Internal Control for Governance of Japanese corporation

Title	Internal control for governance of Japanese corporation	日本型企業統治に適した内部統制
Author	Toru Maegawa	前川　徹
Published	July 2006	2006年7月
Index	Background Essence of US SOX-Act of 2002: Section 302 of SOX Act: Section 404 of SOX Act: Section 906 of SOX Act: Cost impact of SOX-Act: COSO Framework of 2004: Framework of J-SOX Act: Dishonesty by employees or employers: Dishonesty by employees or employers: Natural skepticism on internal control:	背景: 米国SOX法(2002)の概要 SOX法 302条の概要: SOX法 404条の概要: SOX法 906条の概要 SOX法対応のコスト: COSOフレームワーク (2004): 金融商品取引法と内部統制: 従業員の不正と経営者の不正: 従業員の不正と経営者の不正: 内部統制に関する素朴な疑問:
Why?	Mr. Toru Maegawa, former METI bureaucrat, now visiting professor of Waseda Univ. and researcher of Glocom of IUJ delivered lecture at Glocom in June 2006. He had been a famous watcher of US IT industry reporting to METI as 'another Maegawa Report' when he worked at JETRO NY. This is a summary of his lecture about the internal control issue to be applied for governance of Japanese corporations held at Glocom, IUJ in July 2006.	前川徹氏は、以前は経済産業省官僚であり、現在は早稲田大学客員教授、国際大学Glocom主幹研究員である。 彼は、米国ITレポートを「もう一つの前川レポート」としてJETRO-NYから経済産業省へ送り続けたことでも有名である。 これは、国際大学Glocomで2006年7月に日本企業の統治に適用すべき内部統制の問題を講演したサマリーである。
Key	;; Financial Products Transaction Act ; ; Framework of J-SOX Act; Maturity model of Internal control; Process of internal control system: ; Sarbanes-Oxley Act (US SOX Act); ;

English	Japanese
>Top 0. Background: As background related to the internal control, various news and scandals recently occurred both in US and Japan. in US: 1992: COSO (the Committee of Sponsoring Organization of the Treadway Commission) report framework published. Dec. 2001: Enron Corp. failed (debt: $31B); exposed Oct. Jul. 2002: Worldcom failed (debt: $41B); exposed Jun. Jul.30, 2002: >Top SOX Act (Sarbanes-Oxley Act) is enacted. Paul Sarbanes, Sen, D-MD Michael G. Oxley, HR, R-OH Oct. 2002: Arthur Anderson vanished. in Japan: Sep. 2000: Representative suit against Daiwa Bank's illicit trade in NY (loss: $1.1B) ;judged directors' responsibility.　 Apr. 2002: Representative suit against Kobe Steel against negligence of establishing internal control system; judged representative directors' responsibility. Jun. 2003: METI published a report of risk and internal control study group. Oct. 2004: Seibu Railway Co. false financial report was exposed Jan. 2005: Tokyo Stock Exchange required timely disclosure with written oath of rep. director. Apr.2004: Kanebo accounting fraud Dec. 2005: Business Accounting Council published guideline of internal control >Top Jun.7, 2006: Financial Products Transaction Act (=Investment Service Act, so-called J-SOX Act.) enacted	0. 背景: 内部統制に関連して、最近日米でさまざまなニュースや不祥事が発生している。 米国： 1992: COSOレポート：内部統制の総合的枠組み公表 2001/12: エンロン破綻 (負債$310億) 10月発覚 2002/7: ワールドコム破綻 (負債$410億) 6月発覚 2002/7/30: 米国SOX法 (サーベンス・オクスリー法、米国企業改革法) 成立 3003/10: アーサーアンダーセン消滅 日本： 2000/9: 大和銀行株主代表訴訟判決 (損失$11億) 取締役の責任を認める 2002/4: 神戸製鋼株主代表訴訟判決。代表取締役に内部統制システム構築の責任を認める。 2004/10: 西武鉄道、有価証券虚偽申告発覚 2005/1: 東京証券取引所は会社情報の適時報告に代表者の宣誓書提出義務化 2005/4: カネボウ粉飾決算 2006/6/7: 金融商品取引法 (=投資サービス法、いわゆるJ-SOX法) 成立
>Top Maturity model of Internal control: Maturity model of Internal control: 　（内部統制の成熟モデル） CPM= Corporate Performance Management BAM= Business Activity Monitoring
