating in accordance with the generally
accepted internal control framework
- Company-level controls support the effective design and operation of process-level controls,
and adequately compose the overall structure of the company’s internal controls
C. Deficiencies in company-level controls
Deficiencies in company-level controls are very likely to have a material impact on the
effectiveness of internal controls. The following are examples of deficiencies in company-level
controls that may constitute material weaknesses.
a. The management does not perform risk assessment associated with the reliability of financial
reporting, nor does it respond to such risks.
b. The board of directors, corporate auditors or audit committee does not supervise, monitor or
examine the design and operating effectiveness of internal controls for securing the reliability of
financial reporting.
c. The department that shall be responsible for the assessment of internal control over financial
reporting effectiveness is not clear.
d. Deficiencies existing in internal controls over IT relating to financial reporting are left
unimproved.
e. The board of directors, corporate auditors or audit committee cannot supervise, monitor or
examine internal control over financial reporting effectiveness due to the lack of records on the
design of internal controls, such as records on the process flow, identification of misstatement
risks or internal controls over risks.
f. Deficiencies in company-level controls reported to the management, board of directors or
corporate auditors or audit committee are not remediated within a reasonable period of time.
Even if deficiencies exist in company-level controls, it is sometimes the case that process-level
controls function effectively on an independent basis. However, deficiencies in company-level
controls mean deficiencies in the design of basic internal controls, and therefore internal
controls as a whole would be less likely to function effectively.
[2]. Judgment of the effectiveness of process-level controls
A. Assessment of the control design effectiveness
In assessing the design effectiveness of internal controls, it is necessary to check whether they
are designed to mitigate misstatement risks in accounts, notes and disclosures in financial
statements to a reasonable level.
B. Assessment of the control operating effectiveness
The management should assess whether internal controls are operating as effectively as
expected. In the assessment, the management should confirm that internal controls are operating
as intended to mitigate each of the misstatement risks.
C. Assessment of the impact and likelihood of misstatements
When misstatements occur in accounts, etc. due to control deficiencies, it is necessary to
estimate the scope of their impact in order to determine whether such deficiencies would
constitute material weaknesses. In addition, when estimating the quantitative impact of control
deficiencies, the likelihood of misstatements should also be examined.
When there are multiple deficiencies in internal controls, the issue of whether the deficiencies,
either individually or in combination with other deficiencies, constitute material weaknesses
should be assessed. In other words, whether control deficiencies related to the same account
would constitute material weaknesses or not should be judged based on whether the aggregate
impact of such deficiencies is likely to cause misstatements in the material components of the
financial reporting. For example, the balance of accounts receivable is affected by credit sales in
the sales process and by collections in the cash receipt process, so when there are control
deficiencies in both processes, the aggregate impact of such deficiencies on the balance of
accounts receivable must be considered.
It is sometimes the case that the aggregate impact of deficiencies on a single account may not
constitute material misstatements at the financial statement level, but such impact on multiple
accounts may. Such deficiencies also constitute material weaknesses.
Furthermore, when estimating the likelihood and impact of misstatements in accounts, etc., the
focus should be placed on how individual controls interact with each other to mitigate the risk
of misstatements, rather than how each control operates on an individual basis. To this end, it is
necessary to examine whether there is any internal control that compensates for deficiencies in
another control (compensating control), and if there is, to what extent the compensating control
can reduce the likelihood of misstatements in accounts, etc. and mitigate the quantitative impact.
For the detailed method for calculating the quantitative impact of control deficiencies, you
may refer to “Evaluation of deficiencies in process-level controls” in Section 4(2)[4] of Chapter
III “Audit on Internal Control Over Financial Reporting”. This should also serve as a useful
reference in the assessment process.
[3]. Judgment of the effectiveness of IT controls
A. Deficiencies in IT general controls
When there are deficiencies in IT general controls, whether the objective of the reliability of
financial reporting is achieved by alternative or compensating controls should be examined.
Deficiencies in IT general controls may not immediately be determined to be material
weaknesses since they are not directly related to misstatement risks in the significant
components of the financial reporting. However, deficiencies in IT general controls may prevent
continuous and effective operation of IT application controls even if they have been designed to
function effectively, and therefore misstatement risks would increase.
B. Deficiencies in IT application controls
When there are deficiencies in IT application controls, their impact and likelihood of causing
misstatements should also be assessed, as is the case with deficiencies in process-level controls.
When there are deficiencies in IT application controls that use both manual work and an IT
function, the management should determine whether the deficiencies result from the manual
work or the IT function. It should be noted that the same type of errors may have repeatedly
occurred when they result from the IT function.
[4]. Report of deficiencies and others
When identifying control deficiencies and material weaknesses in the assessment of internal
control over financial reporting, the person should report them to the appropriate personnel,
such as his or her supervisor, together with their details, quantitative impact on the entire
financial statements, countermeasures to be taken and other information considered useful, and
request remedial actions. At the same time, he or she must report material weaknesses (and
control deficiencies when deemed necessary) to the management, board of directors, corporate
auditors or audit committee and external auditors. If material weaknesses remain as of the fiscal
year end date, the details of the material weaknesses and the reasons why they have not been
remediated should be stated in the Internal Control Report.
(5) Remediation of Material Weaknesses in Internal Controls
Control deficiencies over financial reporting and material weaknesses identified in the course
of the management’s assessment should be recognized on a timely basis and appropriately dealt
with.
Even when material weaknesses are identified, internal control over financial reporting can
be judged to be effective as long as the weaknesses are remediated by the assessment date in the
Internal Control Report (the fiscal year end date).
Note: Remedial actions taken after the fiscal year end date may be stated in the Report as
Supplementary Information.
[1]. Remedial procedures for material weaknesses and others
When developing a plan for the assessment and reporting of internal controls, it is advisable to
leave some additional time before the final assessment date (fiscal year end date), so that control
deficiencies and material weaknesses identified in the assessment can be remediated in time.
[2]. Assessment procedures for remedial actions taken after the fiscal year end date
The assessment date of internal controls is the fiscal year end date, so remedial actions taken
after the fiscal year end date do not affect the assessment results of internal control over financial
reporting.
However, if remedial actions have been taken before the Internal Control Report issue date, the
management can state their details in the Internal Control Report as Supplementary Information.
If, prior to the issue date, it has been confirmed that internal controls are designed and operating
effectively, the management can also include the details of remedial actions and the fact that
such actions have been completed in the Report.
(6) Limitation of the Scope of Assessment
The management, when assessing the effectiveness of internal control over financial
reporting, may not be able to perform sufficient assessment procedures for a certain part of the
internal controls due to unavoidable circumstances. In such cases, the management may assess
the effectiveness of internal control over financial reporting, excluding the parts where
assessment procedures could not be performed, after fully comprehending the impact of the
exclusion on the financial reporting.
Note: Cases in which adequate assessment procedures could not be performed due to
unavoidable circumstances include, for example, a case when a company acquired
another company immediately prior to the fiscal year end date, so the management could
not perform sufficient assessment procedures for the effectiveness of the acquired
company’s internal controls.
[Acceptable limitations]
“Unavoidable circumstances” are, for example, circumstances where it is deemed difficult to
perform assessment procedures in accordance with this guidance within the period of time
usually required for financial statements to be prepared and approved by the board of directors,
due to the acquisition or merger of other companies immediately prior to the fiscal year end date,
occurrence of natural disasters or other reasons.
When excluding a certain scope of assessment, the subject scope and reasons for the exclusion
must be included in the Internal Control Report. It should be noted that if the exclusion of the
scope of assessment may have a significant impact on the reliability of financial reporting, the
assessment results of internal controls cannot be expressed.
(7) Recording and Retention of Assessment Procedures and Others
The management should record and retain the information on the assessment of internal
control over financial reporting, including its procedures, results, identified deficiencies and
remedial actions.
[1]. Recording of internal controls
The scope, format and method of recording the information on internal controls cannot be
uniformly defined. However, it may be appropriate to record and retain, for example, the
following information.
