| Bottom | Home | Article | Bookshelf | Keyword | Author | Oxymoron |


SOX: Sarbnes-Oxley Act of 2002

Cat: ICT
Pub: 2006

Hiroshi Nakajima

up 06509

SOX: Sarbnes-Oxley Act of 2002 SOX法 (2002年)
Impact on corporate management by J-SOX Act 企業経営に与える日本版SOX法のインパクト
Hiroshi Nakajima

中島 洋 


April, 2006

  • Hiroshi Nakajima, executive research fellow of Glocom, Int'l Univ. of Japan made lecture at IECP forum of Glocom about the hottest topic of SOX Act and background of this law in April, 2006.
  • He is also editor of Nikkei BP, a well-know IT journal in Japan.
  • SOX Act enacted on July 30, 2002, requiring most public companies must meet the mandates for financial statements filed after June 15, 2004.
  • The purpose of this law is to protect investors from the possibility of fraudulent accounting by corporations, in response to Enron, Worldcom in US and Kanebo, Livedoor in Japan and other accounting scandals.
  • 中島洋国際大学Glocom主幹研究員が最近話題のSOX法およびこの法律の背景について、2006年4月にGlocom IECPフォーラムで講演した。
  • 彼はまた日経BPの編集委員でもある。
  • SOX法は2002年7月30日に成立し、2004年6月15日以降提出のほとんどの上場企業の財務諸表から適用される。
  • この法律の目的は企業の (米国エンロン、ワールドコム、日本のカネボウ、ライブドアなど ) 不正会計から投資家を保護することにある。

0. Prologue:

  • Japanese SOX Act is laid on table of this Diet (Apr. 2006), and will be enacted as a part of Financial Product Transaction Law. This law will be applicable to the accounting filed after Mar. 2009 by public corporations, a year behind from the original consideration.
  • This law intends to guarantee accuracy of financial statements, requiring strict 'internal control' of public corporations with an appropriate mechanism. It is originally recognized as issues of financial division or audit division.
  • But it is also premised on information systems which may cause drastic change of management style: without IT systems it would be inefficient to respond to the requirements of Japanese SOX Act. Thus it is certain that management innovation based on IT systems would be essential to comply with such Japanese SOX act.

0. プロローグ:

  • いわゆる日本版SOX法は、新設される金融商品取引法の中に取り込まれて、今国会に上程され、当初の検討より1年遅い2009年3月期決算から上場企業に対して適用されることになった。
  • 内容は財務報告の正確性を保証するために企業の内部統制を厳格に運用し、そのための仕組みづくりを目的にしたもので、当初は財務問題、あるいは監査部門の問題のように認識されていた。
  • しかし、その前提には、情報システムを基礎に置いた経営の仕組みの根本的転換が不可欠で、それを行わずに日本版SOX法に対応することは極めて非効率なものになる。日本版SOX法は、情報システムをベースにした経営革新を迫るものである。

1. Tide of SOX Act:

  • IT enforces social transparency:
    • As background, there is confrontation between large-scale enterprise vs. society.
  • Record of investigation of social responsibility of corporations.
    • Environmental pollution infringed on local people.
    • Environmental assessment of corporate activities
    • Product Liability Act: the burden of proof (onus probandi) shall be to the corporation.
    • Responsibility for health hazard by long-term accumulation of medicine or food.
    • Act for Protection of Personal Data (enforced in Apr. 2005): penalty to corporation which was stolen the personal data.
      • Cf: Responsibility of CPO=Chief Privacy Officer
    • Long-term warranty of buildings, such as earthquake-proof, or elicitation of asbestos problem.
  • Improvement of transparency by IT:
    • Traceability: duty of disclosure by producer.
    • Suika: abrupt change of steal riding on a train, or control by RFID
    • Surveillance camera: at street, station, convenient store, or in elevator.
    • BAM (Business Activity Monitoring) through BPM (Business Process Management)
    • But this might provoke new criminal offense or social injustice.
  • Flood of various 'internal control' systems:
    • Spring 2006: New Corporate Law
    • Mar. 2009: Japanese SOX Act. (Financial Products Transaction Law) enforced.
    • SOX Act (US) enforced step by step after Nov. 2004
    • Three steps: PL, Personal Data, and SOX
    • Decisive IT systems by BPM and BAM