>Top 1. Essence of US SOX-Act of 2002: The Sarbanes-Oxley Act of 2002 (SOX or SarbOx), aka the Public Company Accounting Reform and Investor Protection Act., including 11 titles 69 sections. Internal Control is stated at Section 303 and 404. Major provisions include: Title I: Public Company Accounting Oversight Board (PCAOB) Sec101: Establishment of board Sec102: Registration with board Sec103: Auditing, quality control, and independence standards Title II: Auditor Independence Sec201: Services outside the scope of practice of auditors Sec203: Audit partner rotation Sec204: Auditor reports to Audit Committees. Sec206: Conflicts of interest Title III: Corporate Responsibility Sec301: Public Company Audit Committee Sec302: Corporate responsibility for financial reports Sec303: Improper influence on conduct of audits Sec304: Forfeiture of certain bonuses and profits Sec306: Insider trades during pension fund blackout periods prohibited Title IV: Enhanced Financial Disclosures Sec401: Disclosures in periodic reports Sec402: Enhanced conflict of interest disclosures Sec403: disclosures of transactions involving management and principal stockholders Sec404: Management assessment of internal controls Sec405: Exemption Sec406: Code of ethics for senior financial officers Sec407: Disclosure of Audit Committee Financial Expert Title V: Analyst Conflicts of Interest Sec501: Treatment of securities analysts by registered securities associations Title VI: Commission Resources And Authority Sec601: Authorization of appropriations Sec602: Appearance and practice before the Commission Sec604: Qualifications of associated persons of brokers and dealers Title VII: Studies And Reports Sec701: GAO study and report regarding consolidation of public accounting firms Sec702: Commission study and report regarding credit rating agencies Sec703: Study and report on violators and violations Sec704: Study of enforcement actions Sec705: Study of investment banks Title VIII: Corporate And Criminal Fraud Accountability Sec802: Criminal penalties for altering documents Sec803: debts nondischargeable if incurred in violation of Securities Fraud Laws. Sec806: Protection for employees of publicly traded companies who provide evidence of fraud Sec807: Criminal penalties for defrauding shareholders of publicly traded companies Title IX: White-Collar Crime Penalty Enhancements Sec902: Attempts and conspiracies to commit criminal fraud offenses Sec903: Criminal penalties for mail and wire fraud Sec904: Criminal penalties for violations of the Employee Retirement Income Security Act of 1974 Sec906: Corporate responsibility for financial reports Title X: Corporate Tax Returns Sec1001: Sense of the Senate regarding the signing of corporate tax returns by CEO Title XI: Corporate Fraud And Accountability Sec1102: Tampering with a record or otherwise impeding an official proceeding Sec1105: Authority of the Commission to prohibit persons from serving as officers or directors Sec1106: Increased criminal penalties under Securities Exchange Act	1. 米国SOX法(2002)の要点: 2002年のサーベンス・オクスリー法 (SOX法) は、上場企業会計および投資者保護法が正式名称。11章69の条文からなる。但し、内部統制関連は302条と404条。主な条文は以下。 第1章: 上場企業会計監督委員会の設置 PCAOBの設置とその業務 第2章: 会計監査人の独立: 監査と非監査サービスを同じ監査人が実施することの禁止など 第3章: 企業責任: 財務報告書に対する経営者の責任、監査への不当な干渉の禁止など 第4章: 財務の開示強化: 財務報告書における開示事項、経営者に対する利益相反規制の強化など 第5章: アナリストの利益相反: 証券アナリストの潜在的な利益層反の管理に関する規定など 第6章: 証券取引委員会(SEC)の強化: SECの人員強化、SECの権限の強化など 第7章: 調査および報告(SECなどの調査報告義務): SECとGAO (Government Accountability Office) の調査報告義務など 第8章: 企業および犯罪者の不法行為に対する責任: 書類改竄に対する刑事罰の強化など 第9章: 知的犯罪の刑罰強化: 詐欺行為の計画および共同謀議の刑罰、郵便や通信回線を用いた犯罪の刑罰強化など 第10章: 法人所得税申告: 法人所得税申告はCEOが署名すること 第11章: 企業の不正行為とその責任: 記録改竄、公務執行妨害の刑罰強化、証券取引法違反の刑罰強化など