A. Policies and procedures for the design and operation of internal control over financial
reporting
B. The design and operation status of each assessment item adopted by the management in the
assessment of company-level controls
C. Overview of business processes related to significant accounts and disclosures (including the
system flow, overview of IT application controls and a list of systems being used in each
business process)
D. Material misstatement risks in each business process and contents of internal controls
designed to mitigate such risks (including the relationship with existence or occurrence,
completeness, rights and obligations, valuation, allocation, presentation and disclosure, as well
as the details of IT-based controls)
E. The design and operation status of internal controls over the areas described under D above
F. Procedures and results of the internal control assessment, identified deficiencies and relevant
remedial actions
*Records on the assessment plan
*Records on the determination of the scope of assessment (including the method and grounds
for the determination)
*Records on the procedures and results of the internal control assessment performed, remedial
actions taken, etc.
The format, method, etc. of the records cannot be uniformly defined. Companies should note
that they can utilize records prepared and used internally, making additions when necessary.
[2]. Retention of records
Retention scope, format and period of prepared records on internal control over financial
reporting should be determined by respective companies, in the light of the requirements under
applicable laws and regulations. However, based on the Financial Instruments and Exchange
Law, companies may be required to retain the appropriate scope and format of records (digital
media, paper, film, etc. and other formats that can be visualized on a timely basis when
necessary) for the period of time equivalent to the inspection period for the Annual Report and
the Exhibits thereto (five years).
Associated supporting records should be appropriately retained so that a third party can inspect
them at a later date.
(Exhibit 1)
Examples of Assessment Items for Company-Level Controls Over Financial Reporting
(Note)
Control Environment
- Does the management recognize the importance of reliable financial reporting and
  clearly define basic financial reporting policies, including the role of internal control
  over financial reporting?
- Are systems of the company designed and operated based on an appropriate
  management philosophy and code of ethics so that detected behaviors deviating from
  the principles would be adequately remediated?
- Does the management select appropriate accounting principles and retain objective
  procedures for the determination of accounting estimates and others?
- Do the board of directors and corporate auditors or audit committee understand and
  fulfill their responsibilities for appropriately supervising and monitoring the
  management in regard to the financial reporting and relevant internal controls?
- Do corporate auditors or audit committee maintain an appropriate level of cooperation
  with internal and other auditors?
- Does the management take appropriate measures to improve problematic
  organizational structures or practices, in which, for example, it is difficult to point out
  existing problems?
- Does the management adequately assign roles in regard to each function (e.g.,
  production, sales, information and accounting) and activity unit in the company?
- Does the management identify the competencies necessary to support the preparation
  of reliable financial reporting and procure/dispatch qualified personnel?
- Are the competencies necessary for the preparation of reliable financial reporting
  reviewed regularly and maintained appropriately?
- Are the assignment of responsibilities and delegations of authority made clear to all
  employees?
- Is the delegation of responsibilities and authority to employees, etc. kept at appropriate
  levels, not without limitation?
- Does the management provide employees, etc. with the means, training, etc. necessary
  to fulfill their duties and support them in the improvement of their abilities?
- Is the performance evaluation of employees, etc., conducted in a fair and appropriate
  manner?
Risk Assessment and Response
- Is there an effective risk assessment system that involves appropriate levels of
  management and managers to ensure the reliability of financial reporting?
- Are internal and external factors and their impact on the preparation of reliable
  financial reporting adequately considered in the process of risk identification?
- Does the management establish a system to reassess the risk and take appropriate
  measures whenever changes occur that may have a significant impact on the reliability
  of the financial reporting (e.g., organizational changes, development of information
  technologies, etc.)?
- Does the management appropriately assess and address fraud risks based on not only
  superficial facts regarding fraud, but also incentives, causes, backgrounds and other
  factors that may result in fraud?
(Note: This is a list of examples of the assessment items for company-level controls. It should be noted
that companies might adopt other assessment items or make additions, eliminations and
amendments to this list, since company-level controls may vary depending on each company’s
business environment and characteristics.)
Control Activities
- Are policies and procedures established to ensure the performance of control activities
  that sufficiently mitigate and address the risks to the reliability of the financial
  reporting?
- Does the management clarify segregation of duties and appropriately delegate authority
  and responsibilities to personnel in charge, in respect to the preparation of reliable
  financial reporting?
- Are responsibilities and accountability regarding control activities properly allocated to
  managers of business units or business processes where risks exist?
- Are company-wide job regulations and individual business procedures properly
  established?
- Are control activities faithfully performed over entire operations?
- Are errors, etc. detected through the performance of control activities appropriately
  investigated and properly addressed?
- Is the adequacy of control activities regularly examined based on their implementation
  status? Are necessary remedial actions taken?
Communication and Information
- Is a system set in place to ensure that management’s policies and instructions regarding
  the preparation of reliable financial reporting are communicated to all of the people in
  the company, especially to those who are engaged in the preparation of financial
  reporting?
- Is a system set in place to ensure that the accounting and financial information is
  appropriately communicated from relevant business processes to the information
  system and adequately made available?
- Is a system set in place to ensure that the important information on internal controls is
  smoothly communicated to the management and appropriate level of managers in the
  organization?
- Is the information appropriately communicated and shared among the management,
  board of directors, corporate auditors or audit committee and other relevant parties?
- Are there any communication routes that can be used independently from ordinary
  communication routes, such as the Whistleblower System, etc.?
- Is a system set in place to ensure that external information on internal controls is
  properly utilized and adequately communicated to the management, board of directors,
  corporate auditors or audit committee?
Monitoring
- Are ongoing monitoring activities appropriately embedded within the company's
  overall business operations?
- Does the management appropriately adjust the scope and frequency of independent
  assessments in accordance with the magnitude of the risks, significance of internal
  controls and effectiveness of ongoing monitoring activities?
- Does the person assigned to oversee monitoring activities have sufficient knowledge
  and competency for fulfilling the task?
- Does the management receive the monitoring results on a timely basis and take
  adequate account of them?
- Is the important information on internal controls communicated from within and
  outside the company appropriately considered? Are necessary remedial actions taken?
- Is the information on control deficiencies obtained through the monitoring activities
  appropriately reported to senior managers involved in such activities and persons who
  are responsible for managing such activities and relevant internal controls and taking
  remedial actions?
- Is the information on material weaknesses, etc. of internal controls appropriately
  communicated to the management, board of directors, corporate auditors or audit
  committee?
Response to IT
- Does the management establish appropriate strategies, plans, etc. in regard to IT?
- Does the management, when designing internal controls, adequately understand the
  company’s IT environment and clearly present policies based on such knowledge?
- Does the management make proper judgments as to the areas in which to use IT-based
  controls and the areas in which to use manual controls in order to mitigate the risks to
  achievement of the reliability of financial reporting?
- When using IT for the design of control activities, are the risks that accompany the use
  of IT taken into account?
- Does the management adequately establish policies and procedures regarding IT
  general controls and IT application controls?
(Exhibit 2)
Process Flow (Example)
Wholesale process relating to Business A
[Flowchart: columns are Customer; Sales Department; Shipping Department; Accounting Department; Information System. Stages are Order; Shipping; Sales Recognition; Billing. Flowchart elements: Telephone, Fax, Mail, Customer Master, Order Memo, Order Form, Order Entry, Order File, Order Confirmation, Shipping Instruction, Shipping Instruction File, Shipping, Shipping Entry, Shipping File, Shipping Receipt, Shipping Report, Sales File, Sales Voucher, Invoice, Invoice File, Accounting System, Approval, Check.]
(Note) When a more detailed description is needed, you may add notes in the flow chart or separately prepare
narratives, as shown in the example on the next page.
Narratives (Example)
Wholesale process relating to Business A
1. Order
Sales representatives prepare “order memos” for orders received by telephone.
Order entry into the sales management system is effective only for orders from customers
registered in the customer master.
After the order entry, “shipping instructions” and “order confirmations” are printed out from the
sales management system, which will be checked against “order memos” or “order forms” and
then approved by sales managers.
“Shipping instructions” are forwarded to the shipping department with “order memos” or “order
forms” attached.
2. Shipping
Shipping clerks ship the goods based on “shipping instructions” which have been approved by
shipping managers.
3. Sales recognition
Entered shipping data are converted to sales data. Sales data are transferred to the accounting
system and the sales vouchers are printed out.
4. Billing
Printed-out invoices are forwarded to sales clerks and checked against sales vouchers.