1. SOX法への流れ:

  • 情報技術が社会の透明性を強制:
    • 背景には大企業と社会との対決の構図あり
  • 企業に対する社会の責任追及の系譜
    • 住民・地域を侵害した環境公害
    • 地球環境に対する企業行動の影響評価(環境報告書)
    • PL法=立証責任が製造者の側(従来は被害者が立証責任
    • 医薬品・食品の長期蓄積による健康被害責任
    • 個人情報保護法(2005月4月施行):
      • CPO=Chief Privacy Officer 個人情報保護責任者
    • 長期的な建築物の安全保証 (耐震性、アスベスト問題の顕在化等)
  • 情報技術による透明性の向上
    • Traceability(生産者の開示責任)
    • Suica, 電磁カードによる不正の激変、RFIDによる管理
    • 監視カメラ: 街頭、駅頭、エレベータ、コンビニ
    • BAM (Business Activity Monitoring)
    • 但し、新たな犯罪や社会的不正義を刺激する
  • 続々登場する内部統制制度
    • 2006春 新会社法
    • 2009/3 日本型SOX法(金融商品取引法)施行
    • 米国2004/11以降SOX法順次施行
    • PL、個人情報、SOXの3steps
    • 情報システムによる企業のBPM、BAMは業務効率向上の決め手

2. Point of Japanese SOX Act.:

  • The trend of SOX Act is irreversible.
    • Transparency of corporations has been historic move.
  • The point of SOX Act is 'internal control' of corporation, but informatization is indispensable, having an impact to:
    • consultant, server, application, database, ERP, disaster recovery, ASP service
    • digital data is indispensable for quick disclosure of information
    • digital record is indispensable for effective surveillance, like IDC, or Disaster Recovery center.
    • EDI i indispensable for effective digital storage of transaction.
  • Sure implementation of 'internal control':
    • investment for informatization is top priority for CEO, CFO.
    • CEO has the final responsibility. (up to 20 years in prison)
  • Informatization is not only for SOX Act.
    • promote more efficiency or optimization of business process.
    • cost down
    • strengthening of competitive edge.
    • active response to further requirement for compliance.
  • Preemptive actions through corporate informatization:
      • Huge explosion of demand of SE:
        M&A requires more SE capacity like Tokyo-UFJ Bank.
      • Development cost increase is anticipated.
    • Demand for ASP, particularly from M&S corporations.

2. J-SOX法の要点:

  • SOX法の流れは不可逆:(2009/3施行)
    • 企業の透明性を要求する歴史的な流れ
  • SOX法の本質は企業の内部統制だが、情報化が不可欠
    • ビジネスの波及:コンサル、サーバ、AP, DB, ERP, DR, ASPサービス
    • 迅速な情報開示には電子記録媒体が不可欠→短期、中長期
    • 効果的な監視統制には電子記録保管が不可欠→IDC, DRセンタ
    • 効果的な電子保管には電子取引が不可欠:EDIの必須化
  • 確実な内部統制の実施:
    • CEO, CFOにとって情報投資が最優先課題
    • 社長は企業の最終責任者(CEOに最高禁固20年)
  • 情報投資はSOX法のためだけではない。
    • ビジネス・プロセスの効率化、最適化
    • Cost down
    • 競争力強化、
    • 新たなCompliance要求に積極対応
  • 先手必勝:企業の情報化は必須
    • 需要の大爆発:SEの逼迫
    • 後になれば開発コストは急上昇する
    • ASP需要:中小企業にも波及