>Top 2. Section 302 of SOX Act: Corporate Responsibility For Financial Reports The Commission shall require, for each company filing periodic reports that the principal executive officer and the principal financial officer certify in each annual or quarterly report filed or submitted that - (1) the signing officer has reviewed the report; (2) the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements not misleading; (3) the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of the periods presented in the report; (4) the signing officers - (A) are responsible for establishing and maintaining internal controls; (B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared; (C) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report;and (D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date; (5) the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors - (A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and (B) any fraud that involves management or other employees who have a significant role in the issuer's internal controls; and (6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.	2. SOX法 302条の概要: 財務諸表に対する責任 302条は、上場企業のCEOとCFOに対して、年次報告書、四半期報告において、以下の項目を宣誓することを要求。 財務報告を自らレビューしたこと 財務報告書には誤解を招くような重要事実に関する不実記載や脱漏がないこと。 財務諸表などの財務情報が企業の財務状態、経営成績を正しく表していること 内部統制の確率維持に関する責任は、CEOとCFOにあり、連結子会社を含めて内部統制の仕組みが設計されていること。財務報告書の提出日前90日以内に内部統制の有効性を評価しており、その結果を財務報告書に記述したこと 内部統制の設計および運用に間する深刻な欠陥をすべて監査人および監査委員会に開示したこと、内部統制の仕組みにおける重大な弱点を監査人に明らかにしたこと 経営者が絡んだ不正行為を監査人および監査委員会に開示したこと
>Top 3. Section 404 of SOX Act: Management Assessment Of Internal Controls (a) The Commission shall prescribe rules requiring each annual report to contain an internal control report, which shall-- (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.	3. SOX法 404条の概要: 内部統制に対する有効性評価 404条は、上場企業の経営者に財務報告に係る内部統制の有効性評価を義務づける。但し、この条文が直接、義務を定めてはいない。条文はSECに対し、年次報告に次の二点を記載した「内部統制報告書」を記載することを義務づける規定を制定するよう要求。 (2003.5にSECは規則を制定) 経営者が、財務報告に係る適切な内部統制の仕組の確立と維持に関して責任を負っていること 経営者が行った直近の財務報告に係る内部統制の仕組の有効性評価の評価結果 また404条は、当該企業の監査を行う監査法人に対して、内部統制報告書に記述された内部統制の仕組みに対する有効性評価に対する監査および報告 (Direct reporting)を義務づけている。 注) J-SOXにはこのDirect reporting義務なし
>Top 4. Section 906 of SOX Act: Failure of corporate officers to certify financial reports (a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS- Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission shall be accompanied by a written statement by the chief executive officer and chief financial officer of the issuer. "(b) CONTENT- The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of the Securities Exchange Act of 1934 and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer. "(c) CRIMINAL PENALTIES - Whoever "(1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or "(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both."	4. SOX法 906条の概要: 財務諸表虚偽申告に対する罰則 SEC提出書類に虚偽が見つかった場合は、CEOとCFOは個人として責任が問われる 開示内容が不適切であることを知っていた場合は、$100万以下の罰金および/または10年以下の懲役 故意に虚偽を記載していた場合には$500万以下の罰金および／または20年以下の懲役 注) 罰則規定の厳しさはJ-SOXとの大きな相違点
>Top 5. Cost impact of SOX-Act: Unit:$K Est. (2004/1) Est. (2004/7) Actual (2005/1) Internal cost 613 1,283 1,338 External cost 732 1,037 1,717 Audit cost 590 823 1,302 Total 1,935 3,143 4.356 Public corporation's estimate and actual cost related to SOX Act published at FEI (Financial Executive International) Source: Watanabe report (JETRO)	5. SOX法対応のコスト: <左表> 上場企業の内部統制に必要なコストの増大 財務担当役員国際協会が2005/3に発表したSOX遵守に伴うコストの予測と実績 出典: 渡辺弘美 report (JETRO)
