■Development related to Internal Control

The Basle Committee on Banking Supervision (BIS) announced the [Framework for the evaluation of Internal Control] in 1998, aiming at improving risk management levels in banks, on the basis of the report [Internal Control Integrated framework] which was announced in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the U.S.
Based on this framework, the Association of the Institutes of Chartered Accountants in England established the [Turnbull Report], which was imposed on enterprises listed on the London stock exchange in 1999. In Japan, starting from the Daiwa Bank case, building the system in establishments such as committees etc. became mandatory as per the Exceptional Commercial Code, which empowers the director to build an internal management system.

As for financial reports, improper audit cases and the embellishment of huge amounts, such as the Enron case and the WorldCom case in the U.S., brought to light that many listed enterprises, even in Japan, had no proper structure to prevent frauds and mistakes. In this connection, a mechanism was built under the Financial Instruments and Exchange Act based on the principle of dual responsibility, in which the finance authority prepares the internal control report that measures the effectiveness and maintenance status of internal control, and a certified accountant later audits it. In layman's terms, these are known as the J-SOX rules. These rules, which are based on the SOX rules in the U.S., were implemented from the financial year starting from 1st April, 2008 (Year Heisei 20).
Going forward, the maintenance and application status of internal control is simply reported in the form of the [Internal control report], but as a secondary effect, it is also expected to improve the maintenance of internal control as per the requirements.

■4 objectives of internal control

1. Effectiveness and efficiency of business
Improve effectiveness and efficiency of the business in order to achieve the objectives of business activities.

2. Authenticity of financial reports
Assure the authenticity of the financial statements which are disclosed and of the information which may have a major impact on them.

3. Compliance with the regulation
Comply with the rules and regulations pertaining to business activities and with the code of ethics and guidelines of the respective companies.

4. Safeguarding of assets
Take action to safeguard the assets in such a way that the acquisition, usage and disposal of assets of the company (Tangible, intangible, manpower etc.) are carried out in a proper manner as per the procedures and approval.

■6 basic elements of internal control

1. Control environment
Control environment refers to the platform that determines the climate of the organization and contributes towards the consciousness of the people in the organization about control; at the same time, it establishes the foundation for the other basic elements: risk evaluation and risk handling, control activities, information and transmission, monitoring and support for IT.

2. Risk evaluation and handling
Evaluation of risk refers to the process of identifying, analyzing and evaluating, as risks, the causes that hinder the achievement of the organization's targets, from among the phenomena that bear on achieving those targets. Risk handling refers to the process of selecting the proper handling of the risks (Prevention, minimization, imputation, acceptance (Expenses)) after the evaluation.

3. Control activities
Control activities refer to the policies and procedures established for ensuring proper execution of rules and instructions of the finance authority. (ex; It represents the situation where the final authority of a certain job is finalized who in turn controls that particular job).

4. Information and transmission
Information and transmission refers to identification of required information, proper understanding and processing and ensuring proper transmission of the information within and outside the organization and also to the persons concerned (ex: establish clear rules for preventing sexual harassment etc. which hinder the smooth handling of communication, reporting and consultations) and ensure thoroughness in prevention of the same.

5. Monitoring
Monitoring refers to the process of evaluation to find out if the internal control is effectively functioning or not (The focus will be on auditing and smooth collection of the samples for auditing the control activities by audit people).

6. Support for IT
Support for IT involves establishing proper policies and procedures (Information management regulations) in advance in order to achieve the targets of the organization, and applying them properly to IT inside and outside the organization when performing business. (Ex: It involves building the information system on the basis of the aforementioned 4 objectives and 6 basic elements, and exact recording of the update history when previous data is updated by the maintenance/management department of IT.)

■Internal control reports

These are the reports submitted by enterprises every year in compliance with the Financial Instruments and Exchange Act, Clause 24-4-4. In an internal control report, the finance person evaluates the constitution of the aforementioned 6 basic elements and their implementation status with a view to proving the [Authenticity of financial reports], which is one of the aforementioned 4 objectives, and it is essential to obtain the audit certificate from a certified accountant or auditing firm.

■Punishment

In case of a false internal control report, the offence is punished with imprisonment of up to 5 years or a fine of 5,000,000 yen or both. If the violation is by a corporation, a fine of five hundred million yen is charged.

■Development of Internal control

Concrete internal structure is developed in accordance with the procedure as per the figure below.


Here, the important point is the process of "Documentation", which precedes "Efficacy evaluation of the system of internal management" in the construction process of the internal control.
The process of documentation generally means preparing the so-called "three-point set" of "Business flow", "Risk control matrix", and "Business description book". The current state of the business process is described by this set of three documents, and the evaluation is based on it.
The management activity at the business process level is evaluated by the following aspects of "IT application control" that composes "Application control" intended for the entire business processing and the part.

1. Business process control (Manually done)
(A) Matching operation
 It includes matching operation for the documents and vouchers and matching operation for auxiliary book and general ledger. Matching operation ensures completeness and accuracy of the business.
(B) Approval operation
 Approval by the approving authority as per business rules ensures accuracy based on the process in accordance with the rules and accuracy of the process.
(C) Segregation of work
 For example, when it comes to the division of person in charge of debt declaration and person in charge of payments, mutual checking becomes effective by segregating the job responsibilities between a number of people and it minimizes the possibility for intentional faulty operations (False process). This process ensures substantiality.
(D)Check exceptional cases
 Confirmation of Delivery exception list makes it possible to check the possible delivery time. In this way, it becomes possible to ensure the accuracy of the delivery period which is associated with sales.
(E)Check spot goods
 Inventory check based on physical stock taking refers to deposit check and balance check in case of accounts receivable. This inventory check ensures a sense of belongingness to duties and rights and substantiality.
2. IT Business process control
IT business process control refers to the control that mainly ensures financial assertion by achieving (1) accuracy, (2) Authenticity, (3) Completeness and (4) Continuity of the data for individual business process systems. It aims at ensuring proper entry/processing/output of the data.
(A)Entry control
(1)Accuracy
・Function that prevents wrong entries through record count check, hash total check, serial no. check, record duplicity check etc.
・Checks the input data by proof list
・Detection of exception and abnormal data and list output.
・Log management function for monitoring/recording/correction outcome in case of error status.
(2)Authenticity
・Mechanism which incorporates into the system only the data that has been through proper approval channel i.e., Work flow.
・When it comes to the allowable amount for transactions by user authentication, it is the mechanism in which the range for allowable amount for transactions is set.
(3)Completeness
・It should enable the usage of output information in accordance with the objectives and without any omissions in the information which ought to be input and which ought to be processed and input without any duplication.
・Serial No. Management for input document
・No. Of records entered should be matched with the total.
(4)Continuity
・Linked operation with subsequent processes of the input data by integration of database
(B)Process control
(1)Accuracy,(3)Completeness
・Function that enables accuracy of the entire data processing, completeness check/validation
・Function that validates the receipt of the data between the systems.
・Function that maintains audit trails for maintenance of consistency and finding out the causes for the problems.
(4)Continuity
・Function which enables detection of process abnormalities and exception status without fail
・Auto validation function for consistency in case of updating process for a number of databases.
・Auto validation function for consistency in case of updating process for multiple number of Masters.
(C)Output control
(1)Accuracy, (3)Completeness
・Validation function for completeness of output process results and accuracy
・Confirm total value of output reports and summary files and balance total.
・Log management function pertaining to monitoring/recording/modification results in case of error conditions.
(2)Appropriateness
・Function which allows only the authorized person to refer the output files and reports.
・Function that distributes output files and reports properly
(4)Continuity
・Function which detects the abnormalities in the function and exception status.
・Confirm the total value of output reports and summary files and balance total.
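
The entry-control checks listed under (A) above (record count, hash total, serial no., record duplicity, allowable amount per user) can be sketched as a batch validator that outputs an exception list. This is an added example, not LBC's or any ERP product's code; the record layout, user names, limits and sample batch are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Voucher:
    serial_no: int    # pre-numbered input document
    account_no: int   # summed only as a hash total, no business meaning
    amount: int       # yen
    entered_by: str

@dataclass(frozen=True)
class BatchHeader:    # control totals prepared by the submitting department
    record_count: int
    hash_total: int
    first_serial: int
    last_serial: int

# Constructed per-user ceilings for the allowable transaction amount.
LIMITS = {"clerk01": 500_000, "manager01": 5_000_000}

def check_batch(header, vouchers, limits=LIMITS):
    """Return the exception list; an empty list means the batch may be posted."""
    exc = []
    if len(vouchers) != header.record_count:
        exc.append(("RECORD_COUNT", f"expected {header.record_count}, got {len(vouchers)}"))
    actual = sum(v.account_no for v in vouchers)
    if actual != header.hash_total:
        exc.append(("HASH_TOTAL", f"expected {header.hash_total}, got {actual}"))
    seen = Counter(v.serial_no for v in vouchers)
    for serial, n in sorted(seen.items()):
        if n > 1:
            exc.append(("DUPLICATE", f"serial {serial} entered {n} times"))
    expected = set(range(header.first_serial, header.last_serial + 1))
    for serial in sorted(expected - set(seen)):
        exc.append(("MISSING_SERIAL", f"serial {serial}"))
    for serial in sorted(set(seen) - expected):
        exc.append(("UNEXPECTED_SERIAL", f"serial {serial}"))
    for v in vouchers:
        limit = limits.get(v.entered_by)  # unknown user: no authority at all
        if limit is None or not 0 < v.amount <= limit:
            exc.append(("AMOUNT_LIMIT", f"serial {v.serial_no} by {v.entered_by}: {v.amount}"))
    return exc

# Constructed sample: voucher 1002 was keyed twice and 1003 never entered, so the
# record count still matches while the hash total and serial checks do not.
HEADER = BatchHeader(record_count=4, hash_total=17_000, first_serial=1001, last_serial=1004)
ENTERED = [
    Voucher(1001, 4100, 120_000, "clerk01"),
    Voucher(1002, 4200, 80_000, "clerk01"),
    Voucher(1002, 4200, 80_000, "clerk01"),
    Voucher(1004, 4400, 800_000, "clerk01"),  # above clerk01's ceiling
]

if __name__ == "__main__":
    for code, detail in check_batch(HEADER, ENTERED):
        print(f"{code:16} {detail}")
```

The sample batch passes the record count check, which is why the hash total and serial no. checks are run alongside it rather than instead of it.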

3.Overall IT control
In the definition of the Association of the Institutes of Chartered Accountants in Japan, Overall IT control indirectly supports the continuous application of business process control and ensures the reliability of the information; to be more concrete, it includes control activities such as network operation management and system/software acquisition, development and maintenance.

 On the other hand, when it comes to SOX rules in U.S, overall IT control refers to the control of IT which has a wider impact on achievement of a large number of control targets. In this way, it offers the guidelines for 4 aspects such as (1) Program development, (2) Program change, (3) Computer Operation, (4) Program and data base access.

 Two definitions mentioned here differ more or less as far as the expression of scope is concerned. But the meaning may be considered almost the same. Overall IT control being indirect control that ensures an environment to enable business process control effectively using IT, it covers development, changes, application, maintenance, access control etc.


■ Services offered by LBC

LBC accepts internal control system building as a part of ERP system introduction.
1.New introduction
(1) Requirements definition phase
In this phase, study is conducted to find out what type of business process system is to be installed in business process.
In addition to this, LBC selects ERP system which is to be introduced and it is defined separately into manual control (Business process control) and IT control (IT business process control) from the perspective of the system functions.
Based on this, [Risk control matrix] and [Business description] are prepared apart from the [Business Flow] which is prepared at the time of ERP introduction.
In business flow, operations like [Verification operation], [Approval operation], [Job segregation],[Exception issues check] or [Spot goods check]
(2) Installation phase
During this phase, the aspects which ensure control from IT business, as defined and studied during the requirements definition phase, are installed in the respective modules (Accounts, sales, purchase, inventory, production etc.) of the ERP system.
In case of Addon development, we handle development in accordance with [Overall IT control] apart from building internal control requirements as defined during requirements definition phase.
To be concrete, we also handle development through the required approval procedures at each phase for designing, production and testing, in addition to the preparation of design documents in compliance with specified standards.
(3) Operation test phase
During this phase, we validate the operation to check if the overall business process, inclusive of the manual business process control, is workable, in addition to validating that the internal control requirements as defined during the requirements definition phase are properly incorporated.
Further, when it comes to the judgment of feasibility to migrate to Go-Live, we judge the feasibility of operation in compliance with the procedures formulated by overall IT control.
To be concrete, we judge the feasibility for migration to Go-Live based on the test scenario assimilation status, data migration details etc.
As for data migration, we check if consistency is maintained for all the data stored after migration, such as original data, migration data files etc.
We check if consistency is maintained for all the data stored after Go-Live.
2. Post Go-Live
During maintenance/helpdesk service phase, we offer services in compliance with the internal controls as specified below after concluding [Service Level Agreement (SLA)].
(1) Day to day introduction issues handling
Based on the statistics related to response time for introduction, we offer management so that it is maintained within the range as specified in SLA.
(2) Changes/Additions in Specifications
We proceed with incident management when the customer requires changes/additions in specifications and retain the evidence of the following procedures.
1) Receipt of the request for spec change
2) Check the description of changes and go for approval
3) Change related work
4) Implement test and check test results
5) Approve to migrate to Go-Live and check for Go-Live migration outcome.



■Implementation example

Client's profile
A is a world-wide famous entertainment enterprise having its Headquarters in U.S.
This company requires internal control system to be built in accordance with SOX rules in U.S.

Client's needs
Template for global supply chain to be developed through SAP ERP based on the European business model with a view to optimize supply chain in compliance with the internal control requirements.
The purpose of this template is to carry out the purchase of the products, warehouse entry, shipping and recovery of accounts receivables in a consistent process.

Background of the implementation
The implementation in Japan was initially intended to use SAP ERP. A study was then conducted of a small ERP package with a view to improving cost performance.
During the process, SAP Business One was selected as it was considered easier to meet the internal control requirements.

Implementation details
Based on SAP Business One, LBC built a system which connects the purchase order information to SAP ERP of the supplier, downloads the stock receipt information from the warehouse system of 3 PL transport company and sends shipment instruction data.
At the same time, LBC also linked the accounting information from SAP Business One to SAP ERP which is the accounting system of U.S.



This system was built as specified below in cooperation with the consultant of X company, which belongs to A, an audit firm in U.S with a view to comply with the requirements of SOX rules in U.S.
During the requirements definition phase, review was conducted together on completion of the draft for business flow.
Based on this review, consultant of X company prepared drafts on risk control matrix and business description (Narrative).
During installation stage, LBC incorporated business process control such as workflow for credit management and completed the installation phase by also installing the system for offering audit evidences such as update logs to master file, update history logs etc.
Finally, LBC made alterations pertaining to the system at implementation test stage and completed final business flow, risk control matrix and business description.


   Lotus Business Consulting Co.,Ltd. (c) 2005-2010 All rights reserved