3. US SOX Act:

  • Sarbanes Oxley Act:
    • applicable to public corporations from Nov. 5, 2004
    • to guarantee transparency and accuracy of corporate accounting and financial statement, including
      • transparent and reliable corporate accounting
      • strengthening independency of auditor and strict code of conduct.
      • clarification of accountability of management and corporate governance.
      • in order to accomplish the above corporate compliance, the law mandate SEC registered corporations that appropriate internal control properly shall be organized and performed.
  • Section 302:
    • Corporate Responsibility For Financial Reports.
      The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."
    • A violation of this section must be knowing and intentional to give rise to liability.
  • Section 404:
    • Management Assessment Of Internal Controls.
      Requires each annual report of an issuer to contain an "internal control report", which shall:
      • (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
      • (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
    • Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.
    • The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."
    • Directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code.
    • Directs the SEC to revise its regulations concerning prompt disclosure on Form 8-K to require immediate disclosure "of any change in, or waiver of," an issuer's code of ethics.
  • Section 409:
    • Real Time Disclosure.
      Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.
  • Title VIII:
    • Corporate and Criminal Fraud Accountability Act of 2002.
      It is a felony to "knowingly" destroy or create documents to "impede, obstruct or influence" any existing or contemplated federal investigation.
    • Auditors are required to maintain "all audit or review work papers" for five years.
    • The statute of limitations on securities fraud claims is extended to the earlier of five years from the fraud, or two years after the fraud was discovered, from three years and one year, respectively.
    • Employees of issuers and accounting firms are extended "whistle-blower protection" that would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistle blowers are also granted a remedy of special damages and attorney's fees.
    • A new crime for securities fraud that has penalties of fines and up to 10 years imprisonment.

3. 米国SOX法:

  • サーベンス・オックスリー法:
  • 対象:2004/11/5以降終了する事業年度から上場企業に対して適用
  • 目的:企業会計や財務報告の透明性・正確性を保証すること
    • 透明で信頼できる企業会計
    • 監査人の独立性強化とその行動規範の厳格化
    • 経営者の説明責任の明確化とCorporate governance
    • 以上の目的を達成するため、財務報告作成までの業務プロセスの内部統制(Internal control)が適正に組織され実行されることをSEC登録企業に対して法律的に要請する。
  • < 302条>:
  • 財務報告に対する会社の責任:
  • CEO, CFOは、財務報告書の正確性、完全性、適切な表現、開示の統制と手順に責任を持つことを宣誓すること。
  • <404条>:
  • 内部統制に関する社内管理:
    • 内部統制に関する適切な仕組みと財務報告に関する手続きを記載
    • 各会計年度末時点でのこれら内部統制の仕組みと財務報告手続きに関する評価を記載すること。
  • 各報告に間する監査役は経営者による評価報告を認証する。認証方法は取締役会が決定する。
  • SECは、公表書類が倫理規定に準拠していることを要求する。
  • SECは、この倫理規定が変更された場合は、直ちに様式に従いその変更を公表するよう内規を改定する。
  • <409条>:
  • <906条>:
  • 書類保存期限:5年
  • 時効:不正行為後5年または不正発覚後2年いずれか早い方
  • 不法行為の内部告発者に対しては法的保護 (Whistle-blower protection)を与える
  • 罰則 : 最高禁固10年

4. What is the impact of J-SOX Act?:

  • As a background, social distrust is increasing against fraud caused by corporations or producers.
  • Transparency of individual, corporations, and society is getting possible due to IT.
    • Drastic decrease of illegal ride: solved by IC-card of 'Suika.'
    • Public safety watched by surveillance camera, which seems more important than privacy.
    • Businessmen's behaviors are also surveilled by IT:
      BAM = Business Activity Monitoring.
    • Sexual offenders' residence are surveilled: change of sense of value.
  • As a result, informatization of corporations and society are promoted:
    • Through control by IT is indispensable to comply with SOX-Act.
    • Discovery of abnormal behavior:
      Improvement of business process, which makes more efficient.
    • Installation of EDI to business partners, which will expand to non-public corporations.
  • Three-stage changes:
    • 2000: Y2K
    • 2005: Personal Data Protection Act.
    • 2009: Japanese SOX Act.