>Top 6. COSO Framework of 2004: ERM Framework published in 2004: Object: Strategic Effective & Efficient Operations Credible Financial Report Compliance with rules Factor: Control Environment; education Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring	6. COSOフレームワーク (2004): 目的: 戦略 業務の有効性と効率性 財務報告の信頼性 関連法規の遵守 要素: 統制環境 目標の設定 事象の識別 リスク評価 リスク対応 統制活動 情報と伝達 モニタリング
>Top 7. Framework of J-SOX Act: Difference with US-SOX Act: Explicit expression of "IT Utilization" Explicit expression of "Asset Conservation" Indirect Report: Directors are not required to make independent report. Difference with US SOX Act "Asset conservation" is added as an objective of internal control "IT utilization" is added to fulfill the object of internal control. Adopted 'Top-down' risk approach. (Bottom-up risk approach in US?) Didn't adopt direct reporting by the auditor. Direct reporting is a method of evaluating effectiveness of the internal control by making a report selecting independent checking items by the auditor. One package of external auditing and reporting. Very permissive penalty clause compared to US SOX Act. Japan: not more than \5M ($0.05M) or 5 years imprisonment US: not more than $1M and/or 10 years imprisonment; but $5M and/or 20 years in intentional case.	7. 金融商品取引法と内部統制: 目的: 業務の有効性と効率性 財務報告の信頼性 関連法令等の遵守 資産の保全 要素: ITへの対応 統制環境 リスクの評価 リスクの対応 統制活動 情報と伝達 モニタリング 米国SOX法との違い: 内部統制の目的に資産の保全を追加 内部統制の目的を実現するためにITの利用を追加 トップダウン型のリスクアプローチを採用 監査人によるダイレクト・レポーティングを採用していない。 Direct Reportingとは、監査人が経営者とは別にチェック項目を設定して内部統制の有効性を評価し報告すること 外部監査との一体的実施、報告の一体的作成 罰則規定は米国SOX法に比べて極めて弱い: 日本:500万円/5年以下 米国:$1M/10年、故意は$5M/20年以下
>Top 8. Japanese corporations responding J-SOX: To acknowledge the target area and categorize all possible risks To make the triples documents: Business description Business flow chart Risk control matrix To apply various controls to business procedures. To prevail and acknowledge of the procedure. To conduct the internal control. To show continuous improvement (PDCA cycle)	8. 日本企業の対応状況: 対象範囲の決定とリスクの洗い出し 3点セットの作成 業務記述書 業務フローチャート リスク・コントロール・マトリックス (リスクとコントロールのマトリックス表) コントロールの業務への適用 普及啓蒙・教育活動 内部監査 継続的改善 (PDCAサイクル)
>Top General process of internal control system: Start-up of the project team. Learning background knowledge Collection of internal document Analysis of status-quo Selection of important accounting titles Selection of business process Selection of target division Making of formats Having explanatory meeting Making of the triple document Confirmation of present process Consideration of change of process Evaluation of risks and responsiveness Documentation Confirmation of the documents and registration	一般的な内部統制システム構築手順: プロジェクトチーム立ち上げ 知識習得・学習 社内文書の収集 現状分析 重要勘定科目の選定 業務プロセスの抽出 対象部門の決定 フォーマット等の作成 説明会の実施 ３点セットの作成 現状プロセスの確認 プロセスの変更の検討 リスク評価とその対応 文書化 文書の確認と登録