(Exhibit 3)
Risk Control Matrix (Example)
Columns: Business; Risks; Controls; Assertion (Existence or Occurrence, Completeness, Rights and Obligations, Valuation, Allocation, Presentation and Disclosure); Evaluation; Comment
Business: Order
Risk: Entry of wrong amounts for orders
Control: Order entry clerks in the sales department check “order confirmations” and “shipping instructions” against “order forms”. All “order forms” and “shipping instructions” have been approved by sales managers.
Assertion / Evaluation / Comment marks: ○○ -
Business: Order
Risk: Receipt of orders exceeding the credit limit
Control: Order entry is effective only for orders that match customers’ registered conditions.
Assertion / Evaluation / Comment marks: ○○ -
Business: Shipping
Risk: Shipping of a smaller number of goods than requested
Control: Shipping clerks check whether the numbers of goods correspond to those in shipping instructions.
Assertion / Evaluation marks: ○○
Comment: Shipping clerks could not respond to irregular shipping.
Business: Shipping
Risk: Goods are not shipped as scheduled in the shipping instruction
Control: The dates in shipping instructions are checked against the dates in shipping reports.
Assertion / Evaluation / Comment marks: ○○ -
III. Audit on Internal Control Over Financial Reporting
1. Objective of the Internal Control Audit
The objective of an audit of management's assessments of the effectiveness of Internal
Control Over Financial Reporting (“Internal Control Audit” hereinafter) by an external auditor
of financial statements is to have external auditors express their opinions, based on audit
evidence obtained by themselves, as to whether the management’s Internal Control Report
fairly states the results of the assessment, in all material respects, in accordance with generally
accepted assessment standards for internal control.
Such opinions on the Internal Control Report are expressed in the Audit Report on Internal
Control Assessment (“Internal Control Audit Report” hereinafter).
Unqualified opinions expressed by external auditors include the judgment that they have
obtained reasonable assurance that the Report does not include any material misstatements.
The “reasonable assurance” means that external auditors have obtained sufficient competent
evidence to express such opinions.
[Objective of Internal Control Audit]
The objective of the Internal Control Audit based on this guideline is to have external auditors
express their opinions as to whether the management’s Internal Control Report is fairly stated,
in all material respects, in accordance with generally accepted assessment standards for internal
control.
In other words, in the Internal Control Audit, external auditors express their opinions on the
management’s assertions, which are expressed in the results of the internal control effectiveness
assessment. They do not directly evaluate the design and operating effectiveness of internal
controls, aside from those relating to the management’s assertions.
Note: In the United States, companies, in addition to the Internal Control Audit stated above,
adopt direct reporting, which is not performed in Japan.
However, external auditors need to obtain sufficient competent audit evidence to form the
basis for expressing their opinions in the Internal Control Audit; therefore, to that extent, they
shall obtain audit evidence directly from companies, etc.
2. Relationship between the Internal Control Audit and the Financial Statement Audit
The Internal Control Audit and the Financial Statement Audit are, in principle, performed
integrally by the same external auditor. The audit evidence obtained in the process of the
Internal Control Audit may be used as audit evidence for the Financial Statement Audit, and
vice versa.
Notes: In this context, “the same external auditor” means not only the same audit firm but also
the same engagement partner that conducts the audit.
Generally, when internal control over financial reporting is ineffective due to material
weaknesses, for the purpose of the Financial Statement Audit, the external auditor cannot apply
sampling testing where he/she relies on Internal Control in accordance with the Audit
Standards.
In performing the Internal Control Audit, external auditors must comply with not only the
standards in this guideline, but also with general standards under the “Audit Standards” and
“Quality Control Standards for audit”.
[Restriction concerning the simultaneous provision of Internal Control Audit service and
non-audit certification services]
It should be noted that external auditors who conduct Internal Control Audits must not have
any positional or financial interests prohibited under relevant laws and that simultaneous
provision of certain non-audit certification services shall be restricted.
However, in the course of the Internal Control Audit, external auditors should report identified
control deficiencies and material weaknesses to the management and request remediation. In the
course of establishing the internal control system, they are not prohibited from exchanging
opinions with the management or other parties as needed, or from providing appropriate
suggestions towards the establishment of an effective internal control system, if the company or
the management, not external auditors, implements relevant tasks and makes necessary
decisions.
3. Audit Planning and the Scope of Assessment
(1) Audit Planning
External auditors must establish the audit plan based on the audit materiality, considering the
company’s environment, business characteristics and others and fully understanding the status
of the management’s design, operation and assessment of internal controls.
External auditors must update the audit planning on a timely basis, by performing procedures
including the assessment of the improvement of internal controls, when there have been
changes in the events or circumstances based upon which the plan was developed or when
control deficiencies or material weaknesses have been identified in the audit process.
In order to perform the Internal Control Audit effectively and efficiently, external auditors
must establish the audit plan, based on the audit materiality, by considering the company’s
environment, business characteristics and others and fully understanding the status of the
management’s design, operation and assessment of internal controls.
The Internal Control Audit and the Financial Statement Audit are, in principle, performed by
the same external auditor. External auditors shall therefore be required to establish the Internal
Control Audit plan as a part of the Financial Statement Audit plan.
[1]. Understanding the company’s environment, business characteristics and others
External auditors should understand the company’s environment, business characteristics and
others, including:
• market, business partners, shareholders, parent company, regional characteristics,
  restrictions inherent to the industry and other conditions existing outside the company;
  and
• history, size, line of business, employee makeup and other conditions existing inside
  the company.
However, external auditors are usually considered to have gained an understanding of such
information in the course of the Financial Statement Audit. In that case, they are not required to
perform special procedures.
[2]. Understanding of the status of the design and operation of internal controls
External auditors should, by reviewing records, querying the management and appropriate
managers or responsible personnel or through other procedures, understand the status of the
design and operation of the company’s internal controls, including, for example, the following.
• Knowledge about the company’s internal control over financial reporting
• Whether or not there have been any changes recently to the company’s business or
  internal control over financial reporting
• The status of locations and business units within the company group, in regard to
  records and retention of the information on internal control over financial reporting and
  implementation of monitoring activities
[3]. Understanding the management's assessment of internal controls
External auditors should, by reviewing records, querying the management and appropriate
managers or responsible personnel, or through other procedures, understand procedures and
plans for the management’s assessment of internal control over financial reporting
effectiveness, including, for example, the following.
• Contents and timing of significant procedures such as the determination of the scope of
  assessment
• The status of the establishment of criteria for judging the magnitude of control
  deficiencies (whether they constitute material weaknesses or not)
• Whether or not there are any control deficiencies or material weaknesses already
  reported to the management, corporate auditors or audit committee or board of
  directors, and if any, their details
• Results of the procedures performed through internal audits, etc.
Paragraphs [2] and [3] above do not preclude external auditors from using certain information
they have obtained in the course of the Financial Statement Audit.
[4]. Audit planning
For the purpose of effective and efficient audit, external auditors should develop the audit
planning by considering the information specified in Paragraphs [1] – [3] above and the audit
results of the previous year and focusing on the risk of misstatements in significant components
of financial reporting.
External auditors should update the audit planning accordingly when there have been changes
to the events or circumstances based on which the plan was developed or when any significant
factors have been newly identified in the audit process.
(2) Evaluation of the Appropriateness of the Scope of Assessment
External auditors must evaluate the reasonability of the methods and grounds used by the
management, in order to verify the adequacy of the scope of assessment determined by the
management.
In the case when the management has prepared an Internal Control Report that excludes a
certain scope of internal controls for which sufficient assessment procedures could not be
performed due to unavoidable circumstances, it is particularly important that external auditors
fully evaluate whether the reasons for the management’s exclusion of the scope are justified and
the impact of the exclusion on the financial statements.
[1]. Selection of significant locations/business units
External auditors should understand the process of the management’s determination of
significant locations/business units to be included in the scope of assessment, and review
whether the management has adequately selected significant locations or business units based
on Chapter II, “Assessment and Report on Internal Control Over Financial Reporting.”
The following are examples of the procedures that external auditors should perform for the
aforementioned purposes.
• Obtain a full list of all locations and business units of the company on a consolidated
  basis, including subsidiaries, affiliates, etc.
• Locations and business units may be classified into headquarters, subsidiaries, local
  offices, branches, business units, etc. according to the company’s situation. In such
  cases, external auditors should confirm the adequacy of the methods and results of such
  classification.