4. J-SOX法のインパクト:

  • 企業や生産者の不正に対する社会的不信
  • ITがもたらす個人・企業・社会の透明性:
    • Suicaが導いた不正乗車激変
    • 監視カメラ設置による街の治安:Privacy観の変化
    • ITが監視するビジネスマンの活動:
      (BAM=Business Activity Monitoring)
    • 性犯罪者の居住地情報不可欠:価値観の変遷
  • 結果としての企業・社会の情報化推進:
    • SOX法の遵守にはITによる徹底管理が不可欠
    • ITで異常現象の発見:
      Business Process革新→効率化促進
    • 取引先にもEDIを要求:上場企業以外にも普及
  • 変化の三段階:
    • 2000: Y2K(2000)
    • 2005: 個人情報保護法
    • 2009: J-SOX法

5. Enforced corporate informatization:

  • Public corporations must comply with J-SOX Act.
    • Otherwise, through informatization or delisting
  • Additional IT investment in US: about $5M/corp.
    • IDC estimates $6M.
    • which is 1.5 times bigger investment than estimate.
    • In Japan, the investment may be bigger, because of lower level of informatization.
  • SOX Act should be applied to public corporation only?:
    • Screening of transaction by compliance of SOX Act.
    • Avoidance of EDI transaction without Privacy-mark (P-mark)
    • SOX-compliant=white sox, while SOX-noncompliant=red sox
    • imprisonment for 20 years max
    • top priority of IT investment due to a sense of crisis
    • reluctance in Japanese economic world: balance with personal data protection

5. SOX法が強制する企業の情報化:

  • 上場企業は日本版SOX法に従わざるを得ない。
    • 徹底的にIT化か、または、上場廃止か
  • 米国の追加IT投資は、一社平均$5M
    • IDCは、$7Bと予測
    • 米国では事前予測の1.5倍
    • 日本は基礎低レベル→1社当たりの経費増大
  • 上場企業だけのルールか
    • SOX法に対応できない企業とは取引を控えろ
    • Pマークのない取引先のデータ交換の敬遠
    • SOX法対応=White Sox、SOX法未対応=Red Sox
  • 企業経営者の処罰:
    • 経営者報告の義務付け:米国では最高20年禁固
    • IT投資の優先度トップに:上場企業の経営者の危機感
    • 日本は経済界の抵抗大きい:個人情報「過保護法」との均衡

6. Controversy of SOX Act.:

  • Double audits
    • audit by auditor and assessment by management
    • independent auditor and management in US
  • Burden of cost: $500M/corporation
    • Clarification of business process due to internal control
    • Cost for employee training, surveillance, and internal control.
    • No clear boundary of sphere of internal control: to what extent it should do.
  • Inordinate responsibility of management:
    • is imprisonment too much?
    • should the management more focus on corporate development? Does it sap the vitality?
    • is it excess reformation of corporations?

6. SOX法の論点:

  • 二重監査:
    • 会計士監査から経営者自身による評価責任
    • 米国は外部監査人と二重監査
  • 膨大なコスト負担:$500M/1社
    • 内部統制のための業務プロセスの明確化
    • 従業員教育、監視、統制のコスト
    • 統制範囲の明確な基準なし→どこまでやるか
  • 経営者責任の過大さ:
    • 禁固刑(実刑)は過大?
    • 経営者責務は企業発展のための事業運営→活力を削ぐ
    • 企業過剰改革ではないか