>Top 9. Dishonesty by employees or employers: Mainly due to dishonest employee: Sales of inventory to illegal channels Peculation of rebate, or padding Fictious sales and returns in the following term. Embezzlement of claw-back Fraud upon client Excess payment and peculation of returns Padding bill and peculation of kickback Pocketing of petty cash Embezzlement of deposit Padding of entertainment expenses Fictitious billing Fictive travel Mainly due to dishonest employer: Excess debt and kickback False description of financial statements Accounting fraud Give favors to corporate extortioner and raise of off-the-book funds Purchase of securities and kickback Camouflage Failing to report recalls Prebidding agreement (Dango) Failure of quality control False description and mendacious assertion	9. 従業員の不正と経営者の不正: 主に従業員の不正: 在庫の横流し リベートの着服・水増し 架空売上と翌期の返品処理 回収金の着服＆ラッピング 取引先からの詐欺 過大支払いの返金の横領 水増し請求＆キックバックの着服 小口現金の着服 預金の横領 交際費の水増し 架空請求 カラ出張 主に経営者の不正: 過剰借入＆キックバック 有価証券報告書の不実記載 粉飾決算 総会屋への利益供与&裏金作り 債券購入＆キックバック 偽装事件 リコール隠し 談合 品質管理 虚偽表示、虚偽申告
>Top 10. Natural skepticism on internal control: Dishonest: Can it prevent dishonesty conduct of employer? Is this a really effective way? is heavy penalty for the employer effective? Is an internal whisle-blower protected? Is an incentive needed? Object: What will be the object of internal control? Companies Act is for general internal control, while Financial Product Transaction Law is for correct financial statement. Cost: How is cost of internal control? How is cost of maintaining and improving internal control? Is productivity affected by the process of internal control? Dead letter: Are the triple documents the object? Do they emphasize irection and measures only? (manual-addict) Noboby can hold by excessive rules and manuals? Consistency (PDCA Cycle): Is the project team temporal? Who continues PDCA cycle? Understanding of CEO: Does CEO consider internal control as his or her own problem? Does CEO entrust staff to follow it? Does CEO consider documentation as the only object? Outcome: Is there any company without internal control? Does the present system function well? Is the documentation sufficent? Responsibility: Top-down approach vs. Entrustment Cost performance by internal control Can reparation be exempt by internal control? IT Utilization: Does IT really improve business efficiency? Does IT utilization become an advantage? Does flexible operation become impossible? ERM ( Enterprise Risk Management) What about ISMS, protection of personal data, compliance, CSR, ERM, .... or foreseeable risk?	10. 内部統制に関する素朴な疑問: 不正: 経営者の不正を防止できるか 有効な方法は何か？ 罰則強化か？ 内部告発者を守る仕組み？インセンティブの付与？ 目的: 内部統制の目標は何か？ 会社法は内部統制全般、金融商品取引法は財務報告に係る内部統制 コスト: 内部統制のコストは? 内部統制の維持・改善のコストは？ 内部統制で生産性は落ちないか？ 形骸化: ３点セットの作成自体の目的化？ 傾向と対策のみか？ 規定やマニュアルが複雑に、誰も守れない 継続性 (PDCA Cycle) : プロジェクトチームは一時的？ 誰がPDCAを回していくのか？ 経営者の認識: 内部統制を自分の問題として認識しているか？ 誰かに任せればよいと思っているか？ 文書化すればよいと思っているか？ 成果: 内部統制のない会社はないはず？ 現状の内部統制が機能しているか？ 文書化しているか？ 義務・責任: トップダウン・アプローチ対お任せ 業務効率対内部統制 内部統制によって賠償責任は免れるか？ IT利用: 業務効率を向上させるか？ IT利用による競争力強化は？ 柔軟な業務処理は可能か？ 企業リスク管理: ISMS、個人情報保護、コンプライアンス、CSR、ERM、予測可能リスクは？

Comment

It is shameful that crimes derived from internal organization (inside job) are increasing. The corporations are required to prepare too many rules. The more moral organization should be less ruled organization. Dying words of Ishikawa Goemon, so-called master thief of 16C in Japan, "The number of grains at a seashore might run out, but the seeds of thief would be countless." Ancient Chinese philosophers argued weather humans were born inherently good or bad. How they feel about present internal control?

内部組織からの犯罪が増加しているのは情けない。会社はますます多くの規則が必要となる。 モラルの高い組織は規則の少ない組織であるべきである。 石川五右衛門の辞世：「石川や浜の真砂は尽きるとも世に盗人の種は尽きまじ」 古代中国の哲学者は、性善説と性悪説とで論争になった。彼らは今日の内部統制をどう思うだろうか。