• Basic criteria for the selection of significant locations or business units may be the
  amount of sales and other factors. External auditors should evaluate whether the
  criteria adopted by the management are appropriate by referring to Chapter II,
  “Assessment and Report on Internal Control Over Financial Reporting.”
• Confirm whether significant locations or business units have been appropriately
  selected according to the criteria adopted by the management.
• When judging that the process or the result of the management’s selection of
  significant locations or business units is inappropriate, request the management to
  perform additional procedures, including re-selection of the significant locations or
  business units.
[2]. Identification of business processes to be assessed
A. Business processes of significant locations or business units that relate to the company’s
business objectives
External auditors should confirm, for significant locations or business units, whether their
business processes related to significant accounts that have material impact on the company’s
business objectives (sales, accounts receivable, inventory and other accounts) are appropriately
included in the scope of assessment, in accordance with Chapter II, “Assessment and Report on
Internal Control Over Financial Reporting”.
If there are any business processes excluded from the scope of assessment as a result of the
management’s conclusion that they only have remote association with significant locations or
business units and therefore have immaterial impacts on the financial reporting, external
auditors should confirm whether the management’s conclusion is appropriate or not.
External auditors should evaluate the appropriateness of the management’s selection of the
business processes to be included in the scope of assessment by reviewing the internal control
records described in Section 3(7)[1], C to F, of Chapter II, “Assessment and Report on Internal
Control Over Financial Reporting” and querying the management and appropriate managers or
responsible personnel, or through other procedures.
If external auditors judge that the management's selection of the business processes to be
included in the scope of assessment is not appropriate, they should request the management to
perform additional procedures including re-selection of such business processes.
B. Business processes that have a significant impact on the financial reporting
When business processes in significant and other locations or business units have a significant
impact on the financial reporting, external auditors should confirm whether such business
processes are appropriately included in the additional scope of assessment, in accordance with
Chapter II, “Assessment and Report on Internal Control Over Financial Reporting.”
In the confirmation, external auditors may perform procedures including the review of the
internal control records described in Section 3(7)[1], C to F, of Chapter II, “Assessment and
Report on Internal Control Over Financial Reporting,” querying of the management and
appropriate managers or responsible personnel, or other procedures. However, they should note
that if they have already examined the existence of business processes that have a significant
impact on the financial reporting while in the process of the Financial Statement Audit, the
result of such an examination may be used.
If external auditors judge that the management’s selection of the business processes to be
included in the scope of assessment is not appropriate (e.g. inadequate identification of high-risk
businesses or business operations), they should request the management to perform additional
procedures including re-selection of business processes to be assessed.
C. Adjustment of the scope, method, etc. of assessment, based on the results of the assessment
of company-level controls
In the case where the management has adjusted the scope, method, etc. of the assessment of
business processes based on the results of the assessment of company-level controls (refer to
Section 3(2)[3] of Chapter II, “Assessment and Report on Internal Control Over Financial
Reporting”), external auditors should evaluate the appropriateness of such adjustment by
reviewing the internal control records described in Section 3(7)[1], C to F, of Chapter II,
“Assessment and Report on Internal Control Over Financial Reporting,” querying the
management and appropriate managers or responsible personnel, or through other procedures.
If external auditors judge that the management’s adjustment is not appropriate, they should
request the management to perform additional procedures so that the scope of assessment,
method, etc. would be adequately readjusted.
[3]. Communication with the management
When the scope of assessment determined by the management is judged as inappropriate as a
result of the evaluation performed by external auditors, the management shall be required to
perform reassessment procedures over the new scope of assessment. However, the reassessment
procedures may be difficult due to the limited timeframe. Therefore, after the management has
determined the scope of assessment, external auditors, if necessary, should communicate with
the management regarding the methods, grounds, etc. based on which he or she has determined
such scope.
4. Performance of the Internal Control Audit
(1) Evaluation of the Assessment of Company-Level Controls
External auditors must evaluate the appropriateness of the management’s assessment of
company-level controls. In the evaluation, external auditors must fully consider the status of the
design and operation of internal controls at the management level, including the board of
directors, corporate auditors or audit committee, internal auditors, etc.
External auditors should obtain a general understanding of company-level controls and
evaluate the appropriateness of the management’s assessment, taking into consideration, for
example, the assessment items listed in Exhibit 1, “Examples of Assessment Items for
Company-Level Controls over Financial Reporting” of Chapter II, “Assessment and Report on
Internal Control Over Financial Reporting”.
[1]. Evaluation of the status of the design and operation of company-level controls
In evaluating the design status of company-level controls, external auditors should review the
appropriateness of the assessment items adopted by the management by referring, for example,
to the assessment items shown in Exhibit 1 above (“Examples of Assessment Items for
Company-Level Controls over Financial Reporting”). In the process, external auditors should
evaluate the appropriateness of the assessment results of the management, by confirming the
result for each assessment item and the grounds based on which the results were obtained, by
reviewing the internal control records described in Section 3(7), A and B, of Chapter II,
“Assessment and Report on Internal Control Over Financial Reporting,” querying the
management and other personnel, etc., or through other procedures.
Regarding some items under the “control environment” category, however, it is sometimes the
case that the information on the operation of internal controls is not recorded. In such cases,
external auditors should assess the operation of internal controls through inquiries to relevant
persons or observations.
[2]. Evaluation of monitoring functions performed by the board of directors and corporate
auditors or audit committee
The management has the ultimate responsibility for the preparation and release of the Annual
Report and other financial reporting documents. However, the board of directors and corporate
auditors or audit committee play an important role in the appropriate disclosure of information
by performing monitoring functions in the process from the preparation to the release of such
documents. When evaluating the status of the design and operation of company-level controls, it
is therefore important that external auditors assess the monitoring functions performed by the
board of directors and corporate auditors or audit committee regarding, for example, the
following points.
A. Are there any rules in place that set out the responsibilities of the board of directors,
corporate auditors or audit committee?
B. Are there any records or minutes of the meetings of the board of directors, corporate auditors
or audit committee?
C. Do the members of the board of directors, corporate auditors or audit committee understand
and properly fulfill their responsibilities to adequately supervise and monitor the management,
in order to perform the monitoring functions over the design and operation of internal controls?
D. Do corporate auditors or the audit committee maintain an appropriate level of cooperation
with internal and external auditors?
External auditors should note that if they, as is generally expected, have obtained certain audit
evidence in the process of the Financial Statement Audit, they may use such audit evidence for
[1] and [2] above.
[3]. Evaluation of deficiencies in company-level controls
External auditors, when identifying deficiencies in company-level controls, should carefully
consider their likelihood of causing a significant impact on the financial reporting, including
their impact on process-level controls, and verify the appropriateness of the management’s
assessment.
When determining whether deficiencies in company-level controls constitute material
weaknesses, descriptions in Section 3(4)[1] “Judgment of the effectiveness of company-level
controls” of Chapter II, “Assessment and Report on Internal Control Over Financial Reporting”
should be taken into account.
(2) Evaluation of the Assessment of Process-Level Controls
External auditors must evaluate the appropriateness of the management’s assessment of
process-level controls. In the evaluation, external auditors must evaluate whether the
management has appropriately selected key controls, considering the status of the
management’s assessment of company-level controls and with a full understanding of the
company’s business processes.
In order to judge whether basic components of internal controls are properly functioning in
regards to each key control assessed by the management, external auditors must obtain audit
evidence for key audit objectives such as existence or occurrence, completeness, rights and
obligations, valuation, allocation and presentation and disclosure.
In evaluating the effectiveness of basic components of process-level controls, external
auditors must also fully evaluate the status of the design and operation of internal controls
(including response to IT).
[1]. Evaluation of the assessment of process-level controls
External auditors should understand the status of the design and operation of process-level
controls which have been included in the scope of assessment, and evaluate the appropriateness
of the management’s assessment.