7. Concrete measures:

  • COSO Framework + IT utilization:
  • Base element of internal control:
    1. Assessment of risk and proper measure: set of goals
    2. Control activity: certainty of instruction or order by management
    3. Information and communication: identification, process, & communication internally and externally.
    4. Monitoring: continued surveillance and assessment
    5. Utilization of IT: improvement and operation of internal control by IT (Only Japan emphasize IT utilization)
  • COSO = Committee of Sponsoring of the Treadway Commission); James C. Treadway Jr. was a member of SEC and the initial chairman of COSO. International standard for internal control published in 1992

7. 具体的な施策:

  • 基本的にCOSO Framework + IT利用
  • 内部統制の基本的要素
    1. リスクの評価と対応:目標の設定
    2. 統制活動:経営陣の指揮命令の確実化
    3. 情報と伝達:必要な情報の識別・処理・内外への伝達
    4. モニタリング:継続的な監視・評価
    5. ITの利用:ITによる内部統制の整備・運用
  • COSO(The Committee of Sponsoring Organization of the Treadway Commission)1992年公表の内部統制フレームワークの国際標準

8. Accrued business:

  • Establishment of internal control in big corporations:
    • Audit corporation, consultant, accounting firm, human resources development
  • BPM (Business Process Management) and BAM (Business Activity Monitoring) system
    • system integrated business
  • Document storage system for big corporation
    • Database, including affiliates
  • EDI for big corporation
    • expand to business partners
  • EDI for S&M corporations
    • eBusiness; share of server and network
  • Storage and backup business of business record
    • Data center, and time stamp
    • Reuse of micro film for long-term storage
  • Cultivation or dispatch of CIO and CIO-assistant
    • eLearning as a record of internal training; name of trainees and content of training
    • Business process, Disaster recovery (Cf: case of 9.11, able to reopen 2 days after.
    • multi located database like NY, London, or Hong Kong.
    • business continuity

8. 発生するビジネス:

  • 大企業の内部統制体制確立
    • 監査法人、Consultant、会計事務所、教育研修
  • BPM、BAMシステム確立
    • システム統合ビジネス
  • 大企業文書保管システム
    • DB化、子会社を含めたDB化
  • 大企業取引電子化システム
    • 取引先への電子取引化指導
  • 中堅中小企業取引電子化システム
    • 電子取引化、サーバ・NWの提供
  • 記録の保管、保存ビジネス
    • データセンタ、タイムスタンプ
    • 長期保存のためのMicro film化?
  • CIO、CIO補佐などの養成と派遣
    • eLearning;社内教育の記録として:対象者、内容の記録
    • Business process: DR(9.11の例:翌々営業日から再開)
    • NY, LDN, HKGなど世界他地域でのDB, backup
    • BC

9. Q&A: related IT issued:

  • Revival of recruiting by big corporation
  • Dirty, tough, & risky business environment for system engineers:
    • being no popular with students
  • active intermediate recruitment:
    • seeming extension of age limit
  • measures to baby-boomer generation:
    • association of one-man business for risk-sharing
    • M&A of small corporations having several tens of employee; becoming several hundred scale
  • possibility of internet-conscious home appliances:
    • networked refrigerator, or networked washing machine
  • problems of S&M corporations:
    • intergenerational gap, no successor

9. Q&A 最近のIT状況:

  • 大企業の採用復活、
  • SEの3K職場状況:
    • 学生の人気低下
  • 中途採用の活発化:
    • 定年延長はまだみせかけ
  • 団塊世代対策:
    • 個人事業主:協同組合による受注→分担方式
    • 数十人規模の小規模企業は合併により数百人規模に
  • Internet的家電の可能性:
    • NW家電:冷蔵庫や洗濯機
  • 中小企業の問題:
    • 世代間格差、後継者なし、
  • Can SOX Act be a touch off another boom of informatization, just like Y2K, and Personal data protection law?
  • SOX法は、Y2Kや個人情報保護法の時のように情報化ブームの起爆剤となり得るのだろうか?

| Top | Home | Article | Bookshelf | Keyword | Author | Oxymoron |