A. Evaluation of the status of the design of process-level controls
External auditors should understand the status of the design of process-level controls that have
been included in the scope of assessment. For that purpose, external auditors should obtain the
records described in Section 3(7)[1], C to F of Chapter II, “Assessment and Report on Internal
Control Over Financial Reporting” and perform, for example, the following procedures
regarding business processes that have been included in the scope of assessment.
a. Understand the flow of transactions in business processes which have been included in the
scope of assessment (including how transactions are initiated, authorized, recorded, processed
and reported), by reviewing the obtained records regarding the status of the design of internal
controls, querying the management and appropriate managers or responsible personnel or
through other procedures. External auditors should also understand the accounting process from
the origination of transactions such as computing, journalizing, etc. When it is difficult to
understand the status of the design of internal controls by the review of records, inquiries, etc.,
external auditors should conduct on-site observations at the location of the business processes,
in order to determine the appropriateness of the procedures performed in such business
processes.
b. External auditors should note that, for the purpose of ensuring an accurate understanding of
the status of internal control design, it is useful for them to select one or more typical
transactions of each business process included in the scope of assessment, and trace their
business flow from their origination to their recording in financial statements, according to the
records on internal controls described in Section 3(7)[1], C to F of Chapter II, “Assessment and
Report on Internal Control Over Financial Reporting,” etc.
External auditors should also consider whether the appropriate manager or responsible
personnel for internal controls has authority or competencies necessary for the design of internal
controls.
c. Understand how the management identified the risk of misstatements in the significant
components of financial reporting, by reviewing the obtained records concerning the status of
the design of internal controls, querying the management and appropriate manager or
responsible personnel or through other procedures.
d. Understand how the management identified key controls that perform a pivotal role in
mitigating the risk of misstatements, by reviewing the obtained records on the status of the
design of internal controls, querying the management and appropriate manager or responsible
personnel or through other procedures.
e. Evaluate whether the key controls described under d. above are designed to mitigate the risk
of misstatements in significant components of financial reporting sufficiently if they are
operated in accordance with prescribed policies. This should be evaluated based on the
judgment whether they provide reasonable assurance for securing requirements for the creation
of appropriate financial information such as existence or occurrence, completeness, rights and
obligations, valuation, allocation and presentation and disclosure. Based on this judgment,
external auditors should evaluate the appropriateness of the management's assessment of the
effectiveness of the internal control design.
External auditors should note that if they, as is usually expected, have obtained certain audit
evidence in the process of the Financial Statement Audit, they may use such audit evidence for
the evaluation of the status of the internal control design stated above.
B. Evaluation of the status of the operation of process-level controls
Concerning business processes which have been included in the scope of assessment, external
auditors should evaluate the management’s assessment of the effectiveness of the operation of
internal controls, judging whether they are appropriately operated as designed and whether the
manager or responsible personnel performing internal controls has authority and competencies
necessary for fulfilling the task.
a. Details and methods of the evaluation of the operation
External auditors must understand the status of the operation of process-level controls included
in the scope of assessment. For that purpose, external auditors should obtain the records on the
management’s operation of internal controls described in Section 3(7)[1] of Chapter II,
“Assessment and Report on Internal Control Over Financial Reporting” and evaluate the
operation of internal controls (including the status of self-assessment), by reviewing relevant
records, querying appropriate managers or responsible personnel or through other procedures.
When it is difficult to evaluate by the review of records, inquiries, etc., external auditors
should observe business operations or have appropriate managers or responsible personnel
re-perform the procedures, if necessary.
The procedures above are, basically, performed by obtaining appropriate evidence through the
conduct of tests using samples selected by external auditors themselves (for example, in the case
of repetitive daily-routine transactions, at least 25 samples for each key control in the scope of
assessment would be necessary, in order to achieve a reliability rate of 90% based on the normal
statistical distribution).
In the process, if, for example, the management has randomly selected samples from repetitive
routine transactions, it would not be efficient for external auditors to select other samples
through the same approach. In such cases, external auditors may use the samples selected by the
management as a part of samples they themselves have selected, after evaluating their adequacy
and verifying a portion of the results of the tests conducted by the management.
b. Timing of the evaluation of the operation
External auditors should evaluate the status of the operation of internal controls at an
appropriate time in order to assess whether internal controls are effectively operating as of the
fiscal year end date. When to evaluate the status of the operation of internal controls may vary
depending on the nature of the internal controls to be evaluated and the frequency at which the
internal controls are performed.
When significant changes are made to internal controls during the period from the
management’s assessment date to the fiscal year end date, external auditors should confirm
whether the management has performed the additional procedures necessary to understand and
assess the design and operation of internal controls after the change according to Chapter II,
“Assessment and Report on Internal Control Over Financial Reporting.”
Regarding the internal controls over the period-end financial reporting processes, external
auditors should note that it is efficient and effective to evaluate their operation status at an early
date, based on the previous year’s operation, on the premise that appropriate additional
procedures would be performed when there are significant changes to the internal controls
before the fiscal year end date. This is because (1) identified deficiencies, if there are any,
should be corrected at an early date, so that appropriate period-end financial reporting processes
would be secured before the fiscal year end date; and (2) it is considered that the evaluation of
the operation of internal controls over the period-end financial reporting processes largely
overlaps with the evaluation process for internal controls in the Financial Statement Audit.
External auditors should note that if they, as is generally expected, have obtained certain audit
evidence in the process of the Financial Statement Audit, they may use such audit evidence for a
and b above.
c. Points to be noted when determining the method of evaluating the operation
External auditors should obtain sufficient and appropriate evidence to evaluate the
appropriateness of the management’s assessment of process-level controls that have been
included in the scope of assessment. The following points should be considered when
determining the procedures to perform.
[Nature of the internal controls]
When determining the evaluation method, external auditors should consider (1) the
significance and complexity of the internal controls; (2) the significance of judgments made in
the course of the operation of the internal controls; (3) the competencies of the person who
implements the internal controls; (4) the frequency at which the internal controls are
implemented; and (5) evaluation results of the previous year and changes made afterward.
[Period-end financial reporting processes]
Internal controls over the period-end financial reporting processes are significant business
processes for the achievement of the reliability of financial reporting, and external auditors may
be able to evaluate fewer instances of internal controls over the period-end financial reporting
processes, since internal controls over the processes are less frequently implemented. Therefore,
the operation of internal controls over the period-end financial reporting processes must be
evaluated more carefully than in the case of other internal controls. (Internal controls over
period-end financial reporting processes may be assessed either as company-level controls or as
specific process-level controls. For details, refer to Sections 2(2) and 3(3)[4]Db of Chapter II,
“Assessment and Report on Internal Control Over Financial Reporting.”)
[2]. Evaluation of the assessment of IT-based controls
A. Understanding of IT-based controls
External auditors should understand the overview of IT-based controls by obtaining the records
on internal controls described in Section 3(7) of Chapter II, “Assessment and Report on Internal
Control Over Financial Reporting,” at the same time evaluating whether IT general controls and
IT application controls included in the management’s scope of assessment are appropriate.
When evaluating the effectiveness of the management’s assessment of business processes
undertaken in companies using IT, external auditors should perform the “[1]. Evaluation of the
assessment of process-level controls” stated above for the manually performed controls, and
evaluation of the assessment of IT general controls and IT application controls stated
hereinafter for the IT-based controls.
B. Evaluation of the assessment of IT general controls
External auditors should understand IT general controls and evaluate the appropriateness of the
management’s assessment. In the process, external auditors should consider, for example, the
following items.
a. System development, modification and maintenance
When the company develops, procures or modifies the system or software associated with the
financial reporting, external auditors should check whether the proper approval has been
obtained and pre-implementation tests have been adequately carried out.
In the process, external auditors should note, for example, the following points.
• Prescribed approval has been obtained in advance from the management or
  appropriate managers, for the development, procurement or modification of the
  system or software.
• Development methods suitable for the development objectives are applied in the
  development, procurement or modification of the system or software.
• When implementing the new system or software, sufficient tests have been
  conducted and their results have been approved by appropriate managers of the
  user department and IT department.
• The process of developing, procuring or modifying the new system or software
  should be appropriately recorded and retained. In the case of modification, records
  on the status of internal control design over the old system or software must be
  updated.
• Before data is stored in or transferred to the new system or software, measures to
  prevent errors, fraud, etc. must be taken.
• Before the introduction of the new system or software, employees who use the
  system or software must have received education and training based on the
  appropriate planning.
b. System operation and administration
External auditors should verify the effectiveness of operation and administration of the system
relating to the financial reporting. In the process, external auditors should consider, for example,
the following points.
• To deal with data loss or other problems due to malfunctions, failures, etc., critical
  data or software constituting the system should be backed up and measures for
  prompt recovery should be taken.
• In case of malfunctions, failures, etc. of the system or software, adequate
  responses, such as identification, analysis and solution of such problems,
  should be taken.
c. System security
External auditors should verify whether the company has established appropriate access
control and other policies, in order to prevent unauthorized uses, falsifications, destructions, etc.
of data, system, software and others relating to the financial reporting.
d. Outsourcing contract management
When the company outsources its IT-based processes related to the financial reporting to a
third party, external auditors should evaluate whether the company is appropriately managing
the outsourcing contracts.
External auditors should note that if they, as is generally expected, have obtained certain audit
evidence in the process of the Financial Statement Audit, they may use such audit evidence for a
to d above. It should also be noted that companies using relatively simple systems such as
uncustomized packaged software should place larger importance on IT general controls.
C. Evaluation of the assessment of IT application controls
External auditors should evaluate the assessment of the design and operation of IT application
controls, according to, for example, the following procedures.
a. External auditors should review system specifications or other records to confirm that the
system has been properly developed to perform the accounting procedures that the company had
intended.
b. In the process, external auditors should take into consideration, for example, the following
assessment items, which are described in Section 3(3) of Chapter II, “Assessment and Report on
Internal Control Over Financial Reporting”.
• Are measures taken to ensure the completeness, accuracy, validity, etc. of entry
  information?
• Are erroneous data appropriately corrected and reprocessed?
• Are master data on suppliers, customers and others appropriately maintained and
  managed?
• Are there appropriate access control measures, including user authentication and
  limitation of the operation range?
c. External auditors should review the operation of application controls.
External auditors should evaluate the status of the operation of application controls and
self-assessment by reviewing the obtained records, etc. described under A. above, querying the
appropriate managers or responsible personnel or through other procedures.
In the process, external auditors should: (1) choose some transactions (sampling) for each of
the key application controls included in the scope of assessment; (2) compare the input data and
output data of such transactions; and (3) check whether the output data is as expected by, for
example, recalculating based on the input data.
As stated above, external auditors should obtain appropriate audit evidence by conducting tests
using samples they selected. However, they may use samples selected by the management as a
part of the samples selected by themselves, after evaluating their adequacy and verifying a
portion of the results of the tests conducted by the management.
Since IT-based controls repeat and continue consistent processing, when their design is
evaluated to be effective, their operation can generally be evaluated through simpler evaluation
procedures compared to manual controls (i.e., reduction of the number of samples, shortening of
the sampling period), on the premise that IT general controls are effectively functioning.
External auditors can continuously use the assessment results of the previous year for IT-based
automated internal controls, provided that they have confirmed and recorded that (1) no changes
have been made to the controls after the last assessment; (2) no failures or errors are occurring
and (3) related general controls have been judged to be effectively functioning, as a result of the
assessment of their design and operation.
External auditors should note that if they, as is generally expected, have obtained certain audit
evidence in the process of the Financial Statement Audit, they may use such audit evidence for
the evaluation stated above.
D. Use of IT experts
When planning and conducting an Internal Control Audit, external auditors should determine
whether an expert’s work should be used or not, considering the degree of IT utilization in the
company and the significance of the impact of IT on the assessment of internal control over
financial reporting effectiveness. If an expert’s work is used, external auditors should consider
the professional competence of the expert (i.e. whether he or she possesses not only IT
knowledge but also the knowledge necessary to assess the risk of any significant impact on the
financial reporting related to the information system), as well as whether the work of the expert
possesses adequate objectivity.
[3]. Evaluation of the assessment of outsourced processes
If the processes contracted out by the management to external service organizations constitute
a part of a business process included in the scope of assessment, external auditors should
examine the effectiveness of internal controls regarding the outsourced processes, by following,
for example, the procedures described below.
A. Obtain an understanding of internal controls over outsourced business processes
implemented by service organizations, as well as those implemented by the company.
B. In the case when the company implements internal controls over business processes operated
by the service organization, review the status of the management’s assessment of such internal
controls.
C. When the company has obtained reports, etc. on the evaluation performed by the service
organization regarding the design and operation of internal controls over outsourced processes,
consider whether the reports, etc. provide sufficient evidence.
[4]. Evaluation of deficiencies in process-level controls
When control deficiencies are identified, external auditors should determine whether the
deficiencies constitute, either individually or in combination with other deficiencies, material
weaknesses, by following, for example, the procedures described below.
A. Determine which accounts, etc. the deficiencies identified in business processes may
affect, and to what extent.
When external auditors determine the significance of deficiencies identified in business
processes, they should consider which accounts, etc. the deficiencies may affect, and to what
extent.
For example, when a deficiency is identified in a business process relating to the sales of a
certain item, the total sales of the location or business unit would be affected, if such a sales
process is pervasively adopted in the location or business unit (for example, when a deficiency
is identified in a shipment process of a location or business unit where all shipments are made
according to formulated sales procedures). On the other hand, if the problematic business
process were peculiar to the sales process of a specified item, the deficiency would only affect
the sales of the item.
A deficiency would affect the total sales of all of other locations and business units, if the same
procedure as the problematic business process is applied pervasively across other locations and
business units (for example, in the case when other locations and business units adopt the same
sales procedures based on the same narratives, etc. with the location or business unit where the
deficiency is identified). However, the ultimate significance of control deficiencies is to be
determined by considering the actual occurrence rate of problems in other locations and
business units, as is shown in B below.
B. Evaluation of the likelihood of having an actual impact
External auditors should evaluate the likelihood of having an actual impact considered in A.
above. The likelihood may be deduced statistically from sampling results. If the deduction is
regarded to be difficult, however, external auditors may qualitatively comprehend the
significance of risks (e.g. levels of likelihood-high, medium, low) and apply a predetermined
ratio respectively, taking into account the points described below.
In such cases, if the likelihood of having an actual impact is judged to be extremely small, it
may be excluded from the evaluation.
Significance and frequency of detected exceptions
For example, it is judged that the more significant the errors identified in the
evaluation through sampling tests, and the more frequently errors are detected, the
greater the likelihood of having an actual impact.
Cause of detected exceptions
For example, an error may occur due to carelessness at a location or business unit
where rules related to internal controls are complied with, while an error may occur
at a location or business unit where rules related to internal controls are not complied
with at all; the likelihood of having an actual impact may be judged lower in the
former case than the latter.
Complementary controls
For example, if complementary controls are identified, certain control deficiencies
may be compensated for by other controls. In such cases, the likelihood of having an
actual impact may be reduced.
C. Determination of qualitative and quantitative significance of control deficiencies
External auditors should evaluate the potential quantitative impact of control deficiencies on
financial reporting, based on the amounts and likelihood evaluated according to A. and B. above,
and then judge their qualitative and quantitative significance in accordance with 1 [2]
“Guidelines for determining material weaknesses” of Chapter II, “Assessment and Report on
Internal Control Over Financial Reporting”. If deficiencies in business processes have a
significant qualitative or quantitative impact, they should be judged as material weaknesses.
When there are multiple deficiencies, whether or not they constitute material weaknesses
should be judged by aggregating their quantitative impact (without duplicating amounts).
D. Treatment of deficiencies in IT general controls over IT-based controls
IT general controls over IT-based controls are control activities to ensure an environment that
supports the effective operation of IT application controls. If deficiencies exist in general
controls, they may prevent continuous and effective operation of application controls, even if
they have been designed to function effectively. Therefore, deficiencies identified in general
controls must be improved immediately.
However, deficiencies in IT general controls are not necessarily directly related to the risk of
misstatements in significant components of the financial reporting. Accordingly, it should be
noted that if application controls have been verified to be functioning effectively, deficiencies in
general controls should not immediately be judged as material weaknesses.
(3) Reporting and Remediation of Material Weaknesses in Internal Controls
When identifying material weaknesses in internal controls in the course of the Internal
Control Audit, external auditors must report such material weaknesses to the management,
request their remediation and assess their remediation status on a timely basis. External auditors
must also report the details of such material weaknesses and the remediation results to the board
of directors, corporate auditors or audit committee.
External auditors must report to appropriate personnel when identifying deficiencies in
internal controls.
External auditors must report the results of the Internal Control Audit to the management,
board of directors, corporate auditors or audit committee.
Note: External auditors may be required to report the material weaknesses in internal controls
identified in the course of the Internal Control Audit to the management, board of
directors, corporate auditors or audit committee by the final date of the Company Law
Audit.
[1]. Report of material weaknesses and others
[Report of material weaknesses and others identified in the course of an Internal Control Audit]
If external auditors identify material weaknesses in the course of an audit, they should report
the details of the material weaknesses to the management and request their remediation.
They should also report to the board of directors and corporate auditors or audit committee that
they have reported the details of the material weaknesses to the management.
When external auditors identify deficiencies other than material weaknesses over financial
reporting in the process of the audit, even though they are not required to do so proactively, they
should also report such deficiencies to appropriate managers on a timely basis.
In the reporting, external auditors must clarify whether the deficiencies are classified as control
deficiencies or material weaknesses. However, if they find it necessary, they may immediately
report the deficiencies without clear classification and report such classification at a later time.
[2]. Evaluation of the remedial status of material weaknesses
[Examination of the remedial status of material weaknesses identified during the fiscal year]
When identifying material weaknesses in internal controls in the course of the audit, external
auditors must report them to the management, request their remediation and assess the
remedial status of such material weaknesses on a timely basis.
Even if the management or external auditors identify material weaknesses in the course of an
audit, internal controls can be judged effective, if such material weaknesses, including those
identified in the previous year or earlier, have been remediated by the assessment date (the fiscal
year end date) specified in the Internal Control Report.
External auditors must also report the results of the remediation of material weaknesses to the
board of directors and corporate auditors or audit committee.
If remedial actions have been taken before the assessment date (the fiscal year end date),
external auditors should evaluate the appropriateness of the management’s assessment of such
remedial actions.
[3]. Remedial actions taken after the fiscal year end date
A. Evaluation of remedial actions taken after the fiscal-year end
If the supplementary information on remedial actions taken after the fiscal year end date is
added to the Internal Control Report, external auditors should perform, for example, the
following procedures to evaluate the appropriateness of such information.
a. Obtain and examine internal approval documents, etc. on such remedial actions.
b. Query officers, etc. in charge of finance, accounting and other relevant departments for the
details of the remedial actions.
c. If remedial actions have been taken in consolidated subsidiaries, etc., which are audited by
other external auditors, ask such auditors their views on such remedial actions.
B. Additional information on remedial actions taken after the fiscal year end date
If external auditors conclude that the supplementary information on remedial actions taken after
the fiscal year end date that the management added to the Internal Control Report is appropriate,
they should add it as additional information in the Internal Control Audit Report.
If external auditors conclude that the information on the remedial actions is not appropriate,
they should express a qualified opinion with exceptive items, or express an adverse opinion that
the statement in the Internal Control Report is inappropriate with relevant reasons.
If it has been confirmed that internal controls have been effectively designed and operated
before the issue date of the Internal Control Report, the management shall state in the Report the
details of the remedial actions and that such actions have been completed. In such cases,
external auditors should evaluate the appropriateness of such information stated by the
management.
However, external auditors should note that if they have already obtained certain audit
evidence for the management’s information stated above in the course of the Financial
Statement Audit, they may use such audit evidence accordingly.
(4) Report of Frauds and Others
When identifying frauds or significant illegal facts in the course of an Internal Control Audit,
external auditors must report them to the management, the board of directors and corporate
auditors or audit committee and request appropriate remediation, at the same time
evaluating their impact on the effectiveness of internal controls.
When identifying fraud or illegal facts in the course of an Internal Control Audit, external
auditors must report them to the management, board of directors and corporate auditors or audit
committee on a timely basis and request appropriate remediation. External auditors
should evaluate their impact on the effectiveness of internal controls and, if judging them to
constitute control deficiencies or material weaknesses, should take the measures described
under (3) above.
(5) Coordination with Corporate Auditors or Audit Committee
External auditors should determine the scope and degree of coordination with the corporate
auditors or audit committee, in order to perform effective and efficient audits.
External auditors are required to determine the scope and degree of coordination with the
corporate auditors or audit committee, in order to perform effective and efficient audits. The
method and timing of the coordination and the information and opinions to be exchanged should
be determined based on the agreement with corporate auditors and other parties, in accordance
with the condition of the audit company, etc.
(6) Use of Other Auditors, etc.
When using the results of the Internal Control Audit performed by other auditors, external
auditors must assess the appropriateness of such results and accordingly determine the degree
and method of using them, considering their significance and the reliability of other auditors.
External auditors must evaluate the status of the internal audit performed by the company,
which is a part of its monitoring activities that comprises the basic components of internal
controls, and decide the scope and degree of its use.
[1]. Use of other auditors
The appropriateness of the use of other auditors should be determined based on the generally
accepted financial statement audit standards.
External auditors may use audit results of overseas subsidiaries performed by other auditors
under non-Japanese internal control audit standards, when they are judged to be substantively
equivalent to those performed under Japanese internal control audit standards.
[2]. Use of the work of experts
The appropriateness of the use of work of experts in an audit on internal control over financial
reporting should also be determined based on the generally accepted financial statement audit
standards.
[3]. Use of the work of internal auditors, etc.
A. Evaluation of the work of internal auditors, etc.
When internal auditors, etc. have performed the assessment of the effectiveness of internal
controls, external auditors cannot use their work as a substitute for their own assessment, but
may use such work as audit evidence for the management’s assessment, provided that they have
evaluated the quality and effectiveness of the work of internal auditors.
B. Procedures to be performed in evaluating the work of internal auditors, etc.
When evaluating the quality and effectiveness of the assessment work of internal auditors, etc.,
external auditors should perform, for example, the following procedures.
a. Evaluation of the competence and objectivity of the person who performed the assessment
work
External auditors should assess whether the person who performed the assessment work has
adequate technical competence and maintains objectivity with respect to the business
operations assessed.
b. Evaluation of a portion of the assessment work
External auditors should evaluate a portion of the assessment work performed in internal audits,
etc., in order to determine their quality and effectiveness.
5. Auditor’s Report
(1) Exceptions to Opinions
When external auditors identify inappropriate parts in the Internal Control Report regarding
the scope, procedures and results of the assessment determined by the management, they may
not be able to express an unqualified opinion. However, unless they judge that their impact is so
significant that the Internal Control Report is misstated as a whole, they should express a
qualified opinion with exceptive items. In such cases, inappropriate parts that have been
excluded and their impact on the Financial Statement Audit must be described in their opinion
on the Internal Control Report.
When external auditors identify remarkably inappropriate parts in the Internal Control Report
regarding the scope, procedures and results of the assessment determined by the management
and judge that the Report is misstated as a whole, they must express an opinion that the Internal
Control Report is not fairly stated. In such cases, the fact that the Report is not fairly stated,
relevant reasons and its impact on the Financial Statement Audit should also be described.
[Expression of a qualified opinion]
When external auditors identify inappropriate parts regarding the scope, procedures or results
of the assessment determined by the management and therefore cannot express an unqualified
opinion, they should express a qualified opinion, unless they judge that their impact is so
significant that the Internal Control Report is misstated as a whole.
For example, this applies to the case when external auditors conclude that the management’s
assessment that there are material weaknesses in internal control over financial reporting is
appropriate, but at the same time conclude that the management’s statement in the Internal
Control Report regarding the remedial actions taken after the fiscal year end date is not
appropriate.
(2) Limitation of the Scope of Assessment
When external auditors cannot express an unqualified opinion because they were unable to
perform some of the important audit procedures, they must express a qualified opinion with
exceptive items, unless they judge their impact is so significant that they cannot express any
opinion on the Internal Control Report. In such cases, external auditors must state the audit
procedures that could not be performed in the summary of the audit performed, and its impact
on the Financial Statement Audit in their opinion on the Internal Control Report.
External auditors must not express any opinions on the Internal Control Report when they
have not been able to obtain a reasonable basis for expressing opinions as a result of not being
able to perform some of the important audit procedures. In such cases, external auditors should
state the fact that they do not express their opinion on the Internal Control Report and relevant
reasons.
[External auditors’ treatment of limitation of the scope of assessment]
If, due to “unavoidable circumstances,” sufficient assessment procedures could not be
performed for a certain part of the internal controls, external auditors should carefully examine
whether the reasons are justified. If external auditors conclude that the management’s
assessment of internal control over financial reporting is fairly stated in all material respects in
accordance with generally accepted assessment standards for internal control, except for the
scope for which sufficient assessment procedures could not be performed due to unavoidable
circumstances, they should express an unqualified opinion in the Internal Control Audit Report.
In such cases, external auditors should add in the Internal Control Audit Report the scope that
the management excluded from the assessment due to unavoidable circumstances and relevant
reasons.
If external auditors conclude that the reasons for the management not performing a part of the
assessment procedures are justified and express an unqualified opinion, they should consider the
following points.
A. The management’s assessment of internal control over financial reporting effectiveness is
fairly stated in all material respects, except for certain controls for which the assessment
procedures could not be performed due to unavoidable circumstances
B. Quantitative or qualitative impact of not performing sufficient assessment procedures for a
certain part of the internal controls due to unavoidable circumstances is not so significant as to
constitute material weaknesses in the entire system of internal control over financial reporting
(3) Additional Information
External auditors should add in the Internal Control Audit Report the following matters.
[1]. Material weaknesses in internal control over financial reporting and the reasons why they
have not been remediated, which are stated in the Internal Control Report by the management,
and their impact on the Financial Statement Audit, when external auditors judge the statements
to be appropriate and therefore express an unqualified opinion.
[2]. Subsequent events that would have a material impact on the assessment of internal control
over financial reporting effectiveness;
[3]. Remedial actions and others taken after the fiscal year end date;
[4]. The scope for which sufficient assessment procedures could not be performed and relevant
reasons, when external auditors judge that the management could not perform a certain part of
the assessment procedures due to unavoidable circumstances and therefore express an
unqualified opinion.
[Subsequent Events to be described in the Internal Control Report]
External auditors should examine whether there have been any subsequent events that may
have a significant impact on the assessment of internal control over financial reporting
effectiveness; and if there are any subsequent events that need to be described in the Internal
Control Report, external auditors should examine whether they are appropriately described.
The following are the examples of procedures to examine whether there are any significant
subsequent events.
A. Query financial and accounting officers about whether any events that should be recognized
as significant subsequent events have occurred.
B. Review minutes of important meetings of the shareholders and board of directors, corporate
auditors and managing directors, etc. held after the year-end closing date. If such minutes are
not available, make inquiries about the matters discussed in the meetings.
External auditors should note that if they, as is generally expected, have already identified
significant subsequent events in the process of the Financial Statement Audit, they may
accordingly use such audit evidence obtained in the Financial Statement Audit with respect to
the significant subsequent events.
(Reference Drawing 1)
Process of Establishing Internal Control Over Financial Reporting
1. Determination of Basic Planning and Policies
The management should determine basic planning and policies for the implementation of
company-level controls and process-level controls over financial reporting, according to the
determination made by the board of directors regarding basic policies for internal controls.
The management should determine, for example, the following basic planning and policies.
[1]. Policies, principles, the scope and level for internal controls to be established
[2]. Responsible personnel and company-level management system for the establishment of internal
controls
[3]. Procedures and schedule for the establishment of internal controls
[4]. Personnel to be involved in the establishment of internal controls and the method of their
organization, education and training; and others.
2. Understanding of the Design Status of Internal Controls
Understand, record and retain the design status of internal controls.
*Documentation of tacit rules within the company, if there is any
[1]. Understand, record and retain the design status of company-level controls in the light of
rules and practices of existing internal controls and their compliance status.
[2]. Identify, record and retain the design status of important process-level controls.
*Organize and understand the flow of transactions and accounting procedures of important
business processes.
*Identify risks of misstatements regarding business processes that have been organized and
understood. Examine the relationship between the risks and the financial reporting or accounts;
and whether the risks are sufficiently mitigated by the internal controls incorporated into
operations.
3. Response and Remediation for Identified Deficiencies
Identified deficiencies should be appropriately remediated.
Assessment of process-level controls other than those over the financial and reporting process.
1. Selection of significant business locations/units
Business locations include headquarters, subsidiaries, local offices, branches, business units, etc.
Different or additional criteria may be used depending on the company’s business environment or characteristics.
(Examples) *Business processes that relate to businesses or operations dealing with high-risk transactions
*Business processes relating to significant accounts involving estimates and management’s judgment
*High-risk business processes that require special attention which include non-routine or irregular transactions
    
3. Assessment of business processes included in the scope of assessment
[1]. Identify and organize the overview of business processes included in the scope of assessment.
[2]. Identify the risk of misstatements in business processes and controls that would mitigate such risk.
[1]. Remediate identified control deficiencies, if any, by the fiscal year end date.
[2]. Disclose material weaknesses existing as of the fiscal year end date, if any.
4. Report of internal controls
Discuss the scope of assessment with external auditors as appropriate.
Business processes can be excluded from the scope of assessment when they are only remotely associated with businesses or
operations performed in significant business locations/units and do not have a material impact on the financial statements.
[2].Business processes of significant and other business locations/units that have a significant impact on the
financial reporting should be added to the scope of assessment individually.
The scope of sampling may be reduced when the company-level controls are assessed to be operating effectively and in
other circumstances.
[3]. Adjustment of the scope of and approaches to the assessment of process-level controls based on the assessment
results of company-level controls
When company-level controls have been assessed as ineffective, measures such as the expansion of the scope of assessment
or addition of assessment procedures may be necessary.
When company-level controls have been assessed as effective, the assessment procedures may be simplified by, for
example, reducing the scope of sampling, or reducing the frequency of a certain scope of assessment, according to the
materiality of the scope, to every two or more accounting periods.
(Reference drawing 2)
Flow of the Assessment and Report on Internal Control Over Financial Reporting
 
Significant business locations/units are selected in the descending order of sales (or other factors) until their
combined amounts reach a certain ratio (for example, approximately two-thirds) of the total amounts.
[1]. All business processes of significant business locations/units which impact the accounts (in principle, in the
case of general companies, sales, accounts receivable and inventory) that are closely associated with the company’s
objectives should be in the scope.
[4]. Assess the operation status of internal controls by reviewing related documents, making inquiries, conducting
observations, verifying records on the performance of internal controls, examining the status of self assessment, etc.
[3]. Assess the design status of internal controls by reviewing related documents, making inquiries, conducting
observations and through other procedures.
2. Identification of business processes to be assessed
Assessment of company-level controls
(In principle, the management should assess all business locations from a company-wide perspective.)
Assessment of process-level controls over financial closing and reporting
(Financial closing and reporting process appropriate to be assessed from a company-wide perspective
should be assessed in a manner similar to company-level controls.)
(Reference Drawing 3)
Evaluation of Deficiencies in Process-level Controls
Evaluation of the Effectiveness of the Assessment of Process-level Controls
Evaluate through sampling tests (at least 25 samples per each key control would be necessary to attain a
reliability rate of 90%)
In the case of repetitive daily-routine transactions, etc., the number of samples may be reduced.
Identify Deficiencies in Process-level Controls
[1]. Evaluation of the extent of the impact of deficiencies
Determine which accounts, etc. the deficiencies identified in process-level controls may
affect, and to what extent.
*When a deficiency is identified in the sales process of a certain product in a certain business location,
the total sales of the business location would be affected if the sales process were adopted throughout
the business location.
*When the problematic sales process is peculiar to a certain product, it will only affect the sales of such
a product.
*When a similar sales process is adopted in other business locations, the deficiency stated above would
also affect the sales of such other business locations.
[2]. Evaluation of the likelihood of the impact
Determine the likelihood of having an actual impact stated in [1] above.
* Deduce the likelihood by using the results of sampling tests.
* If the deduction is difficult, categorize risks by their qualitative significance (e.g. levels of likelihood
–high, medium, low), and apply a ratio predetermined respectively.
If the likelihood of the impact is extremely remote, it may be excluded from the evaluation.
[3]. Determination of qualitative and quantitative significance of control
deficiencies
Considering the extent and likelihood stated in [1] and [2] above, determine the qualitative
and quantitative significance of the control deficiencies (for example, approximately 5% of the
consolidated income before tax).
When there are multiple deficiencies, the significance should be judged by the aggregate impact
(excluding duplicating amounts).
If the deficiencies have a qualitative and quantitative significance, they
should be judged to be material weaknesses.