									                                                         (Provisional translation)




   System Management Standards – Supplementary Edition

      (Guidance for IT Controls over Financial Reporting)




                         Released on March 30, 2007

        Ministry of Economy, Trade and Industry (METI)


 The original texts of these Standards are prepared in Japanese, and this translation is to
be used solely as a reference material to aid in the understanding of these Standards.
 For all purposes of interpreting and applying these Standards in practice, users should
consult the original Japanese texts available on the following website:
http://www.meti.go.jp/




Members of the Committee to Study and Discuss IT Controls by Enterprises

[Chairperson]

Moriyuki Torii: Professor, Faculty of Cultural Information Resources, Surugadai
University

[Committee members]

Eijiro Oki: Leader of the Guarantee-Type Audit Promotion Project Team, Japan
Information Security Audit Association (JASA)

Hiroshi Kiire: Director, Japan Society for Systems Audits (JSSA)

Shin Koriyama: Manager, Security & Audit Research Department, Center for Financial
Industry Information Systems of Japan (FISC)

Naoki Goto: Leader of the Planning Promotion Group, Security Technology
Department, Technology Development Division, KDDI Corporation

Yuji Shimada: Institute of Internal Auditors (IIA)

Keiko Shimizu: Expert Member, Audit IT Expert Committee, IT Committee, Japanese
Institute of Certified Public Accountants

Toshinori Chikara: Manager, Audit Department, Corporate Auditing Bureau, NEC
Corporation

Shuichi Nishio: Vice Chairperson, Security Department, Security Committee, Japan
Information Technology Services Industry Association (JISA) (NTT Data Corporation)

Yonosuke Harada: Specially Appointed Professor, Graduate School of Engineering,
Osaka University

Masayuki Horie: Professor, College of Commerce, Nihon University

Akira Matsuo: Professor, Aoyama Gakuin University

Eiichi Matsubara: Committee member, Research and Study Committee, Japan Users
Association of Information Systems (JUAS)

Mitsuhiko Maruyama: Vice President, Tokyo Chapter, Information Systems Audit and
Control Association (ISACA)

Kyosuke Wagai: Vice President, Systems Auditors Association of Japan (SAAJ)




Members of the Working Group of the Committee to Study and Discuss IT
Controls by Enterprises

[Chairperson]

Moriyuki Torii: Professor, Faculty of Cultural Information Resources, Surugadai
University

[Committee members]

Takashi Ishijima: Associate Professor, Faculty of Modern Management Information,
Osaka Seikei University, and Affiliate Professor, Graduate School of Hosei University

Toshiya Kato: Certified Public Accountant

Keiko Shimizu: Certified Public Accountant (Expert Member, Audit IT Expert
Committee, IT Committee, Japanese Institute of Certified Public Accountants)

Futoshi Tanaka: Administrative Chief Researcher, Security & Audit Research
Department, Center for Financial Industry Information Systems of Japan (FISC)

Kazuyuki Chieda: Member of the Corporate Information Management Study
Committee, Japan Users Association of Information Systems (JUAS)

Motohiko Nakamura: Certified Public Accountant

Kiyomi Nakayama: Certified Public Accountant

Yonosuke Harada: Specially Appointed Professor, Graduate School of Engineering,
Osaka University

Masayuki Horie: Professor, College of Commerce, Nihon University

Eiichi Matsubara: Committee member, Research and Study Committee, Japan Users
Association of Information Systems (JUAS)

Mitsuhiko Maruyama: Vice President, Tokyo Chapter, Information Systems Audit and
Control Association (ISACA)




                                   Table of Contents

Introduction

Chapter I
Composition of and Terms in the Supplementary Edition
1. Composition
2. Terms

Chapter II
Overview of IT Controls
1. Financial reporting and IT controls
(1) Relations between internal controls provided by the Financial Instruments and
    Exchange Law and IT
(2) Relations between financial reporting and IT controls
2. Control items in IT controls
(1) Company-level IT controls
(2) IT general controls
(3) IT application controls

Chapter III
Assessment of IT Controls by Management
1. Roadmap for assessment of IT controls
2. Determination of the scope of assessment and identification of IT to be assessed
3. Assessment of company-level IT controls
4. Assessment of IT controls in business processes
5. Determination of effectiveness of IT controls

Chapter IV
Guidance on Introduction of IT Controls (Illustration of IT Controls)
Table of Contents
1. How to Use this Guidance
2. Company-level IT controls
3. IT general controls
4. IT application controls
5. Monitoring

References:

Appendix
Appendix 1 Correspondence of the “System Management Standards – Supplementary
Edition” to other standards
Appendix 2 Usage of control objectives for the System Management Standards
        Correspondence of control items and control objectives in the System
        Management Standards (Examples)
Appendix 3 Illustration of IT controls and specific information technologies (IT)
Appendix 4 Recording and retention of assessment procedures



Appendix 5 Sampling
Appendix 6 Examples of a Risk Control Matrix
       Description of IT General Controls Assessment
       Description of Company-level IT Controls Assessment
       Description of IT Application Controls Assessment in Business Processes




Introduction

Following the rapid growth of IT, Japanese corporations have increased their reliance on
IT in a wide range of business processes from core fields such as procurement,
manufacturing, sales and physical distribution to administrative functions such as
financial accounting, personnel management and payroll processing.

The “Financial Instruments and Exchange Law” [1], enacted in June 2006, obliges
management to assess and report on the effectiveness of the design and operation of
internal control over financial reporting. In the context of the higher reliance on IT
stated above, “Response to IT” is also named as one of the basic factors of internal
control in the “Standards for Management Assessment and Audits concerning Internal
Control Over Financial Reporting” and the “Practice Standards for Management
Assessment and Audits concerning Internal Control Over Financial Reporting”
(hereinafter referred to as the “Practice Standards”), both of which were issued by the
Internal Control Committee of the Business Accounting Council, Financial Services
Agency (FSA). [2]

In Japan, the “System Audit Standards” were established in 1985 for appropriate control
of information systems, and have been followed by Japanese corporations.

Then, to respond to the recent advance of information technologies and increasing
importance of information security measures, the Ministry of Economy, Trade and
Industry (METI) established “System Management Standards” and “Information
Security Management Standards” (hereinafter, collectively referred to as “Management
Standards”) independently from the “System Audit Standards.” At present, these
“Management Standards” are spreading throughout Japanese corporations as effective
guidelines on information system control.

In view of this trend, many corporations are expected to need to base their information
systems on such “Management Standards” when establishing and implementing internal
control over financial reporting and materializing the “Response to IT” that internal
control over financial reporting requires.

Since the “Management Standards,” however, do not lay down how to establish and
assess IT controls for internal control over financial reporting, a clear definition of
how the “Management Standards” correspond to “Response to IT” is crucial for
corporations that use the “Management Standards” to develop the “Response to IT”
required for their internal control over financial reporting.

[1] The “Securities Exchange Law” was revised and renamed the “Financial
Instruments and Exchange Law” by the “Law to Partially Amend the Securities
Exchange Law” (enacted in June 2006, Law No. 65).
[2] “On the Setting of the Standards and Practice Standards for Management
Assessment and Audits concerning Internal Control Over Financial Reporting (Council
Opinion)” (Business Accounting Council, February 15, 2007)



This Supplementary Edition is intended to provide the concepts of IT controls, their
assessment by management and guidance on their introduction, assuming typical cases,
with a view to the “Management Standards” and the internal control reporting system
over financial reporting, based on the current situation of Japanese corporations.

What is provided in this Supplementary Edition is nothing more than reference material
assuming typical cases; how each business constructs its own IT controls and how its
management assesses their effectiveness is left to the individual business, depending
on its business type and organizational structure.

Therefore, it is essential for each corporation not to apply the requirements indicated in
the “Guidance on Introduction of IT Controls” as they are, but to fully understand the
concepts of construction and assessment of IT controls described in Chapters II and III
of this Supplementary Edition, and perform operations according to actual conditions by
modifying, deleting and adding to the points explained in Chapter IV as needed.




Chapter I Composition of and Terms in the Supplementary Edition

1. Composition

This Supplementary Edition is composed of “Chapter II Overview of IT Controls,”
“Chapter III Assessment of IT Controls by Management,” “Chapter IV Guidance on
Introduction of IT Controls (Illustration of IT Controls)” and “Appendix.”

Theory volume
  Chapter II Overview of IT Controls
    1. Financial reporting and IT controls
    2. Management items in IT controls
  Chapter III Assessment of IT Controls by Management
    1. Roadmap for assessment of IT controls
    2. Determination of the scope of assessment and identification of IT to be assessed
    (And other sections)

Introduction (guidance) volume
  Chapter IV Guidance on Introduction of IT Controls (Illustration of IT Controls)
    1. Usage of the guidance
    2. Company-level IT controls
    3. IT general controls
    4. IT application controls
    5. Monitoring

Appendix
  Correspondence of the “System Management Standards – Supplementary Edition” to
  other standards
  Usage of control objectives for the System Management Standards
  (Other appendices)
  Examples of the risk control matrix


Chapter II describes the relations between IT controls and financial reporting, the
significance, types and other aspects of IT controls, and the basic concept of IT
controls. Chapter III states how to assess IT controls from the viewpoint of
management's assessment of internal control over financial reporting. These two
chapters can be regarded as the theory volume of this Supplementary Edition,
presenting the basic frameworks for IT controls.

Chapter IV provides guidance for the construction and assessment of IT controls, and
illustrates IT controls for each area of company-level controls, general controls and
business process controls. This guidance describes how to introduce and assess IT
controls for each field of IT controls by presenting “guidelines on controls,” “examples
of control objectives” and “examples of control and control assessment procedures.”

“Chapter IV Guidance on Introduction of IT Controls” contains only illustrations based
on experts' experience, not best practices. Depending on their conditions,
characteristics and risk levels, enterprises are expected to select the cases that
correspond to them, or add any functions they deem necessary, to build an adequate IT
controls scheme.




2. Terms

Outlined below are brief descriptions of terms whose definitions differ between the
“Practice Standards” established by the Financial Services Agency (FSA) and the
“Management Standards” published by the Ministry of Economy, Trade and Industry
(METI), to avoid confusion in their use.

  Scope of the information system

The “Practice Standards” define an “information system” as “a manual or automated
mechanism designed to process and communicate information.” Information entered
into an information system is processed according to its purpose (e.g. classification,
organization, selection, and calculation (“processing”)) (I 2. (4) 1 of the “Practice
Standards”). Thus, the “Practice Standards” include manual tasks in the IT-based
information system. This Supplementary Edition, however, limits the scope of an
information system to “functions that use IT to sort, organize, extract or compute
information according to objectives.”

  Concepts of IT controls

The “Practice Standards” categorize “Response to IT” into three types, “1 Readiness
for an IT environment,” “2 Use of IT” and “3 IT controls,” and define “3 IT controls”
as “functions to control an information system that uses information technologies.”
This Supplementary Edition, however, uses the term “IT controls” only for “3 IT controls.”

1 Response to IT          Concerns regarding the situation of usage of IT outside and
environment               inside the corporation
2 Use of IT               Use of IT in the materialization of internal control
                          concerning the reliability of financial information
                          (Ex. Restrictions on access to financial information with the
                          access control functions)
3 IT controls             Internal control over an information system that uses IT
                          (Ex. Control over ID and passwords to make access
                          restrictions effectively work for financial information with
                          access control functions)

  Concepts of “IT general controls” and “IT application controls”

The “Practice Standards” use the words “IT general controls” and “IT application
controls”. This Supplementary Edition, however, classifies “IT Controls” into the
following categories to distinguish the portion directly over IT from others:

Company-level IT controls
    Comprehensive internal control over an information system, including policies on
    and procedures of IT, to ensure an environment in which internal control functions
    effectively. This assumes control of the consolidated group as a whole, but may
    sometimes denote control of a subsidiary or establishment (⇒ II 3. (2) 1, Practice
    Standards).

IT general controls
    IT general controls refer to control activities intended to ensure an environment
    in which application controls function effectively. Usually, they are internal
    controls established on an IT infrastructure among policies and procedures
    associated with multiple business process controls (⇒ I 2. (6) 2 [IT controls]
    B, a, Practice Standards).

IT application controls
    IT application controls refer to the control activities that are incorporated into
    business processes to ensure that all of the authorized business activities are
    accurately processed and recorded in the business process management system
    (⇒ I 2. (6) 2 [IT controls] B, b, Practice Standards).

  Reliability of financial information as the objective of IT controls

The “Practice Standards” list the objectives of internal control that should ensure the
reliability of financial information, and describe the reliability and completeness of
that information. As shown in the table below, however, their definitions differ from
those generally used in the information system field. This Supplementary Edition aligns
its definitions of reliability and completeness with those in the “Practice Standards.”

Reliability
    “Practice Standards”: Information is approved according to the organization's will
    and intention, and accurately recorded/processed without omission (validity,
    accuracy, and completeness) (⇒ I 2. (6) 2 [IT controls] A, c, Practice Standards).
    Information system field: Functions and services supplied by the system concerned
    work and generate correct results as expected within a specified period under
    given conditions (⇒ Guideline for Improvement of Reliability of the Information
    System, published in April 2006).

Completeness/Integrity
    “Practice Standards”: The fact that all of the transactions are recorded without
    omission or duplication (⇒ I 2. (6) 2 [IT controls] A, Practice Standards).
    Information system field: The property of safeguarding the accuracy and
    completeness of assets (⇒ JIS Q 27001, 3.8).

  Concept of the IT infrastructure

The term “IT infrastructure” appears in the “Practice Standards.” No clear definition is
given, however. Therefore, this supplementary edition interprets IT infrastructure as “a
composition of organizational units involved in IT, rules and procedures over IT,
configuration of hardware, formation of software, makeup of networks, and situation of
outsourcing.”




  Utilization of spreadsheets and other tools

Recently, personal computers (hereinafter referred to as “PCs”) have increasingly been
used for calculation, summing, and consolidation of financial information. In general,
PCs run spreadsheets and the like (tabulation and database-management software,
including the mathematical expressions, macro code, and programs created with such
software). These cases are characterized by the fact that user departments, not the
information system department, are in charge of entering mathematical expressions and
process-automating macro code, creating data, and performing various kinds of
maintenance. Without control functions to protect the information from falsification
or errors, therefore, the resulting financial information cannot be relied upon. In the
“System Management Standards,” however, control points for spreadsheets and end-user
computing (hereinafter referred to as “EUC”) are not treated independently of other
factors. This is because the “System Management Standards” are based on the view
that the basic ideas of information system management should be the same whether a
system is operated by the information system department or by a user department.
Considering that spreadsheets and the like used by the accounting department and others
have a major impact on financial reporting, however, this Supplementary Edition deals
with the control points for spreadsheets and the like independently, unlike the “System
Management Standards.”

  Development and maintenance of the information system

In the “System Management Standards,” “development” of an information system is
discussed separately from its “maintenance.” The “Standards” refer to development as
the creation of functions of an information system (software), and to maintenance as the
conservation and updating of the functions of an information system (software). In the
“Practice Standards,” on the other hand, maintenance is included in development.
Therefore, this supplementary edition also discusses development together with
maintenance from the viewpoint of consistency with the “Practice Standards.” While the
“System Management Standards” also include modifications to software accompanying
maintenance, the supplementary edition deals with such modifications as “change
management.”

  Financial reporting or information and IT controls

IT can be categorized into IT used directly in business processes (⇒ II 2. (2), Practice
Standards) concerning book closing and financial reporting (⇒ II 1. (1), Practice
Standards), and IT not used directly. The former includes accounting systems, and the
latter, automated order-processing systems. The flow of information down to financial
reporting in particular is called financial information. Financial information is extracted
from various business processes, aggregated, and finally organized into financial
reporting. Therefore, IT controls should be applied to financial reporting to ensure that
there is no falsification or illegality.

  Parties to be involved in IT controls




This supplementary edition introduces various parties, as shown below, involved in
development and operations of IT infrastructures and application systems:

Management            Management has ultimate responsibility for all the activities of an
                      organization; it has roles and responsibilities in the design and
                      operation of internal control based on the basic policies
                      determined by the board of directors (representative director,
                      representative operating officer, etc.) (I 4, (1), Practice
                      Standards).
Chief information     Top officer responsible for IT inside the organization
officer (CIO)
Persons responsible   Responsible for instructions to persons in charge and
                      implementation of control. Persons responsible for system
                      development, operations, or acceptance tests
Persons in charge     Persons authorized to handle financial information by the person
                      responsible
Persons in charge     Persons in charge of operation of an IT infrastructure, and
of operations         inputting into and outputting from an actual application system
Persons in charge     Persons in charge of or responsible for program development of
of development        an information system (not allowed to access the financial
                      information system)


  Managed items and control points

The “System Management Standards” and the “Information Security Management
Standards” refer to measures for risk reduction as “management items,” but this
supplementary edition sometimes addresses these items as “control items” from the
viewpoint of “IT controls over financial information.”




Chapter II Overview of IT Controls

This chapter first describes relations between financial reporting and IT controls in the
first section, followed by discussion of control items in IT controls. Appendix 1
compares this supplementary edition with other standards.

1. Financial reporting and IT controls

(1) Relations between internal control provided by the Financial Instruments and
Exchange Law and IT

1 Financial reporting and the Internal Control Report

Sub-clause 4, Clause 4, Article 24 of the Financial Instruments and Exchange Law
requires listed companies and the like among those issuing a “Financial Statement
Report” to submit to the Prime Minister every fiscal year a report (hereinafter referred
to as the “Internal Control Report”) on the assessment, conducted in line with a Cabinet
Office ordinance, of the system provided by that ordinance to ensure the validity of
statements and other information concerning financial accounting in the company
concerned and the corporate group to which it belongs (hereinafter referred to as
“internal control over financial reporting”). In addition, the companies concerned are
also required to have their Internal Control Report audited by a Certified Public
Accountant or audit corporation (hereinafter referred to as “CPA”). Thus, the Financial
Instruments and Exchange Law obliges companies issuing a Financial Statement Report
to assess and report on their internal control to ensure the reliability of financial
reporting, and to have that report audited by a CPA to secure its contents.

This system can be illustrated as shown in Figure II 1-1 together with the conventional
creation of financial statements and auditing:




          Figure II 1-1 Audits of Financial Statements and Internal Control

[Figure: three columns, Management (creation), CPA (auditing, guaranteeing) and
Investors (relying and using). Conventionally, management creates the financial
statements, the CPA audits them and issues a Financial Statement Audit Report stating
that the financial statements are valid, and investors rely on that report. As a
further expansion from FY 2008, management also creates an Internal Control Report
stating that internal control over financial reporting is effective, the CPA audits it
and issues an Internal Control Audit Report stating that the Internal Control Report is
valid, and investors rely on that report as well.]




To ensure the reliability of financial reporting, a company has to establish an
accounting system for identifying, obtaining, processing, and delivering financial
information, and properly control that system by defining adequate policies and
procedures. Today, PCs are very often used for such accounting systems from the
viewpoint of business efficiency and effectiveness. The IT used in accounting systems
therefore needs control functions to properly control financial information and ensure
the reliability of financial reporting.

2 Basic factors of internal control and IT

Under these circumstances, Response to IT is added to the basic scheme of internal
control defined in the “Practice Standards” as one of the basic factors.

The basic factors make up the internal control needed to achieve the objectives of
internal control. To declare that internal control is effective, all of the basic
factors have to be embedded and functioning validly. Response to IT is not mandatory in
itself, however: where IT is used in the other five basic factors, Response to IT is
treated as a basic factor, and where IT is not used, internal control can still work
effectively without it.




When assessing Response to IT, since it does not exist independently of the other five
factors, it should be assessed together with them, as shown in Figure II 1-2:

Figure II 1-2 Relations between Internal Control and IT in the Practice Standards

[Figure: the five basic factors of internal control, namely control environment, risk
assessment and response, control activities, information and communication, and
monitoring (monitoring activities), listed vertically, with Response to IT
(information technologies) spanning all five.]


Response to IT is composed of adaptation to the IT environment, use of IT, and IT
controls. IT controls are further categorized into company-level IT controls, IT general
controls, and IT application controls. Although the five basic factors of internal control
are associated with IT controls in each field, this supplementary edition describes
company-level common issues in the sub-section on company-level IT controls.
Moreover, monitoring is discussed independently from the viewpoint of company-level
control.

(2) Relations between financial reporting and IT controls

1 IT controls in a corporation

A corporation operates a lifecycle from the establishment of effective IT strategies to
planning, development, operations, and maintenance of information systems toward
realization of IT governance of the organization in line with the management strategies.
To reduce the risks facing the information system, the corporation prepares and operates
control over the information system (IT controls) based on the System Management
Standards (⇒ Preface to the System Management Standards).

Therefore, what is required of a corporation that has prepared and is executing IT
controls over its own information system using the System Management Standards is
only managing IT controls over financial information on the information system based
on the System Management Standards.




2 Relations between financial reporting and IT controls

The creation of information necessary for financial reporting involves business
processes such as sales, purchases, and inventory management, and the book-closing
and financial-reporting processes in which the results of those business processes are
summed. In these business processes, transactions are processed by various application
systems, and financial information is sent to the accounting system in charge of
financial reporting. IT application controls therefore directly affect the reliability
of the financial information processed by the application systems. IT infrastructures
support the information systems needed to run the application systems, and the control
activities over those IT infrastructures that ensure an environment for effective IT
application controls make up the IT general controls. Company-level IT controls then
play the role of controlling the application systems and IT infrastructures as a whole
in a planned and consistent manner; they cover all IT in the organization and form the
basis of IT general controls and IT application controls. Figure II 1-3 shows the
relations among these control activities.

In internal control over financial reporting, IT application controls and IT general
controls are targeted only at assurance of the reliability of the application systems
and IT infrastructures handling financial information, because the objective of this
type of control is limited to the design and assessment of control over the reliability
of financial reporting. Corporations in general, however, do not always prepare and
operate their IT controls solely for the reliability of financial reporting. To assess
the reliability of the IT controls as a whole, the company-level policies, plans, and
procedures over IT should be comprehensively interpreted as company-level IT controls.




        Figure II 1-3 Relations between Financial Reporting and IT Controls

(Figure rendered as text: the layers of the diagram and the controls attached to each)

Company-level controls / Company-level IT controls
(Policies, plans, and procedures over IT in the entire corporation)

Financial reporting
(disclosed information seriously affecting financial statements and their reliability)

Business processes: Internal control in business processes

Application systems (consolidated book-closing system, general accounting system, and
the purchase management, manufacturing management, physical distribution, sales
management, and personnel management systems): IT application controls
 - Assurance of completeness, accuracy, and validity of input data
 - Corrections to exception operations (errors) and reprocessing
 - Maintenance of master data
 - Control over authentication and access for use of systems

IT infrastructures (hardware, operating system, networks, and databases): IT general
controls
 - Control over development and maintenance of IT systems
 - Operations and control of systems
 - Control over access from outside and inside
 - Control over contracts concerning outsourcing




2 Relations between financial reporting and application systems

Figure II 1-4 illustrates the “flow of information” in a typical company group, from the
application systems handling financial reporting described above to financial reporting
itself. Information generated by various application systems in Financial Statement
Report-issuing companies, consolidated subsidiaries, and equity method-applied affiliate
companies is gathered into the financial accounting system (here, this means the general
ledger system for non-consolidated book closing, i.e., the portion called the general
accounting system).

Figure II 1-4 highlights in green the portions over financial information among
application systems used by these companies (those application systems other than the
financial accounting system (non-consolidated book closing) include processes over and
not over financial information).

The financial accounting system of each of these companies sends both kinds of
information for non-consolidated book closing (individual financial statements) and for
consolidation to the consolidated book-closing system. Financial statement report-
issuing companies organize information for consolidated and non-consolidated book-
closing, and other information to be disclosed, and operate a financial statement
generation system to create financial statement reports and other documents.
Consolidated financial statements and financial reports may sometimes be prepared
with a spreadsheet application or the like. Assessment for the purpose of IT application
controls is applied only to the accounting systems (financial accounting system,
consolidated book-closing system, and financial statement report generation system)
and to the portions related to financial information among the functions of application
systems concerning the business processes regarded as being within the scope of
assessment.

3 Advantages and disadvantages of IT-based internal control

While companies may carry out internal control manually, the use of IT enables them to
implement more efficient and accurate control. That is, using IT results in continuous
control over financial reporting unless the control is modified, intentionally or by
mistake (⇒ I 2 (6) 2, [IT controls] B, a, Practice Standards).

Internal control using IT also has disadvantages. If no internal control is prepared
against input data, for example, an incorrect data record can be passed on to the
following steps as if it were correct. When an incorrect program is incorporated, or a
wrong result cannot be detected, the reliability of financial reporting will be lost (⇒ I 2
(6) 2, [IT controls] B, a, Practice Standards).




Figure II 1-4 Relations between Financial Reporting and Application Systems

(Figure rendered as text. Arrows in the original show the flow of financial information.)

Consolidated subsidiary A: the purchase management, physical distribution, sales
management, personnel management, fixed asset management, bill management, and fund
management systems send financial information to the financial accounting system
(non-consolidated book closing).

Financial Statement Report-issuing company P: the purchase management, manufacturing
management, physical distribution, sales management, personnel management, fixed asset
management, bill management, and fund management systems send financial information
to the financial accounting system (non-consolidated book closing), which feeds the
consolidated book-closing system and the financial report creation system.

Equity-method-applied affiliate company B: the purchase management, physical
distribution, sales management, personnel management, fixed asset management, bill
management, and fund management systems send financial information to the financial
accounting system (non-consolidated book closing).
2. Control items in IT controls

(1) Company-level IT controls

1 Company-level internal control and IT

Company-level IT controls are internal controls over IT used throughout a company
group (including its consolidated subsidiaries) established for sound maintenance and
supervision of IT within the entire company group. (⇒II 3 (2) Practice Standards).

The management is responsible for the design of company-level IT controls, and the
“Practice Standards” recommend checking the items listed in Figure II 2-1. The second
section of Chapter IV of this supplementary edition describes guidelines for concrete
controls, sample objectives of controls, sample controls, and sample control
assessments.

                             Figure II 2-1 Response to IT

 Response to IT

 • Does the management establish appropriate strategies, plans, etc. in regard to IT?

 • Does the management, when designing internal controls, adequately understand the
 company’s IT environment and clearly present policies based on such knowledge?

 • Does the management make proper judgments as to the areas in which to use IT-
 based controls and the areas in which to use manual controls in order to mitigate the
 risks to achievement of the reliability of financial reporting?

 • When using IT for the design of control activities, are the risks that accompany the
 use of IT taken into account?

 • Does the management adequately establish policies and procedures regarding IT
 general controls and IT application controls?

 ⇒ (II. (Reference 1) Response to IT, Practice Standards)


2 Overview of company-level IT controls

It is recommended to design and conduct company-level IT controls as follows,
considering the basic factors of internal control shown in Figure II 1-2, for example.

a. Design and specification of basic policies concerning IT (control environment)

Specification of basic policies on the use of IT and IT controls conveys the intentions of
the management, so it should be done by the management itself. Following these policies,
the CIO of the corporation constructs an environment to use and control IT. Design of a
company-level IT environment based on the basic policies contributes to improving the
quality of business activities and internal control, depending on how widely such policies
are disseminated. Employees should be informed of the management’s policies through
education.

b. Assessment of and measures against risks over IT (assessment of and measures
against risks)

IT provides users with efficiency and effectiveness in business processes, but on the
other hand, it may threaten corporate value if not adequately controlled. A risk
management department, for example, has to identify and assess the relevant risks from
the viewpoint of company-level control and devise countermeasures so that business
activities are not affected.

The IT department should also assess (identify, sort, analyze, and evaluate) company-level
risks concerning IT, and select countermeasures against the risks (avoidance, reduction,
transfer, or acceptance).

c. Design and dissemination of control procedures (control activities)

The management should establish IT controls, and devise and disseminate basic
policies.

d. Construction of an organizational structure and a scheme of information delivery
    (information and communication)

The management’s policies and instructions need to be communicated to related parties
through adequate means, and these communication means should be reviewed as
technology advances. “IT-based communications,” for example through e-mail and use of
the intranet, are useful for disseminating the outlines of IT controls across the whole
company.

e. Check of company-level implementation situations (monitoring)

The management should check and verify the effectiveness of plans and control
activities through reporting by implementation departments and internal auditing
parties. At these checks and verifications, IT use is desirable for higher efficiency and to
ensure the effectiveness of monitoring of control implementation situations.

IT-based monitoring functions, for example, should work in a timely manner, so they
are able to efficiently issue warnings to parties in charge of internal control.

(2) IT general controls

IT general controls are control activities established to create an environment in which
the controls over business processes that directly influence the reliability of financial
information can function effectively. Concrete examples are 1 control over development
and maintenance, 2 system operation and administration, 3 ensuring system security,
including access control from inside and outside the organization, and 4 control over
outsourcing contract management (⇒ I 2 (6) 2 [IT controls] B, a, Practice Standards).

1 Scope of IT general controls over financial information

In the system life cycle from planning to development, operation, and maintenance of
IT, a business is required to appropriately establish and operate controls to reduce risks
(Preface to the System Management Standards).

In the IT general controls described in this supplementary edition, on the other hand, the
target is limited to the reliability of information associated with financial reporting and
of the programs and data that handle such information. That is, IT general controls are
control activities that secure the reliability of programs and data as the infrastructure
for assuring the reliability of information in business processes concerning financial
reporting, and this reliability is secured through the following steps:

• After its reliability is tested and authorized, a new program is transferred to the live-
operation environment.

• In the case of maintenance of a program, the program is transferred to the live-
operation environment after its reliability is tested and authorized. Data converted from
an old system to a new system undergo the same steps.

• In operation of programs, unauthorized or fraudulent processing is prevented.

• Only persons authorized in advance are allowed to access a program or data
(preventive control). Monitoring unauthorized access prevents programs or data from
being falsified (detective control).

• When development, maintenance, and/or operations are outsourced, the trustee
(including an external service provider) secures the reliability of programs and data
through the measures described above.

IT general controls require only the proper recovery of programs and data and assurance
of their reliability. It is therefore desirable for the corporation concerned to implement
a business continuity plan, but the scope of IT general controls over the reliability of
financial information does not include a comprehensive business continuity plan.




2 Examples of IT general controls

From the viewpoints stated above, control items to be assessed can be listed as follows:

a. Control over development and maintenance of the system

• Development and procurement of software
• Construction of IT infrastructures
• Change management
• Tests
• Design and maintenance of procedures for development and maintenance

b. Operations and control of the system

• Operation management
• Configuration management (maintenance of software and IT infrastructures)
• Data management

c. Assurance of safety of the system including control over access from inside and
outside

• Information security frameworks
• Security measures including access control
• Management of information security incidents

d. Control over contracts on outsourcing

• Contracts with external service providers
• Definition and control of service levels at external service providers

⇒ (II. 3 (2) 5 D, a, Practice Standards), (5. Consignment / Entrustment, IV. Common
Processes, System Management Standards)

(3) IT application controls

IT application controls mean internal controls incorporated into business processes to
ensure that all authorized business processes are executed and recorded, with IT
controlling the business processes concerned (⇒ I 2 (6) 2 [IT controls] B, b, Practice
Standards).

1 Relations between data processing and IT application controls

Data processing in and of itself is not a part of IT application controls. When computing
a rebate, for example, the computation using IT is nothing more than data processing;
checking that the rebate is correctly computed in line with the rules is control. That is, a
mechanism that ensures that the computed rebate is within an expected range is an IT
application control. Partial verification of the rebate calculation by hand by a person in
charge is also a kind of control.

2 IT application controls incorporated into business systems

Application controls are a kind of control incorporated into application systems for
business processes such as sales and purchases, and are implemented as a combination
of IT-automated controls (IT application controls) and manual checking.

a. Non-automated IT application controls

In information systems constructed centering on a host computer, a total control scheme
is made up of controls incorporated in internal processes, manual checks of data input,
and collation of output with slips. Here, the reliability of financial information is
ensured by manual procedures.

b. Automated IT application controls

Thanks to the spread of the Internet, IT application controls (checks that order
placement data have been entered, or that figures are correct) may be implemented inside
the information system without manual procedures, in order exchange systems that use
ordering on Web pages and EDI. In these business processes, control of reliability
(completeness, accuracy, and validity) is embedded in programs. This control is built in
during development of the business system and tested before the system is transferred
to live operation.

3 Objectives of IT application controls and requirements for the creation of
adequate financial information

IT application controls to secure the reliability of financial information implement the
following control measures in the input, the output, and the internal processes for
assurance of reliability (completeness, accuracy, and validity) of transaction records in
accounting:

• Input control
• Output control
• Data control

Figure II 2-2 illustrates concrete examples of IT application controls.




             Figure II 2-2 Concrete Examples of IT application controls

 • Controls to ensure completeness, accuracy, and validity of entry data
 • Correction and reprocessing of errors
 • Maintenance and control of master data
 • Access control (user authentication, limiting the scope of operation, etc.)
 ⇒ (I. 2 (6) 2 [IT controls] B, b, Practice Standards)
 • Spreadsheets and the like

IT application controls include controls over transactions and controls over files and databases.

a. IT application controls over transactions

In the case of transaction data (trade data) handled through business processes, the
objective of control is that sales data are recorded accurately, in a timely manner, and
adequately, or with reliability (completeness, accuracy, validity). Control functions are
embedded in application programs, for example, so that when a quantity or price goes
out of range, an error status is generated.

b. IT application controls over files

In the case of files or databases, the objective of control is that the master tables
recorded are the latest and are continuously available (file continuity), and that the
reliability (completeness, accuracy, validity) of the master files is assured. To ensure the
reliability of the master files, documents and slips that should exist are collated with the
files. Reliability of the master file for credit limits, for example, is ensured by collating
it with the list of the latest credit limits.
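As an added illustration (a constructed example, not part of the Standards or the Practice Standards), the following Python sketch embeds the transaction controls described in a. (range checks on quantity and price, recomputation of the amount, validity of the customer and its credit limit, with failures given an error status for correction and reprocessing) and the master-file collation described in b. All customer ids, credit limits, tolerance ranges and sample records are constructed assumptions.

```python
"""Constructed example of IT application controls over sales transactions
and over a credit-limit master file. Not taken from the METI standards text."""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed tolerance rules (constructed): ranges an application program checks
# before a sales record is allowed to reach the general accounting system.
QTY_RANGE = (Decimal("1"), Decimal("10000"))
PRICE_RANGE = (Decimal("0.01"), Decimal("100000"))
REQUIRED = ("txn_id", "customer_id", "quantity", "unit_price", "amount")

# Constructed credit-limit master file as held by the application.
CREDIT_MASTER = {"C001": Decimal("50000"), "C002": Decimal("10000"),
                 "C003": Decimal("25000")}
# Constructed "list of the latest credit limits" approved outside the system,
# used to collate the master file (section b.).
LATEST_CREDIT_LIST = {"C001": Decimal("50000"), "C002": Decimal("15000"),
                      "C004": Decimal("5000")}


@dataclass
class ControlResult:
    accepted: list = field(default_factory=list)    # txn_ids passed to the ledger
    exceptions: dict = field(default_factory=dict)  # txn_id -> list of error codes


def check_transaction(rec, master, exposure):
    """Return the error codes for one sales record (empty list = record passes).

    completeness: every required field is present
    accuracy:     quantity and unit price are in range, amount = quantity * price
    validity:     customer exists in the master and stays within its credit limit
    """
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return ["INCOMPLETE:" + ",".join(missing)]  # nothing further can be checked
    errors = []
    qty, price, amount = (Decimal(str(rec[k]))
                          for k in ("quantity", "unit_price", "amount"))
    if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        errors.append("QTY_OUT_OF_RANGE")
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
        errors.append("PRICE_OUT_OF_RANGE")
    if qty * price != amount:
        errors.append("AMOUNT_MISMATCH")
    limit = master.get(rec["customer_id"])
    if limit is None:
        errors.append("UNKNOWN_CUSTOMER")
    elif exposure.get(rec["customer_id"], Decimal(0)) + amount > limit:
        errors.append("CREDIT_LIMIT_EXCEEDED")
    return errors


def process_batch(records, master=CREDIT_MASTER):
    """Apply the controls to a batch. Records that fail are not posted; they are
    held with an error status so a person in charge can correct and reprocess them."""
    result = ControlResult()
    exposure = {}  # running credit exposure per customer within this batch
    for rec in records:
        errs = check_transaction(rec, master, exposure)
        if errs:
            result.exceptions[rec.get("txn_id", "?")] = errs
            continue
        cid = rec["customer_id"]
        exposure[cid] = exposure.get(cid, Decimal(0)) + Decimal(str(rec["amount"]))
        result.accepted.append(rec["txn_id"])
    return result


def collate_master(master, latest_list):
    """Master-file control: return customer -> (master value, approved value)
    for every entry that differs between the master file and the approved list."""
    diffs = {}
    for cid in sorted(set(master) | set(latest_list)):
        if master.get(cid) != latest_list.get(cid):
            diffs[cid] = (master.get(cid), latest_list.get(cid))
    return diffs


# Constructed sample batch: one good record and one record per control failure.
SAMPLE_BATCH = [
    {"txn_id": "T1", "customer_id": "C001", "quantity": 10, "unit_price": "100.00", "amount": "1000.00"},
    {"txn_id": "T2", "customer_id": "C001", "quantity": 20000, "unit_price": "1.00", "amount": "20000.00"},
    {"txn_id": "T3", "customer_id": "C002", "quantity": 3, "unit_price": "40.00", "amount": "130.00"},
    {"txn_id": "T4", "customer_id": "C999", "quantity": 1, "unit_price": "10.00", "amount": "10.00"},
    {"txn_id": "T5", "customer_id": "C002", "quantity": 2, "unit_price": "6000.00", "amount": "12000.00"},
    {"txn_id": "T6", "customer_id": "C003", "quantity": 1, "unit_price": None, "amount": "10.00"},
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH)
    print("posted:", res.accepted)
    print("held for correction:", res.exceptions)
    print("master-file discrepancies:", collate_master(CREDIT_MASTER, LATEST_CREDIT_LIST))
```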

4 Spreadsheets and similar software

In an increasing number of businesses, spreadsheets and similar applications are used by
user departments. Since these types of application run on user PCs, they are likely to be
omitted from company-level control. For example, a spreadsheet or the data generated by
it may not be satisfactorily backed up, so the data are lost. Conversely, the results of an
accounting process are sometimes output from a spreadsheet or the like and loaded into
another application system to compose financial reporting, and during these steps the
data can be lost or falsified.

When using spreadsheets or similar types of programs, the management is
recommended to define procedures for recalculation by a person other than the initial
operator to ensure the accuracy of the data or process, and educate employees about
backups. When operating an application system to process data in a spreadsheet, the
management should check that the application system is equipped with functions to
prevent data from being lost or falsified. Considering the risks of false disclosure, costs
of preventive measures, and effects of control, the management has to select a method
that best suits the organization.




Chapter III Assessment of IT Controls by the Management

1. Roadmap for assessment of IT controls

(1) Flow of internal control assessment

The management plays a role to establish and conduct internal control, and should
ensure the reliability of assessment of internal control over financial reporting (⇒ II 1
Practice Standards). IT controls are designed and operated as a part of internal control.
Pursuant to generally accepted standards for internal control assessment, the
management is required to assess the effectiveness of internal control, and provide its
results to the public. IT controls also need to be assessed as a part of internal control.
Figure III 1-1 shows the roadmap for assessment of IT controls.

               Figure III 1-1 Roadmap for Assessment of IT Controls

 1 Determination of the scope of IT to be assessed
 2 Assessment of and countermeasures against risks facing IT
 3 Assessment of IT controls
 4 Judgment, recording, and retention of effectiveness of IT control
 5 Analysis of assessments of IT control related to financial information, and
   prioritization of improvement measures
 6 Consultations with auditors (CPAs and others), shown alongside steps 1 to 5

1 Determination of the scope of IT to be assessed

This issue is described in the second section “Determination of the assessment scope
and identification of the targeted IT” of Chapter III.

2 Appropriate assessment of and countermeasures against risks

• Business processes that are likely to cause serious falsification of financial
information should be specified. Here the assessment of and countermeasures against
risks facing information and information systems are examined.

• Internal controls related to the business processes should be identified. Attention is
needed both in cases where using IT may strengthen controls (for example, preventing
the falsification of figures by running a program, or unauthorized modification through
access to a database), and in cases where using IT may introduce new types of risk of
illegality or falsification. In fields where high risks are expected in particular, a wider
range of tests should be carried out, or more control items added.

3 Assessment of IT controls

This issue is described in the third section “Assessment of company-level IT controls”
and the fourth section “Assessment of IT application controls” of Chapter III.

4 Judgment, recording, and retention of the effectiveness of IT controls

This issue is described in the fifth section “Judgment of effectiveness of IT controls” of
Chapter III, and Appendix 4 “Recording and retention of assessment procedures.”

5 Analysis of assessments of IT controls over financial information, and
prioritization of improvement measures

a. Assessment of IT controls examines continuous implementation of controls over
items including IT users.

b. Strict examinations are made of any significant IT controls (for example, any item of
IT general controls on which IT application controls depend). Significance here can be
determined based on the impact of the IT controls on falsification of financial
information or financial reporting.

c. IT tasks may sometimes be outsourced. Because the responsibilities for
implementation of internal control lie with the outsourcing corporation, the outsourced
tasks need to be assessed from the viewpoint of IT controls.

d. The management analyzes the results of IT controls assessment, prioritizes points in
descending order of the gravity of the risk, and implements solutions.

6 Consultations with auditors (CPAs and others)

In assessment of IT controls, management should discuss with the auditor, as
appropriate (⇒ II 2 (2) [Communication with external auditor(s)], Practice Standards).
In “1 Determination of the scope of IT to be assessed,” for example, a discrepancy with
the auditor on the scope of IT controls may cause the auditor to point out a deficiency in
IT controls for a subsidiary excluded from the scope of control. If such indication is
made at book closing in particular, the corporation in question may not have time to
correct the deficiency pointed out. At an early stage of the design of IT controls,
therefore, it is advised to consult the auditor regarding the scope of control for
agreement. This type of consultation is also recommended for each step of 2 – 5.

2. Determination of the assessment scope and identification of the targeted IT




(1) Whole picture of IT

Assessment of the effectiveness of internal control should be started with getting the
whole picture of IT across the consolidation group (hereinafter referred to as “the
group”) from the viewpoint of financial reporting.

First, since situations of IT utilization vary from industry to industry, the group needs to
know the IT environment and the situations of IT utilization in the industry it belongs
to. Here, it will be enough to draw a rough chart of IT connections inside the group, i.e.,
the whole picture of linkages among significant systems.

Next, the group should outline application systems over its financial information and
relevant IT infrastructures. It will be enough to know relations among application
systems in the unit of “XX sales system” and “YY inventory management system,” for
example, but for designs excluded from the scope of consolidation, some business
processes should also be included in the scope of control, depending on their
importance. In addition, organizational structures, rules, and standards need to be
checked for company-level IT controls of the group.

(2) Determination of the assessment scope

An assessment scope of IT controls should be determined based on the assessment
scope of internal control (⇒ II 2 (1) 1, Practice Standards). While all of the IT
functions for processes concerning book closing and financial reporting of the group
need to be included in the assessment scope of IT controls, some IT functions for other
business may also be included in the assessment scope of IT controls. For example, the
assessment scope includes not only business processes over important account titles of
designs to be assessed, but also application systems and supporting IT infrastructure that
handle these accounts.

(3) Factors to be identified

It will be helpful to identify and indicate account titles from the angles of both business
flow and data flow (⇒ II Reference 2, Practice Standards).

Figure III 2-1 shows factors to be identified in relation to IT.

           Figure III 2-1 Sample Factors to be Identified in Relation to IT

• Business process
• Application system over the business process
• IT infrastructure (outlines of hardware, basic software and networks, situations of
outsourcing, etc.)
• Organizational unit and policy over IT
⇒ (II. 3 (3) 5 B, b, Practice Standards)




(4) Considerations for determination of the assessment scope

1 Assessment of IT concerning company-level control

When IT is employed not only for control activities but also basic functions such as the
control environment, assessment of and measures against risks, information and
communications, and monitoring, these IT functions need to be included in the
assessment scope.

For example, if intra-corporate networks such as LANs play an important role in the
control environment, assessment of and measures against risks, information and
communications, and monitoring, the intra-corporate network may be assessed. If a
system is established in which important information is automatically transmitted from
a business process to the management for checking on a terminal, the application system
that automatically transmits the information should be included in the IT assessment
scope for assessment of IT application controls and IT general controls at the stage of
business process assessment.

2 Differences between IT and organizational segmentation

The assessment scope of internal control for business processes not affecting book
closing or financial statements is selected based on business designs such as the head
office, subsidiaries, branches, and divisions according to the amount of sales, for
example (⇒ II 2 (2) 1, Practice Standards). The assessment scope of IT controls should
basically be determined by matching the organizational segmentation of the business
design with the coverage of application systems and supporting IT infrastructures.
Attention needs to be paid to the fact that the organizational segmentation of business
designs may not always correspond to the coverage of application systems and IT
infrastructures. Below are described examples of such discrepancies:

• When the organizational segmentation does not correspond to the coverage of an
application system (IT application controls)

As shown in Figure III 2-2, for example, shipment information, the key data for
accounting of sales, may be generated by the inventory management application system
operated by a specific subsidiary. In this case, regardless of the amount of sales at the
subsidiary concerned, the shipment process of the subsidiary needs to be included in the
assessment scope as the application system related to the sales system.

• When the organizational segmentation does not correspond to the support
coverage of IT infrastructures (IT general controls)

When IT infrastructures are managed at a data center belonging to another subsidiary,
the data center concerned should be included in the assessment scope, regardless of the
sales of the subsidiary. Thus, IT infrastructures do not always correspond to the
organizational segmentation of an “important business design from the viewpoint of the
consolidated amount of sales,” and multiple IT infrastructures are built in a business



base or shared by multiple organizations. In any of these cases, therefore, assessment of
IT controls needs to be arranged and conducted according to the relations to the
application systems to be assessed. In the case illustrated in Figure III 2-2, for example,
the three application systems of sales, inventory management, and purchasing are
collectively run on a single host computer, and if these application systems are supported
by one IT infrastructure, the data center operating these application systems should be
included in the assessment scope of IT controls.

When determining the assessment scope, the management should consult the auditor for
the method and the basis of determination as necessary (⇒ II 2 (2) [Determining the
scope of assessment of business processes] 2 B, d and II 2 (2) [Communication with
external auditor(s)], Practice Standards).


               Figure III 2-2 Example of the Assessment Scope for IT

[Diagram not reproduced in this text. Legend: percentages show sales to outside the
consolidation group; arrows show the flow of information among systems and the use of
IT infrastructures. Rows of the diagram: business establishments (Company P, Company A
at 100%, and Companies B, C, and D at 0%); business processes (amount of sales,
physical distribution, purchase); application systems (sales activities, inventory
management, procurement); IT infrastructures (data centers).]




3. Assessment of company-level IT controls

(1) Meanings of company-level IT controls

The management should determine the scope and the method of assessment of internal
control in business processes based on the results of assessment of company-level
internal control (⇒ II 3 (2) 3, Practice Standards).

Specifying company-level policies and procedures concerning IT is essential for IT
controls to work effectively. If company-level policies are established and implemented
on the construction and management of networks, or on the selection of basic software,
platforms, and the like, for example, the IT management system of the corporation can be
considered to be kept at a certain level. In this case, it will be easy for the organization
to assess the IT general controls and IT application controls supported by company-level
IT controls. When it is confirmed that company-level IT controls are functioning
appropriately, and multiple business establishments are building and operating IT
under common policies, the assessment scope of IT application controls may be
narrowed down to fewer establishments.

By contrast, if company-level IT controls are not working satisfactorily due to
incomplete penetration of company-level policies, for example, networks or basic
software products may be installed for each application system separately without
consistency. When rules concerning IT are not defined completely or employees are
poorly informed of IT-related rules, the level of IT controls may be different among
establishments. If there is concern that this type of incompleteness may result in
seriously falsified reporting, the corporation must increase the number of
establishments, or add business processes to be assessed for IT general controls and IT
application controls.

In assessment for company-level IT controls, the points indicated in Figure III 3-1 need
to be considered:

    Figure III 3-1 Considerations for Assessment of Company-level IT Controls

1 Is the management aware of the importance of IT supporting internal control? This
point is the foundation of company-level controls.
2 Is the management considering assessment of and measures against risks for the
reliability of IT over financial information? Policies against risks lead to company-level
policies and rules.
3 Does the management approve budgets for the introduction and operation of IT over
financial information? Appropriate introduction and operations require management
resources such as human resources, goods, and funds, and appropriate introduction and
operation cannot be implemented without budget approval.
4 Is the organization equipped with any scheme for the management to report on and
improve installation and operations of IT over financial information? Information,
communication, and monitoring make up the PDCA (plan-do-check-act) cycle.
5 Is the organization equipped with any rules or frameworks concerning the acquisition
and retention of records over IT controls? If not, assessment by the management or
audits by the auditor may be hindered in the future.

(2) Cases of and lessons from incompleteness of company-level IT controls

As cases of incompleteness of company-level IT controls, it should be kept in mind that
if a corporation fails to upgrade a large-scale system, business processes are thrown into
confusion, and financial reporting includes errors or cannot be prepared in a timely
manner. At system integration following a bank merger, for example, an extremely
serious problem occurred. In this case, it was reported that the management was not
aware of the risks to IT caused by business consolidation and did not establish any
proper integration plan, so failures in system integration disabled services such as ATM
operations and account transfers, and the bank’s entire business activities stagnated. To
prevent this type of disaster, as well as defects in internal control that will seriously
affect the reliability of financial reporting, the management is required to check, with an
awareness of risks, whether total optimization is planned for the entire set of business
processes and systems, considering the impacts on other systems based on IT strategies
in line with management strategies.

4. Assessment of IT application controls

Assessment of IT application controls requires assessment of both IT general controls,
controlling IT infrastructures supporting business application systems, and IT controls
over business processes.

(1) Significance of IT application controls

1 IT general controls

IT general controls are control activities that ensure an environment for the effective
functioning of control over business processes, and in general are composed of policies
and procedures for control over multiple business processes
(⇒ I 2 (6) 2 [IT controls] B, a, Practice Standards).

The management should assess whether IT general controls are effectively established
and operated in the following areas, for example:
• Development and maintenance of information systems
• Operation and administration of information systems
• Security of information systems, including access control from inside/outside the
organization
• Outsourcing contract management
(⇒ II 3 (3) 5 D, a, Practice Standards)

Figure III 4-1 shows examples of IT general controls and sample considerations for
assessment:

     Figure III 4-1 Sample Considerations for IT General Controls Assessment

a. Development and maintenance of systems

• The management should check whether control measures are established and carried
out for the development of new information systems, the introduction of software
packages, and the operation and management of IT. If the corporation is not controlling
development properly, for example, no function is prepared to prevent unauthorized
transactions and the validity of a completed system is not ensured, so the organization is
regarded as lacking control capabilities.

• The management is also required to verify that user departments are involved in
testing of a system under development, and for maintenance, that modification is
appropriately controlled.

b. Operations and control of systems

• The management should check whether control measures are established and carried
out for proper programs to process proper data and generate reliable results.

c. Assurance of safety of systems such as control of access from outside and inside

• The management should check whether control measures are established and carried
out for access monitoring, to protect data, software, hardware, and related equipment
from unauthorized use, falsification, or destruction, and to protect financial information
from loss due to natural disasters.

d. Control of contracts for outsourcing

• When outsourcing development and/or operations of any information system, the
management should check whether control measures are established and carried out for
managing outsourced tasks. The management is required to understand criteria for
selecting service providers, procedures for acceptance of deliverables, and control by
the service provider, and assess impacts on control of the outsourcing organization.

• If the outsourced task is part of the core business processes, a failure in the system
used by the service provider may affect the operations of the outsourcing organization.
Therefore, the management should check whether the service level is maintained as
specified by the outsourcing contract with the service provider.

As an example of risk assessment, a case is described below where an off-the-shelf
software package is used as is, without developing an application system in house. In
risk assessment for this case, attention needs to be paid to the points listed in Figure III
4-2:

      Figure III 4-2 Sample Considerations When Using a Software Package

• If no modification is made to a purchased software package, the package is regarded as
free of the risks to which an application is exposed when an incorrect program is
developed in house.

• Since any modification to a program, such as upgrading, is made by the external
specialized vendor who developed the package concerned, the risks of improper
program modification are limited.

• If the package is equipped with IT process control functions, the user organization
can ensure consistency among business processes, automate collation steps,
automatically create exception reports, and authenticate access according to job
position, so the range of risks is limited.

If any function is added, or a modification is made in house to an off-the-shelf software
package, however, the user organization should note that risks are not limited to those
described in Figure III 4-2.

Even when using an off-the-shelf software package without modification, the user
organization should implement operational control measures such as access restrictions
(⇒ I 2 (6) 2 “IT controls” B, a, Practice Standards).

2 IT application controls

IT application controls represent the IT functions for internal control incorporated in
business processes to ensure that all authorized business processes are correctly carried
out and recorded (⇒ I 2 (6) 2 “IT controls” B, b, Practice Standards).

The management should check whether all IT control functions for business processes
are properly incorporated and operated in the business processes (⇒ II 3 (3) 5 D, b,
Practice Standards).

To help the management understand the IT application controls that ensure the
reliability of the corporation’s financial reporting, IT-related control activities are
categorized here as follows:

• Control activities embedded in application systems (automated control activities)

• Control activities to be implemented through combinations of manual work and IT
(control activities using IT information)

When assessing IT application controls, the management should understand and check
the functions of business processes equipped with IT, and the situations of
implementation of control and monitoring activities by associating them with
assessment requirements (hereinafter referred to as “assertions”).

As for business process control, it is useful for the management to understand by
walkthrough that the activities applied to business processes are carried out in an
integrated manner (tracing activities from the start of transactions concerning financial
reporting to the creation of financial statements), regardless of whether they are carried
out by hand or using IT.

(2) Identification and arrangement of business processes to be assessed

The management should assess IT controls over financial reporting (IT general controls
and IT application controls) in association with each business process. The scope of
assessment of IT general controls and IT application controls is limited to business
processes concerning financial reporting and financial information. The management is
required to look at IT usage situations and clarify relations to business processes.

In the Practice Standards, business processes are grouped into two categories (⇒ II 2
(2), Practice Standards).

1 Processes for book closing and financial reporting
2 Processes for business fields other than book closing and financial reporting

“Processes for book closing and financial reporting” are the business processes
concerning book closing and financial reporting executed mainly by accounting
departments, centering on the system that controls the procedures from the creation of
financial statements based on the general ledger to the generation of the descriptions to
be disclosed in the financial statements. Every establishment operating these processes
should therefore be assessed according to company-level internal control.

“Processes for the creation of consolidated financial statements” are business processes
where the parent company, subsidiaries, and affiliated companies enter financial
information into a report format for the parent company to create consolidated financial
statements by aggregating these pieces of information.

In “processes for book closing and financial reporting,” spreadsheet programs or the
like may sometimes be used in addition to dedicated application systems such as the
financial accounting system and the consolidated book-closing system. In such cases, a
failure in copying a formula or an error in a formula may directly affect the accuracy or
completeness of financial reporting, so control of spreadsheet programs or the like also
needs to be assessed.

For “processes for business fields other than book closing and financial reporting,” on
the other hand, the corporation should check outlines of business application systems
used in those business processes and the flow of financial information in those business
application systems.

Figure III 4-3 shows how financial information concerning account titles such as sales
and accounts receivable is created from the sales process (composed of order processing
and shipment functions) and the money receipt process (composed of billing and
collection functions), and aggregated into financial statements. In this case, transaction
data are passed from the “sales management system” and the “accounts receivable
management system” to the “financial accounting system” for the creation of financial
statements. Therefore, the “sales management system” and the “accounts receivable
management system” are regarded as application systems over financial information,
and are assessed as such. Thus, it is essential for a corporation to determine “what
application systems generate transaction data to be included in financial information”
(⇒ II 3 (3) 5 c, Practice Standards).

In the case illustrated in Figure III 4-3, shipment functions are linked to the “physical
distribution & inventory system,” so the assessment scope includes the portion handling
shipment in the “physical distribution & inventory system.” Furthermore, since various
types of accounting basis are applied to the account titles of sales, such as the shipment
basis, the delivery basis, and the inspected acceptance basis, depending on the trade
format of the corporation, attention should be paid to compliance, i.e., “procedures are
compliant with the proper accounting basis defined by the corporation,” at assessment
of IT application controls for the account titles of sales.

      Figure III 4-3 Relations between Account Titles and Application Systems

[Diagram not reproduced in this text. From top to bottom it shows: financial statements,
produced by the financial accounting system; assessment items (account titles): PL
items “Sales” and “Miscellaneous losses,” and BS items “Unbilled accounts receivable,”
“Billed accounts receivable,” “Cash,” and “Consumption tax”; business processes: the
sales process (functions: order processing, shipment) and the money receipt process
(functions: billing, collection, adjustment of differences in money received); application
systems: the sales management system (order-processing module, sales module) and the
accounts receivable management system (accounts receivable-billing module, accounts
receivable-collecting modules); and the associated application system: the physical
distribution & inventory system, linked to the shipment function.]
Source: partially modified from page 5 of “Procedures for Auditors to Assess Risks and
Handle the Assessed Risks of Seriously Falsified Indications concerning Information
Systems Using Information Technologies (IT) Detected in Audits of Financial
Statements,” Report No. 3 by the IT Committee of the Japanese Institute of Certified
Public Accountants


(3) Control to identify risks that may cause false indications and to reduce such
risks in IT utilization in business processes

The management should check whether assertions are fulfilled (existence or occurrence,
completeness, rights and obligations, valuation, allocation, and presentation and
disclosure (⇒ II 3 (3) (II) a, Practice Standards)) in the business processes assessed. If
any of these assertions are not fulfilled, there is concern regarding the possibility of
false indications in financial information.

Business application systems are equipped with IT control functions to reduce the risks
of illegalities and errors. When assessing business processes, the management has to
show that these risks of illegalities or errors are reduced by the achievement of the IT
control objectives, and verify that the IT controls meet the assertions. For example,
“completeness,” one of the IT control objectives, is a control intended to ensure that all
orders placed by a customer are processed without any omission or duplication in the
sales application system. This “completeness” of the sales management system in turn
leads to recording the amount of sales in the financial statements without any omission
or duplication, and as a result “completeness,” one of the assertions, is fulfilled. The
assurance of “completeness” as an IT control objective is thus a control measure that
reduces the risk of a false indication of sales due to an omission.

Figure III 4-4 shows examples of relations between the IT control objectives and
assertions:

    Figure III 4-4 Examples of Relations between the IT Control Objectives and
                                    Assertions

IT control objectives   Assertion (requirements for the creation of proper financial information)
Completeness            Completeness, allocation
Accuracy                Existence or occurrence, valuation, allocation, presentation and disclosure
Validity                Existence or occurrence, rights and obligations, valuation

In addition to the above, the IT control objectives include file continuity, which ensures
that the recorded master tables are the latest, that there is no inconsistency among the
master tables, and that they remain continuously usable (⇒ 2 (3) 3 of Chapter II).

5. Measurement of the effectiveness of IT controls

(1) Measurement of the effectiveness of company-level IT controls

1 Methods of measuring the effectiveness of company-level IT controls

Measurement of the effectiveness of company-level IT controls should start with
interviews with, and the collection and analysis of materials from, the departments in
charge of internal control and those managing IT throughout the group. If there is no
department controlling the entire group, or a department is assigned to control the group
but its control is not working in practice, the internal control of the group may be
considered defective, because the status of internal control over the entire group cannot
be confirmed (⇒ II 3 (4) 1 b, Practice Standards).


2 Measures against defects in company-level IT controls

If any defects are found during the assessment of company-level IT controls, the
organization should prepare a list of the defects and determine whether they are fatal
defects, checking whether any alternative control measures are available. Some defects
may be covered by IT internal control in business processes. In some cases, the scope of
assessment initially planned may have to be extended for IT general controls and IT
application controls. For example, when a corporation operating many stores has a
defect in its company-level IT controls because there are no procedures or rules
concerning IT shared by all of its stores, the corporation should increase the number of
stores to be assessed for IT general controls and IT application controls (⇒ II 3 (4) 1
c, Practice Standards).

(2) Measurement of the effectiveness of internal control in business processes over
financial reporting

1 Methods of measuring the effectiveness of the implementation and operation of IT
controls in business processes

Assessment of internal control using IT should be conducted separately for
implementation and operations. When internal control is automated, however, the
measurement of the effectiveness of implementation may lead to an assessment of
operations.

Even if manual internal control is confirmed to be applied in actual business operations
at a certain point in time, this does not always ensure that the internal control is working
throughout the assessment period.

When IT general controls are working effectively over automated business processes
and controls, completeness is likely to be maintained, so measurements of the
effectiveness of implementation may ensure the effectiveness of operations.

Figure III 5-1 shows sample assessment methods of IT controls:

              Figure III 5-1 Sample Assessment Methods of IT Controls

• Interviews with persons in charge (development leaders, system administrators and
business process leaders)
• Observation of implementation and operations of IT controls (observation of
situations of business processing through system operations)
• Collection and analysis of documents prepared for the purposes of implementing and
operating IT controls
• Collation of the results of IT processing (accounting records) with evidential
documents (supporting records such as receipts)
• Examination of data flow on systems

2 Measures against defects in IT general controls

Since defects in IT general controls are closely related to IT application controls, it is
important for a corporation to estimate the gravity of the impact of each defect and the
possibility of false indications in financial reporting. If a defect in IT general controls is
likely to lead directly to a risk of a false indication of a significant issue in financial
reporting, the defect has to be solved quickly (⇒ III 4 (2) 4 d, Practice Standards).

• When a defect in IT general controls does not result in a serious problem in internal
control over financial reporting:

Since the defect in IT general controls does not result directly in a risk of a false
indication of a significant issue in financial reporting, it is not immediately regarded as
a serious defect.

When documentation regarding a modification to a program is imperfect, for example,
this imperfection may not be regarded as a defect if the effectiveness of IT application
controls is proved by function tests equivalent to acceptance inspection of the program
at the development stage.

• When a defect in IT general controls results in a serious problem in internal control
over financial reporting:

If any appropriate IT application control is built in an application system, but the
operation scheme of IT general controls is not working effectively, IT application
controls concerned may be regarded as ineffective.

Even if IT application controls are working in each application system, information may
be falsified due to incomplete control over access to files, for example. In such cases, the
organization should make IT general controls work effectively by adding measures to
prevent data from being easily falsified.

3 When IT application controls are defective

When IT application controls are defective, the corporation has to thoroughly assess the
possibility of false indications in financial statements.

If a defect lies in automated control activities, the corporation should check whether the
effect of the defect is repeated. Concretely, for example, if a wrong customer code is not
detected during the order-processing operation, there is a risk that the effect of this
defect will be repeated and cause a false indication in financial reporting. In this case, if
the program that should detect this type of error cannot be corrected, this imperfection in
IT application controls needs to be covered by a control measure not using IT, such as
manual work.

Chapter IV Guidance on the Introduction of IT controls (illustration of IT
controls)

This chapter illustrates how this supplementary version should be applied. It first
discusses how IT risks concerning financial information should be related to IT controls,
and it then delineates company-level IT controls, IT general controls, IT application
controls, and monitoring. What is provided here is just reference information that may
be useful in major cases and is not applicable to all companies, so it is assumed that
modifications, deletions, additions, etc., may take place where necessary. Note that
companies are not recommended to implement all of the controls illustrated here; each
company should choose and apply only those that are necessary for its important
risks.

Table of Contents of this Chapter

1. How to Use this Guidance .......................................................................................... 44
   (1) Risk Factors ...........................................................................................................44
   (2) Risk Assessment ....................................................................................................44
   (3) Selection of Control Objectives Necessary for the Design and Assessment of
       IT Controls.............................................................................................................45
   (4) Instructions regarding the Use of this Chapter ......................................................47
2. Company-level IT Controls ........................................................................................ 48
   (1) Preparation and Indication of Basic IT Policy (Control Environment) .................48
   (2) Assessment and Response of IT-related Risks (Risk Assessment and
       Response) ..............................................................................................................50
   (3) Use of IT and IT Controls (Control Activities)......................................................51
   (4) Establishment of Information Systems and Processes (Information and
       Communication) ....................................................................................................52
   (5) Checking of the Implementation Status in the Company (Monitoring) ................53
3. IT General Controls .................................................................................................... 55
   (1) Development and Procurement of Information System Software .........................55
       1 System Development and Procurement ............................................................55
       2 Establishment of IT Infrastructure ....................................................................57
       3 Change Management ........................................................................................59
       4 Tests ..................................................................................................................63
       5 Development and Maintenance of Development and Maintenance
          Procedures ........................................................................................................66
   (2) System Operation and Management ......................................................................67
       1 Manage Operation.............................................................................................67
       2 Manage Configuration ......................................................................................70
       3 Manage Data .....................................................................................................72
   (3) System Safety Assurance by Internal/External Access Control etc. ......................74
       1 Information Security Framework......................................................................74
       2 Access Control and Other Security Measures...................................................75
       3 Control of Information Security Incidents ........................................................79
   (4) Trustee Control ......................................................................................................80
       1 Contracts with Trustees.....................................................................................81
       2 Definition and Control of the Service Level with the Trustee ..........................84
       3 Risk Control Matrix for IT General Controls ...................................................85
4. IT Application Controls .............................................................................................. 86
   (1) Manage Input (Input Control)................................................................................86
   (2) Manage Data (Processing Control)........................................................................87
   (3) Manage Output (Output Control)...........................................................................90
   (4) Manage Spreadsheet and other tools......................................................................92
   (5) Risk Control Matrix for IT Application Controls ..................................................95
5. Monitoring .................................................................................................................. 96
   (1) Routine Monitoring................................................................................................96
   (2) Independent Monitoring (Monitoring by Internal Audit Department etc.)............97
       1 Monitoring of Company-level IT Controls.......................................................98
       2 Monitoring of IT General Controls...................................................................99
       3 Monitoring of IT Application Controls...........................................................100

1. How to Use this Guidance

(1) Risk Factors

When evaluating the effectiveness of IT controls over financial reporting, companies
first assess their company-level IT controls over financial reports. Knowing the level
of those company-level controls shows how information system risks should be
addressed. Next, where IT is used in business processes related to financial reports,
the risk factors of the application systems are identified. Where those application
system risks depend on the IT infrastructure, the infrastructure risk factors that
affect the business processes are identified as well. Risk factors include, without
limitation, those listed in Chart IV 1-1.

                               Chart IV 1-1 Risk Factors

Risk factor                   Higher risk                            Lower risk
Opportunity for improper      No or loose controls                   Effective controls
transactions, etc.
External environment          Major change in the external           No change in the external
                              environment                            environment
                              Strong pressure from outside           Low pressure from outside
                              (shareholders, financial               (shareholders, financial
                              institutions, etc.)                    institutions, etc.)
Technical factors             Complicated system                     Simple system
                              Custom-developed (original) system     Standard (package) system
Human factors,                Shortage of experienced personnel      Experienced personnel and
inducements, pressures                                               experts
                              Inadequate training                    Adequate training
                              Lack of IT knowledge                   Sharing and application of
                                                                     IT knowledge
                              Dissatisfaction with the workplace     Workplace with high
                              (demands for higher salary, etc.)      employee morale
                              Excessive emphasis on results          Reasonable emphasis on
                              (pressure to achieve sales             results
                              targets, etc.)
Locational factor             Business application system            Centralized system
                              installed at more than one
                              location

(2) Risk Assessment

1 In risk assessment, both the risks affecting financial reports and the IT risks over
financial information are taken into consideration (⇒ I 2 (2) 1, Practice Standards).
Once the risks that need to be addressed have been identified, risk management
measures are implemented to reduce them to a level acceptable to the company (⇒ I 2
(2) 2, Practice Standards).
For IT risk management measures, it is appropriate to use the control items specified in
the System Management Standards or the Information Security Management Standards.

2 In risk assessment, both the degree of impact and the incidence are examined.
Items relating to the incidence may include the following.

- The number of IT-related accidents and incidents in the past
- The number of transactions executed in application systems
- The types and complexity of the IT infrastructure and application systems
- The frequency and complexity of program modifications
- The percentage of package programs

Responsibility for handling IT risks over financial reports lies primarily with the
company. However, companies with only limited experience in evaluating IT risks may
find it difficult to put appropriate internal controls for risk assessment in place in
a short period of time. For this reason, an example of risk assessment based on the
degree of impact on financial information and the incidence is shown in Chart IV 1-2.
In this example, risks are rated (high/medium/low) on the basis of (a) the degree of
impact on financial information (large/medium/small) and (b) the incidence
(high/medium/low). Note that this example is intended for companies with only limited
experience; companies that can analyze their own risks and take appropriate measures
should perform the assessment by their established methods (⇒ II 4 (2) 4 B, Practice
Standards).

                     Chart IV 1-2 Examples of Risk Assessment

                                  (a) Degree of impact on financial information
                                  Large             Medium             Small
                    High          High              Medium             Medium
 (b) Incidence      Medium        Medium            Medium             Low
                    Low           Medium            Low                Low

Management takes risk management measures beginning with the “high” risks. No risk
management measures are necessary for “low” risks that management is prepared to
accept (⇒ III 4 (2) 4 B, Practice Standards).

(3) Selection of Control Objectives Necessary for the Design and Assessment of IT
Controls

Risk management measures are determined after the risks that need to be addressed have
been identified. Risk management measures include avoidance, reduction, transfer, and
acceptance, which may be applied singly or in combination (⇒ I 2 (2) 2, Practice
Standards).

Companies are required to design, operate, and assess IT controls. Chart IV 1-3
shows the process of selecting the control objectives necessary for the design and
assessment of IT controls.

                 Chart IV 1-3 IT Control Objective Selection Process

1 Risk analysis and assessment (assessment of one’s own IT controls)
          ↓
2 Handling of important risks yet to be addressed
          ↓
3 Use of the control objectives specified in the System Management Standards

1 Risk Analysis and Assessment

Companies perform risk analysis and implement controls to reduce the possibility of
false or incorrect information being included in their financial reports. For IT-
related risks, they evaluate whether the existing controls function effectively. One
way to perform this assessment is to first evaluate whether the IT risks over financial
reports are reduced by the IT control items already implemented at the company or
customary in its industry.

2 Handling of important risks yet to be addressed

If the risk analysis shows that all important risks have been addressed, IT controls
are functioning effectively. On the other hand, if any critical IT risk related to the
misrepresentation of financial reports remains, an assessment is made as to whether
that risk is attributable to insufficient internal controls. If the assessment shows
that the risk needs to be addressed, IT controls are deployed. The IT control items for
this purpose are selected from among those listed in the System Management Standards
or the Information Security Management Standards established by the Ministry of
Economy, Trade and Industry, insofar as they are appropriate for reducing the
company’s risks. The company confirms that these control items reduce the risk of
misrepresentation of financial reports to an acceptable level. If the risk remaining
after the necessary IT controls are implemented is not at a negligible level,
additional non-IT control items are applied. For example, for risks related to the
reliability of financial information, a manual check of the results generated by the
system may be one option.

3 Use of the Control Objectives Specified in the System Management Standards

Companies may use the System Management Standards and the Information Security
Management Standards to reduce risks related to the misrepresentation of financial
reports. What is important in applying the System Management Standards or the
Information Security Management Standards is not to implement all the control
measures, but to perform those control measures that are sufficient to reduce the
company’s own IT-related risks.

In the selection of control items, the control objectives and examples set forth in
Sections 2 to 5 of this chapter may be used. These sections simplify the steps shown in
Chart IV 1-3: for each control item they set forth “control guidelines,” “examples of
control objectives,” and “examples of controls and control assessment procedures,” the
last consisting of an “example of risk,” an “example of control,” and an “example of
control assessment procedure.” Companies may check the control items and examples for
the areas in which they are exposed to high risks and may learn from the controls and
control assessments provided.

How control items should be selected when the System Management Standards are
applied is shown in Appendix 2 “How to Use the Control Objectives Specified in the
System Management Standards” (each reference to the System Management Standards
consists of the relevant chapter number, major category, and section number).

When control items for reducing the risk of false information being included in
financial reports are designed or assessed, it may be convenient to list the necessary
control items in a risk control matrix for design or assessment purposes. An example
of such a risk control matrix is provided in Appendix 6 “Examples of a Risk Control
Matrix.”

(4) Instructions regarding the Use of this Chapter

This chapter discusses specific control objectives for the design and assessment of IT
controls in order to assure the reliability of financial reports; it “is not intended to
directly require organizations to design and operate IT controls for the achievement of
objectives other than the reliability of financial reporting” (⇒ I 2 (6) 2 [IT
controls] A, Practice Standards). Therefore, the examples of IT controls in this
chapter are provided only for the purpose of the design and assessment of IT controls
related to financial reports. Companies determine at their own discretion which IT
control items to use.
The controls set forth in the System Management Standards etc. may not be applicable
to companies in certain industries; such companies may need to implement their own
control measures.

2. Company-level IT Controls

(1) Preparation and Indication of Basic IT Policy (Control Environment)

[Control Guidelines]

Companies are expected to properly understand their IT environment, set a clear basic
policy for the organization through the preparation of IT strategies, plans, budgets,
etc., and make use of IT through the recruitment and development of appropriate
personnel; responsibility for taking these actions lies with the corporate manager
(⇒ II (Exhibit 1) Response to IT, Practice Standards).

The elements of the control environment related to IT may include the following.
(a) The corporate manager’s interest in and attitude toward IT
(b) The preparation of IT-related strategies, plans, budgets, etc., and the establishment of
relevant systems
(c) The organization staff’s basic knowledge of IT and ability to use IT
(d) Policy on IT education and training
(⇒ I 2 (6) 2 [Use of IT] A, Practice Standards)

[Examples of Control Objectives]

2-(1)-1        Management sets strategies and plans for dealing with IT related to
               financial reports. (⇒ I Strategic IT Plan 1.1 (1) to (2), I Strategic IT Plan
               1.1 (4), I Strategic IT Plan 1.3 (1), I Strategic IT Plan 1.4 (1), System
               Management Standards)
2-(1)-2        A company-level organization to determine IT policies and plans is
               established and operated effectively. (⇒ I Strategic IT Plan 1.1 (1), I
               Strategic IT Plan 2.1 (1), System Management Standards)
2-(1)-3        The division of work related to IT, and responsibility and authority for IT
               are clearly defined. (⇒ VI Common Processes 4.1 (1) to (3), I Strategic
               IT Plan 2.2 (1) to (2), System Management Standards)
2-(1)-4        The staff of the IT and user departments engaged in IT-related activities
               are properly recruited, developed, and trained. (⇒ VI Common
               Processes 4.3 (1) to (3), System Management Standards)
2-(1)-5        A basic information security policy is set. (⇒ I Strategic IT Plan 1.1 (6),
               System Management Standards)

[Examples of Controls and Control Assessment Procedures]

2-(1)-1
  Example of risk: The reliability of financial reports is impaired because IT
  measures are not taken systematically by the organization.
  Example of control: A policy on response to IT related to financial reports is
  presented by management and approved by the board of directors, etc.
  Example of control assessment procedure: Make sure that management’s IT policy
  is incorporated into IT plans (mid-term, annual, or other IT plans), annual
  budgets, etc., and is approved by the board of directors, the management
  council, etc.

2-(1)-2
  Example of risk: A response to IT for financial reports is not taken properly
  because of inadequacies in the IT-related organization.
  Example of control: A corporate organization for determining and implementing
  specific IT policies, including the response to IT for financial reports, is
  established and operated effectively.
  Example of control assessment procedure: Make sure that an information system
  implementation committee or similar body is organized to ensure company-level
  coordination with respect to the response to IT, or that such coordination is
  carried out by the board of directors, the management council, etc., whichever
  is appropriate for the relevant company group.

2-(1)-3
  Example of risk: Improper transactions or mistakes are overlooked, or the
  reliability of information is not secured, because responsibility for the
  management and implementation of IT-related activities is undefined.
  Example of control: The division of roles in, and responsibility for,
  IT-related activities are clearly defined.
  Example of control assessment procedure: Make sure that the roles and
  responsibilities of the IT department, user departments, and trustees
  (including information system subsidiaries) are properly defined in job
  description rules, etc. and are fully communicated to related departments and
  group companies.

2-(1)-4
  Example of risk: IT-related activities are not carried out properly because of
  a lack of appropriate personnel.
  Example of control: The personnel of IT and user departments engaged in
  IT-related activities are properly recruited, developed, and trained (the
  possibility of entrusting such activities to an outside business instead of
  hiring employees is also considered).
  Example of control assessment procedure: Make sure that policies on the
  recruitment and development of the personnel of IT and user departments
  engaged in IT-related activities are incorporated into IT plans, annual
  budgets, etc., and approved by the board of directors, the management council,
  etc. If such activities are entrusted to an outside business, the relevant
  policy of that business should also be checked.

2-(1)-5
  Example of risk: Appropriate information security is not ensured because there
  is no clear information security policy.
  Example of control: A basic information security policy is established and
  approved by the corporate manager.
  Example of control assessment procedure: Make sure that a basic information
  security policy is established, approved by the corporate manager, and fully
  communicated to the relevant departments and group companies.

(2) Assessment and Response of IT-related Risks (Risk Assessment and Response)

[Control Guidelines]

The assessment of and response to IT-related risks for a company consist of
appropriately assessing the risks related to the IT environment surrounding the
company and implementing the necessary measures based on that assessment. Any new
risks that may be created as a result of applying IT to control activities require
consideration (⇒ II (Exhibit 1) Response to IT, Practice Standards). A system to
re-assess risks and take appropriate action upon any change that may have a
substantial impact on the preparation of reliable financial reports is also required
(⇒ II (Exhibit 1) Risk Assessment and Response, Practice Standards).

[Examples of Control Objectives]

2-(2)-1             A policy on the assessment of IT-related risks is set and applied (⇒ I
                    Strategic IT Plan 4 (2), System Management Standards).
2-(2)-2             Any new risks which may be created as a result of applying IT to
                    control activities are taken into consideration (⇒ II. Planning processes
                    2 (5), III System Development 1 (4), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

2-(2)-1
  Example of risk: Important risks are overlooked because IT risk assessment is
  not performed (appropriate measures are not taken).
  Example of control: Rules for IT risk assessment are laid down, and risk
  assessment and management are carried out in accordance with those rules.
  Example of control assessment procedure: Make sure that IT risk assessment
  rules for the entire company and for business processes are laid down and that
  important problems are reported to the corporate manager.

2-(2)-2
  Example of risk: A new risk is created as a result of applying IT to control
  activities.
  Example of control: Risk management measures are taken with due consideration
  given to any new risks created as a result of applying IT to control
  activities.
  Example of control assessment procedure: Make sure that any change in IT
  development, etc. that may have a substantial impact on financial reports is
  properly understood and that risk re-assessment and management are carried out
  in accordance with the procedures specified in the IT risk assessment rules.

(3) Use of IT and IT Controls (Control Activities)

[Control Guidelines]

The relationship between control activities and IT has two aspects: how policies and
procedures related to IT general controls and IT application controls should be set
and implemented (⇒ II (Exhibit 1) Response to IT, Practice Standards), and how IT
should be incorporated into business processes and properly applied where IT is used
for control activities (⇒ I 2 (6) 2 [Use of IT] C, Practice Standards).

With respect to policies and procedures related to IT general controls and IT
application controls, rules for IT-related business processes and for financial
reports and financial information are established under the responsibility of the
corporate manager and fully communicated to related departments and group companies.

On the other hand, control activities can be performed without IT, but may be carried
out more accurately and efficiently with IT. For example, suppose an inventory
verification program is incorporated into a production management system, and the
business processes include entries by the manufacturing department of the quantities
of raw materials drawn from the warehouse in accordance with production order data,
and entries by the warehouse of its daily raw material inventory. The system can then
recognize any difference between the book and actual inventory and identify problems.
Information is processed more quickly than when done manually and careless mistakes
are prevented, which also makes it easier to carry out procedures at the internal
control assessment and audit stages (⇒ I 2 (6) 2 [Use of IT] C, Practice Standards).
Management should therefore set policies and procedures for any new use of IT and
fully communicate them to related departments and group companies.
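The inventory verification control described in the paragraph above, as an added example that is not part of the METI guidance or of any vendor system: a reconciliation the production management system could run each day. It deducts the quantities entered by the manufacturing department from the opening balance, checks each issue against the production orders, and compares the resulting book quantity with the warehouse's count. The record layouts, field names, tolerance and the sample entries are assumptions constructed for this example.

```python
"""Inventory verification as an IT-applied control activity.

Added example, not code from the METI guidance or any vendor system. The
record layouts, field names, tolerance and all sample data are constructed
assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProductionOrder:
    order_no: str
    material: str
    planned_qty: int


@dataclass(frozen=True)
class Issue:
    """Raw material drawn from the warehouse, entered by manufacturing."""
    order_no: str
    material: str
    qty: int


@dataclass(frozen=True)
class Count:
    """Daily physical inventory, entered by the warehouse."""
    material: str
    qty: int


def book_inventory(opening: Dict[str, int], issues: List[Issue]) -> Dict[str, int]:
    """Book quantity per material: opening balance minus everything issued.

    Every recorded issue is deducted, including ones that turn out to lack a
    matching order, because the material physically left the warehouse.
    """
    book = dict(opening)
    for i in issues:
        book[i.material] = book.get(i.material, 0) - i.qty
    return book


def verify_inventory(opening: Dict[str, int], orders: List[ProductionOrder],
                     issues: List[Issue], counts: List[Count],
                     tolerance: int = 0) -> List[str]:
    """Return the exceptions a reviewer should follow up on.

    Three checks: an issue must reference an existing production order for the
    same material, cumulative issues must not exceed the order's planned
    quantity, and book and actual quantities must agree within tolerance.
    """
    exceptions: List[str] = []
    orders_by_no = {o.order_no: o for o in orders}
    issued_per_order: Dict[str, int] = defaultdict(int)

    for i in issues:
        order = orders_by_no.get(i.order_no)
        if order is None or order.material != i.material:
            exceptions.append(
                f"issue of {i.qty} {i.material} has no matching production order {i.order_no}")
            continue
        issued_per_order[i.order_no] += i.qty
        if issued_per_order[i.order_no] > order.planned_qty:
            exceptions.append(
                f"order {i.order_no}: issued {issued_per_order[i.order_no]} "
                f"exceeds planned {order.planned_qty}")

    book = book_inventory(opening, issues)
    actual = {c.material: c.qty for c in counts}
    for material in sorted(set(book) | set(actual)):
        diff = actual.get(material, 0) - book.get(material, 0)
        if abs(diff) > tolerance:
            exceptions.append(
                f"{material}: book {book.get(material, 0)}, actual "
                f"{actual.get(material, 0)}, difference {diff:+d}")
    return exceptions


def run_sample() -> List[str]:
    """Run the check over constructed sample records for one day."""
    opening = {"STEEL": 500, "RESIN": 200}
    orders = [ProductionOrder("PO-001", "STEEL", 100),
              ProductionOrder("PO-002", "RESIN", 50)]
    issues = [Issue("PO-001", "STEEL", 100),
              Issue("PO-002", "RESIN", 60),    # over the planned quantity
              Issue("PO-999", "STEEL", 20)]    # order number does not exist
    counts = [Count("STEEL", 375),             # book is 380: 5 units missing
              Count("RESIN", 140)]             # agrees with book
    return verify_inventory(opening, orders, issues, counts)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run as a script it lists the three exceptions in the sample data. In practice the exception list is what the control owner reviews and signs off each day, and that signed list is the evidence an assessor would sample when testing the control.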

[Examples of Control Objectives]

2-(3)-1    Policies and procedures related to IT general controls and IT application
           controls are established properly (⇒ I Strategic IT Plan 1.1 (5) to (6),
           System Management Standards).
2-(3)-2    Policies and procedures are set for the application of IT to control activities
           (⇒ I Strategic IT Plan 4 (1), System Management Standards).


[Examples of Controls and Control Assessment Procedures]

2-(3)-1
  Example of risk: The reliability of financial reports is not ensured because
  IT control activities are not performed properly.
  Example of control: Policies for the introduction of IT general controls and
  IT application controls are set and fully communicated to related departments
  and group companies.
  Example of control assessment procedure: Make sure that policies for the
  introduction of IT general controls and IT application controls are approved
  by the board of directors, the management council, etc., and fully
  communicated to related departments and group companies.

2-(3)-2
  Example of risk: Where IT is applied to control activities, IT is not used
  properly because there are no appropriate policies or procedures for doing so.
  Example of control: In anticipation of IT being applied to control activities,
  policies for applying IT to application systems related to financial reports
  so as to ensure proper control activities are set and fully communicated to
  related departments and group companies.
  Example of control assessment procedure: Make sure that, in anticipation of IT
  being applied to control activities, policies for incorporating IT into
  application systems related to financial reports as a control activity are set
  and fully communicated to related departments and group companies.

(4) Establishment of Information Systems and Processes (Information and
Communication)

[Control Guidelines]

IT information and communication means the communication of management’s IT
policy to each level of the organization, and systems and processes to communicate
information on the status of IT-related activities. With respect to the communication of
the corporate manager’s IT policy, the matters specified in Chapter IV, Section 2(1)
apply.

With respect to systems and processes to communicate information on the status of IT-
related activities, it is desirable to properly establish and implement systems and
processes that ensure two-way communication and sharing of information within the
company (the corporate manager, the IT department, user departments, and related
departments) and with business trustees (where business activities are entrusted to
non-group companies).

[Examples of Control Objectives]

2-(4)-1     Information on the status of IT-related activities is identified, understood,
            and processed, and a system to communicate such information to interested
            parties on the inside and outside is established and properly implemented.

[Examples of Controls and Control Assessment Procedures]

2-(4)-1
  Example of risk: IT-related risks are not properly handled because important
  IT problems (e.g., system failures, changes, action status) are not properly
  communicated within the company (the corporate manager, the IT department,
  user departments, and related departments) or to business trustees, partners,
  suppliers, etc.
  Example of control: Policies and procedures requiring the corporate manager to
  communicate important IT problems (e.g., system failures, changes, action
  status) in IT-related activities and projects within the company (the
  corporate manager, the IT department, user departments, and related
  departments) or to business trustees, partners, suppliers, etc. are
  established and implemented.
  Example of control assessment procedure: Make sure that information on
  important IT problems (e.g., system failures, changes, action status) in
  IT-related activities and projects is communicated within the company (the
  corporate manager, the IT department, user departments, and related
  departments) or to business trustees, partners, suppliers, etc., and shared by
  them whenever necessary.


(5) Checking of the Implementation Status in the Company (Monitoring)

Monitoring will be discussed in detail in Chapter IV, Section 5 (Monitoring).

Risk Control Matrix for Company-level IT Controls

Company-level IT controls do not by themselves ensure the reliability of financial
information; they provide the basis for the effectiveness of IT general controls and
IT application controls. Therefore, a detailed examination of control activities may
be performed as part of the assessment of IT general controls and IT application
controls, while the examination of company-level IT controls need only assess whether
corporate policies and procedures are set under the responsibility of management.

In order to assess the implementation status of company-level IT controls, it may be
convenient to prepare a risk control matrix. An example is provided below. An example
of a concrete risk control matrix is provided in Appendix 6 “Examples of a Risk Control
Matrix.”

3. IT General Controls

This section discusses common control items related to financial information,
including the IT infrastructure. IT general controls center on two points: the
development of new information systems that handle financial information, and the
operation of the developed systems. For the latter, it is important to control access
to the information system after it goes into operation and to control changes to
software and data. Common IT control items from development through operation are
illustrated below.
IT general controls related to the IT infrastructure are implemented to reduce the
risk of financial information processed by IT applications being misrepresented; they
do not cover the IT infrastructure for its own sake.

(1) Development and Procurement of Information System Software

(⇒ III 4 (2) 2 B a, Practice Standards)

1 System Development and Procurement

[Control Guidelines]

The development and procurement of information system software related to financial
information is an important process for the attainment of management objectives, so
standardized development techniques, testing, and formal implementation procedures
are used to prevent errors and improper transactions.

When a company uses information systems to process its financial information, it may
develop software for information systems related to financial information (e.g., systems
for sales administration, receivables control, and the preparation of financial statements)
on its own or purchase a package of such software. In either case, it is important to
provide and implement control functions that prevent erroneous or improper
inputs/outputs or internal information processing, and any inadequacy in such functions
may have a substantial impact on the reliability of financial information.

If a company develops the software in-house, it should implement controls that prevent
program errors and the embedding of unauthorized code by developers, both in the
design process in which system requirements are determined and in the software
development process. The corporate manager also ensures that the organization’s
standard development techniques are set and followed, so that deliberate alterations
or irregularities in this process are prevented. Furthermore, upon the completion of
development, the developed software is fully tested to make sure that it has been
implemented in accordance with the specifications. Software testing should preferably
be carried out independently of software development.

If package software is purchased, it should be noted that adequate control is not
achieved merely by purchasing the software. For example, where an authentication
function is used to limit access, no control is in fact in place unless an ID and a
password are set for each relevant person and the scope of access granted to that
person is defined.



[Examples of Control Objectives]

a. Development

3-(1)-1-A    There are information system development policies, procedures, and
             techniques (development standards) approved by the person responsible
             (⇒ III System Development 1. (1) to (2), III System Development 2. (1),
             III System Development 3. (1), System Management Standards).
3-(1)-1-B    Development techniques take the integrity, accuracy, and correctness of
             financial information into consideration (⇒ III System Development 2.
             (4) to (5) and (11), System Management Standards).
3-(1)-1-C    Information systems are designed to prevent errors and improper
             transactions, ensure availability, and be consistent with other systems
             (⇒ III System Development 2. (9), System Management Standards).

b. Procurement

3-(1)-1-D    The procurement of information systems related to financial information
             is planned in accordance with the corporate IT policy (⇒ II Planning
             processes 3. (1), System Management Standards).
3-(1)-1-E    Adequate and appropriate testing is carried out to verify that controls are
             in place and implemented effectively (⇒ III System Development 2.
             (12), 4. (4), 5. (1) to (13), System Management Standards).


[Examples of Controls and Control Assessment Procedures]

3-(1)-1-A
    Example of risk: Unauthorized programs are willfully embedded in IT at the
    development stage, or transaction errors emerge.
    Example of control: There are standardized policies and procedures for IT
    development, and IT is developed and renewed in accordance with such policies and
    procedures.
    Example of control assessment procedure:
    - Examine past projects related to financial information and check how the
      development policies and procedures were used in development and renewal.
    - Make sure from documents, work products, etc. that each development/renewal
      process was carried out properly.

3-(1)-1-B
    Example of risk: Willful improper transactions or transaction errors may occur in
    the IT development process.
    Example of control: It is ensured that integrity, accuracy, and correctness controls
    to ensure the reliability of financial information are realized in the IT
    development process.
    Example of control assessment procedure:
    - Obtain standards etc. for the development of application systems and check
      whether they contain a description of a development process to prevent errors
      and improper transactions.
    - Check up on the implementation of the controls in the IT development process
      (for example, make sure that an appropriate IT transaction control function is
      considered and incorporated in the concept and detailed design processes).

3-(1)-1-E
    Example of risk: Errors may occur if error or improper transaction prevention
    functions do not work.
    Example of control: Control functions related to the reliability of financial
    information are tested during the IT development stage (see 4 "Test" below for
    the details of the test).
    Example of control assessment procedure:
    - Check whether tests were conducted in past development projects related to
      financial information (for example, by interviewing the persons involved or
      reviewing records).
    - Check whether tests related to integrity, accuracy, and correctness were carried
      out in the development test process for the information system related to
      financial information (for example, check whether a sales data duplicate entry
      test was performed and the test results recorded).
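The "sales data duplicate entry test" named in the assessment procedure for 3-(1)-1-E is the kind of control test this table expects to see performed and recorded. The following is an added example and is not part of the METI guidance: a small sales ledger with a duplicate-entry control function, and a test routine that exercises that function with constructed sales data and returns a result record. The SalesLedger class, its field names, the three-day review window and the sample invoices are assumptions made for the example.

```python
"""Added example (not from the METI guidance): a duplicate-entry control for
sales data and a test routine that exercises it and records the result.
SalesLedger, its fields, the review window and the sample invoices are
assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SalesEntry:
    invoice_no: str
    customer: str
    amount: int        # minor currency units, e.g. yen
    entry_date: date


class DuplicateEntryError(ValueError):
    """Raised by the hard control: an invoice number may be posted only once."""


class SalesLedger:
    """Sales ledger with two duplicate-entry controls.

    Hard control: a second posting of the same invoice number is rejected.
    Soft control: a posting with the same customer and amount as an existing
    entry within `review_window_days` is accepted but flagged for review, so
    a re-keyed invoice under a new number does not pass silently.
    """

    def __init__(self, review_window_days=3):
        self._entries = {}          # invoice_no -> SalesEntry
        self._flagged = []          # (existing invoice_no, new invoice_no)
        self._window = timedelta(days=review_window_days)

    def post(self, entry):
        if entry.invoice_no in self._entries:
            raise DuplicateEntryError(f"invoice {entry.invoice_no} already posted")
        for other in self._entries.values():
            same = other.customer == entry.customer and other.amount == entry.amount
            if same and abs(other.entry_date - entry.entry_date) <= self._window:
                self._flagged.append((other.invoice_no, entry.invoice_no))
        self._entries[entry.invoice_no] = entry
        return entry.invoice_no

    def flagged(self):
        return list(self._flagged)

    def control_total(self):
        return sum(e.amount for e in self._entries.values())


def run_duplicate_entry_test():
    """Exercise the control with constructed data; return a test record."""
    ledger = SalesLedger()
    day = date(2007, 3, 30)
    ledger.post(SalesEntry("INV-1001", "C-01", 120_000, day))
    ledger.post(SalesEntry("INV-1002", "C-02", 55_000, day))

    checks = {}
    # Case 1: an exact re-posting of INV-1001 must be rejected.
    try:
        ledger.post(SalesEntry("INV-1001", "C-01", 120_000, day))
        checks["exact_duplicate_rejected"] = False
    except DuplicateEntryError:
        checks["exact_duplicate_rejected"] = True
    # Case 2: same customer and amount next day under a new number is flagged.
    ledger.post(SalesEntry("INV-1003", "C-01", 120_000, day + timedelta(days=1)))
    checks["near_duplicate_flagged"] = ("INV-1001", "INV-1003") in ledger.flagged()
    # Case 3: a legitimate repeat order a month later is not flagged.
    ledger.post(SalesEntry("INV-1004", "C-02", 55_000, day + timedelta(days=30)))
    checks["repeat_outside_window_not_flagged"] = all(
        new != "INV-1004" for _, new in ledger.flagged())

    return {
        "checks": checks,
        "passed": all(checks.values()),
        # Four entries accepted; the rejected duplicate is excluded.
        "control_total": ledger.control_total(),
    }
```

The returned record (the individual checks, the overall verdict and the control total after the test) is what an assessor would expect to find preserved as the test result; a test that only prints "OK" leaves nothing to examine later.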


2 Establishment of IT Infrastructure

[Control Guidelines]

A wide variety of application systems related to financial information use the information
processing and communication functions provided by the IT infrastructure (e.g., servers,
networks, and databases). Therefore, in order for the information processing and
communication functions provided by the IT infrastructure to work properly, the design,
procurement, and introduction of the IT infrastructure should be placed under
appropriate control. In particular, control over servers, networks, databases, and other
components of the IT infrastructure is very important in assuring the reliability of
financial report application systems.

The absence of an appropriately controlled IT infrastructure increases the risk that correct
data is not furnished to financial report application systems, that such systems fail to
work normally, or that improper transactions or alterations made prior to financial
reporting go undetected.

[Examples of Control Objectives]

a. Establishment of IT infrastructure

3-(1)-2-A       The IT infrastructure (infrastructure systems such as servers and
                computers, including network equipment and software) can ensure the
                reliability of information equipment related to financial information (⇒
                III System Development 1. (5) to (7), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

3-(1)-2-A
    Example of risk: The data being handled is not reliable if the IT infrastructure
    interface is not reliable.
    Example of control: The IT infrastructure interface is tested to make sure that
    transmitted data is reliable.
    Example of control assessment procedure:
    - Check the IT infrastructure which is important for financial reporting to make
      sure that accuracy is verified by data transmission/receipt tests and the test
      results are recorded.
    - If a uniform architecture etc. is adopted for the IT infrastructure, confirm it.

3-(1)-2-A
    Example of risk: The system does not work normally if the IT infrastructure
    settings are not appropriate.
    Example of control: The IT infrastructure settings are kept appropriate (there is no
    unexplained alteration).
    Example of control assessment procedure: Make sure from records of settings and
    maintenance that the IT infrastructure is properly set and maintained (for example,
    on the PCs used by responsible persons, operating systems and software are used
    and access is limited in accordance with standards set by the company).




3 Change Management

For IT related to financial reports, the changes and alterations made to maintain the
integrity, accuracy, and correctness of information processing are controlled by change
management.

Change management is control over changes and alterations and their impact. The
absence of adequate change management could therefore result in system malfunction
or shutdown, uncontrolled data alterations, etc., affecting the reliability of financial
reports.

Change management should consist of appropriate control over software changes,
system changes, changes made during software maintenance, and data changes, so that
programs and important data are not altered without authorization.

[Control Guidelines]

Change management is essential for companies to maintain the reliability of their
financial reports after the functionality of information systems related to financial
information is modified. Inadequate change management could have a substantial
impact on financial reports. For example, if account items are modified, approval is
obtained before the modification and testing is conducted after it to ensure the
integrity of the account classification and of the reports.

For system changes, adequate examination is performed to make sure that the changes
are consistent with the existing systems, and records of the change process are
preserved.

[Example of Control Objectives]

a. Change management

3-(1)-3-A        Change management rules and procedures are set and approved by the
                 persons responsible for the relevant business process, development,
                 and maintenance (⇒ VI Common Processes 6.1 (1), System
                 Management Standards).
3-(1)-3-B        When a change request is made, its potential impact on other systems
                 is considered (⇒ VI Common Processes 6.2. (2), System Management
                 Standards).
3-(1)-3-C        Urgent change requests are made in writing and in accordance with
                 change management procedures.

b. Change management for General Software (When Programs are Developed)

3-(1)-3-D        System designs, program designs, etc., are changed in accordance with
                 maintenance plans, and such changes are approved by the persons
                 responsible for the relevant business process and activity and for
                 maintenance (⇒ V Maintenance 3. (1), System Management
                 Standards).
3-(1)-3-E      Program changes are approved by the person responsible for
               maintenance in accordance with change management procedures (⇒
               V Maintenance 3. (2), System Management Standards).
3-(1)-3-F      It is verified that programming is in accordance with the program
               designs (⇒ V Maintenance 3. (3), System Management Standards).
3-(1)-3-G      Program tests are conducted in accordance with test plans (⇒ V
               Maintenance 4. (1), System Management Standards).
3-(1)-3-H      Program tests are conducted with the participation of the person
               responsible for the relevant business activity etc. (⇒ V Maintenance.
               4. (3) System Management Standards).
3-(1)-3-I      Program test results are approved by the persons responsible for the
               relevant business activity, operation, and maintenance (⇒ V
               Maintenance 4. (4) System Management Standards).
3-(1)-3-J      The fully-fledged operation of programs is initiated by the person
               responsible for operation.
3-(1)-3-K      Records of the results of program tests and the commencement of
               fully-fledged operation are taken and preserved (for records and
               preservation, see the test section) (⇒ V Maintenance 4. (5) System
               Management Standards).

c. Change management for Package Software

3-(1)-3-L      Functional additions or other changes are made only when necessary.
3-(1)-3-M      It is verified that the latest approved patches have been introduced.
3-(1)-3-N      Tests are conducted and test results preserved.
3-(1)-3-O      Fully-fledged operation is initiated only by the person responsible for
               operation.

d. Change Result Management

3-(1)-3-P      Change results are approved by the persons responsible for the
               relevant business activity and development. Changes resulting in a
               major change in the operation or maintenance of the IT infrastructure
               are approved by the persons responsible for operation and
               maintenance (⇒ VI Common Processes 6.2. (3), System Management
               Standards).
3-(1)-3-Q      The status is documented from proposal until completion to keep track
               of the progress (⇒ VI Common Processes 6.1. (3), System
               Management Standards).




[Examples of Controls and Control Assessment Procedures]

3-(1)-3-A
    Example of risk: Programs are tampered with or altered without approval.
    Example of control: Program changes, including system software changes, and
    system changes and maintenance control are in accordance with change
    management procedures (standardized, recorded, approved, and documented).
    Example of control assessment procedure:
    - Check whether change management procedures are documented and the current
      status of IT is understood (it is desirable that all changes in the actual
      operational environment, including program changes, system maintenance
      control, and infrastructure changes, be controlled in accordance with change
      management procedures, and that change requests be approved and kept track of
      until the programs are developed, tested, and put into fully-fledged operation).
    - Check whether program changes are conducted properly (e.g., with relevant
      duties duly divided) under a controlled environment in accordance with change
      management procedures (for example, select several application and other
      changes made in the past and check if they were properly tested and approved
      prior to the launch of fully-fledged operation; also check if the functional
      requirements, security, connectivity with the IT infrastructure, etc., were
      examined and tested).
    - Check whether there is any unapproved, unexplained change (for example, obtain
      records of changes in fully-fledged operation and check if all the change
      requests, approvals, changeovers, etc., are explained).

3-(1)-3-C
    Example of risk: Programs are tampered with or altered without approval in times
    of emergency.
    Example of control: Urgent change requests are in accordance with written official
    change management procedures.
    Example of control assessment procedure:
    - Check whether there are procedures for urgent change management (for example,
      check if there are change logs for all the activities that were conducted
      urgently, and if such logs were approved).
    - Check if the urgent change management procedures include cancellation
      procedures.
    - Make sure that all urgent changes were tested and approved in accordance with
      standard approval procedures after the change (for example, investigate cases of
      change for which "urgent change" is indicated and check whether they were
      approved, and, where special access was granted, whether such access was
      deleted after the completion of the change; also make sure that the changes were
      recorded).

3-(1)-3-D
3-(1)-3-E
    Example of risk: Programs are tampered with when the change results are
    transferred into the actual operational environment.
    Example of control: When the changed programs are put into fully-fledged
    operation, such transfer is approved by the responsible person and conducted with
    the relevant authority duly divided.
    Example of control assessment procedure:
    - Check if approval is obtained before the program is put into fully-fledged
      operation (for example, make sure that approval is obtained from the persons
      responsible for the relevant process, system development, the relevant business
      activity, etc.).
    - In connection with the initiation of fully-fledged operation, make sure that the
      responsibilities for such initiation and for system development are separated or
      checked properly (for example, make sure from the implementation records,
      result reports, and other records that the initiation of fully-fledged operation is
      not left to the discretion of the system developer).
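The assessment procedures for 3-(1)-3-A, 3-(1)-3-C and 3-(1)-3-D/E come down to reconciling what actually changed in the operational environment against the change requests that were approved. The following added example is not part of the METI guidance: it runs that reconciliation over a constructed production change record and a constructed register of change requests. Every change put into operation must reference an approved request for the same system, the person putting it into operation must not be its developer, and an urgent change must carry post-implementation approval and have any special access revoked. The log line format, the request record layout and the finding codes are assumptions made for the example.

```python
"""Added example (not from the METI guidance): reconciling a production change
log against approved change requests, as the assessment procedures for
3-(1)-3-A, -C and -D/E require. Log format, request record layout and finding
codes are assumptions made for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    code: str
    detail: str


# Constructed register of approved change requests.
# temp_access_revoked: None = no special access was granted, True = granted
# and revoked after completion, False = granted and still open.
CHANGE_REQUESTS = {
    "CR-0107": {"system": "AR", "kind": "normal", "developer": "dev1",
                "post_approval": None, "temp_access_revoked": None},
    "CR-0112": {"system": "GL", "kind": "urgent", "developer": "dev2",
                "post_approval": "mgrB", "temp_access_revoked": True},
    "CR-0115": {"system": "GL", "kind": "urgent", "developer": "dev2",
                "post_approval": None, "temp_access_revoked": False},
    "CR-0118": {"system": "AP", "kind": "normal", "developer": "dev3",
                "post_approval": None, "temp_access_revoked": None},
}

# Constructed record of changes put into fully-fledged operation.
PROD_CHANGE_LOG = """\
2007-03-12T02:14 deploy system=AR build=4.2.1 cr=CR-0107 by=ops1
2007-03-20T23:40 deploy system=GL build=7.0.3 cr=CR-0112 by=ops2
2007-03-22T01:05 deploy system=AP build=2.9.0 cr=CR-0118 by=dev3
2007-03-25T22:15 deploy system=GL build=7.0.4 cr=CR-0115 by=ops2
2007-03-27T03:30 deploy system=AR build=4.2.2 by=dev1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) deploy system=(?P<system>\S+) build=(?P<build>\S+)"
    r"(?: cr=(?P<cr>\S+))? by=(?P<by>\S+)$")


def audit_change_log(log_text, change_requests):
    """Return one Finding per control failure found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "UNPARSEABLE", line))
            continue
        ts, system, build, cr_id, by = m.group("ts", "system", "build", "cr", "by")
        cr = change_requests.get(cr_id) if cr_id else None

        # 3-(1)-3-A: every change in operation must be explained by an
        # approved change request for the same system.
        if cr is None:
            findings.append(Finding(ts, "UNEXPLAINED_CHANGE",
                                    f"{system} {build} by {by}: no approved change request"))
            continue
        if cr["system"] != system:
            findings.append(Finding(ts, "CR_SYSTEM_MISMATCH",
                                    f"{cr_id} approved for {cr['system']}, applied to {system}"))

        # 3-(1)-3-D/E: initiation of fully-fledged operation is not left to
        # the developer of the change.
        if by == cr["developer"]:
            findings.append(Finding(ts, "SOD_VIOLATION",
                                    f"{cr_id}: developer {by} also put the change into operation"))

        # 3-(1)-3-C: urgent changes need approval after the fact, and any
        # special access granted for them must be removed on completion.
        if cr["kind"] == "urgent":
            if not cr["post_approval"]:
                findings.append(Finding(ts, "URGENT_NO_POST_APPROVAL",
                                        f"{cr_id}: no post-implementation approval recorded"))
            if cr["temp_access_revoked"] is False:
                findings.append(Finding(ts, "TEMP_ACCESS_NOT_REVOKED",
                                        f"{cr_id}: special access still open"))
    return findings


if __name__ == "__main__":
    for f in audit_change_log(PROD_CHANGE_LOG, CHANGE_REQUESTS):
        print(f.timestamp, f.code, f.detail)
```

On the constructed data the check yields four findings: the AP change deployed by its own developer, the urgent GL change that was never approved after the fact and still has its special access open, and the final AR build with no change request at all. The reconciliation is only as good as the completeness of the production change record, so an assessor should first establish that the log captures every path by which code reaches the operational environment.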

4 Test

[Control Guidelines]

When new information systems are introduced into the actual operational environment,
or the IT infrastructure is modified or introduced there, appropriate tests are conducted
to make sure that the application systems work as designed. Without appropriate testing,
the application systems or the IT infrastructure may not function as designed, impairing
the reliability of financial information.

[Examples of Control Objectives]

a. Test Policies and Procedures

3-(1)-4-A     Test policies and procedures are set for the testing of application system
              software and the IT infrastructure (⇒ III System Development 2. (2),
              System Management Standards).
3-(1)-4-B     Test plans are approved by the persons responsible for development and
              testing (⇒ III System Development 5. (1), System Management
              Standards).

b. Test Environment

3-(1)-4-C     Tests are conducted in an environment isolated from the actual
              operational environment (⇒ III System Development 5. (5), System
              Management Standards).
3-(1)-4-D     When testing, test cases covering all requirements and reflecting actual use
              are prepared, and test data is prepared accordingly (⇒ III System
              Development 5. (8), System Management Standards).
3-(1)-4-E     When testing, the load expected to be generated in the anticipated
              environment is taken into consideration. If the peak load has a substantial
              impact on the tolerance of the information system, a peak load test is
              conducted (⇒ III System Development 5. (8), (9), System Management
              Standards).

c. Separation of Test Authority and Preservation of Results

3-(1)-4-F     Tests are conducted with the participation of persons not involved in
              development (e.g., persons responsible for operation and maintenance)
              (⇒ III System Development 5. (10), System Management Standards).
3-(1)-4-G     Solutions and risks are clearly defined for each of the problems found
              upon testing. Records thereof are preserved (⇒ III System Development
              5. (12), System Management Standards).
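Objective 3-(1)-4-D, together with the collation test the assessment table for this section calls for when financial data is transferred from an old system to a new one, can be made concrete as follows. This is an added example and not part of the METI guidance: two constructed exports (old and new system, with different account-number padding, amount formats and date formats) are normalized, collated key by key, and summarized with control totals, so that missing records, extra records, field-level discrepancies and total mismatches are all reported. The column names and the sample records are assumptions made for the example.

```python
"""Added example (not from the METI guidance): collation of financial data
migrated from an old system to a new one, as called for by 3-(1)-4-D.
Column names and sample records are constructed for this example."""
import csv
import io
from decimal import Decimal

# Constructed export from the old system: zero-padded account numbers,
# thousands separators in amounts, slash-separated dates.
OLD_SYSTEM_EXPORT = """\
acct_no,cust,balance,as_of
000123,C-01,"1,200,000",2007/03/30
000124,C-02,"55,000",2007/03/30
000125,C-03,"0",2007/03/30
000126,C-04,"-7,500",2007/03/30
"""

# Constructed export from the new system after migration. Deliberate defects:
# account 125 (zero balance) was dropped, 124 has the wrong balance, and 127
# appeared without a counterpart in the old system.
NEW_SYSTEM_EXPORT = """\
account_id,customer,balance,as_of
123,C-01,1200000.00,2007-03-30
124,C-02,50000.00,2007-03-30
126,C-04,-7500.00,2007-03-30
127,C-05,10.00,2007-03-30
"""


def normalize_old(row):
    """Map an old-system row to (key, canonical record)."""
    key = row["acct_no"].lstrip("0") or "0"
    return key, {
        "customer": row["cust"].strip(),
        "balance": Decimal(row["balance"].replace(",", "")),
        "as_of": row["as_of"].replace("/", "-"),
    }


def normalize_new(row):
    """Map a new-system row to (key, canonical record)."""
    key = row["account_id"].strip()
    return key, {
        "customer": row["customer"].strip(),
        "balance": Decimal(row["balance"]),
        "as_of": row["as_of"].strip(),
    }


def load(text, normalize):
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        key, rec = normalize(row)
        if key in records:       # a collation is meaningless on ambiguous keys
            raise ValueError(f"duplicate key {key}")
        records[key] = rec
    return records


def collate(old, new):
    """Key-by-key comparison plus control totals over both data sets."""
    mismatches = []
    for key in sorted(set(old) & set(new)):
        for field in old[key]:
            if old[key][field] != new[key][field]:
                mismatches.append((key, field, str(old[key][field]), str(new[key][field])))
    totals = {
        "old_count": len(old),
        "new_count": len(new),
        "old_balance": sum(r["balance"] for r in old.values()),
        "new_balance": sum(r["balance"] for r in new.values()),
    }
    report = {
        "missing_in_new": sorted(set(old) - set(new)),
        "extra_in_new": sorted(set(new) - set(old)),
        "field_mismatches": mismatches,
        "control_totals": totals,
    }
    # Control totals alone can hide offsetting errors, so the transfer is
    # accepted only when both the totals and the record-level checks are clean.
    report["clean"] = (totals["old_count"] == totals["new_count"]
                       and totals["old_balance"] == totals["new_balance"]
                       and not (report["missing_in_new"] or report["extra_in_new"]
                                or mismatches))
    return report


def run_collation_test():
    return collate(load(OLD_SYSTEM_EXPORT, normalize_old),
                   load(NEW_SYSTEM_EXPORT, normalize_new))
```

The normalization step matters as much as the comparison: without it, every record would differ on formatting and the real discrepancies (the dropped zero-balance account, the altered balance, the account that appeared from nowhere) would be lost in noise. Recording the report itself is the evidence that "a collation test was performed and no discrepancy was found" (or, as here, that discrepancies were found and must be resolved before acceptance).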




[Examples of Controls and Control Assessment Procedures]

               Example of risk         Example of control           Example of control
                                                                   assessment procedure
3-(1)-4-A    Without the testing     - Unit, system,             - Check the past
             of the information      integration, and            important development
             transmission            acceptance tests are        projects related to
             functionality of the    conducted to verify         financial information
             IT infrastructure, it   whether there are           and projects for the
             is impossible to        procedures for testing      functional renewal of
             verify whether          the functionality of the    the IT infrastructure.
             financial               IT infrastructure and       Make sure that there
             information is          whether data is             were test plans for the
             accurately              exchanged as                projects and the projects
             exchanged between       contemplated by the         were pursued in
             systems.                application system or       accordance with such
                                     the application system      plans.
                                     works normally.             - Make sure that as part
                                     - At the time of the        of such projects,
                                     renewal of the IT           functional items related
                                     infrastructure, tests are   to the reliability of
                                     conducted in                financial information
                                     connection with the         were tested. (For
                                     distribution of master      example, if it is likely
                                     data in application         that data transmissions
                                     systems etc., data          between systems on the
                                     conversion and              IT infrastructure are
                                     transmission between        erroneous or tampered
                                     new and old systems,        with (integrity is not
                                     the distribution of         ensured fully), the
                                     financial information,      reliability of financial
                                     etc.                        information cannot be
                                                                 ensured.)
3-(1)-4-B    If IT infrastructure    IT infrastructure test      Check the past IT
             testing is not          plans are checked in        infrastructure tests
             planned in advance,     advance by relevant         related to financial
             one or more of the      personnel so that all       information. Make sure
             necessary test items    necessary tests and test    that these tests and the
             may be omitted.         items are included.         plans were referred to
                                                                 and checked by relevant
                                                                 personnel in advance.
3-(1)- 4-E   The IT                  Load and marginal           - Check the past
             infrastructure and      performance tests are       important development
             application systems     conducted in                projects related to
             do not work             accordance with test        financial information
             normally under a        plans and established       and projects for the
             heavy load.             test standards.             functional renewal of



                                         - 64 -
                                                               the IT infrastructure.
                                                               - Make sure that in these
                                                               projects, if there was
                                                               concern that
                                                               performance might
                                                               deteriorate at the peak
                                                               load, load and marginal
                                                               performance tests were
                                                               conducted. (Load and
                                                               marginal performance
                                                               tests are appropriate, for
                                                               example, in terms of the
                                                               number of transactions
                                                               and the amount of
                                                               traffic. And when
                                                               testing, it would be
                                                               good if the impact on
                                                               the performance of
                                                               other services was
                                                               examined.)
3-(1)-4-D
  Example of risk: If no test is conducted when financial information data is transferred from an old system to a new system, it is not possible to tell whether the transferred data is correct or not.
  Example of control: The data transferred to the new system is collated against the data in the old system in order to verify the reliability of the data.
  Example of control assessment procedure:
  - Check the records related to the transfer of financial information data. Check whether approval was obtained from the person responsible for data transfer and the receiving party. Check whether the items specified below were carried out at the time of transfer:
    - A collation test was performed for data conversion and no discrepancy was found.
    - Verification of any new additional function.
    - Verification of transfer procedures.
    - Implementation of an acceptance test.

3-(1)-4-F
  Example of risk: If an acceptance test is conducted by the person responsible for system development, it is likely that errors or improper transactions are overlooked.
  Example of control: Acceptance tests for information systems related to financial information are conducted with the participation of persons other than the system developers.
  Example of control assessment procedure: Choose financial information system projects in the past. Make sure from the records of acceptance tests that the tests were not conducted solely by the system developers.

3-(1)-4-G
  Example of risk: If test result records are not preserved, it is not possible to demonstrate that the functions were developed properly.
  Example of control: For important tests (e.g., acceptance test) of information systems related to financial information, records of test items and results are taken and preserved.
  Example of control assessment procedure: Choose financial information system projects in the past. Make sure that for such projects, important tests were implemented and test result records taken and preserved (it would be better if a problem control sheet and the results are preserved).
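The collation test called for in 3-(1)-4-D is more than a record count: lost records, spurious records and field-level changes such as a transposed digit must each be surfaced and recorded. The following Python is an added example and not part of the guidance. It compares a constructed extract from the old system against a constructed extract from the new one, keyed on a hypothetical voucher_no field, and reports record counts, control totals per account, keys present on only one side, and field-level differences.

```python
"""Collation test for financial data transferred from an old system to a new one.

Added example, not part of the METI guidance. The record layout, the field
names (voucher_no, account, amount), the sample extracts and the seeded
discrepancies are all constructed for illustration.
"""
from collections import Counter
from decimal import Decimal

# Constructed sample extracts. The old system formats amounts with thousands
# separators; the new system does not. Three defects are seeded in the new
# extract: V002 has a transposed digit, V003 was lost and V005 appeared.
OLD_SYSTEM = [
    {"voucher_no": "V001", "account": "4100", "amount": "1,200.00"},
    {"voucher_no": "V002", "account": "4100", "amount": "350.50"},
    {"voucher_no": "V003", "account": "5200", "amount": "-75.25"},
    {"voucher_no": "V004", "account": "5200", "amount": "999.99"},
]
NEW_SYSTEM = [
    {"voucher_no": "V001", "account": "4100", "amount": "1200.00"},
    {"voucher_no": "V002", "account": "4100", "amount": "350.05"},
    {"voucher_no": "V004", "account": "5200", "amount": "999.99"},
    {"voucher_no": "V005", "account": "5200", "amount": "10.00"},
]


def normalise(row):
    """Canonical form, so that pure formatting differences are not reported."""
    return {
        "voucher_no": row["voucher_no"].strip().upper(),
        "account": row["account"].strip(),
        "amount": Decimal(row["amount"].replace(",", "")),
    }


def control_totals(rows):
    """Sum of amounts per account: the classic hash-total check."""
    totals = Counter()
    for r in rows:
        totals[r["account"]] += r["amount"]
    return dict(totals)


def collate(old, new, key="voucher_no"):
    """Compare two extracts record by record and return a discrepancy report.

    Three checks that together make up a collation test:
      1. record counts and control totals per account,
      2. keys present on one side only (lost or spurious records),
      3. field-level differences for keys present on both sides.
    """
    old_by_key = {r[key]: r for r in map(normalise, old)}
    new_by_key = {r[key]: r for r in map(normalise, new)}
    if len(old_by_key) != len(old) or len(new_by_key) != len(new):
        raise ValueError("duplicate keys in an extract; key-based collation is not meaningful")

    differences = []
    for k in sorted(old_by_key.keys() & new_by_key.keys()):
        for field in ("account", "amount"):
            if old_by_key[k][field] != new_by_key[k][field]:
                differences.append({"key": k, "field": field,
                                    "old": str(old_by_key[k][field]),
                                    "new": str(new_by_key[k][field])})

    report = {
        "old_count": len(old_by_key),
        "new_count": len(new_by_key),
        "totals_old": control_totals(old_by_key.values()),
        "totals_new": control_totals(new_by_key.values()),
        "missing_in_new": sorted(old_by_key.keys() - new_by_key.keys()),
        "unexpected_in_new": sorted(new_by_key.keys() - old_by_key.keys()),
        "field_differences": differences,
    }
    report["clean"] = (
        report["old_count"] == report["new_count"]
        and report["totals_old"] == report["totals_new"]
        and not report["missing_in_new"]
        and not report["unexpected_in_new"]
        and not differences
    )
    return report


if __name__ == "__main__":
    for item, value in collate(OLD_SYSTEM, NEW_SYSTEM).items():
        print(f"{item}: {value}")
```

In the sample the record counts agree (four records on each side), yet the collation is not clean: V003 was lost, V005 appeared, and the amount of V002 changed. A count-only check would have passed the transfer, which is why the control totals and the key-level comparison belong in the evidence preserved for the assessment.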

5 Development and Maintenance of Development and Maintenance Procedures

[Control Guidelines]

If IT policies and procedures are developed or revised in response to changes in the
external environment, then software development methodology, procurement,
application development and maintenance control, and necessary documentation
processes are reviewed. Policy and procedure revision helps to maintain the reliability
of financial reports.


[Examples of Control Objectives]

3-(1)-5-A     Corporate development and maintenance procedures are reviewed and
              revised periodically in response to changes in the environment (⇒ I
              Strategic IT Plan. 1.3. (5), 1.4. (2), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

3-(1)-5-A
  Example of risk: The risk becomes greater if policies and procedures related to development, program change management, access control, and operation are not revised in response to changes in the external environment.
  Example of control: There are policies and procedures concerning program development, program change management, program and data access control, and computer operation, which are periodically reviewed, renewed, and approved by the corporate manager.
  Example of control assessment procedure: Check whether the revision of policies or procedures related to IT for financial reports, if any, was approved by the corporate manager and the responsible person.

(2) System Operation and Management

(⇒ III 4 (2) 2 B b, Practice Standards)

1 Manage Operation

[Control Guidelines]

It is desirable that companies should operate IT related to financial reports in such a
way that ensures the reliability of day-to-day business transactions, such as the entry,
registration, processing, summation, reporting, etc., of financial information. In
particular, if there is any inadequacy in the operation of IT related to financial reports,
the reliability of financial reports may be affected considerably.

For example, if a sales administration system fails, sales data may be lost, impairing the
integrity, accuracy and correctness of financial information as well as the reliability of
financial reports based on the results generated from such a sales administration system.

[Examples of Control Objectives]

a. Development of and Compliance with Operation Management Rules

3-(2)-1-A      Operation management rules are laid down and complied with (⇒ IV.
               Operation Processes 1 (1) to (2), System Management Standards).
3-(2)-1-B      Operation plans pursuant to the operation management rules are prepared
               and developed (⇒ IV Operation Processes 2. (1) to (3), System
               Management Standards).
3-(2)-1-C      Operation management rules cover operations for handling exceptions
               (⇒ IV Operation Processes 2. (6), System Management Standards).

b. Approval of Operation Rules

3-(2)-1-D      The information system is operated in accordance with a job schedule
               which takes the scale, date and time of transaction, system
               characteristics, and priorities in transaction into consideration (⇒ IV
               Operation Processes 2. (4), (5), (8), System Management Standards).

c. Taking and Preservation of Operation Records and Logs

3-(2)-1-E      It is desirable that the operation status of the information system,
               including access records, is monitored, and that records of information
               security incidents are taken and preserved for a specified period (⇒ IV
               Operation Processes 2. (9), System Management Standards).
3-(2)-1-F      In order to identify problems occurring in the information system, logs of
               system operations, failures, and causes are taken and preserved. The logs
               taken should desirably be kept in such a way that protects them from
               unauthorized alteration (⇒ IV Operation Processes 2. (11) to (12),
               System Management Standards).

d. Education

3-(2)-1-G      Before the information system is put into use, support and
               education/training programs for responsible persons are established and
               provided (⇒ IV Operation Processes 2. (13) to (14), System
               Management Standards).


[Examples of Controls and Control Assessment Procedures]

3-(2)-1-A
  Example of risk: Incorrect transactions are performed as a result of improper operation.
  Example of control: Standard operation procedures are documented and followed so that all transactions related to financial information performed in the actual operational environment meet integrity, accuracy, and correctness requirements.
  Example of control assessment procedure:
  - Check whether operation procedures are documented and whether the administrator knows how such procedures are applied. (For example, check from daily reports etc. whether the system is operated in accordance with the procedures. Check whether the system is operated in accordance with the job schedule, or if exceptions are handled, whether the exceptions are approved and the integrity and accuracy of transactions related to financial information are ensured.)
  - In the case of an automated information system which is operated for 24 hours a day, 365 days a year, verify the continuity of transactions and that there are no operational changes. (For example, if unmanned information system operation is introduced, check supplementary controls such as access control. Without supplementary controls, unauthorized alterations can be made.)

3-(2)-1-F
  Example of risk: Improper operations cannot be detected.
  Example of control: With respect to the information system and data processing, the company has a policy on log taking and analysis, pursuant to which logs are taken and necessary items are monitored.
  Example of control assessment procedure: Make sure that the company has a policy on log taking. Next, make sure that necessary logs (improper operations and other items necessary for monitoring) are taken and preserved and can be made available.

3-(2)-1-F
  Example of risk: The reliability of data processed by the information system is not ensured.
  Example of control: Logs of the information system and data processing are taken and the integrity, accuracy and correctness of log files are ensured (logs are recorded and preserved without alteration).
  Example of control assessment procedure: Make sure that logs are protected from unauthorized alteration and deletion during recording or preservation. (For example, investigate the status of operations related to the information system and data processing. Obtain samples of logs of the time periods investigated. Based on the samples, verify the integrity and accuracy of the logs obtained.)

3-(2)-1-G
  Example of risk: If persons responsible for information systems related to financial information are not educated with respect to risks and appropriate operation methods, their improper operation may cause system failure or improper transactions.
  Example of control: When a new information system related to financial information is introduced, appropriate education for the responsible person is planned and provided.
  Example of control assessment procedure: Check the education curriculum and schedule for responsible persons (with respect to financial information) and who received such education.
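Both the objective 3-(2)-1-F and its control row above ask that logs be preserved in a way that protects them from unauthorized alteration and deletion, and that the assessor verify the integrity of sampled logs. One way to make preserved logs tamper-evident is to chain them: each entry carries an HMAC over its own content and the previous entry's tag, so that a changed, removed or reordered entry breaks the chain. The following Python is an added example, not part of the guidance or of any product. The reviewer-held key, the entry fields (ts, user, action) and the sample operator actions are constructed.

```python
"""Tamper-evident preservation of operation logs (3-(2)-1-F).

Added example, not part of the METI guidance. Each preserved entry carries
an HMAC over its content and the previous entry's tag, so that alteration,
deletion or reordering of preserved entries is detectable when the log is
reviewed. The reviewer-held key, the sample entries and the field names are
constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = b"genesis"

# Constructed sample of operator actions on a sales administration system.
SAMPLE_ENTRIES = [
    {"ts": "2007-03-01T09:00:12", "user": "op01", "action": "batch SALES_DAILY started"},
    {"ts": "2007-03-01T09:07:45", "user": "op01", "action": "batch SALES_DAILY completed rc=0"},
    {"ts": "2007-03-01T10:15:03", "user": "adm02", "action": "manual correction of invoice 4471"},
    {"ts": "2007-03-01T10:15:40", "user": "adm02", "action": "logout"},
]


def seal(entries, key):
    """Chain the entries: tag(n) = HMAC(key, tag(n-1) || canonical(entry n))."""
    chained, prev = [], GENESIS
    for seq, entry in enumerate(entries):
        record = {"seq": seq, **entry}
        body = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        chained.append({**record, "tag": tag})
        prev = tag.encode()
    return chained


def verify(chained, key, anchor=None):
    """Return (ok, first_bad_seq).

    Detects a modified entry (tag mismatch), a deleted or reordered entry
    (sequence gap) and, when `anchor` = (seq, tag) was noted by the reviewer
    at an earlier inspection, removal of the tail after that point.
    """
    prev = GENESIS
    for position, stored in enumerate(chained):
        record = dict(stored)
        tag = record.pop("tag", "")
        if record.get("seq") != position:
            return False, position          # gap: an entry was removed or reordered
        body = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, position          # content or tag was altered
        prev = tag.encode()
    if anchor is not None:
        seq, noted_tag = anchor
        if seq >= len(chained) or not hmac.compare_digest(chained[seq]["tag"], noted_tag):
            return False, seq               # the entry the reviewer noted is gone
    return True, None


if __name__ == "__main__":
    key = b"reviewer-held-key-constructed"  # constructed; in practice held outside operations
    log = seal(SAMPLE_ENTRIES, key)
    print("intact:", verify(log, key))
    log[2]["action"] = "routine maintenance"
    print("after alteration:", verify(log, key))
```

The chain detects a modified, deleted or reordered entry on its own, but not removal of the most recent entries, because a shortened chain is still internally consistent. That is why verify() accepts an anchor: the (seq, tag) pair the reviewer noted at the previous inspection. Keeping the key away from the operators whose actions are being logged is what gives the tag its evidential value; if the same team can both write the log and hold the key, the control reduces to a self-assertion.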


2 Manage Configuration

[Control Guidelines]

Configuration management records the results of controls, such as the purchase and
installation of information assets and the management and disposal of fixed assets, as
asset information, and thereby indirectly supports control over information systems
related to financial information.

Configuration management manages results generated from change management and is
effective when conducted in conjunction with change management.

Configuration management has the function of managing and providing basic
information about information system configuration, including system, network,
software, and master data configuration. If configuration management is not
implemented properly, the development and processing of financial information may be
affected, so configuration management should be conducted in a timely and appropriate
manner.

If configuration management is given the function of drawing attention to the effective
period of information assets, the administrator can be made aware of when action
should be taken to prevent the degradation of information assets. The administrator can
maintain the reliability of financial information by taking appropriate measures.

[Examples of Control Objectives]

a. Software, Hardware, and Network Configuration Management

3-(2)- 2-A    Control rules and procedures are set and approved by the person
              responsible for operation (⇒ IV Operation Processes 6. (1), 7. (1),
              System Management Standards).
3-(2)- 2-B    The use of software and hardware which are not permitted is prohibited
              (⇒ IV Operation Processes 6. (2), System Management Standards).

b. Software, Hardware and Network Configuration, Supplier, and Support Conditions

3-(2)- 2-C    Records of introduced or procured software, hardware, and networks are
              properly reflected in the control register.
3-(2)- 2-D    Supporting arrangements with suppliers are maintained (⇒ IV Operation
              Processes 9. (2), System Management Standards).
3-(2)- 2-F    There are measures to handle failures, including emergencies (⇒ IV
              Operation Processes 7. (4), 8. (4), System Management Standards).
3-(2)- 2-F    Tests and assessments are performed to verify that the settings are
              appropriate.

c. Hardware and networks are introduced or modified after the degree of impact has
been fully examined.

3-(2)- 2-G    Possible risks are identified and handled (⇒ IV. Operation Processes
              7. (2), 9. (3), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

3-(2)-2-A
  Example of risk: Processing errors or system shutdown may result from the unauthorized installation or disposal of software, hardware, application systems, etc.
  Example of control: Appropriate information system control (e.g., purchasing, installation, fixed asset, and disposal) is conducted to ensure that no unauthorized information systems are used.
  Example of control assessment procedure: Check whether the information system handling financial information is accurately reflected in the configuration management register and fixed asset control (make sure that there are no information systems which are brought in without permission).

3-(2)-2-C
  Example of risk: System inconsistency may occur because changes are not accurately reflected in system control information.
  Example of control: The results of change management are reflected in configuration management in a timely manner.
  Example of control assessment procedure:
  - Collate the results of change management against the configuration management register to determine whether appropriate information control is in place.
  - Check whether changes in system configuration information and master information are properly reflected.

3-(2)-2-C
  Example of risk: Processing errors may result from the continued use of hardware etc. whose effective period has already expired.
  Example of control: The effective periods of information assets are properly controlled and renewed.
  Example of control assessment procedure:
  - Make sure from the configuration management register that the effective periods of information assets are accurately recorded and the assets are not used after the effective periods.
  - Check whether the renewal of information assets is reflected in IT plans with the effective period control function of the configuration management register.

3-(2)-2-B
  Example of risk: Data alteration or system shutdown may result from the use of unauthorized software.
  Example of control: Employees using IT assets are prohibited from using unauthorized software (for employees’ PCs, privileged ID and administrator authority are prohibited).
  Example of control assessment procedure: Obtain the basic information security policy and check whether it prohibits the use of unauthorized software. (For example, investigate samples of the servers and PCs in the information system related to financial information to check whether unauthorized software is used on these servers or PCs.)

3 Manage Data

[Control Guidelines]

Appropriate data management is used to ensure the integrity, accuracy, and correctness
of financial information entered, registered, processed, summated, reported, or
otherwise handled by companies. If there is any inadequacy in this data management,
the reliability of financial information can be impaired. For example, if no control is
implemented over the approval of the commencement of transactions, the financial
information generated will not be reliable. Such control applies where application
system databases are physically separate from the system and controlled independently
of business transactions.


[Examples of Control Objectives]

Recorded, processed, or reported data is properly controlled when renewed or stored in
order to ensure its reliability (integrity, accuracy, and correctness).

a. Data management

3-(2)- 3-A    Data management rules and procedures are set and approved by the
              responsible person (⇒ IV Operation Processes 4. (1), (6), System
              Management Standards).
3-(2)- 3-B    When transmitted or received, exchanged, reproduced, or disposed of,
              data is protected against erroneous or improper handling or unauthorized
              disclosure in accordance with the data management rules (⇒ IV
              Operation Processes 4. (6), (7), System Management Standards).

b. Maintenance of Data Integrity

3-(2)- 3-C    Internal data in the information system are protected logically and
              physically from unauthorized access and falsification (⇒ IV
              Operation Processes 4. (3), System Management Standards).

c. Data Backup

3-(2)- 3-D    Backup copies of financial information and sales administration data are
              made as such data may be lost due to system failure, malfunction, etc.
              (⇒ IV. Operation Processes 4. (5), VI Common Processes. 7.3. (1) to (2),
              System Management Standards; ⇒ III 4 (2) 2 B b, Practice Standards).
3-(2)- 3-E    Recovery from backup media is tested (⇒ IV. Common Processes
              7.4. (2), System Management Standards).


[Examples of Controls and Control Assessment Procedures]

3-(2)-3-B
  Example of risk: Financial information may be lost or cannot be communicated if no procedures are set for the distribution and preservation of processing results.
  Example of control: There are procedures which ensure that information related to financial information is processed properly and communicated to appropriate persons in a timely manner.
  Example of control assessment procedure: Check whether there are procedures for the handling, distribution, and preservation of processed data and outputs for reporting and whether such procedures are implemented. (For example, check whether output data is delivered to the correct recipient and whether there was any incidence of such data being delivered to a person who does not have authority.)

3-(2)-3-C
  Example of risk: Data may be altered or copied without permission during storage or transfer.
  Example of control: Financial information is protected against unauthorized access or alteration during storage and transfer.
  Example of control assessment procedure:
  - Check whether information security measures (e.g., locking) are implemented when financial information is stored or transferred.
  - Check whether physical security measures such as entrance control are implemented.

3-(2)-3-E
  Example of risk: Documents and data may not be kept properly, important information may be lost, or unnecessary data may be retained for a long period.
  Example of control: Document and data retention periods and conditions are specified.
  Example of control assessment procedure: Obtain the procedures for data retention. Make sure that such procedures include the retention periods and conditions for documents, data reports, etc., and that the documents etc. are preserved in accordance with such conditions.

3-(2)-3-E
  Example of risk: Without backup copies, data would not be recovered when lost.
  Example of control: There are procedures for data and program backups, and backup copies are made and preserved.
  Example of control assessment procedure:
  - Investigate policies and procedures for data and program backups.
  - Obtain samples of data and program backup copies and check the place and condition of storage.

(3) System Safety Assurance by Internal/External Access Control etc.

(⇒ III 4 (2) 2 B c, Practice Standards)


1 Information Security Framework

[Control Guidelines]

IT related to financial information and reports involves the risk of the information being
tampered with or deleted. For such IT, a basic information security policy is developed
and an information security framework is established and followed pursuant to such
policy.

[Examples of Control Objectives]

3-(3)- 1-A     An information security framework for the organization is established in
               accordance with a basic information security policy (⇒ I Strategic IT
               Plan. 1.1. (6), System Management Standards;⇒ Information Security
               Management Standards, 1.1.1.2, 17).

[Examples of Controls and Control Assessment Procedures]

3-(3)-1-A
  Example of risk: Without a basic information security guideline and framework, information system access control cannot be performed properly.
  Example of control: An information security framework is established.
  Example of control assessment procedure:
  - Obtain the basic information security policy and information security standards and manuals and check whether the security framework is functioning at the field level.
  - Make sure that there is a system to maintain information security.

2 Access Control and Other Security Measures

[Control Guidelines]

Application systems related to financial information involve, among others, the risk of
sales, inventory, and other information being tampered with or deleted. In these systems,
access is granted only to duly authorized persons.

Access control is essential in preventing unauthorized access to IT related to financial
information. Access control includes, without limitation, the granting of access authority
to responsible persons, the personal authentication of responsible persons accessing the
system, the prevention of repudiation of entered data, the assignment of security levels,
and the monitoring and recording of system performance and access.

Inadequacies in information security, including access control, can have a substantial
impact on the integrity, accuracy, and correctness of financial information. For example,
in the case of an accounting system which does not have adequate access control and
does not generate sufficient data to establish who accessed the system, when, and from
where, inaccurate financial reports may be generated even if supplementary controls are
performed manually.

[Examples of Control Objectives]

a. Access Control

3-(3)- 2-A    The scope of access and the level of access authority appropriate for job
              authority are specified in accordance with business and security
              requirements (⇒ IV Operation Processes 4. (2), 6. (2), 7. (2), System
              Management Standards;⇒ Information Security Management Standards,
              7.1.1).
3-(3)- 2-B    Procedures for registering and deleting the registration of responsible
              persons are laid down and approved (⇒ Information Security
              Management Standards, 7.2.1).
3-(3)- 2-C    Access authority is cancelled immediately upon a change in the role or
              duty of or the retirement of responsible persons (⇒ Information Security
              Management Standards, 7.2.1).
3-(3)- 2-D    IDs for responsible persons are inspected periodically, and any such ID
              which is not used for a long period is deleted, and records of such
              deletion are preserved (⇒ Information Security Management Standards,
              7.2.1).
3-(3)- 2-E    When privileged IDs are granted, they are granted only to limited
              persons for limited periods and used only for relevant purposes (⇒
              Information Security Management Standards, 7.2.2).
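3-(3)-2-C and 3-(3)-2-D describe a periodic inspection of responsible persons' IDs: access authority cancelled on a change of role or duty or on retirement, IDs unused for a long period deleted, and a record of the deletion preserved. The following Python is an added example, not part of the guidance. It reconciles a constructed account export against a constructed HR roster and flags the IDs whose authority should be cancelled, then builds the record to preserve. The 90-day dormancy threshold, the field names, the reviewer name and the sample users are assumptions.

```python
"""Periodic inspection of responsible persons' IDs (3-(3)-2-C, 3-(3)-2-D).

Added example, not part of the METI guidance. It reconciles a constructed
account export against a constructed HR roster and flags IDs whose access
authority should be cancelled: owner retired or not on the roster, role
changed since the authority was granted, or ID unused beyond a dormancy
threshold. The 90-day threshold, the field names, the reviewer name and the
sample data are all assumptions.
"""
from datetime import date

DORMANCY_DAYS = 90

# Constructed account export from an accounting system.
ACCOUNTS = [
    {"id": "t.suzuki", "role_granted": "AR clerk", "privileged": False, "last_login": "2007-03-28"},
    {"id": "k.tanaka", "role_granted": "GL accountant", "privileged": False, "last_login": "2007-01-20"},
    {"id": "m.sato", "role_granted": "AP clerk", "privileged": False, "last_login": "2007-03-29"},
    {"id": "y.kimura", "role_granted": "System administrator", "privileged": True, "last_login": "2006-11-02"},
    {"id": "r.mori", "role_granted": "AR clerk", "privileged": False, "last_login": None},
    {"id": "svc_batch", "role_granted": "Batch operator", "privileged": True, "last_login": "2007-03-30"},
]

# Constructed HR roster keyed by ID. svc_batch deliberately has no entry.
HR_ROSTER = {
    "t.suzuki": {"status": "active", "role": "AR clerk"},
    "k.tanaka": {"status": "retired", "role": "GL accountant"},
    "m.sato": {"status": "active", "role": "Internal audit"},
    "y.kimura": {"status": "active", "role": "System administrator"},
    "r.mori": {"status": "active", "role": "AR clerk"},
}


def review_ids(accounts, roster, as_of, dormancy_days=DORMANCY_DAYS):
    """Return one finding per ID that fails the inspection, with the reasons."""
    review_date = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        reasons = []
        person = roster.get(acct["id"])
        if person is None:
            reasons.append("no matching person in HR roster")
        elif person["status"] != "active":
            reasons.append(f"owner {person['status']}")              # 3-(3)-2-C: retirement
        elif person["role"] != acct["role_granted"]:
            reasons.append(f"role changed from {acct['role_granted']} to {person['role']}")  # 3-(3)-2-C

        if acct["last_login"] is None:
            reasons.append("never used")                               # 3-(3)-2-D
        else:
            idle_days = (review_date - date.fromisoformat(acct["last_login"])).days
            if idle_days > dormancy_days:
                reasons.append(f"dormant for {idle_days} days")        # 3-(3)-2-D

        if reasons:
            findings.append({"id": acct["id"], "privileged": acct["privileged"], "reasons": reasons})
    return findings


def cancellation_record(findings, as_of, approved_by):
    """Record to preserve as evidence that the flagged IDs were cancelled (3-(3)-2-D)."""
    return {
        "review_date": as_of,
        "approved_by": approved_by,
        "cancelled_ids": [f["id"] for f in findings],
        "privileged_ids": [f["id"] for f in findings if f["privileged"]],
        "details": findings,
    }


if __name__ == "__main__":
    result = review_ids(ACCOUNTS, HR_ROSTER, "2007-03-30")
    for finding in result:
        print(finding["id"], "->", "; ".join(finding["reasons"]))
    print(cancellation_record(result, "2007-03-30", "IT operations manager")["cancelled_ids"])
```

The service account svc_batch is flagged because it has no owner on the roster; in practice such an ID needs a named responsible person rather than deletion, but it must not pass the review silently. Privileged IDs are listed separately in the record because 3-(3)-2-E limits them to specific persons and periods, so they deserve the reviewer's first attention.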

b. Password Control

3-(3)- 2-F    Passwords are assigned in accordance with the access procedures (⇒
              Information Security Management Standards, 7.2.3).

c. Network Access Control

3-(3)- 2-G    Responsible persons’ connection to networks is limited in accordance
              with pre-established rules (⇒ Information Security Management
              Standards, 7.4.1).
3-(3)- 2-H    Network access authority granted to responsible persons is maintained
              and renewed in accordance with the access control policy (⇒
              Information Security Management Standards, 7.4.2).


d. Access Control for Operating System

3-(3)-2-I     The system has the function of authenticating authorized persons (⇒
              Information Security Management Standards, 7.5.2).
3-(3)-2-J     Records of successful and failed system authentications are taken and
              preserved (⇒ Information Security Management Standards, 7.7.1).
3-(3)-2-K     The use of specified business software is prohibited and the control of
              access to such software is implemented (⇒ Information Security
              Management Standards, 7.6.1).

[Examples of Controls and Control Assessment Procedures]

3-(3)-2-I, 3-(3)-2-J
Example of risk: Without appropriate authentication, data may be tampered with or referenced illegally.
Example of control: The system has the function of authenticating all relevant persons and controlling their access, and access is recorded.
Example of control assessment procedure:
- Make sure that the authentication of, and the control of access by, responsible persons is introduced. (For example, verify from documents the scope of access granted to responsible persons and make sure that their access is actually restricted.)
- Make sure that the authentication of responsible persons and access control is recorded in logs. (For example, make sure that the responsible persons’ PCs have time-out functions etc. and time-outs are recorded in logs.)

3-(3)-2-B
Example of risk: If the issuance, suspension, etc., of accounts for responsible persons are not placed under control, such accounts may be used improperly to alter or disclose data.
Example of control: There are procedures for application for and the establishment, issuance, suspension and cancellation of accounts for responsible persons, and such applications etc. are handled in a timely manner in accordance with such procedures.
Example of control assessment procedure:
- Make sure that there are procedures for the registration, change, and deletion of accounts for responsible persons and every change is handled in a timely manner. (For example, obtain samples of new registrations and check whether the responsible person approved access authority and whether the approved access authority is consistent with the established access authority.) (For example, obtain samples of retirees and check whether their access authority was deleted immediately upon retirement.)
- Make sure that any unauthorized access or other breach can be detected in a timely manner and can be traced.

3-(3)-2-A, 3-(3)-2-C
Example of risk: There is no appropriate access control function and data may be tampered with or referenced illegally.
Example of control: There is a control process to periodically review and verify access authority, and such process is followed.
Example of control assessment procedure:
- Make sure that it is reviewed periodically whether the responsible persons’ access authority is consistent with their administrative authority. (For example, examine sample cases where responsible persons were transferred and their access authority needed to be revised and make sure that their access authority was revised in a timely manner.)
- Make sure that, in such exceptional cases where certain persons were granted special access authority, such access authority was properly handled later on.

3-(3)-2-G
Example of risk: If the Internet is used, there is protection against break-ins.
Example of control: If the Internet or other external networks are used for electronic commerce etc., firewalls, break-in detection systems, etc., are used. In addition, there are appropriate controls to prevent unauthorized access, such as the application of patches based on the results of susceptibility assessment.
Example of control assessment procedure:
- (If the Internet is used for electronic commerce etc.) Make sure that external access control, including firewalls and break-in detection systems, is in place and appropriate. (For example, check whether the company ever performed third-party information security assessment.)
- Check whether an anti-virus system is used to protect the security of systems related to financial information.

3-(3)-2-A
Example of risk: If administrative authority is not defined, unauthorized access may occur and data may be tampered with.
Example of control: Application and approval for system and data access authority are separated from each other.
Example of control assessment procedure: Investigate the application and approval process for system and data access authority. Make sure that both are not performed by the same person.

3-(3)-2-E
Example of risk: Privileged users can modify information systems and add or delete responsible persons, so without control, unauthorized alteration may occur.
Example of control: There are standards for the exercise of privileges and the granting of privileges is kept to a minimum. Privileges are suspended as soon as they become unnecessary.
Example of control assessment procedure:
- Investigate privileged IDs and make sure that they are granted properly to the appropriate positions.
- If privileged IDs can use all the functions, make sure that split passwords, mutual monitoring (known as dual control), or other controls are also in place.

3-(3)-2-A
Example of risk: If access to facilities is not restricted, important financial information may be accessed or tampered with by non-relevant persons.
Example of control: Access to facilities is granted only to authorized persons and appropriate IDs and authentication are assigned or conducted.
Example of control assessment procedure: Obtain policies and procedures for entrance and check whether appropriate authentication is realized. (For example, select responsible persons and check whether their access and entries were consistent with their access authority based on their administrative authority.)
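The review steps in the rows above (checking that access authority matches administrative authority, that the authority of transferred or retired persons was revised or deleted, that long-unused IDs are removed, and that special or privileged grants were handled later on) can be partly automated when the account inventory and the HR roster are available as data. The following Python script is an added illustration and is not part of these Standards; the field names, the role-to-level mapping and the 90-day dormancy threshold are assumptions chosen for the example, and all data in it is constructed.

```python
"""Periodic access-authority review (added illustration, not part of the METI text).

Cross-checks a constructed account inventory against a constructed HR roster and
flags the conditions the controls above ask reviewers to look for:
  - accounts whose holder has left the company (3-(3)-2-C, retirees),
  - access levels exceeding what the holder's current role allows (3-(3)-2-A/C, transfers),
  - accounts unused for a long period (3-(3)-2-D),
  - privileged grants whose approved period has ended (3-(3)-2-E).
Field names, the role-to-level map and the 90-day threshold are assumptions.
"""
from datetime import date, timedelta

# Assumed mapping of job role to the highest access level that role justifies.
ROLE_MAX_LEVEL = {"clerk": 1, "accountant": 2, "it_admin": 3}

# Constructed HR roster: current role per person (None = no longer employed).
HR_ROSTER = {
    "u1001": {"role": "accountant"},
    "u1002": {"role": "clerk"},
    "u1003": None,                      # retired; account should be gone
    "u1004": {"role": "clerk"},         # transferred from accountant to clerk
    "u1005": {"role": "it_admin"},
}

# Constructed account inventory as exported from the accounting system.
ACCOUNTS = [
    {"id": "u1001", "level": 2, "last_login": date(2007, 3, 20), "privileged_until": None},
    {"id": "u1002", "level": 1, "last_login": date(2006, 9, 1),  "privileged_until": None},
    {"id": "u1003", "level": 2, "last_login": date(2007, 2, 10), "privileged_until": None},
    {"id": "u1004", "level": 2, "last_login": date(2007, 3, 25), "privileged_until": None},
    {"id": "u1005", "level": 3, "last_login": date(2007, 3, 28), "privileged_until": date(2007, 3, 1)},
]

# Date on which the review is performed (constructed).
REVIEW_DATE = date(2007, 3, 30)


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return (account id, finding) pairs that the reviewer must resolve and document."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["id"])
        if person is None:
            # Holder retired or was never in the roster: the ID should have been deleted.
            findings.append((acct["id"], "orphaned: holder no longer in roster"))
            continue
        allowed = ROLE_MAX_LEVEL[person["role"]]
        if acct["level"] > allowed:
            # Typical after a transfer when the old authority was not revised.
            findings.append((acct["id"], f"level {acct['level']} exceeds role maximum {allowed}"))
        if today - acct["last_login"] > timedelta(days=dormant_days):
            findings.append((acct["id"], f"dormant: no login for more than {dormant_days} days"))
        until = acct["privileged_until"]
        if until is not None and until < today:
            # Privilege was granted for a limited period that has already ended.
            findings.append((acct["id"], "privileged grant expired but still active"))
    return findings


if __name__ == "__main__":
    for account_id, finding in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{account_id}: {finding}")
```

The findings list is the evidence the review produces; in practice each entry would be resolved (deletion, revision, or a documented exception) and the record of that resolution preserved, which is what the assessment procedure then samples.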


3 Control of Information Security Incidents

[Control Guidelines]

Information security incidents, such as those related to financial information, are
controlled by companies documenting, notifying responsible persons of, and monitoring
access beyond the authorized scope and violations. If the control is inadequate, the
reliability of the resulting financial reports may be materially affected.

[Examples of Control Objectives]

a. Incident Reports, Records, Handling Rules and Procedures

3-(3)-3-A     Information security incident reporting and handling procedures
              appropriate for the degree of impact thereof are specified (⇒
              Information Security Management Standards, 6.1.3.1).
3-(3)-3-B     The details of information security incidents are recorded and reported to
              the person responsible for information system operation (⇒ Information
              Security Management Standards, 6.1.3, 15, 16).

b. Investigation of the Cause and Prevention of Recurrence

3-(3)-3-C     The cause of information security incidents is investigated and
              recurrence prevention measures are implemented (⇒ Information
              Security Management Standards, 6.1.3.6).



[Examples of Controls and Control Assessment Procedures]

3-(3)-3-A
Example of risk: Damage will increase if the information security incident is not properly handled.
Example of control: If an information security incident occurs, it is recorded, analyzed, and settled in a timely manner.
Example of control assessment procedure: Examine samples of information security incident reports and check whether the incidents were handled (recorded, analyzed, or settled) in a timely manner.

3-(3)-3-C
Example of risk: Logs are not taken and the cause of the incident cannot be investigated.
Example of control: The cause of the incident is investigated by an appropriate log control function. (If a server is recovered from shutdown without log collection or analysis, the possibility of the recurrence of the same incident would be higher.)
Example of control assessment procedure: Check whether the log contains information which helps to identify the cause of the incident. (For example, choose sample cases of server incidents and make sure that the incident was settled by analyzing the log and determining how the incident occurred.)

3-(3)-3-B
Example of risk: Unapproved acts cannot be monitored and improper acts are performed, causing incidents.
Example of control: Security incident management functions are in place, such as the timely notification of improper acts to the administrator (including the locking of the user account).
Example of control assessment procedure: Make sure that if unapproved acts (including going beyond the scope of authority granted) are performed, they can be detected immediately and handled properly in a timely manner. Also make sure that there is a process that is followed after the occurrence of incidents. (For example, make sure that there is a system to search for past cases of violation and, if applicable, properly punish the violators and prosecute them for monetary damage.)
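The control in row 3-(3)-3-B (timely notification of improper acts to the administrator, including locking of the user account) presupposes that the access log is actually compared against the scope of authority that was granted. The Python script below is an added illustration and is not part of these Standards: it runs that comparison over a few constructed log lines and produces the records an administrator would be notified of. The log format, the authority table and the threshold of three consecutive failed logins are assumptions for the example.

```python
"""Detecting acts beyond the authorized scope in an access log
(added illustration, not part of the METI text).

The log format, the authority table and the failure threshold are assumptions
for the example; all log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed log lines: timestamp, user, action, resource, result.
LOG_LINES = """\
2007-03-30T09:00:01 user=u1002 action=LOGIN resource=- result=FAIL
2007-03-30T09:00:07 user=u1002 action=LOGIN resource=- result=FAIL
2007-03-30T09:00:12 user=u1002 action=LOGIN resource=- result=FAIL
2007-03-30T09:00:20 user=u1002 action=LOGIN resource=- result=OK
2007-03-30T09:05:00 user=u1002 action=READ resource=ledger/ar result=OK
2007-03-30T09:06:30 user=u1002 action=WRITE resource=ledger/gl result=OK
2007-03-30T09:10:00 user=u1001 action=WRITE resource=ledger/gl result=OK
""".splitlines()

# Assumed authority table: the (action, resource) pairs each user is granted.
AUTHORITY = {
    "u1001": {("READ", "ledger/gl"), ("WRITE", "ledger/gl")},
    "u1002": {("READ", "ledger/ar")},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line):
    """Split one log line into its fields; refuse lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def detect_incidents(lines, authority, fail_threshold=3):
    """Return incident records for the administrator, each stating whether to lock the account.

    Two kinds of improper act are reported:
      - repeated_login_failure: the same user fails to log in fail_threshold times in a row;
      - beyond_authorized_scope: an action/resource pair not in the user's granted authority.
    """
    incidents = []
    consecutive_fail = defaultdict(int)
    for line in lines:
        ev = parse(line)
        user = ev["user"]
        if ev["action"] == "LOGIN":
            if ev["result"] == "FAIL":
                consecutive_fail[user] += 1
                if consecutive_fail[user] == fail_threshold:
                    incidents.append({"ts": ev["ts"], "user": user,
                                      "kind": "repeated_login_failure", "lock": True})
            else:
                consecutive_fail[user] = 0   # a successful login ends the streak
            continue
        # Any attempt outside the granted scope is reported, successful or not.
        if (ev["action"], ev["resource"]) not in authority.get(user, set()):
            incidents.append({"ts": ev["ts"], "user": user,
                              "kind": "beyond_authorized_scope",
                              "detail": f"{ev['action']} {ev['resource']} ({ev['result']})",
                              "lock": False})
    return incidents


if __name__ == "__main__":
    for incident in detect_incidents(LOG_LINES, AUTHORITY):
        print(incident)
```

The incident records are what the notification and the later investigation (row 3-(3)-3-C) are built on, so they carry the timestamp and the exact act, not only the user; whether a lock is applied automatically or only proposed is a decision for the handling procedure of row 3-(3)-3-A.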

(4) Trustee Control

(⇒ III 4 (2) 2 B d, Practice Standards)




1 Contracts with Trustees

[Control Guidelines]

The control of entrusted activities applies where certain activities are entrusted to
outside businesses for the purpose of the development or operation of information
systems related to financial reports or the development of financial information. Risks
involved in the entrusted development, operation, and maintenance of information
systems may have a substantial impact on the preparation and disclosure of accurate
financial reports by the entrusting company. For example, if control over the accuracy
of activities by the trustee is inadequate, financial reports may be inaccurate.

(It is not possible to list common risks involved in entrustment as different companies
are exposed to different risks and risks may vary according to what activities are
entrusted and how. Each company should analyze its own entrustment cases. Similarly,
risks involved in re-entrustment may also vary according to the type of contract between
the company entrusting and the trustee and the type of activities entrusted, so actual
risks are evaluated from the impact that the risks at the trustee may have on the
entrusting company.)

[Examples of Control Objectives]

a. Entrustment Plan

3-(4)-1-A     If the development, operation, etc., of an information system (directly
              related to financial reports) are entrusted, the relevant entrustment plan is
              approved (⇒ VI Common Processes 5.1. (1), System Management
              Standards).


3-(4)-1-B     The purpose and scope of, and budgets, systems, etc., for entrusted
              activities are clearly specified (⇒ VI Common Processes 5.1. (2), System
              Management Standards).

b. Trustee Selection

3-(4)-1-C     When the development, operation, etc., of information systems are
              entrusted, the trustee is selected in accordance with the organization’s
              trustee selection policy (⇒ V. Common Processes 5.2. (1), System
              Management Standards).
3-(4)-1-D     The candidate’s financial qualification and ability to provide services are
              evaluated.

c. Contract

3-(4)-1-E     The contract specifies the method of controlling the major risks involved
              in the entrusted activities (⇒ V. Common Processes 5.3. (1) to (2), System
              Management Standards).

d. Performance of Entrusted Activities When the Development, Operation, etc., of
Information Systems Related to Financial Information are Entrusted

3-(4)-1-F   The scope of work and responsibility is specified (⇒ VI Common
            Processes 5.3. (6), System Management Standards).
3-(4)-1-G   The implementation status of entrusted activities is understood and
            checked periodically (⇒ VI Common Processes 5.4. (1), 4. (3), 4. (4),
            System Management Standards).
3-(4)-1-H   Work products are accepted in accordance with the entrustment contract
            (⇒ VI Common Processes 5.4. (5), System Management Standards).
3-(4)-1-I   With respect to the reliability of financial information, the service level is
            monitored (e.g., the results of the performance of the entrusted activities
            are verified by sampling) and any problem is reported to the person
            responsible for the relevant activities (⇒ II 2. (1). 2. B. a, Practice
            Standards).


[Examples of Controls and Control Assessment Procedures]

3-(4)-1-I
Example of risk: If the service level is not monitored, the integrity, accuracy, and correctness of processed financial information are not maintained.
Example of control: The responsible person monitors and reports the trustee’s service level.
Example of control assessment procedure: The person responsible for management at the trustee checks the level of services provided and management systems for work products. (For example, choose sample cases of entrustment and check the contracts and the control status.)

3-(4)-1-C
Example of risk: If policies for trustee selection and control are not specified clearly, the service level is not maintained and the entrusted financial information is not generated properly.
Example of control: The trustee is selected in accordance with a trustee selection policy.
Example of control assessment procedure: Obtain the company’s trustee control policy and check whether trustee selection and control are conducted in accordance with the policy.

3-(4)-1-D
Example of risk: If trustee selection criteria are not clearly specified and unqualified businesses are selected, service quality may be poor or the delivery date may not be met, so the reliability of financial information may not be ensured.
Example of control: Prior to trustee selection, the responsible person evaluates the candidate’s qualification in terms of its ability to provide services and financial viability.
Example of control assessment procedure: Obtain the trustee selection criteria. Check whether these criteria include the trustee’s financial stability and experience and knowledge about IT controls related to financial information (e.g., the number of similar projects undertaken in the past and the number of qualified persons).

3-(4)-1-A
Example of risk: If the service level contract with the trustee does not cover security control, the service level is not maintained and financial information is not generated properly.
Example of control: There are procedures that require the contract with the trustee to be approved internally and executed in writing prior to entrustment, and such procedures are followed. These procedures include the definition of internal control requirements and the conditions to be undertaken by the trustee.
Example of control assessment procedure: Check sample contracts to verify that:
- the services to be implemented are specified;
- responsibility for control over the financial reporting system is specified properly;
- the trustee agrees to comply with the entrusting company’s security and other policies and procedures;
- the contract was checked, approved, and signed by appropriate parties; and
- the control items for the entrusted activities specified in the contract are the same as those required by the company.

3-(4)-1-G
Example of risk: If the trustee’s service level is not reviewed, a decline in service quality, if any, cannot be detected.
Example of control: Investigate the level of reliability (integrity, accuracy, correctness) assured by the trustee.
Example of control assessment procedure: Make sure that the trustee evaluates the realized level of reliability with the entrusting company’s control items and standards. (The entrusting company may, at its discretion, obtain reports etc. showing the results of the assessment of internal controls related to the entrusted activities from the trustee and use them as an alternative means for evaluating the entrusted activities.) (⇒ II 2. (2). 2. B. b, Practice Standards)



2 Definition and Control of the Service Level with the Trustee

[Control Guidelines]

The process of defining and controlling the service level for entrusted activities concerns
how to meet the responsible person’s expectations and, ultimately, how to achieve the
business objectives. In order to ensure that services are implemented as required, the
trustee’s role and responsibility are defined.
In particular, where the preparation of financial reports is entrusted, any inadequacy in
the trustee’s information system may materially affect the entrusting company’s financial
reports and disclosures.

[Examples of Control Objectives]

a. Service Level

3-(4)-2-A      If the development or operation of information systems related to
               financial reports or information is entrusted, the service level is defined
               and maintained. To this end, it is desirable to conclude a service level
               agreement (SLA) with the trustee.

[Examples of Controls and Control Assessment Procedures]

3-(4)-2-A
Example of risk: If the service level is not defined, stable services cannot be used continuously and the reliability of financial information is impaired.
Example of control: The service level related to the reliability of the financial reporting system is defined and controlled.
Example of control assessment procedure:
- Select those entrustment contracts in association with which SLAs were concluded. Check whether these contracts specify the service level and whether adherence to such service level was verified.
- If financial reporting itself is entrusted, check the department and the process which verify whether the resulting financial reports are provided in a timely manner and whether the information contained in the reports is correct.

3-(4)-2-A
Example of risk: If adherence to the specified service level is not monitored, a decline in the service level, if any, cannot be detected.
Example of control: Performance indexes to control SLAs are established.
Example of control assessment procedure: Obtain the financial reports in connection with which the service level was actually evaluated and make sure that major performance indexes were included and actually measured.


3 Risk Control Matrix for IT General Controls

It is important that the reliability (integrity, accuracy, and correctness) of financial
information is protected against anticipated risks with IT general controls. In order to
evaluate the design and operation of IT general controls, it would be helpful to prepare a
risk control matrix. An example is provided below. An example of a concrete risk
control matrix is given in Appendix 6 “Examples of a Risk Control Matrix.”




4. IT Application Control

(1) Manage Input (Input Control)

Information system data management from the development to storage of input data

[Control Guidelines]

If IT is used in business processes, the development of original input data, the
implementation and checking of input, and the storage and disposal of input data are
managed. Input may be provided directly into information systems manually or
provided via floppy disks, CDs or other magnetic media, EDI or other forms of data
transmission, or via the Internet. If incorrect or improper data input is performed, the
financial information which is processed and generated from these data will be incorrect
or improper. Therefore, there should be controls which ensure that there are no duplicate
data and only correct data are inputted.

[Examples of Control Objectives]

4-(1)-1           Input management rules are established and followed (⇒ IV
                  Operation Processes 3. (1), System Management Standards).
4-(1)-2           Data input is performed accurately in accordance with the input
                  management rules without omission or duplication (⇒ IV Operation
                  Processes 3. (2), System Management Standards).
4-(1)-3           Measures to prevent incorrect or improper data input and protect the
                  confidentiality of data are working effectively (⇒ IV Operation
                  Processes 3. (4), System Management Standards).
4-(1)-4           Input data are stored and disposed of in accordance with the input
                  management rules (⇒ IV Operation Processes 3. (5), System
                  Management Standards).

[Examples of Controls and Control Assessment Procedures]

4-(1)-1
Example of risk: There are no input management rules for the data on which financial information is based, resulting in incorrect or improper input.
Example of control: Procedures and verification and approval methods are established in writing as input management rules for a series of activities related to data input into information systems, including input data development, exchange, verification, inputting, post-input checking, and storage.
Example of control assessment procedure: Check whether procedures and verification and approval methods are established in writing as input management rules for a series of activities related to data input into information systems, including input data development, exchange, verification, inputting, post-input checking, and storage.

4-(1)-2
Example of risk: There is a duplication or omission in the input of transaction data on which financial information is based.
Example of control: Data management and verification are carried out in accordance with the procedures specified in the input management rules in order to prevent data omission or duplication.
Example of control assessment procedure: Make sure that data management and verification are carried out in accordance with the procedures specified in the input management rules in order to prevent data omission or duplication.

4-(1)-2
Example of risk: Transaction data on which financial information is based are input incorrectly or improperly.
Example of control: Data management and verification are carried out in accordance with the procedures specified in the input management rules in order to ensure correct inputting.
Example of control assessment procedure: Make sure that data management and verification are carried out in accordance with the procedures specified in the input management rules in order to ensure correct inputting.

4-(1)-3
Example of risk: Improper data are entered into information systems related to financial information.
Example of control: Input data are developed and handled in accordance with due approval in order to prevent incorrect or improper input or protect the confidentiality of data.
Example of control assessment procedure: Make sure that input data are developed and handled in accordance with due approval.

4-(1)-4
Example of risk: Financial information is lost, stolen, or disclosed.
Example of control: Input data are stored and disposed of in accordance with the input management rules in order to prevent the loss, theft, and disclosure of the data.
Example of control assessment procedure: Make sure that input data are stored and disposed of in accordance with the input management rules.

 (2) Manage Data (Processing Control)

Management of a series of activities related to data provision and receipt, exchange,
reproduction, and disposal

[Control Guidelines]

With the growth of the Internet, order and purchasing data may be entered and
transmitted by external entities. In such cases, it is desirable that data management be
programmed into the system. For example, without a mechanism that helps make sure
the sender is a recognized customer, it would be impossible to verify the validity of the
received order.

[Examples of Control Objectives]

4-(2)-1      Data management rules are established and followed (⇒ IV Operation
             Processes 4. (1), System Management Standards).
4-(2)-2      Data access control and monitoring are working effectively (⇒ IV
             Operation Processes 4. (2), System Management Standards).
4-(2)-3      Data integrity is maintained (⇒ IV. Operation Processes 4. (3), System
             Management Standards).
4-(2)-4      Data are given and received in accordance with the data management rules
             (⇒ IV Operation Processes 4. (6), System Management Standards).
4-(2)-5      When data are exchanged, measures to prevent improper acts and protect
             the confidentiality of the data are implemented (⇒ IV Operation
             Processes 4. (7), System Management Standards).
4-(2)-6      When data are stored, reproduced, or disposed of, measures to prevent
             incorrect or improper handling and protect the confidentiality of the data
             are implemented (⇒ IV Operation Processes 4. (8), System Management
             Standards).

[Examples of Controls and Control Assessment Procedures]

4-(2)-1
    Example of risk: There are no data management rules for financial information, so the reliability of financial information is impaired.
    Example of control: In order to ensure the reliability of data, rules for data handling and management are established in writing.
    Example of control assessment procedure: Make sure that rules for data handling and management are established in writing.

4-(2)-2
    Example of risk: There is unauthorized access to data related to financial information, resulting in incorrect or improper transactions.
    Example of control: Access control and monitoring are carried out in order to prevent unauthorized access to or unauthorized use of data, protect the confidentiality of data, and protect personal information.
    Example of control assessment procedure: Make sure that access to data is granted only to duly authorized persons and that access is logged and monitored.

4-(2)-3
    Example of risk: If master data files are not correct, the reliability of financial information is impaired.
    Example of control: Important master files are matched to the original data.
    Example of control assessment procedure: Important master files are matched to the original data.

4-(2)-3
    Example of risk: The reliability of data related to financial information is impaired at the time of data renewal.
    Example of control: Verify that the data was renewed properly.
    Example of control assessment procedure: Make sure that proper data renewal is verified by control total etc.

4-(2)-3
    Example of risk: There is a malfunction or improper transaction at the time of data processing.
    Example of control: Check whether the results of data processing are correct (e.g. the results are within a certain range or match with relevant figures).
    Example of control assessment procedure: Make sure that the results of data processing are correct (e.g. the results are within a certain range or match with relevant figures).

4-(2)-4
    Example of risk: Data are misused, used improperly, or tampered with when provided or received.
    Example of control: Data are provided or received in accordance with the data management rules.
    Example of control assessment procedure: Make sure that data are provided or received in accordance with the data management rules.

4-(2)-5
    Example of risk: Errors occur when data are exchanged.
    Example of control: When data are exchanged, error corrections and the contents of data are checked.
    Example of control assessment procedure: Make sure that when data are exchanged, all errors are corrected completely.

4-(2)-6
    Example of risk: Data are used improperly or disclosed when stored, reproduced, or disposed of.
    Example of control: Data are stored, reproduced, or disposed of with required approval or otherwise in accordance with rules for the prevention of improper handling and the protection of secrets.
    Example of control assessment procedure: Make sure that improper handling prevention and confidentiality protection measures (e.g. access control and data deletion) are implemented when data are stored, reproduced, or disposed of.
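The duplication and omission check of 4-(1)-2 and the control-total and range checks of 4-(2)-3 are the kind of data management that the guideline above says should be programmed into the system for externally entered data. The following Python code is an added illustration and is not part of the Standards or of any company's system; the transaction layout, the batch header fields (record_count, amount_total) supplied by the sender, and the per-account amount limits are assumptions made for this example.

```python
"""Added example: programmed input/processing checks for a batch of transaction data.

The record layout, the batch header (record count and amount total supplied by the
sender) and the per-account amount limits are assumptions made for this illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    seq: int          # sequence number assigned by the sending system
    account: str      # general-ledger account the amount is posted to
    amount: Decimal


# Constructed sample batch: seq 3 arrives twice and seq 5 is missing.
SAMPLE_BATCH = [
    Transaction(1, "4000", Decimal("120.00")),
    Transaction(2, "4000", Decimal("80.50")),
    Transaction(3, "5100", Decimal("15.25")),
    Transaction(3, "5100", Decimal("15.25")),
    Transaction(4, "4000", Decimal("9999.00")),
    Transaction(6, "4000", Decimal("42.00")),
]
# Constructed control totals from the sender's batch header (the missing record 5 was 200.00).
SAMPLE_HEADER = {"record_count": 6, "amount_total": Decimal("10456.75")}
# Constructed plausibility limits per account, inclusive.
SAMPLE_LIMITS = {"4000": (Decimal("0"), Decimal("5000")),
                 "5100": (Decimal("0"), Decimal("1000"))}

# A constructed batch with no defects, for comparison.
CLEAN_BATCH = [Transaction(n, "4000", Decimal(a))
               for n, a in ((1, "10.00"), (2, "20.00"), (3, "30.00"))]
CLEAN_HEADER = {"record_count": 3, "amount_total": Decimal("60.00")}


def sequence_check(batch, expected_first=1):
    """Detect duplicated and omitted records from the sequence numbers (4-(1)-2)."""
    seen, duplicates = set(), set()
    for t in batch:
        if t.seq in seen:
            duplicates.add(t.seq)
        seen.add(t.seq)
    if not seen:
        return {"duplicates": [], "missing": []}
    missing = sorted(set(range(expected_first, max(seen) + 1)) - seen)
    return {"duplicates": sorted(duplicates), "missing": missing}


def control_total_check(batch, header):
    """Compare received count and amount total with the sender's control totals (4-(2)-3)."""
    count = len(batch)
    total = sum((t.amount for t in batch), Decimal("0"))
    return {
        "count_ok": count == header["record_count"],
        "total_ok": total == header["amount_total"],
        "received_count": count,
        "received_total": total,
    }


def range_check(batch, limits):
    """Sequence numbers whose amount is outside the plausible range for the account (4-(2)-3)."""
    out = []
    for t in batch:
        low, high = limits.get(t.account, (None, None))
        if low is not None and not (low <= t.amount <= high):
            out.append(t.seq)
    return out


def verify_batch(batch, header, limits):
    """Run all checks; the batch is accepted only when every check passes."""
    seq = sequence_check(batch)
    totals = control_total_check(batch, header)
    out_of_range = range_check(batch, limits)
    accepted = (not seq["duplicates"] and not seq["missing"]
                and totals["count_ok"] and totals["total_ok"] and not out_of_range)
    return {"accepted": accepted, "sequence": seq, "totals": totals, "out_of_range": out_of_range}


if __name__ == "__main__":
    print(verify_batch(SAMPLE_BATCH, SAMPLE_HEADER, SAMPLE_LIMITS))
    print(verify_batch(CLEAN_BATCH, CLEAN_HEADER, SAMPLE_LIMITS))
```

In the constructed batch the record count alone passes, because the duplicated record compensates for the omitted one; only the sequence check and the amount total expose the defect. That is why the checks are combined rather than relied on individually, and why the batch is rejected as a whole rather than corrected silently.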


Data management for IT transaction control purposes overlaps with data management
for IT general control purposes. The latter is IT control generally applicable to the IT
infrastructure, while the former applies specifically to each business application. Data
management measures are established and evaluated in line with the configuration of
each IT system and the administrative structure of each company. For example, backup
data management may be evaluated as part of IT General Controls, while customer
ordering data may be evaluated as part of IT transaction control.




(3) Manage Output (Output Control)

Management of a series of activities related to the output of data to information systems,
including output data development, provision and receipt, outputting, post-output
verification, and storage.

[Control Guidelines]

If there is incorrect or improper data output, the reliability of financial information may
be affected materially. For example, if output data on the shipment of products from a
warehouse are incorrect or improper, it means that sales and inventory data are also
incorrect or improper. Therefore, without appropriate output management, there is the
possibility of sales data being illegally altered, with the result that the reliability
(integrity, accuracy, and correctness) of financial information cannot be ensured.

[Examples of Control Objectives]

4-(3)-1      Output management rules are established and followed (⇒ IV Operation
             Processes 5. (1), System Management Standards).
4-(3)-2      It is verified that information is output accurately without omission or
             duplication (⇒ IV Operation Processes 5. (2), System Management
             Standards).
4-(3)-3      When output information is developed or handled, measures to prevent
             incorrect or improper handling or protect confidentiality are implemented
             (⇒ IV Operation Processes 5. (3), System Management Standards).
4-(3)-4      Output information is delivered in accordance with the output
             management rules (⇒ IV Operation Processes 5. (4), System Management
             Standards).
4-(3)-5      Output information is stored and disposed of in accordance with the
             output management rules (⇒ IV. Operation Processes 5. (5), System
             Management Standards).

[Examples of Controls and Control Assessment Procedures]

4-(3)-1
    Example of risk: There are no output rules for transaction data on which financial information is based, resulting in incorrect or improper handling.
    Example of control: Information output procedures and approval rules are established to prevent output by incorrect methods and unauthorized use and disclosure and protect confidentiality and personal information.
    Example of control assessment procedure: Make sure that information output procedures and approval rules are established to prevent output by incorrect methods and unauthorized use and disclosure and protect confidentiality and personal information.

4-(3)-2
    Example of risk: There is a duplication or omission in the output of transaction data on which financial information is based.
    Example of control: Data management and verification are carried out in accordance with the procedures specified in the output management rules in order to prevent data inaccuracy, omission, or duplication.
    Example of control assessment procedure: Make sure that data management and verification are carried out in accordance with the procedures specified in the output management rules.

4-(3)-3
    Example of risk: Transaction data on which financial information is based are outputted incorrectly or improperly.
    Example of control: Data management and verification are carried out in accordance with the procedures specified in the output management rules in order to ensure correct outputting.
    Example of control assessment procedure: Make sure that data management and verification are carried out in accordance with the procedures specified in the output management rules in order to ensure correct outputting.

4-(3)-4
    Example of risk: When data are outputted from an information system related to financial information, the data are altered without approval.
    Example of control: Measures to prevent incorrect and improper data handling and protect confidentiality are implemented in order to ensure that outputted information is developed and handled properly and will not be tampered with, stolen, or disclosed.
    Example of control assessment procedure: Make sure that measures to prevent incorrect and improper data handling and protect confidentiality are specified and implemented in accordance with the rules.

4-(3)-5
    Example of risk: Outputted financial information is lost or disclosed when delivered.
    Example of control: Rules and procedures for the delivery of outputted information are established and followed.
    Example of control assessment procedure: Make sure that rules and procedures for the delivery of outputted information are established and followed.

4-(3)-5
    Example of risk: Outputted financial information is lost or disclosed when stored or disposed of.
    Example of control: Storage and disposal are carried out in accordance with the output management rules.
    Example of control assessment procedure: Make sure that storage and disposal are carried out in accordance with the output management rules.


(Note) Measures to prevent incorrect and improper data handling may include the use of
electronic certificates issued by certifying entities accredited under the Electronic
Signature Law (accredited certifying bodies). Confidentiality protection measures may
include properly encrypting output information by encryption algorithms set forth in the
Electronic Government Recommended Code List or ISO/IEC18033 and properly
controlling the decryption keys.

(4) Spreadsheets and other tools

[Control Guidelines]

The use of spreadsheets etc. enhances the efficiency of financial management and is
vital for the preparation of financial reports. However, some spreadsheets and similarly
used software are similar in functionality to software designed and developed by
conventional processes; those containing programs should be identified for maintenance
purposes and subject to the same controls as the development, implementation, and
maintenance of information systems. In practice, however, spreadsheets etc. are used
personally without undergoing system development procedures. Because of these
factors, the use of spreadsheets is both convenient and risky. For example, in some
cases, PCs on which spreadsheets are handled are not covered by company-level
information system control. Moreover, in connection with the preparation of financial
reports, spreadsheets etc. may contain incorrect calculation formulas, or account
settlement data may be modified arbitrarily, potentially resulting in false financial
statements. Measures to prevent these risks may include the following:

1 In the case where tables and calculation formulas in spreadsheets etc. are developed
and used by the same person, improper acts or incorrect calculation formulas may be
overlooked if the spreadsheets or macro programs thus created are not checked by a
third party. Measures to prevent this risk may include the separation of the developer
from the user and the establishment of other corporate rules, mechanisms, and check
systems.

2 Programs in spreadsheets etc. may be lost as they are not recorded in writing.
Measures to prevent this risk may include the documentation of repeatedly used
programs.

3 Adequate backup copies are not made for spreadsheets etc. as compared with
application systems, potentially resulting in the loss of data. Measures to prevent this
risk may include making a backup copy of spreadsheets etc. related to financial reports
at regular intervals.

4 Spreadsheets etc. are often used on financial personnel’s PCs, so adequate access
control is not implemented as compared with application systems. In such an
environment, financial report data may be altered or deleted illegally. Measures to
prevent this risk may include establishing a system which prevents persons other than
financial personnel from accessing and modifying the financial report data.

5 If the results of calculation in spreadsheets etc. are not properly verified, the resulting
financial reports may be incorrect or false. Measures to prevent this risk may include, if
only a summation function is used, performing an alternative procedure such as
verification with an electronic calculator.

[Examples of Control Objectives]

Appropriate control measures, including those listed below, are introduced for
spreadsheets etc. having an impact on financial reports so that the reliability of financial
information can be ensured.

a. Policy and Procedure

4-(4)-1        The authority to use spreadsheets etc. and administrative authority
               involved in the use thereof are defined.
4-(4)-2        The use of spreadsheets etc. is approved.
4-(4)-3        If spreadsheets etc. are used for financial information, policies and
               procedures are established and followed with respect to the integrity,
               accuracy, and correctness of financial information.
4-(4)-4        The created spreadsheets etc. are documented and the integrity, accuracy
               and correctness of data processing can thereby be ensured.

b. Backup

4-(4)-5        Backup copies of created spreadsheets and data are made and kept safely.

c. Alteration Prevention Function and System

4-(4)-6        Users are not allowed to modify calculation formulas, macro programs,
               etc., in spreadsheets.
4-(4)-7        Spreadsheets etc. have a system to verify integrity, accuracy, and
               correctness (e.g. check the calculations) or the calculations are checked
               manually.
(Note that the System Management Standards do not address spreadsheets etc. as an
independent item.)

[Examples of Controls and Control Assessment Procedures]

4-(4)-1
    Example of risk: Because financial information is not properly handled in spreadsheets etc. used by financial personnel, the results are not reliable.
    Example of control: Policies and procedures for the integrity, accuracy, and correctness of spreadsheets etc. are established and followed.
    Example of control assessment procedure: Obtain policies and procedures related to spreadsheets etc. and verify that they contain controls with respect to integrity, accuracy, and correctness. (For example, randomly select financial personnel using spreadsheets etc. and ask them whether they understand and comply with the relevant policies.)

4-(4)-2
    Example of risk: If financial reports are made with unapproved spreadsheets etc. (including the IT infrastructure such as PCs), they may be falsified.
    Example of control: Approved spreadsheets etc. (including the IT infrastructure such as PCs) are used.
    Example of control assessment procedure: If financial information is handled on the PCs of financial personnel, check with them whether the information is controlled and approved.

4-(4)-3, 4-(4)-7
    Example of risk: Incorrect processing and unauthorized alteration are highly likely to occur in spreadsheets etc.
    Example of control: Programs contained in spreadsheets etc. are documented and the integrity, accuracy and correctness of the processing are verified.
    Example of control assessment procedure:
    - Investigate the spreadsheets etc. (including the IT infrastructure such as PCs) which are actually used.
    - Check how often the calculation formulas, tables, etc., in the spreadsheet software are reviewed for integrity, accuracy, and correctness and the extent to which they are used.
    - Obtain part of the spreadsheet software executed in spreadsheets etc. and check the details and effectiveness of the transactions.
    - Check the recalculation function of spreadsheets (tables).

4-(4)-5
    Example of risk: Spreadsheets and data are damaged when the PCs break down, making it impossible to give appropriate financial reports.
    Example of control: Backup copies of spreadsheets and data are made and kept safely.
    Example of control assessment procedure: Check the backup status. (For example, ask questions about how and when backup copies are made and where they are kept, etc.)

4-(4)-6
    Example of risk: Spreadsheets and data are altered without permission, resulting in incorrect financial reports.
    Example of control: Spreadsheets and data are protected with access control against alteration through unauthorized access and unauthorized use.
    Example of control assessment procedure:
    - Check that access control is implemented in financial personnel’s PCs. Check also to ensure the calculation formulas in the spreadsheets cannot be modified by the user. (For example, attempt to access their PCs without authority.)
    - Check whether there is a system to detect unauthorized alterations of spreadsheets and data.
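Two of the controls above, detection of unauthorized alterations of formulas (4-(4)-6) and independent verification of the calculations (4-(4)-7, and item 5 of the Control Guidelines), can be demonstrated on a small scale. The following Python code is an added illustration and is not part of the Standards or of any spreadsheet product: the workbook is a constructed dict of cell references to numbers or formula strings, only SUM over a single-column range and +, -, *, / arithmetic over cell references are evaluated, and the "approved" and "tampered" sheets are made up for the example. Recomputation is done independently of the stored values, which is the spreadsheet equivalent of the alternative procedure with an electronic calculator.

```python
"""Added example: alteration detection and recalculation checks for a spreadsheet.

The workbook is a constructed dict of cell -> number or formula string; only SUM over a
single-column range and +, -, *, / arithmetic over cell references are evaluated.
This is an illustration and does not use or describe any real spreadsheet product's API.
"""
import ast
import hashlib
import operator
import re

# Constructed "approved" settlement sheet and the values it displayed at approval time.
APPROVED = {
    "A1": 1200.0, "A2": 850.0, "A3": 430.0,
    "A4": "=SUM(A1:A3)",   # settlement total
    "B1": 0.1,             # tax rate
    "B2": "=A4*B1",        # tax on the total
}
CACHED_VALUES = {"A4": 2480.0, "B2": 248.0}
TAMPERED = dict(APPROVED, A4="=SUM(A1:A2)")   # a row silently dropped from the total
OVERRIDDEN = dict(APPROVED, A4=2600.0)        # formula replaced by a typed constant

RANGE_RE = re.compile(r"^SUM\(([A-Z]+)(\d+):([A-Z]+)(\d+)\)$")
REF_RE = re.compile(r"[A-Z]+\d+")
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _is_formula(v):
    return isinstance(v, str) and v.startswith("=")


def _safe_arith(text):
    """Evaluate numeric +, -, *, / only; any other syntax is rejected."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return float(node.value)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported expression element")
    return walk(ast.parse(text, mode="eval"))


def cell_value(cells, ref):
    """Independently recompute a cell instead of trusting its displayed value."""
    v = cells[ref]
    if not _is_formula(v):
        return float(v)
    expr = v[1:]
    m = RANGE_RE.match(expr)
    if m:
        col1, r1, col2, r2 = m.groups()
        if col1 != col2:
            raise ValueError("only single-column ranges are supported here")
        return sum(cell_value(cells, f"{col1}{r}") for r in range(int(r1), int(r2) + 1))
    # Substitute each referenced cell's recomputed value, then evaluate the arithmetic.
    return _safe_arith(REF_RE.sub(lambda mm: repr(cell_value(cells, mm.group(0))), expr))


def formula_fingerprint(cells):
    """SHA-256 over all formula cells; kept with the approved copy as a baseline (4-(4)-6)."""
    h = hashlib.sha256()
    for ref in sorted(cells):
        if _is_formula(cells[ref]):
            h.update(f"{ref}\t{cells[ref]}\n".encode())
    return h.hexdigest()


def formula_changes(approved, current):
    """Cells whose formula was edited, removed, or replaced by a constant since approval."""
    a = {r: v for r, v in approved.items() if _is_formula(v)}
    c = {r: v for r, v in current.items() if _is_formula(v)}
    return sorted(r for r in set(a) | set(c) if a.get(r) != c.get(r))


def recalculation_mismatches(cells, cached, tolerance=0.005):
    """Displayed values that no longer agree with an independent recomputation (4-(4)-7)."""
    return sorted(r for r, shown in cached.items()
                  if abs(cell_value(cells, r) - shown) > tolerance)


if __name__ == "__main__":
    print("changed formulas:", formula_changes(APPROVED, TAMPERED))
    print("mismatched cells:", recalculation_mismatches(TAMPERED, CACHED_VALUES))
```

The fingerprint covers formulas only, so routine entry of new figures does not trigger it, while an edited SUM range or a formula overwritten by a typed number does. The recalculation check catches the second class of problem that a fingerprint cannot: a sheet whose formulas are intact but whose displayed totals were pasted or left stale.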

(5) Risk Control Matrix for IT Application controls

In transaction control, it is important that the reliability (integrity, accuracy, and
correctness) of financial information is ensured and protected against anticipated risks.
To evaluate the maintenance and implementation of IT application controls, it would be
helpful to prepare a risk control matrix. An example is provided below. An example of a
specific risk control matrix is provided in Appendix 6 “Examples of a Risk Control
Matrix.”

5. Monitoring

Companies carry out monitoring to ascertain whether their internal controls are working
effectively. Monitoring includes corrective action taken by companies to continuously
improve their internal controls. Monitoring can be divided into 1 routine monitoring
and 2 independent monitoring.

Monitoring includes actions taken to understand and respond to problems and
exceptional matters at the executive, administrative, and field levels of the company. In
other words, monitoring includes minor improvements such as procedural changes at
the field level, the management’s urgent response to exceptional matters, the revision of
overall management policies, and other improvement activities carried out at each level.
IT monitoring is performed separately for company-level IT controls, IT general
controls, and IT application controls as they relate to each level of the company.

(1) Routine Monitoring

Routine monitoring can be divided into three types:

1 Ordinary monitoring: Monitoring that is carried out ordinarily to check any
difference between certain targets and actual results.

2 Regular monitoring: An inventory of master files etc. is taken (to make sure that the
files are correct) and access logs are checked (to check whether there is any violation of
access authority or unauthorized access) at regular (weekly, monthly, yearly, etc.)
intervals.

3 Abnormality monitoring: Check whether there are any abnormal figures or
irregularities.

Ordinary monitoring differs from mere reporting in that target values are set. Ordinary
monitoring is carried out by measuring progress toward the attainment of the target
values or deviation from the same. In ordinary monitoring based on IT, the differences
between the targets and the actual results are measured immediately and accurately and
reported.

Regular monitoring is intended to verify the reliability (integrity, accuracy, and
correctness) of data and includes, for example, the stocktaking of product master files at
pre-appointed times. It is performed not on business transactions themselves, but on
master files or other accumulations of data. For example, if the inventory of master files
is taken at regular intervals, their reliability can be ensured and they can be confirmed
updated and appropriate for use. In other words, regular monitoring can work to keep
information reliable.

Abnormality monitoring is carried out separately for each of the executive,
administrative, and field levels. The abnormal values which are set are then
communicated by the executive level to the administrative and field levels, whereas any
abnormal values found are reported from the field to the administrative and executive
levels. Abnormalities found in abnormality monitoring are corrected either through
immediate feedback to the field or at the direction of the executive and administrative
levels.

Recently the use of IT has facilitated swifter and more accurate abnormality monitoring.

(2) Independent Monitoring (Monitoring by the Internal Audit Department, etc.)

Independent monitoring is carried out by an internal audit department, an auditor, or
other third party. Internal audits of IT controls as independent monitoring are performed
by a non-IT department. During internal audits, which are one of the independent
monitoring activities, CAAT (computer-assisted audit techniques) may be used. Audits
using these tools verify the originality of data and are carried out in such a way as to
avoid interrupting business activities.

Independent monitoring is conducted either independently of or as a complement to
routine monitoring. An example of the complementary case is the handling of
applications for the reimbursement of transportation expenses etc.: applications below a
specified limit are approved automatically, while those exceeding the limit are audited
in detail by internal audit personnel. For applications not exceeding the limit, samples
may also be taken randomly and audited to check for any improper application by
employees (these verifications may be carried out by accounting personnel as part of
regular routine monitoring).

Generally, when routine monitoring is performed properly, the frequency of independent
monitoring can be reduced.
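The three routine monitoring types of (1) and the expense-reimbursement example of (2) above are easiest to see as small programmed checks. The following Python code is an added illustration, not part of the Standards or of any company's monitoring system: the daily figures, the target and abnormal values, the access log format and the authorization table, and the reimbursement limit and claim amounts are all constructed for the example.

```python
"""Added example: routine monitoring (ordinary, regular, abnormality) and the
independent-monitoring triage of expense claims, over constructed sample data.
"""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DailyFigure:
    day: str
    actual: float


# Constructed daily sales totals. The target and abnormal values are assumed to have
# been set by the executive level and communicated to the administrative and field levels.
SALES = [
    DailyFigure("2007-03-01", 980.0),
    DailyFigure("2007-03-02", 1040.0),
    DailyFigure("2007-03-03", 560.0),    # below the abnormal low value
    DailyFigure("2007-03-04", 1720.0),   # above the abnormal high value
    DailyFigure("2007-03-05", 1010.0),
]
TARGET = 1000.0
ABNORMAL_LOW, ABNORMAL_HIGH = 600.0, 1500.0


def ordinary_monitoring(figures, target):
    """Ordinary monitoring: deviation of each actual result from the target value."""
    return {f.day: round(f.actual - target, 2) for f in figures}


def abnormality_monitoring(figures, low, high):
    """Abnormality monitoring: days whose figure lies outside the abnormal-value band."""
    return [f.day for f in figures if f.actual < low or f.actual > high]


# Constructed access log lines in an assumed format, and an assumed authorization table
# mapping each user to the data sets that user may touch.
ACCESS_LOG = """\
2007-03-03 09:12:01 user=suzuki action=read dataset=customer_master
2007-03-03 09:15:44 user=suzuki action=update dataset=customer_master
2007-03-03 22:41:09 user=tanaka action=update dataset=gl_journal
2007-03-04 03:05:30 user=guest action=read dataset=gl_journal
2007-03-04 corrupted entry
"""
AUTHORIZED = {"suzuki": {"customer_master"}, "tanaka": {"gl_journal"}}
LOG_RE = re.compile(r"^(\S+ \S+) user=(\S+) action=(\S+) dataset=(\S+)$")


def regular_access_review(log_text, authorized):
    """Regular monitoring: entries by users not authorized for the data set, plus any
    line that cannot be parsed (a damaged log is itself a finding, not something to skip)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        _stamp, user, _action, dataset = m.groups()
        if dataset not in authorized.get(user, set()):
            findings.append((user, dataset))
    return findings


@dataclass(frozen=True)
class ExpenseClaim:
    claim_id: str
    amount: float


# Constructed reimbursement claims and an assumed approval limit.
CLAIMS = [ExpenseClaim(f"C{n:03d}", amt)
          for n, amt in enumerate([1200.0, 48000.0, 3300.0, 900.0, 52000.0, 2100.0], start=1)]
APPROVAL_LIMIT = 30000.0


def triage_claims(claims, limit, sample_size, seed):
    """Independent monitoring: claims above the limit go to detailed internal audit; the
    rest are approved automatically and a random sample of them is drawn for spot checks."""
    detailed = [c.claim_id for c in claims if c.amount > limit]
    auto = [c.claim_id for c in claims if c.amount <= limit]
    sampled = sorted(random.Random(seed).sample(auto, min(sample_size, len(auto))))
    return {"detailed_audit": detailed, "auto_approved": auto, "sampled_for_audit": sampled}


if __name__ == "__main__":
    print(ordinary_monitoring(SALES, TARGET))
    print(abnormality_monitoring(SALES, ABNORMAL_LOW, ABNORMAL_HIGH))
    print(regular_access_review(ACCESS_LOG, AUTHORIZED))
    print(triage_claims(CLAIMS, APPROVAL_LIMIT, sample_size=2, seed=7))
```

The seed passed to triage_claims exists so that the sample drawn can be reproduced later from preserved evidence (point 5-(2)-G below); in production it would be recorded with the monitoring results rather than hard-coded.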

In the performance of monitoring, the following points should be taken into
consideration:

5-(2)-A      Monitoring procedures are established and followed.
5-(2)-B      Monitoring indexes (e.g. target and abnormal values) are communicated to
             and accepted by the monitoring personnel.
5-(2)-C      The results of monitoring are reported promptly to the administrator.
5-(2)-D      If any problem is detected as a result of monitoring, the corporate
             manager evaluates the priority and urgency of corrective action and makes
             improvements.
5-(2)-E      Monitoring is carried out continuously.
5-(2)-F      The department responsible for independent monitoring is independent of
             the departments responsible for the development and operation of
             information systems related to financial information and for financial
             reports.
5-(2)-G      Evidence for the results of monitoring is preserved for future investigation
             of improper acts.

[Control Guidelines]

The effectiveness of internal controls is evaluated to identify problems. Such problems
are corrected and continuous improvements made to ensure the effectiveness of internal
controls.

[Examples of Control Objectives]

Internal controls based on IT work effectively to ensure the reliability of financial
information. Control objectives can be stated separately for company-level IT controls,
IT general controls, and IT application controls.

1 Monitoring of Company-level IT Controls

[Examples of Control Objectives]

5-(2)-1      A system of monitoring (review and improvement) by an IT-related senior
             organization is established and operated effectively (⇒ I Strategic IT Plan.
             2. 1. (2), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

5-(2)-1-A
    Example of risk: IT-related problems are not reported and improvements are not made.
    Example of control: There is a system that ensures that IT-related problems are reported to and corrected by the management council, an information system committee, or other appropriate administrator.
    Example of control assessment procedure: Make sure based on minutes of meetings etc. that IT-related problems are reported to the management council, an information system committee, or other appropriate administrator and corrective action is examined.

5-(2)-1-F
    Example of risk: If the department responsible for financial reports is involved in monitoring, improper acts and errors cannot be found.
    Example of control: The department responsible for financial reports is independent of the department in charge of monitoring.
    Example of control assessment procedure: Check with an organization chart, job description rules, etc., whether monitoring related to information systems (including online monitoring and follow-up analysis) is carried out by an independent department.

5-(2)-1-E, 5-(2)-1-F
    Example of risk: Internal audits are not conducted and monitoring is not working effectively.
    Example of control: Internal audits are carried out.
    Example of control assessment procedure: Make sure that the results of audits are reported to the management council etc.

2 Monitoring of IT General Controls

The monitoring of IT general controls is carried out to check whether IT infrastructure
controls are working effectively and to correct any problems identified. In some cases it
is more efficient to carry out this monitoring as an IT application control; therefore, the
items set forth below may also be performed as IT application controls.

[Examples of Control Objectives]

5-(2)-2-A    IT-related audit functions are established and operated effectively (⇒ III System Development. 2. (14), System Management Standards).
5-(2)-2-B    An IT-based monitoring system is in use and is functioning effectively (⇒ IV Operation Processes. 2. (15), System Management Standards).

[Examples of Controls and Control Assessment Procedures]

5-(2)-2-A
  Example of risk: There is no function of monitoring IT general controls, so improper and incorrect transactions cannot be detected.
  Example of control: There are policies, procedures, and rules for the routine monitoring of IT, and monitoring activities are implemented and records preserved in accordance with such policies etc.
  Example of control assessment procedure:
    - Check whether there are appropriate policies and procedures for routine monitoring.
    - An internal audit department etc. verifies that monitoring is carried out in accordance with such policies and procedures. (For example, make sure that logs etc. are collected and analyzed.)

5-(2)-2-B
  Example of risk: Improper transactions etc. cannot be detected without continuous monitoring.
  Example of control: Monitoring logs etc. are collected continuously.
  Example of control assessment procedure:
    - Make sure that the logs selected for monitoring are collected 24 hours a day, 365 days a year.
    - An internal audit department etc. checks whether the collected logs are analyzed.

5-(2)-2-B
  Example of risk: Evidence of monitoring is not properly kept and preserved.
  Example of control: Logs and other information are properly kept and preserved.
  Example of control assessment procedure:
    - Logs are kept for a specified period.
    - Check whether logs are made available as evidence.

5-(2)-2-B
  Example of risk: Monitoring information is not reported promptly to an appropriate administrator.
  Example of control: An integrated system ensures that monitoring information is promptly reported to an appropriate administrator.
  Example of control assessment procedure: Make sure that a system which ensures that an abnormal ending of processing etc. is promptly reported to an appropriate administrator is built in and functioning properly.
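
The three 5-(2)-2-B assessment items above (continuous collection, retention for a specified period, prompt reporting of abnormal endings) can be checked mechanically by an internal audit department rather than by inspection alone. The following is an added example written for this edition; it is not code from the Standards or from METI. It assumes a hypothetical log format in which a collector writes an hourly heartbeat line and batch jobs write a status code, and the sample log lines are constructed, with a deliberate three-hour hole in collection and one job that ended abnormally.

```python
"""Added example: continuity, retention and escalation checks for
monitoring logs (5-(2)-2-B). Sample data is constructed; the
'timestamp kind key=value ...' line format is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: hourly collector heartbeats with a gap between
# 02:00 and 05:00, followed by two batch job completion records.
SAMPLE_LOG = """\
2007-03-01T00:00:00 collector heartbeat host=app01
2007-03-01T01:00:00 collector heartbeat host=app01
2007-03-01T02:00:00 collector heartbeat host=app01
2007-03-01T05:00:00 collector heartbeat host=app01
2007-03-01T06:00:00 collector heartbeat host=app01
2007-03-01T06:10:00 batch job=GL_POST status=0
2007-03-01T06:15:00 batch job=AR_AGING status=12
"""


@dataclass
class LogEntry:
    ts: datetime
    kind: str                              # "collector" or "batch"
    fields: dict = field(default_factory=dict)


def parse_log(text):
    """Parse the hypothetical line format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        entries.append(LogEntry(datetime.fromisoformat(parts[0]), parts[1], fields))
    return entries


def collection_gaps(entries, expected=timedelta(hours=1),
                    tolerance=timedelta(minutes=5)):
    """Continuity check: return (start, end) pairs of consecutive collector
    heartbeats whose spacing exceeds the expected interval plus tolerance,
    i.e. periods in which nothing was collected."""
    beats = sorted(e.ts for e in entries if e.kind == "collector")
    return [(prev, cur) for prev, cur in zip(beats, beats[1:])
            if cur - prev > expected + tolerance]


def retention_satisfied(entries, now_iso, required_days=365):
    """Retention check: the oldest retained entry must reach back at least
    the required number of days from the assessment date."""
    now = datetime.fromisoformat(now_iso)
    oldest = min(e.ts for e in entries)
    return now - oldest >= timedelta(days=required_days)


def abnormal_endings(entries):
    """Escalation check: names of batch jobs that did not end with status 0.
    These are the events that must reach an appropriate administrator."""
    return [e.fields.get("job", "?") for e in entries
            if e.kind == "batch" and e.fields.get("status") != "0"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for start, end in collection_gaps(entries):
        print(f"collection gap: {start.isoformat()} -> {end.isoformat()}")
    print("retention satisfied:", retention_satisfied(entries, "2008-03-02T00:00:00"))
    print("abnormal endings:", abnormal_endings(entries))
```

Run over the sample, the script reports one collection gap (02:00 to 05:00), confirms that the retained logs cover the assumed 365-day period as of the given assessment date, and lists AR_AGING as the job whose abnormal ending needs follow-up. In practice the expected interval, tolerance and retention period come from the company's own monitoring procedures, and the assessor keeps the script output with the working papers as evidence.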

3 Monitoring of IT Application Controls

Monitoring of IT application controls is carried out to check whether business
application system controls are working effectively and to correct any problems identified.
Access logs may be monitored as a general control, but where the access logs of a particular
business application can be monitored to serve the purpose of proper financial reporting,
such monitoring is performed here.

[Examples of Control Objectives]

5-(2)-3-A    Procedures and rules for routine monitoring are established and enforced.
5-(2)-3-B    It is verified by internal audits that controls to ensure the reliability (integrity, accuracy, and correctness) of financial information are working effectively.
5-(2)-3-C    Access records are taken, preserved, and from time to time analyzed.
5-(2)-3-D    Abnormalities and exceptions are reported to the responsible person.
5-(2)-3-E    Error lists are analyzed and problems are corrected.

[Examples of Controls and Control Assessment Procedures]

5-(2)-3-A
  Example of risk: There is no function of monitoring application systems, so improper and incorrect transactions etc. cannot be detected.
  Example of control: Procedures and rules for the routine monitoring of IT are established, and monitoring activities are carried out and records preserved in accordance with such procedures and rules.
  Example of control assessment procedure: Check whether procedures and rules for the routine monitoring of IT are established. (For example, make sure that follow-up reviews of exceptional cases, such as the recording of sales beyond the credit limit, are carried out by the administrator.)

5-(2)-3-B
  Example of risk: The reliability of master data on which financial information is based is impaired.
  Example of control: Master data are checked from time to time.
  Example of control assessment procedure: Make sure that master data are checked and the results are analyzed and followed up. (For example, make sure that a customer master and credit limits are collated against accounting slips and other original data at regular intervals.)

5-(2)-3-E
  Example of risk: Transaction data on which financial information is based are entered incorrectly or improperly.
  Example of control: Certain items are checked for error, with error lists generated.
  Example of control assessment procedure: Review the error lists and make sure that the errors have been analyzed and corrected.

5-(2)-3-C
  Example of risk: Data are entered incorrectly or improperly into information systems related to financial information, or disclosed when such entries are made.
  Example of control: Access logs are searched on certain conditions for any abnormal access.
  Example of control assessment procedure: Make sure that monitoring is carried out with access logs. (For example, make sure that access logs are used to perform monitoring outside the normal business hours.)

5-(2)-3-C
  Example of risk: If information systems related to financial information lack the function to check processing results, improper and incorrect transactions are overlooked.
  Example of control: Check in internal audits whether a function of checking processing results is working effectively in information systems related to financial information.
  Example of control assessment procedure: Make sure in internal audits that it is verified whether a function of collating accounting book data against sales quantities or input data is realized.

5-(2)-3-D
  Example of risk: Monitoring information is not promptly reported to an appropriate administrator.
  Example of control: There is a built-in system to ensure that monitoring information is promptly reported to an appropriate administrator.
  Example of control assessment procedure: Make sure that a system to ensure that monitoring information is promptly reported to an appropriate administrator is built in and working properly. (For example, check whether discounts exceeding a certain limit are reported to the administrator.)



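The 5-(2)-3 table names four concrete exception checks an application should feed to the administrator: sales beyond the credit limit (5-(2)-3-A), entries made outside normal business hours found from access logs (5-(2)-3-C), discounts exceeding a certain limit (5-(2)-3-D), and an error list of incorrectly entered items (5-(2)-3-E). The following is an added example, written for this edition and not part of the Standards or of any METI system, that runs those checks over constructed transaction and master data. The field names, the business hours, and the 20 percent discount threshold are assumptions chosen for the example.

```python
"""Added example: exception reporting over application data for the
5-(2)-3 assessment items. Customer master, transactions, business hours
and thresholds are all constructed assumptions for this example."""
from collections import defaultdict
from datetime import datetime, time

# Constructed customer master with credit limits.
CUSTOMER_MASTER = {
    "C001": {"name": "Example Trading", "credit_limit": 50000},
    "C002": {"name": "Sample Retail", "credit_limit": 10000},
}

# Constructed sales entries as a hypothetical order application would record them.
TRANSACTIONS = [
    {"id": "S1", "customer": "C001", "amount": 30000, "discount_pct": 5,
     "user": "alice", "ts": "2007-03-05T10:15:00"},
    {"id": "S2", "customer": "C001", "amount": 25000, "discount_pct": 0,
     "user": "alice", "ts": "2007-03-05T14:00:00"},   # pushes C001 past its limit
    {"id": "S3", "customer": "C002", "amount": 8000, "discount_pct": 35,
     "user": "bob", "ts": "2007-03-05T22:30:00"},     # large discount, after hours
    {"id": "S4", "customer": "C999", "amount": 100, "discount_pct": 0,
     "user": "bob", "ts": "2007-03-06T09:00:00"},     # customer missing from master
    {"id": "S5", "customer": "C002", "amount": -50, "discount_pct": 0,
     "user": "carol", "ts": "2007-03-06T09:30:00"},   # negative amount
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed normal business hours
DISCOUNT_LIMIT_PCT = 20                      # assumed approval threshold


def error_list(txns, master):
    """Edit checks on entered data; the output is the error list of 5-(2)-3-E."""
    errors = []
    for t in txns:
        if t["customer"] not in master:
            errors.append((t["id"], "customer not in master"))
        if t["amount"] <= 0:
            errors.append((t["id"], "non-positive amount"))
    return errors


def credit_limit_exceptions(txns, master):
    """Sales beyond the credit limit (5-(2)-3-A): a running total per customer,
    in posting order, compared with the limit held in the master."""
    running = defaultdict(int)
    out = []
    for t in sorted(txns, key=lambda t: t["ts"]):
        limit = master.get(t["customer"], {}).get("credit_limit")
        if limit is None or t["amount"] <= 0:
            continue                       # already on the error list
        running[t["customer"]] += t["amount"]
        if running[t["customer"]] > limit:
            out.append((t["id"], t["customer"], running[t["customer"]], limit))
    return out


def discount_exceptions(txns, limit_pct=DISCOUNT_LIMIT_PCT):
    """Discounts above the threshold, to be reported to the administrator (5-(2)-3-D)."""
    return [(t["id"], t["discount_pct"]) for t in txns if t["discount_pct"] > limit_pct]


def off_hours_entries(txns, hours=BUSINESS_HOURS):
    """Entries made outside normal business hours, from the access timestamps (5-(2)-3-C)."""
    start, end = hours
    return [(t["id"], t["user"], t["ts"]) for t in txns
            if not (start <= datetime.fromisoformat(t["ts"]).time() < end)]


def monitoring_report(txns=TRANSACTIONS, master=CUSTOMER_MASTER):
    """One follow-up package for the administrator's review and sign-off."""
    return {
        "error_list": error_list(txns, master),
        "credit_limit": credit_limit_exceptions(txns, master),
        "discount": discount_exceptions(txns),
        "off_hours": off_hours_entries(txns),
    }


if __name__ == "__main__":
    for section, rows in monitoring_report().items():
        print(section)
        for row in rows:
            print("  ", row)
```

The checks are deliberately separate functions so that each maps to one assessment item and each exception carries the identifiers (entry, customer, user, timestamp) the administrator needs for follow-up. An entry that fails the edit checks is kept off the credit-limit calculation so that it is dealt with once, through the error list, rather than appearing in two reports.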
References:

(1) System Management Standards, 2004 provisional edition (the Ministry of Economy,
Trade and Industry, Oct. 8, 2005)
http://www.meti.go.jp/policy/netsecurity/downloadfiles/system_kanri.pdf

(2) Information Security Management Standards (the Ministry of Economy, Trade and
Industry, Mar. 26, 2003)
http://www.meti.go.jp/policy/netsecurity/downloadfiles/IS_Audit_Annex01.pdf

(3) Guideline for Improvement of Reliability of Information Systems (the Ministry of
Economy, Trade and Industry, Jun. 15, 2006)
http://www.meti.go.jp/press/20060615002/guideline.pdf

(4) 1st report compiled by the Society for the Study of Trade Practices and Contracts to
Improve the Reliability of Information Systems (information systems, model
transactions, contracts (entrusted development, including planning), maintenance, and
operations) (the Ministry of Economy, Trade and Industry)

(5) Internal Control in the Age of New Risks – Guideline for establishing an internal
control that works as a single piece with risk management (the Society for the Study of
Risk Management and Internal Control, the Ministry of Economy, Trade and Industry,
Jun. 27, 2003)
http://www.meti.go.jp/kohosys/press/0004205/1/030627risk-hokokusyo.pdf

(6) Framework of Disclosure and Appraisal concerning Corporate Governance, Risk
Management and Internal Control – Guideline for construction and disclosure (the
Society for the Study of Disclosure and Appraisal of Corporate Behavior, the Ministry
of Economy, Trade and Industry, Aug. 31, 2005)
http://www.meti.go.jp/press/20050831003/kigyoukoudou-set.pdf

(7) On the Setting of the Standards and Practice Standards for Management Assessment
and Audit concerning Internal Control over Financial Reporting (Council Opinions)
(Business Accounting Deliberation Council, the Financial Services Agency, Feb. 15,
2007)
http://www.fsa.go.jp/singi/singi_kiryou/tosin/20070215.pdf




Appendix 1 Correspondence of the “System Management Standards –
Supplementary Edition” to other standards

Figure 1-1 shows representative IT control frameworks.

Fig. 1-1 Representative IT control frameworks

Representative framework | Establisher | Scope of each framework
System Management Standards | Ministry of Economy, Trade and Industry | IT control in general
COBIT (4th edition) | IT Governance Institute | IT control in general
IT control objectives for observance of the Sarbanes-Oxley Act (2nd edition) | IT Governance Institute | IT control over financial reporting
Report No. 3 released by the IT Committee | Japanese Institute of Certified Public Accountants | IT control over financial reporting
Information Security Management Standard | Ministry of Economy, Trade and Industry | IT security control
JIS Q 27002 | Japanese Industrial Standard | IT security control
ISO/IEC 20000:2005 Information technology - Service management | ISO/IEC | IT operation control
ITIL (Information Technology Infrastructure Library) | Office of Government Commerce | IT operation control

Agreement is not necessarily reached as to whether all these frameworks can be used
as “IT control standards generally acknowledged as fair and appropriate” to appraise
and audit the status of internal control over financial reporting. For example, some
frameworks contain items that this system does not require or are biased towards a
certain area of activities. In addition, overseas frameworks are formulated based on
the business practices of Western countries, and there are cases in which it is difficult
to apply these frameworks to Japanese companies because the internal control
systems of Japanese companies function based on not only common business
operation concepts but also some non-Western concepts particular to Japan.

Figure 1-2 shows a comparison of three frameworks: (1) System Management
Standards - Supplementary Edition (Guidance for IT controls over financial
reporting) (hereafter called the “Supplementary Edition”); (2) IT control objectives
for observance of the Sarbanes-Oxley Act 2nd edition, September 2006 (hereafter
called “IT Control Objectives V2”); and (3) the 3rd report of the IT Committee
(“Assessment of important misstatement risks in the information system using IT
during the audit of financial statements, and the auditor procedure for dealing with
the evaluated risks,” which was revised on March 17, 2006) (hereafter called the “3rd
IT report”).



Fig. 1-2 Comparison between the Supplementary Edition and other standards

Columns: Components; 3rd IT report; IT control objectives V2; Supplementary Edition (Guidance for IT controls over financial reporting)

Introduction
  3rd IT report: I. Purpose of this report
  IT control objectives V2: 1. Executive summary
  Supplementary Edition: Introduction

Basics of control over financial reporting
  3rd IT report: III. Understanding a company with internal control in place and its business environment; 1. Information reliability and IT; 2. Relationships between executive assertions and IT control objectives; 5. Understanding the control environment
  IT control objectives V2: 2. Foundation for reliable financial reporting; ・Need for IT control guidance; 3. Manage the human element of change; ・Committing to change; ・Assessing the current state
  Supplementary Edition: II. Overview of IT controls; 1. Financial reporting and IT controls; (1) Relations between internal control provided by the Financial Instruments and Exchange Law and IT; (2) Relations between financial reporting and IT controls

Outline of IT control (classification of controls)
  3rd IT report: II. General understanding of IT; III. Understanding a company with internal control in place and its business environment; 3. Relationships among each operation process and IT; 4. Understanding the relationships among account titles in financial statements, operation processes, and application systems; 6. Understanding the information systems for which financial reports are prepared and the transmission of information; 7. Understanding control activities; 8. Understanding monitoring activities
  IT control objectives V2: 2. Foundation for reliable financial reporting; ・Where to find IT controls; ・Information technology controls - a unique challenge; ・PCAOB guidance for IT controls; ・Controls over IT systems; 4. Setting the ground rules; ・COSO defined; ・Applying COSO to IT
  Supplementary Edition: II.2. Control items in IT controls; (1) Company-level IT controls; (2) IT general controls; (3) IT application controls

Control frame and control objectives
  3rd IT report: Data from outside sources (report Nos. 29, 30, and 31 by the Watchdog Committee)
  IT control objectives V2: Appendix B: COSO and COBIT; Appendix C: IT general controls; ・Activity-level IT controls; Appendix D: Application controls; ・The importance of application controls; ・The business case for application controls; ・Defining application controls; ・Establishing the application benchmark; ・Examples of automated application controls
  Supplementary Edition: Appendix 2. Usage of control objectives for the System Management Standards

Control activities (control and assessment procedures)
  3rd IT report: IV. Assessment of important misstatement risks; 1. Judgment of importance of risk assessment of information systems; 2. Points to consider if a shortcoming is found with overall controls; 3. Points to consider if a shortcoming is found with operation controls; 4. Correction of risk assessments; V. Communication between executives and auditors; VI. Performing the procedure for dealing with evaluated risks; VIII. Using IT specialists; IX. Defining the relative position of outsourcing
  IT control objectives V2: 5. IT compliance road map; ・Sarbanes-Oxley compliance
  Supplementary Edition: III. Assessment of IT controls by management; 1. Roadmap for assessment of IT controls; 2. Determination of the scope of assessment and identification of IT to be assessed; 3. Assessment of company-level IT controls; 4. Assessment of IT controls in business processes; 5. Determination of effectiveness of IT controls

Cases and others
  3rd IT report: VII. Examples of IT-related audit procedures; 1. Perusal of records and documents; 2. Visiting and observing a site where a system is operated; 3. Questions; 4. Recalculation/CAAT; 5. Reimplementation/CAAT; 6. Analytical procedure; X. Issue and application
  IT control objectives V2: Appendix A: Sarbanes-Oxley primer; Appendix E: Sample application and technology layer inventory; Appendix G: Inherent risk assessment and control prioritization grid; ・Risk assessment considerations; ・Information technology risk assessment; ・Recommendations on where controls should be considered; Appendix H: Sample control documentation and testing template; Appendix I: Sample deficiency evaluation decision tree; Appendix J: Sample approach for spreadsheets; Appendix K: Lessons learned; Appendix L: Issues in using SAS70 examination report; ・Description of controls; ・Timing; ・Nature and extent of testing; ・Qualifications and exceptions; ・Service auditor; Appendix M: Segregation of duties in significant accounting applications; Appendix N: List of figures
  Supplementary Edition: IV. Guidance on Introduction of IT Controls (Illustration of IT Controls); 1. Use of the guidance; 2. Company-level IT controls; 3. IT General Controls; 4. IT Application controls; 5. Monitoring; Appendix 1. Correspondence of the “System Management Standards – Supplementary Edition” with other standards; Appendix 2. Usage of control objectives for the System Management Standards; Appendix 3. Illustration of IT controls and specific information technologies (IT); Appendix 4. Recording and retention of assessment procedures; Appendix 5. Sampling; Appendix 6. Examples of the risk control matrix; 6-1. Description of IT General Controls Assessment; 6-2. Description of Company-level IT Controls Assessment; 6.3 Description of IT Application Controls Assessment


The “3rd IT Report” is compiled with a focus on the concepts and procedures for the
risk assessment of internal controls using IT to be reviewed during accounting audits
conducted by auditors. It is suitable for use by internal auditors or accounting
auditors as a handbook of audit activities.

The IT control objectives were established based on the COSO (Committee of
Sponsoring Organizations of the Treadway Commission) framework, and
disseminated mainly in the U.S.A. After two years of application, they were
reviewed and established as the “IT Control Objectives V2.” This V2 edition is
different from the first edition in that one whole chapter is used as an executive
summary to provide executives with guidance and promote their understanding, and
many assessment criteria and templates are provided as reference data to allow the
materials to be used for a wide range of purposes. It is organized in a way that
enables people concerned with internal controls to use it as a handbook for acquiring
information on the specific tasks that they perform.

While the “Supplementary Edition” is compiled from the perspective of the IT side,
the “IT Control Objectives V2” is based on the standpoint of controlling the status of
IT controls. It is expected, therefore, that people concerned with IT controls will be
able to gain a better understanding of IT controls by referring to both the
“Supplementary Edition” and “IT Control Objectives V2” in a complementary
manner. Additionally, if the viability of applying the performance standard of the
Financial Services Agency to overseas operating bases of Japanese companies
(particularly those in the U.S.A.) is uncertain, it could be useful to refer to the “IT
Control Objectives V2.”




Appendix 2 How to use the control objectives of System Management Standards

1. Control objectives of System Management Standards

System Management Standards are designed to be used by an organization that wants
to establish IT governance by dealing with the risks accompanying its information
system, specifically by exercising control over its information system and making it
function properly in a cycle comprising planning, development, operation, and
maintenance. Although System Management Standards are designed to be used by
information system operators, system auditors can also use them as criteria for
judgment when conducting system audits.
⇒ (Preface, System Management Standards)

2. Organizing the control items of System Management Standards

To make it easier for a company to use System Management Standards when
improving or evaluating IT controls concerning the reliability of financial reporting,
all control items of System Management Standards have been organized and
tabulated as shown in the pages that follow. The information given below
corresponds to the information shown from left to right in the table.

• Control items are arranged in the order of chapter, section, and items that appear in System Management Standards.
• Types of control of each control item (company-level IT control, IT general control, and IT application control) are classified into company, general, application or – (not applicable).
• Control objectives are shown for each control item.
• For each control item, “C” or “S” is shown. “C” means a control item that constitutes a greater risk to financial information, and “S” means a control item that constitutes a relatively small risk to financial information. For a control item that does not directly concern internal controls over financial reporting, the space is left blank and neither “C” nor “S” is entered.
• The purposes of each control item (abstracted from the purposes described in the handbook of System Management Standards) are shown.

3. Control objectives of System Management Standards (examples)

The control objectives (examples) of System Management Standards shall be used as
follows:

1 To understand the control items and the purpose of each control item
2 To understand the risks of control items shown in the guidance by clarifying the corresponding control items (examples)
3 To define a risk that the company wants to reduce as a control item
4 To enable a company to make up a list of control items (examples) and thereby recognize that the risks involved can be reduced (use of a risk control matrix, etc.)




                                         -6-
How the control objectives of System Management Standards are used varies greatly
depending on the company and type of industry. Therefore, the control items
(examples) of System Management Standards shall be applied by taking the actual
situation of each company into consideration.

Appendix 2-1

Control items of System Management Standards, and corresponding control objectives (examples)

The original table has the following columns, from left to right: item number; control item of System Management Standards; control type; control objective (example); guidance item number; C or S; purpose of the System Management Standards. Each row of the table is given below as one block with labelled fields. Fields that are blank in the original table are omitted.

I  Strategic IT Plan

1  Overall optimization

1.1  Policies on and goals of overall optimization (Control type: Company)

(1) Define policies on IT governance.
    Control type: Company
    Control objective (example): Formulating the IT governance policy (plan).
    Guidance item number: 2-(1)-1
    C or S: C
    Purpose: The policy for the establishment of IT governance must be clarified.

(2) Define principles for use of IT and IT investment allocation.
    Control type: Company
    Control objective (example): Establishing a computerization plan appropriate for management strategy.
    Guidance item number: 2-(1)-1
    C or S: C
    Purpose: The principles on which investments in computerization and computerization plans are to be determined must be established in order to formulate a coherent overall optimization plan.

(3) The goals of the information system’s overall optimization should be based on business strategies.
    Control type: Company
    Control objective (example): Making the information system optimization plan consistent with management strategy.
    C or S: S
    Purpose: To construct an information system that will enable business objectives to be accomplished, the objectives of the overall optimization plan must be established with consideration given to consistency with management strategy.

(4) Define the model of the information system for the organization.
    Control type: Company
    Control objective (example): Formulating the overall optimization plan.
    Guidance item number: 2-(1)-1
    C or S: C
    Purpose: The overall optimization plan must clearly present an ideal information system so that the information system for the whole organization functions to accomplish objectives efficiently and effectively in such a way that individual information systems interact with each other organically while consistency is mutually maintained.

(5) Define policies on organizational structure and business process changes caused by introducing the new system.
    Control type: Company
    Control objective (example): The overall optimization plan shows an organization to be systematized and changes in operations.
    Guidance item number: 2-(3)-1
    C or S: C
    Purpose: As the information system is constructed (rebuilt), new organizations and operations will be established, and existing organizations and operations will be altered or abolished. The overall optimization plan must clarify the policies for establishing new organizations and operations and for altering and abolishing existing organizations and operations.

(6) Define primary policies on information security.
    Control type: Company/general
    Control objective (example): Making the overall optimization plan consistent with the basic information security policy.
    Guidance item number: 2-(1)-5, 2-(3)-1, 3-(3)-1-A
    C or S: C
    Purpose: Prevention of fraud, security, protection of privacy, etc., is the basis on which sound business management activities can be promoted. Therefore, the policy for information security measures must be clearly presented in the overall optimization plan.

1.2  Approval of the overall optimization plan (Control type: Company)

(1) Obtain approval on the organizational structure to develop the overall optimization plan from the management.
    Control type: Company
    Control objective (example): The overall optimization plan must be approved by the top management.
    C or S: S
    Purpose: Because the overall optimization plan must be formulated based on management strategies as medium- and long-term plans, a planning system must be established and the overall optimization plan created through this planning system must be approved by the top management of an organization.

(2) Obtain approval on the overall optimization plan from the management.
    Control type: Company
    Control objective (example): The overall optimization plan must be approved by the top management.
    C or S: S
    Purpose: Computerization must be promoted based on management strategy by maintaining consistency throughout an organization. Therefore, the overall optimization plan must be approved by the top management of an organization.

(3) Obtain agreement of related stakeholders on the overall optimization plan.
    Control type: Company
    Control objective (example): Making the overall optimization plan well and widely known to the people concerned both in and outside an organization.
    C or S: S
    Purpose: Agreement of the stakeholders must be obtained to allow the overall optimization plan to be implemented smoothly.

1.3  Development of the overall optimization plan (Control type: Company)

(1) Create the overall optimization plan based on policies and goals of the plan.
    Control type: Company
    Control objective (example): Formulating the overall optimization plan.
    Guidance item number: 2-(1)-1
    C or S: C
    Purpose: The overall optimization plan must be formulated based on policies and objectives so that computerization will be promoted throughout an organization in a consistent manner based on management strategy.

(2) Consider compliance requirements in the development of the overall optimization plan.
    Control type: Company
    Control objective (example): Making the overall optimization plan consistent with the compliance policy of a company.
    C or S: S
    Purpose: To avoid violating related laws and regulations, voluntary standards of industry, etc., the overall optimization plan must be prepared with consideration given to compliance.

(3) The entire optimization plan should define policies on IT investments and necessary resources.
    Control type: Company
    Control objective (example): Acquiring the resources needed to implement the overall optimization plan.
    C or S: S
    Purpose: To increase the cost effectiveness of investments in computerization, the policy for investments in computerization and the resources to be acquired must be clarified in the overall optimization plan.

(4) Define how to measure the return and risks of IT investments in the overall optimization plan.
    Control type: Company
    Control objective (example): Calculating the returns on investments made and the risks involved in the overall optimization plan.
    C or S: S
    Purpose: To clarify the criteria for judging whether a plan should be adopted or modified, how to estimate returns on investments made and the risks involved must be presented in the overall optimization plan.

(5) Define rules for standardization and quality management policies for system development and operations in the entire optimization plan.
    Control type: Company
    Control objective (example): Including the standardization for system construction and the quality policies of a company in the overall optimization plan.
    C or S: S
    Purpose: To maintain consistency between information systems in an organization and to construct and operate a system efficiently while maintaining high, homogeneous quality, the standardization and quality policies for system construction and management must be defined.

(6) Define rules to specify the priority of each development plan in the overall optimization plan.
    Control type: Company
    Control objective (example): Considering the importance and urgency of challenges in business management in the overall optimization plan.
    C or S: S
    Purpose: To reflect the importance and urgency of challenges in business management and to use development resources effectively, the order of priority and the rules for prioritization must be defined in the overall optimization plan.

(7) Consider the use of external resources in the entire optimization plan.
    Control type: Company
    Control objective (example): Considering the utilization of resources in the overall optimization plan.
    C or S: S
    Purpose: To remove resource-related restraints, the use of not only the resources inside an organization but also external resources must be considered in the overall optimization plan.

1.4  Implementation of the overall optimization plan (Control type: Company)

(1) Ensure that every stakeholder knows about the overall optimization plan.
    Control type: Company
    Control objective (example): Making the overall optimization plan well and widely known and promoting a better understanding of it.
    Guidance item number: 2-(1)-1
    C or S: C
    Purpose: The overall optimization plan must be made fully understood by all stakeholders to allow it to be implemented efficiently and smoothly.

(2) Review the overall optimization plan periodically and when changes occur in the business environment.
    Control type: Company
    Control objective (example): Maintaining and controlling the overall optimization plan.
    C or S: S
    Purpose: To prevent the overall optimization plan from losing flexibility or becoming outdated, it must be reviewed periodically to make it fit the changing business environment.

2  Organizational

2.1  Computerization Committee (Control type: Company)

(1) Clarify missions of the committee and allocate appropriate authorities and responsibilities to the committee based on the overall optimization plan.
    Control type: Company
    Control objective (example): Organizing the computerization committee to realize overall optimization.
    Guidance item number: 2-(1)-2
    C or S: C
    Purpose: To optimize the whole of an information system based on management strategy, the top management (executive body) must establish a computerization committee to implement information strategies, and define the tasks, authority, and responsibilities of this committee.

(2) The committee should monitor all the activities concerning the information systems in the organization and implement necessary corrective measures.
    Control type: Company
    Control objective (example): The computerization committee conducts appropriate supervising activities.
    Guidance item number: 5-(2)-1
    C or S: C
    Purpose: To plan, develop, operate, and maintain an information system based on the overall optimization plan, the computerization committee has the function and responsibility to supervise all information-related activities conducted in a company, and must take appropriate remedial actions if improper conditions are noted.

(3) The committee should adopt the technology guidelines to stay current with trends in information technologies.
    Control type: Company
    Control objective (example): Establishing a reasonable standard based on which an information technology infrastructure is to be introduced.
    C or S: S
    Purpose: To cope with changing trends in information technology quickly and properly, a consistent information technology infrastructure functioning in a consistent, seamless manner throughout an organization must be established, thereby reducing the risks involved. The computerization committee must define the guideline for the introduction of technologies.

(4) The committee should report its activities to the management.
    Control type: Company
    Control objective (example): The computerization committee contributes to the decision-making of business management operations.
    C or S: S
    Purpose: To contribute to the decision-making of business management operations, the computerization committee must report the contents of its activities to the top management of an organization at the appropriate times.

(5) The committee should provide to the management the information necessary for strategic decision support.
    Control type: Company
    Control objective (example): The computerization committee reflects important matters related to the overall optimization plan and information system in the management policies of a company.
    C or S: S
    Purpose: The computerization committee must provide the top management of an organization with information to support them in making decisions so that a change in the environment affecting the overall optimization plan, technical trends, and conditions of ongoing development, operation, and maintenance activities can be addressed properly and quickly in management policies.

2.2  Information System Department (Control type: Company)

(1) Clarify the missions of the information system department and allocate appropriate authority and responsibilities to the department.
    Control type: Company
    Control objective (example): Defining the roles and functions of the information system department, and assigning it appropriate authority and responsibility.
    Guidance item number: 2-(1)-3
    C or S: C
    Purpose: For information system functions to be performed at the appropriate times, the top management of an organization must define the roles and functions of the information system department, and assign it appropriate authority and responsibility.

(2) The information system department should consider reforming the organizational structure with separation of duty, specialization, authorization and outsourcing, based on the size and characteristics of the organization.
    Control type: Company
    Control objective (example): The information system department shall be so organized as to enable it to implement the overall optimization plan appropriately.
    Guidance item number: 2-(1)-3
    C or S: C
    Purpose: To implement the overall optimization plan effectively and efficiently, the information system department must use not only resources inside a company but also external resources in an appropriate manner, while considering an organization’s need for computerization and the effect of investment.

2.3  Human Resource Management policies (Control type: Company)

(1) Identify the current status of human resources for IT and clarify the necessary human resources.
    Control type: Company
    Control objective (example): An organization shall acquire the human resources needed to achieve overall optimization.
    C or S: S
    Purpose: To allow an organization to accomplish overall optimization objectives, it is necessary to grasp the present situation of human resources related to information technology inside an organization and to clarify the human resources and capabilities that are needed in an organization.

(2) Clarify policies on sourcing and training of human resources.
    Control type: Company
    Control objective (example): An organization shall acquire the human resources for overall optimization.
    C or S: S
    Purpose: A future plan and the policies for the introduction and cultivation of human resources must be documented by taking note of the present situation of human resources needed to computerize an organization, and the documented policies must be fully understood throughout the company.

3  IT Investments

(1) Ensure that the IT investment plan is created in a manner consistent with corporate strategies.
    Control type: − (not applicable)
    Control objective (example): Utilizing IT investments to meet challenges in business management.
    Purpose: To utilize IT investments to solve the problems of business management, a computerization investment plan consistent with management strategy must be formulated from the standpoint of benefits to be brought to business management, improvements to be made to operation procedures, and other factors related to overall optimization.

(2) Compare multiple IT investment plan alternatives based on impact, effects, schedule and feasibility.
    Control type: − (not applicable)
    Control objective (example): Determining an IT investment plan through the agreement of the stakeholders.
    Purpose: To determine an IT investment plan through the agreement of the stakeholders, multiple choices must be presented and studied by considering effects, periods, feasibility, etc., and the most appropriate plan must be selected.

(3) Execute IT investment budgets properly.
    Control type: − (not applicable)
    Control objective (example): Implementing the IT investment plan.
    Purpose: To implement an IT investment plan properly, budgets must be executed in appropriate amounts through appropriate contracts at appropriate times.

(4) Establish the standard methodology for estimating the return on IT investments.
    Control type: − (not applicable)
    Control objective (example): Evaluating the effects of IT investments objectively, and reflecting the evaluation results in a future IT investment plan.
    Purpose: To evaluate the effects of IT investments objectively and to reflect the evaluation results in a future IT investment plan, it is necessary to define a method of calculating the return on investments.

(5) Assess financial performance of the entire information system and individual projects, and take the necessary actions to solve any problems.
    Control type: − (not applicable)
    Control objective (example): Detecting financial problems in the overall achievements of an information system and the achievements of individual projects as early as possible, and taking appropriate countermeasures.
    Purpose: To detect financial problems in the overall results of an information system and the results of individual projects as early as possible and take appropriate corrective measures, it is necessary to conduct monitoring activities from a financial standpoint. To deal with the types of financial problems that are expected to occur, procedures for dealing with them must be established beforehand.

(6) Review whether IT investments have been properly executed or not.
    Control type: − (not applicable)
    Control objective (example): Making IT investments as planned, and making adjustments if there is a divergence from the plan.
    Purpose: IT investments must be made as planned, and appropriate adjustments must be made if there is a divergence from the IT investment plan. To achieve this, it is necessary to grasp all related data, including the amount invested, for what purposes investments are made, etc.

4 Policies on Information Asset Management | Company
(1) Define policies of information asset management and establish appropriate organizations. | Company | Managing information assets - one important business management asset - properly, and using them effectively. | 2-(3)-2 | C | To manage information assets properly, which are important assets for business management, and to use them effectively, an information assets management policy and information assets system must be established.
(2) Assess risks for information assets, and take appropriate measures to reduce those risks. | Company | Maintaining the reliability and safety of information assets. | 2-(2)-1 | C | To maintain the reliability and safety of information assets, apparent and potential risks of information assets must be identified, the level of each risk must be determined, and measures to deal with each risk must be taken.
(3) Consider efficient and effective use of information assets. | Company | Achieving the objectives specified in management and information strategies. | | S | To achieve the objectives specified in management and information strategies, information assets must be used efficiently and effectively, based on the IT investment policy.
(4) Consider productivity improvement through information asset sharing. | − | Achieving the objectives specified in management and information strategies. | | | To achieve the objectives specified in management and information strategies, productivity must be improved through sharing of information assets.

5 Business Continuity Plan
(1) Establish policies for ensuring the business continuity of the information system. | − | Securing the business continuity of an organization. | | | To secure the business continuity of an organization, a business continuity policy related to an information system must be established.
(2) Establish the business continuity plan by all stakeholders, and obtain the approval of the head of the organization for the plan. | − | Establishing preparedness so that all people concerned can perform the given functions if an incident affecting the business continuity occurs. | | | A highly viable business continuity plan must be prepared in an organization, in which stakeholders are included, and the top management of an organization must approve the plan, so that all stakeholders are able to deal smoothly with an incident affecting business continuity.
(3) Ensure that policies for the business continuity plan include employee training. | − | Performing procedures specified in the business continuity plan quickly and properly when a threat to business continuity occurs. | | | The policy for personnel education and training must be presented in the business continuity plan to enable them to perform the procedures specified in the business continuity plan quickly and properly if a threat to the continuity of business occurs.
(4) Ensure that all necessary personnel in the relevant departments are informed of the business continuity plan. | − | Increasing the viability of the business continuity plan. | | | To increase the viability of the business continuity plan, the plan must be fully understood by the people concerned.
(5) Review the business continuity plan as and when necessary. | − | Maintaining the effectiveness of the business continuity plan. | | | To maintain the effectiveness of the business continuity plan, the plan must be reviewed and updated as necessary.

6 Compliance
(1) Establish an organization for legal and regulatory compliance and appoint management for it. | − | Observing and managing laws and regulations properly. | | | To observe laws and regulations and manage their application, a department responsible for the management of laws and regulations must be established in an organization, and a laws and regulations management system must also be established.
(2) Identify laws and regulations applicable to the organization, and inform and educate stakeholders. | − | Identifying and specifying the laws and regulations that must be observed in an organization. | | | To observe laws and regulations and manage their proper application, laws and regulations to be observed in an organization must be identified and specified. A training system must then be established to enable the people concerned to have a good understanding of the identified laws and regulations.
(3) Define the information ethics, and inform and educate related persons. | − | Observing and managing laws and regulations properly as an organization. | | | To allow laws and regulations to be observed and managed properly in an organization, an ethical code for information security must be established as the rules to be observed in an organization, and the people concerned inside and outside an organization must be oriented and educated to allow them to have a good understanding of the ethical code.
(4) Establish policies regarding processing of personal information, protection of intellectual property rights and for the provision of information disclosure. | − | Establishing policy that clearly shows the organizational philosophy. | | | For personnel to observe laws and regulations, an organization must establish its policies for the handling of personal information, protection of intellectual property rights, provision of data to the outside world, etc., from the standpoint of protection of various rights in and outside an organization.
(5) Assess level of compliance with laws, regulations, and the information ethics, and take necessary actions for improvement. | − | Checking and evaluating the status of observance in an organization periodically, and improving the shortcomings that are pointed out. | | | To observe and manage laws and regulations properly, the status of observance of identified laws and regulations and that of observance of the ethical code for information security, which are established as internal rules, must be evaluated periodically, and measures necessary to improve the shortcomings found must be implemented.


II Planning processes
1 Development Plans | General
(1) Obtain approval for the development plan from the management. | General | Making a decision to put the development plan of an organization into practice. | | S | To confirm that the development plan is based on the overall optimization plan and implement the development plan, it is necessary for the top management of an organization to approve the development plan.
(2) Establish the development plan considering its consistency with the overall optimization plan. | General | The information system to be developed shall have the maximum possible beneficial effect on an organization. | | S | The information system to be developed and other information systems must together perform the assigned functions through the division of roles to allow an organization to deliver its best performance. To achieve this, the development plan must be formulated with consideration given to consistency with the overall optimization plan.
(3) Define the development plan to specify its objective, target process, cost, system development structure and cost efficiency for investment. | General | The people concerned shall share a common understanding of the purposes, functions, etc., of an information system, and confirm the returns on investments made in an information system. | | S | To allow the people concerned to have a common understanding of the purposes, functions, etc., of an information system and to verify the returns on investments made in an information system, the development plan must describe purposes, operations to be performed, costs, schedule, development system, returns on investments, etc.
(4) Define the development plan to include education and training programs for stakeholders. | General | Maintaining the quality of an information system, and achieving the goals of an information system as scheduled. | | S | To maintain the quality of an information system specified in the development plan and construct this information system as scheduled, the people concerned with development must be guided to have a common understanding of the contents of the development plan, and an education and training plan must be established to improve technical competence.
(5) Define the development plan to specify the roles of the user department and of the information system development department. | General | Performing development, operation, and maintenance tasks effectively. | | S | To allow development, operation, and maintenance work to be performed effectively, the division of roles between the user department and the information system department must be clarified and mutually confirmed by both departments.
(6) Define the development plan to indicate the cost calculation methodology for system development, operation and maintenance. | General | Calculating the costs of an information system during its life cycle reasonably. | | S | To calculate the costs of an information system during its life cycle reasonably, the development plan must clarify the grounds for calculating development, operation, and maintenance costs.
(7) Define the development plan to specify conditions for defining system life cycle. | General | Estimating the life of an information system reasonably. | | S | To estimate the system life of an information system reasonably, the system life conditions must be clarified.
(8) Ensure that the formulation and the system development methodology are defined based on a target scale and specific system requirements when designing the development plan. | General | Developing an information system with the highest efficiency while maintaining consistency with the overall optimization plan. | | S | To develop an information system with the highest efficiency while maintaining consistency with the overall optimization plan, the development plan must be formulated by considering the system characteristics and the scale of development and by selecting an appropriate information system configuration and development method.
(9) Ensure that a feasibility study with alternatives is studied to achieve the objectives of the information system when designing the development plan. | General | Realizing the functions, capabilities, quality, etc., required of an information system with the highest efficiency. | | S | To realize the functions, capabilities, quality, etc., required of an information system with the highest efficiency, multiple system implementation plans must be prepared, compared, and evaluated.

2 Analysis | General
(1) Obtain approval of responsible personnel from the user department, the system development department, the operation department and the application maintenance department for the defined requirements based on the development plan. | General | Having all departments (user, development, operation, and maintenance) share a common understanding. | | S | To allow user, development, operation, and maintenance departments to share a common understanding of the contents of the requirement definitions, persons in charge at all these departments must approve the requirement definitions.
(2) Define target, scope and methodology for user requirement survey. | General | Reflecting user needs accurately. | | S | To address user needs appropriately, it is necessary to define targets to be surveyed, the scope of a survey, and a survey method prior to conducting a survey of user needs.
(3) Analyze the present states of information systems with personnel who are familiar with the business process from the user department, the system development department, the operation department and the application maintenance department. | General | Understanding the flows, procedures, workloads, etc., of operations now being performed. | | S | To analyze the operations now being performed correctly and efficiently and to grasp the flows, procedures, workloads, etc., of operations now being performed, persons in charge at user, development, operation, and maintenance departments who have a good knowledge of daily operations must analyze the present status of operations.
(4) Ensure that user requirements are documented and confirmed by the user department. | General | Reflecting the results of surveys of user needs in the development plan and development work. | | S | To reflect the results of surveys of user needs properly in the development plan, user needs must be documented, and a person in charge at the user department must confirm the contents of documented user needs.
(5) Analyze potential risks in introducing the information system. | Company/General | Analyzing the risks that will accompany the introduction of an information system to ensure the sound operation of an information system. | 2-2-2 | C | To ensure the sound operation of an information system, the risks that may occur with the introduction of an information system must be analyzed.
(6) Ensure that affected business processes, management structures and rules/procedures are reviewed and assessed regarding the introduction of the information system. | General | Having a correct understanding of the effects that the introduction of an information system will produce on operations, management systems, various rules, etc. | | S | To have a correct understanding of the effects that the introduction of an information system will produce on operations, management systems, various rules, etc., and to operate an information system smoothly, it is necessary to establish new operations, modify or abolish existing operations, change management systems, and review various rules.
(7) Assess the effectiveness from both qualitative and quantitative perspectives when introducing the information system. | General | Monitoring the development plan (evaluating the effects quantitatively and qualitatively). | | − | To calculate the effects of introducing an information system reasonably based on the results of calculations made in the development plan, the effects of an information system must be evaluated quantitatively and qualitatively.
(8) Ensure that suitability with user requirements is assessed before implementing software packages. | General | Monitoring to review the appropriateness of introducing a plan (evaluating package software). | | − | To verify that an information system can perform the expected functions and produce the expected results, it is necessary to confirm the compatibility of user needs with package software with respect to functions and effects prior to introducing package software.

3 Acquisition | General
(1) Define acquisition requirements from the development plan and user requirements. Obtain approval of the responsible personnel from the user department, the system development department, the operation department and the application maintenance department for the defined requirement based on the development plan. | General | Listing the requirements for the functions, performance, quality, etc., of an information system to be constructed based on the development plan. | 3-(1)-1-D | C | To realize the functions, quality, and other requirements for an information system to be constructed according to plan, requirements for the procurement of the various resources needed to construct an information system must be listed based on the development plan and user needs, and persons in charge at user, development, operation, and maintenance departments must approve the requirements.
(2) Ensure that hardware, software and networking products are acquired based on the procurement requirements. | General | Realizing a system configuration that should allow the required functions, capabilities, etc., to be realized. | | S | To realize a system configuration that allows the required functions, capabilities, etc., to be realized, it is necessary to select software, hardware, network, etc., based on the development plan and user needs.
(3) Ensure that necessary staff members, budgets, facilities and periods are prepared for completing system development. | General | Developing an information system as scheduled. | | S | To develop an information system as scheduled, it is necessary to acquire the required personnel, budget, equipment, period, etc.
(4) Ensure that skills required for staff members are specified clearly. | General | Developing an information system as scheduled. | | S | To realize the functions, performance, and quality specified in the development plan, it is necessary to clarify what skills are required of personnel inside and outside an organization.
(5) Ensure that hardware, software and networking products are procured in accordance with | General | Developing an information system as scheduled. | | S | To procure the resources needed for development at the appropriate times while ensuring compatibility with
      procurement rules.                                                requirements, it is necessary to
                                                                        procure software, hardware, and
                                                                        a network based on the rules.
(6)   Ensure that acquired       General    Developing an           S   To use resources effectively
      resources are managed in              information system as       according to the development
      accordance with                       scheduled.                  plan, procured resources must
      acquisition rules.                                                be controlled by the rules.


III System Development

1 System Development Methodology [General]

(1) Obtain approval for system development methodology from the responsible personnel in the system development department.
    [General] [3-(1)-1-A] [C]
    Objective: Confirming that the system development methodology meets the requirements for the personnel, budget, period, etc., specified in the system analysis report and requirement definitions.
    Explanation: To confirm that the system development methodology meets the requirements for the personnel, budget, period, etc., specified in the system analysis report and requirement definitions, a person responsible for supervising development activities must approve the documented system development methodology.

(2) Define development procedures based on the system development methodology.
    [General] [3-(1)-1-A] [C]
    Objective: Standardizing the development procedure throughout an organization.
    Explanation: To carry out development activities consistently and efficiently in an organization, the development procedure must be prepared based on the system development methodology that is standardized throughout an organization.

(3) Determine system development procedures considering the size of system development and characteristics of the system.
    [General] [S]
    Objective: Developing an information system efficiently, and achieving the required quality.
    Explanation: To develop an information system efficiently while maintaining the required quality, the development procedure must be determined with consideration given to the scale of an information system, development period, system characteristics, etc.

(4) Assess potential risks of system development, and take necessary actions.
    [Company/General] [2-(2)-2] [C]
    Objective: Developing an information system of high quality efficiently according to a development schedule.
    Explanation: To develop an information system of high quality efficiently according to the development plan, it is necessary to list all the risks involved in development processes and implement measures necessary to remove or reduce the risks.

2 System Design Phase [General]

(1) Obtain approval for system design documentation from the user department, the system development department, the operation department and the application maintenance department.
    [General] [3-(1)-1-A] [C]
    Objective: Securing the quality specified in the system design documentation, ensuring consistency between the system design document and requirement definitions, and providing the system design document as a common property to be used by both development and operation personnel.
    Explanation: The quality of the system design documentation must be maintained, consistency between the system design document and requirement definitions must be ensured, and the system design document must be provided as a common property to be used by user, development, and operation departments. To achieve all this, persons in charge at user, development, operation, and maintenance departments must approve the system design documentation.

(2) Define basic policies on operations and application maintenance before starting design procedures.
    [General] [3-(1)-4-A] [C]
    Objective: Carrying out operation and maintenance work smoothly and effectively.
    Explanation: To carry out operation and maintenance work smoothly and effectively, basic operation and maintenance policies must be established at the system design phase so that they can be reflected in the system design documentation.

(3) Ensure that input-output screens and print-out formats are considered convenient by the users of the system.
    [General] [S]
    Objective: Preventing data entry mistakes, improving work efficiency, and increasing the utilization efficiency of output information.
    Explanation: To prevent data entry mistakes, improve work efficiency, and increase the utilization efficiency of output information, it is necessary to design the input and output forms, input and output screens, and codes by ensuring that they are easy for users to use.

(4) Ensure that the databases are designed based on the business processes and characteristics of the system.
    [General] [3-(1)-1-B] [C]
    Objective: Storing, searching, and updating a large volume and great diversity of data efficiently.
    Explanation: A large volume and great diversity of data must be stored efficiently, and the data must be able to be searched and updated with a level of performance that meets the requirement definitions. To achieve this, a database must be designed with consideration given to the contents of specific operations.

(5) Ensure data integrity.
    [General] [3-(1)-1-B, 3-(1)-2-A] [C]
    Objective: Guaranteeing the accuracy of data processing.
    Explanation: The accuracy of data processing must be guaranteed, and data must be free of mistakes, overlaps, omissions, or alterations. To achieve this, the integrity of data must be ensured.

(6) Ensure that the network is designed based on business processes and the characteristics of the system.
    [General] [3-(1)-2-A] [C]
    Objective: Making the performance of a network meet the requirement definitions.
    Explanation: To transmit a large volume and great diversity of data with a level of performance that meets the requirement definitions, a network must be designed with consideration given to operation and system characteristics.

(7) Ensure that the performance criteria of the information system meet the defined requirements.
    [General] [3-(1)-2-A] [C]
    Objective: Accomplishing the results that an information system is expected to produce.
    Explanation: To realize the results that an information system is expected to produce, the performance of an information system must meet the requirement definitions.

(8) Ensure that operability and maintainability are considered in the information system design.
    [General] [S]
    Objective: Ensuring the smooth operation of an information system, identifying the cause of problems quickly, taking effective corrective measures, and performing effective maintenance work to make improvements.
    Explanation: An information system should operate smoothly, the cause of problems should be identified quickly, and maintenance work should be performed effectively and efficiently to allow corrective measures to be implemented. To meet all these requirements, an information system must be designed with consideration given to performance and configuration management, and actions to take to deal with cases of failure, all of which are needed to accomplish operation and maintenance tasks.

(9) Ensure that inter-operability with other information systems is considered for the information system design.
    [General] [3-(1)-1-C] [C]
    Objective: Making an information system compatible with the IT infrastructure and other information systems.
    Explanation: An information system must be designed with consideration given to not only matters related to the information system to be designed but also compatibility with the IT infrastructure and other information systems.

(10) Ensure that potential incidents are considered in the information system design.
    [General] [S]
    Objective: Preventing the occurrence of information system failure, keeping the effects of failure to a minimum, and allowing an information system to recover from failure quickly.
    Explanation: To prevent the failure of an information system, keep the effects of failure to a minimum, and recover an information system from failure quickly, it is necessary to design an information system with due consideration given to specific procedures and measures for recovering it from failure.

(11) Ensure that error prevention, fraud prevention and information security are considered in the information system design.
    [General] [3-(1)-1-B] [C]
    Objective: Ensuring the safety and sound operation of an information system.
    Explanation: To ensure the safety and sound operation of an information system, an information system must be designed with consideration given to the functions for preventing mistakes, preventing misconduct, protecting security, and protecting privacy.

(12) Ensure that the test plan has a clearly specified objective, scope, methodology and schedule.
    [General] [3-(1)-1-E] [C]
    Objective: Verifying correctly and efficiently that an information system has been developed according to the design specification.
    Explanation: To confirm correctly and efficiently that an information system has been developed according to the design specification, it is necessary to verify the purpose and scope of the test plan, test method, test schedule, etc.

(13) Establish policies on user training, the course plan and the schedule for the information system.
    [General] [S]
    Objective: Introducing an information system smoothly, and allowing it to produce the expected results.
    Explanation: To introduce an information system smoothly and allow it to produce the expected results, it is necessary to clarify the policy for user education regarding the use of an information system, education schedule, etc., at the design stage.

(14) Ensure that monitoring functions are considered in the system design phase.
    [General] [5-(2)-2-A] [C]
    Objective: It should be verifiable that an information system is delivering the level of performance specified in the design specification.
    Explanation: To verify that after an information system starts operation, it is delivering the designed performance specified in the system development plan, it is necessary to incorporate a monitoring function into the information system, and to collect and analyze data.

(15) Review documentation for the system design.
    [General] [S]
    Objective: The system design documentation should properly reflect users' requests of an information system.
    Explanation: Because the system design documentation must reflect users' requests of an information system properly, it must be reviewed and evaluated with all people concerned at user, development, operation, and maintenance departments in attendance at a review meeting.

3 Program Design Phase [General]

(1) Obtain approval for program design documentation from the responsible personnel for system development (project manager).
    [General] [3-(1)-1-A] [C]
    Objective: Ensuring the quality of the program design documentation, maintaining compatibility with system design, and allowing efficient programming work to be performed.
    Explanation: To secure the quality of the program design documentation, ensure consistency between the program design documentation and system design, and allow efficient programming work to be performed, a person in charge of development must approve the program design documentation.

(2) Design programs based on the system design documentation.
    [General] [S]
    Objective: Reflecting the functions and system structure defined by system design in a program without any excess or shortage.
    Explanation: To reflect the functions and system structure defined by the system design accurately in a program without any excess or shortage, it is necessary to design a program based on the system design documentation.

(3) Define and document the test requirements.
    [General] [S]
    Objective: Verifying the appropriateness of the results of program design and programming.
    Explanation: To verify the appropriateness of the results of program design and programming, it is necessary to define and document test requirements.

(4) Review program design documents and the test requirements.
    [General] [S]
    Objective: Enhancing the quality of program design.
    Explanation: To enhance the quality of program design, it is necessary to review the program design documents and test requirements.

(5) Return to the system design phase to resolve contradictions in the system design found during program design.
    [General] [S]
    Objective: Ensuring consistency between system design and program design.
    Explanation: To ensure consistency between system design and program design, the inconsistencies in the system design noted during the program design must be resolved by making a review of the system design.

4 Programming Phase [General]

(1) Perform programming based on the specifications of the program design documentation.
    [General] [S]
    Objective: Reflecting the functions defined by the program design documentation accurately in a program without any excess or shortage.
    Explanation: To reflect the functions defined in the program design documentation accurately in a program without any excess or shortage, programming must be carried out based on the program design documentation.

(2) Ensure that programming activity complies with the coding standards.
    [General] [S]
    Objective: Securing the program quality by observing the coding standards.
    Explanation: To ensure the quality of a program, program codes must conform to the coding standards.

(3) Ensure that the program codes and test results are assessed properly, recorded and stored.
    [General] [S]
    Objective: Verifying that programmed functions work accurately as specified in the program design document without any excess or shortage, and confirming the appropriateness of the program test.
    Explanation: It must be confirmed that programmed functions work accurately as specified in the program design document without any excess or shortage, and the appropriateness of a program test must be verified. To achieve this, program codes must be evaluated, and the results of a program test must be recorded and kept.

(4) Ensure that important programs are tested by someone other than the software developer.
    [General] [3-(1)-1-E] [C]
    Objective: Preventing mistakes and misconduct associated with programming.
    Explanation: To prevent mistakes and misconduct associated with programming, important programs must be tested by a person other than the person who wrote them.

5     System Tests and User-acceptance Tests Phase [General]

(1)   Obtain approval for the system test plan from the responsible personnel for the software development project and the test leader.
      [General | 3-(1)-1-E, 3-(1)-4-B | C]
      Purpose: Ensuring the appropriateness of a system test plan.
      Explanation: To verify that a system test plan is appropriate, it must be approved by the persons in charge of development and of testing.

(2)   Obtain approval for the user-acceptance test plan from the responsible personnel in the user department and the system development department.
      [General | 3-(1)-1-E | C]
      Purpose: Ensuring the appropriateness of a user-acceptance test plan.
      Explanation: To verify that a user-acceptance test plan is appropriate, it must be approved by the persons in charge of user services and of development.

(3)   Prepare potential test cases covering all the system requirements for system tests.
      [General | 3-(1)-1-E | C]
      Purpose: Verifying that system requirements are met.
      Explanation: To verify that the system requirements are met, test cases must be prepared by listing all system requirements, and the system test must be conducted against them.

(4)   Prepare test data and perform system tests in accordance with the test plan.
      [General | 3-(1)-1-E | C]
      Purpose: Accomplishing the purposes of a system test accurately and efficiently.
      Explanation: To accomplish the purposes of a system test accurately and efficiently, test data must be prepared and the system test must be conducted according to the test plan.

(5)   Ensure that system tests are performed in an environment separated from the production environment.
      [General | 3-(1)-1-E, 3-(1)-4-C | C]
      Purpose: Conducting a system test in a way that does not affect the production environment.
      Explanation: Because a system test may adversely affect the production environment, it must be conducted in an environment separated from production.

(6)   Ensure that system tests are performed by personnel who are not members of the software development team.
      [General | 3-(1)-1-E | C]
      Purpose: Verifying equitably and objectively that the developed information system as a whole functions properly.
      Explanation: To verify equitably and objectively that the developed information system as a whole functions properly, personnel other than those involved in the development work must take part in the system test.

(7)   Ensure that appropriate testing methodologies and standards for system tests are used.
      [General | 3-(1)-1-E | C]
      Purpose: Conducting a system test efficiently and effectively.
      Explanation: To conduct a system test efficiently and effectively, appropriate test methods and standards must be adopted and used.

(8)   Ensure that the user-acceptance test is performed in an environment similar to the production environment.
      [General | 3-(1)-1-E, 3-(1)-4-D | C]
      Purpose: Verifying the appropriateness of user requirements.
      Explanation: To verify that the user requirements are appropriate, the user-acceptance test must be conducted in an environment that closely resembles the production environment.

(9)   Prepare test cases based on user manuals and simulate the live processes in the user-acceptance tests.
      [General | 3-(1)-1-E, 3-(1)-4-E | C]
      Purpose: The user conducts the user-acceptance test from the user's standpoint by assuming operations in the production environment.
      Explanation: The user conducts the user-acceptance test from the user's standpoint, assuming operations in the production environment, in order to obtain final confirmation. It must be conducted in accordance with the requirement definitions and the user manual, using test cases that assume operations in the production environment.

(10)  Ensure that personnel from the user department and the operation department are involved in the user-acceptance tests, and that they review the user-acceptance test results.
      [General | 3-(1)-1-E, 3-(1)-4-F | C]
      Purpose: Conducting the user-acceptance test by assuming operations in the production environment.
      Explanation: The user-acceptance test is conducted to obtain final confirmation, assuming operations in the production environment. To minimize the problems that may occur after the start of production, the persons in charge in the user and operation departments must take part in the user-acceptance test.

(11)  Obtain approval for the results of system tests and user-acceptance tests from responsible personnel in the user departments, the system development department, the system operations and application maintenance departments.
      [General | 3-(1)-1-E | C]
      Purpose: Unifying the understanding of the results of the system test and user-acceptance test.
      Explanation: To establish a shared understanding of the results of the system test and the user-acceptance test, the test results must be approved by the persons in charge in the user, development, operation, and maintenance departments.

(12)  Ensure that the progress and results of the system tests and the user-acceptance tests are documented, recorded and stored.
      [General | 3-(1)-1-E, 3-(1)-4-G | C]
      Purpose: Using the records of the progress and results of the system test and user-acceptance test as basic data for identifying the cause of problems occurring during operations.
      Explanation: The progress and results of the system test and the user-acceptance test must be recorded, and the records must be retained as basic data for identifying the cause of problems that occur during operations and for performing maintenance work.

(13)  Ensure that the software package developer has tested the quality of the software before implementing the package.
      [General | 3-(1)-1-E | C]
      Purpose: Confirming that the package software developer has conducted quality tests.
      Explanation: If an information system is built by introducing packaged software, the quality of the information system depends on the quality of the packaged software. It must therefore be confirmed that the packaged software developer has conducted tests verifying the quality of the package.

6     Promotion to Production [General]

(1)   Establish the promotion plan, and obtain approval from the responsible personnel in the user departments, the system development department, the system operations department and the application maintenance department.
      [General | C]
      Purpose: Smoothly and efficiently moving from the system development and testing stages to the operation stage.
      Explanation: The development department carries out the promotion process to turn the information system over to the user, operation, and maintenance departments. A promotion plan must be prepared so that the move from the development and testing stages to the operational stage is smooth and efficient, and it must be approved by the persons in charge in each department.

(2)   Document the promotion processes, and obtain approval from the system operation department.
      [General | S]
      Purpose: Ensuring smooth operations in the operation stage.
      Explanation: To ensure smooth operations in the operation stage, the results of the promotion work performed to move the development deliverables into the production environment must be recorded and documented, and a person in charge must approve the contents of that documentation.

(3)   Define the criteria for the completion of promotion to production in the promotion plan.
      [General | S]
      Purpose: Confirming that an information system is ready to be operated in the production environment.
      Explanation: To confirm that an information system is ready to operate in the production environment, the promotion plan must describe how the completion of promotion is to be verified.

(4)   Ensure that the necessary staff, budgets and equipment are secured based on the promotion plan.
      [General | S]
      Purpose: Performing operations as scheduled in the promotion plan.
      Explanation: To perform the promotion work as scheduled and specified in the promotion plan, the personnel, budget, equipment, etc. needed to carry out the promotion process must be secured in advance.

(5)   Prepare procedure manuals for promotion and follow them.
      [General | S]
      Purpose: Preventing omissions, overlaps, insufficient evaluations or confirmations, etc., when carrying out promotion.
      Explanation: To perform the promotion work as specified in the promotion plan and to prevent omissions, overlaps, and insufficient evaluations or confirmations, a promotion procedure must be prepared, the personnel carrying out the promotion must be trained in it, and prior confirmations must be made.

(6)   Consider contingency plans for the potential risks.
      [General | S]
      Purpose: Identifying the harmful events that may occur during promotion.
      Explanation: To clarify the effects of harmful events that may occur during promotion and to minimize them, the risks involved in the promotion process must be identified and measures prepared for dealing with them.

(7)   Hand over all necessary development documents and tools from the development team to the system operations department and the application maintenance department.
      [General | S]
      Purpose: Making sure that the system operations can be performed and maintenance work can be performed smoothly.
      Explanation: Personnel in the operation and maintenance departments must be able to start their specific operations smoothly once promotion is complete and before production starts. To achieve this, design documents, test results, promotion results, the various tools, operation manuals, etc. must be turned over by the person in charge of development to the persons in charge in the operation and maintenance departments.

(8)   Ensure that the stakeholders are informed of the completion of the promotion.
      [General | S]
      Purpose: Preventing promotion from hampering the operations of other systems related to this system.
      Explanation: To prevent the promotion from hampering the operation of this system and of other related internal and external systems, an outline of the promotion must be made fully understood by the people concerned.

IV    Operation Processes

1     Operation Management Rules [General | C]

(1)   Obtain the approval of the responsible personnel from the operation department for the operation management rules and procedures.
      [General | 3-(2)-1-A | C]
      Purpose: Establishing and approving the operation management rules and procedures.
      Explanation: Operation management rules and operation procedures are needed to perform operations smoothly and efficiently. The person in charge of supervising operations must confirm their contents and approve them.

(2)   Define operation management rules based on the operation management design.
      [General | 3-(2)-1-A | C]
      Purpose: Managing operations based on the basic principles of operation management design.
      Explanation: The basic principles of the operation management rules are specified in the application operation management design and the infrastructure operation design, so the rules must be established based on these operation designs. Where an operation management method is determined by the general optimization plan for a large-scale system, or where it is based on the use of services, the operation management rules must be established on the basis of those basic operation management methods.

(3)   Define operation procedures based on the operation management design and rules considering the target scale, periods and specific system requirements.
      [General | S]
      Purpose: Performing operations efficiently.
      Explanation: To perform operations efficiently, operation procedures must be determined based on the operation design and the operation management rules, with consideration given to scale, period, system characteristics, etc.

(4)   Ensure that responsible personnel are selected based on the operational management design and rules.
      [General | S]
      Purpose: Designating a person in charge of supervising operations.
      Explanation: To perform operations smoothly, persons in charge of specific operations must be designated. This is particularly important where a decision must be made quickly, for example when handling exceptions or faults. Specifically, a person in charge should be designated for each set of system functions.

2     Operation Management [General]

(1)   Define the annual operation plan and obtain approval from the responsible personnel for the annual system operation plan.
      [Company | 3-(2)-1-B | C]
      Purpose: Formulating an annual system operation plan.
      Explanation: An information system must be operated smoothly, and the events of each information system must be processed and completed as scheduled. To achieve this, a system operation plan must be formulated every year; a person in charge must obtain the agreement of the people concerned and approve the plan; and the approved plan must be made fully understood by the people concerned.

(2)   Ensure that monthly and daily system operation plans are created from the annual operation plan.
      [Company | 3-(2)-1-B | C]
      Purpose: Operating an information system smoothly and efficiently.
      Explanation: To operate an information system smoothly and efficiently, a monthly operation plan, a daily operation plan, etc. must be prepared based on the annual operation plan.

(3)   Ensure that the operation activities comply with the operation management rules.
      [General | 3-(2)-1-B | C]
      Purpose: Preventing mistakes and misconduct related to an information system.
      Explanation: Operations must be standardized, and mistakes and misconduct related to the information system must be prevented. To achieve this, operations must be managed based on the management system, procedures, and rules.

(4)   Ensure that job schedules are organized according to the priorities of the business processes.
      [General | 3-(2)-1-D | S]
      Purpose: Using operation resources effectively.
      Explanation: To use resources effectively and perform operations in a way that meets user needs, the job schedule must be established with consideration given to the priority of operations.

(5)   Ensure that the system operation complies with the job schedules and operational instructions.
      [General | 3-(2)-1-D | C]
      Purpose: Preventing operation mistakes and misconduct.
      Explanation: To use resources effectively and prevent operation mistakes and misconduct, operations must be performed based on the job schedule and the instruction sheets.

(6)   Ensure that exceptional operation of the system is handled based on the operation management rules.
      [General | 3-(2)-1-C | C]
      Purpose: Preventing operation mistakes and misconduct.
      Explanation: To prevent operation mistakes and misconduct and to perform operations smoothly, exception handling must be carried out properly based on the operation management rules.

(7)   Ensure that shift handovers are carried out in accordance with the operation management rules.
      [General | S]
      Purpose: Performing operations smoothly and accurately.
      Explanation: To carry out operations smoothly and accurately, operator shifts must be rotated based on the operation management rules.

(8)   Ensure that job schedules are recorded with operation logs and the differentials from the original ones are analyzed.
      [General | 3-(2)-1-D | C]
      Purpose: Preventing operation mistakes and misconduct.
      Explanation: Operation mistakes and misconduct must be prevented, and operations must be performed smoothly. To achieve this, any differences between the job schedule and the operation records must be analyzed.
(9)    Ensure that operational       General   Investigating the causes    3-(2)-1-E   C   To investigate the causes of
       records are retained for a              of operation mistakes,                      operation mistakes, operation
       certain period in                       misconduct, incidents,                      misconduct, incidents, or
       accordance with                         and failures.                               failures, the operation records
       operation management                                                                must be retained for a specified
       rules.                                                                              period of time based on the
                                                                                           operation management rules.
(10) Define a reporting system and procedures in proportion to the levels of impact of incidents or failures.
    Scope: General. Purpose: Dealing with an incident or failure in proportion to its scale and degree of effect. Category: C.
    Explanation: Because the effect of an incident or failure varies greatly with its scale and where it occurs, an escalation flow that can be applied flexibly according to that scale and degree of effect must be established, so that the most appropriate action can be taken quickly and the effect of the incident or failure kept to a minimum.
(11) Ensure that all records of incidents or failures are retained and reported to the responsible personnel for operation (management).
    Scope: General. Purpose: Recovering an information system from incidents or failures quickly, and preventing them from occurring again. Ref.: 3-(2)-1-F. Category: C.
    Explanation: To recover an information system from incidents or failures quickly and to prevent them from recurring, the details of each incident or failure must be recorded and reported to the person in charge of supervising operations.
(12) Ensure that root causes of incidents or failures are investigated, and take proper actions to prevent reoccurrences.
    Scope: General. Purpose: Achieving fast recovery from an accident or failure, and preventing it from occurring again. Ref.: 3-(2)-1-F. Category: C.
    Explanation: When an incident or failure occurs, its root cause must be identified, and measures must be taken to prevent it from occurring again.
(13) Establish a support environment to help and assist users of the information system.
    Scope: General. Purpose: Contributing to EUC operations, and performing EUC tasks smoothly. Ref.: 3-(2)-1-G. Category: C.
    Explanation: The opportunity for users to perform information-processing tasks using computers is expanding quickly; a typical example is EUC (end-user computing). To help increase the efficiency of information-processing operations, the information system department must take the leading role in establishing a user support system.
(14) Provide users with information security education and training.
    Scope: General. Purpose: Enhancing users' awareness of information security. Ref.: 3-(2)-1-G. Category: C.
    Explanation: To enhance users' awareness of information security, education and training must be provided.
(15) Establish a monitoring framework for system operations.
    Scope: General. Purpose: Confirming and managing the reliability, safety, efficiency, effectiveness, resources, etc., of an information system. Ref.: 5-(2)-2-B. Category: C.
    Explanation: To confirm and control the reliability, safety, efficiency, effectiveness, resource usage, etc., of an information system, a monitoring system for the operations of the information system must be established.
(16) Ensure that operational efficiency is attained for the information system to improve performance and the utilization of resources.
    Scope: General. Purpose: Increasing the cost effectiveness of an information system. Category: S.
    Explanation: To increase the cost effectiveness of an information system, operation records must be analyzed based on the results of monitoring system operations, and the results of that analysis must be used, in discussion with the people concerned, to control performance and to use resources effectively.

3 Manage Input (Operation)
(1) Define and comply with input control rules.
    Scope: Operation. Purpose: Documenting procedures, verification methods, and authorization methods regarding the series of operations performed to input data into an information system. Ref.: 4-(1)-1. Category: C.
    Explanation: The series of operations performed to input data into an information system, including preparation of the data to be input, handover of data, verification of data, data entry, checking of data after entry, storage of data, etc., shall be documented as a data input procedure. A data verification method and a data approval method must also be established as data input management rules. This procedure and these rules must be observed.
(2) Ensure that input data is accurate and without omissions or duplications, and comply with input control rules.
    Scope: Application. Purpose: Preventing errors in data input, such as data omissions, double inputs, etc. Ref.: 4-(1)-2. Category: C.
    Explanation: When inputting data into an information system, the procedure described in the input management rules must be followed, and data must be entered carefully so as to prevent input errors such as omissions and double inputs.
(3) Ensure that error prevention, fraud prevention and confidentiality protection measures are included in creation procedures and operational procedures for input data.
    Scope: Application. Purpose: Preventing the misconduct that may occur when preparing data to be input, handling data, etc. Category: S.
    Explanation: To prepare and handle input data properly and to prevent misconduct during data input, measures for preventing mistakes and misconduct and for protecting confidentiality must be implemented during data preparation, data handling, and data input.
(4) Ensure that error prevention, fraud prevention and confidentiality protection for input data are put in place effectively.
    Scope: Application. Purpose: Inputting data correctly. Ref.: 4-(1)-3. Category: S.
    Explanation: The measures taken to input data correctly, specifically those for preventing mistakes and misconduct and for protecting confidential and personal information, must work effectively.
(5) Define procedures for input data storage or disposal and ensure they comply with input data control rules.
    Scope: Application. Purpose: Preventing the loss, theft, leakage, etc., of data. Ref.: 4-(1)-4. Category: S.
    Explanation: To prevent the loss, theft, leakage, etc., of input data, the data must be retained or discarded in accordance with the input management rules.

4 Manage Data (Application)
(1) Define data control rules and ensure compliance with them.
    Scope: General/Application. Purpose: Preventing data-processing mistakes and protecting confidential and personal information. Ref.: 3-(2)-3-A, 4-(2)-1. Category: C.
    Explanation: To prevent data-processing mistakes and to protect confidential and personal information, the rules for handling and managing data must be documented at each development, operation, and maintenance department, and observed.
(2) Ensure that access control and monitoring of data (creation, changes, and deletion) are put in place effectively.
    Scope: General/Application. Purpose: Preventing unauthorized access to data and unauthorized use of data, and protecting confidential and personal information. Ref.: 3-(3)-2-A, 4-(2)-2. Category: C.
    Explanation: To prevent unauthorized access to and abuse of data and to protect confidential and personal information, it must be verified that the access control and monitoring functions are working effectively.
(3) Ensure that data integrity is assured.
    Scope: General/Application. Purpose: Making data accurate and complete. Ref.: 3-(2)-3-C, 4-(2)-3. Category: C.
    Explanation: To keep data accurate and complete, that is, to maintain data integrity, data must be updated correctly.
(4) Ensure that data usage is recorded and analyzed periodically.
    Scope: Application. Purpose: Preventing unauthorized use of data. Category: S.
    Explanation: To prevent the abuse of data, the use of data must be monitored and recorded, and the records collected must be analyzed periodically.
(5) Define the scope, method and timing of data backup according to business requirements, the data processing structure and data restoration.
    Scope: Application. Purpose: Minimizing the effects of failed data-recording media, operation mistakes, computer viruses, etc. Ref.: 3-(2)-3-D. Category: C.
    Explanation: The effects of failed data-recording media, operation mistakes, computer viruses, etc., must be minimized by backing up data. The types of data to be backed up and the timing of backups must be determined with consideration given to the contents of operations, data-processing methods, and data recovery methods.
(6) Ensure that data delivery complies with data control rules.
    Scope: General/Application. Purpose: Preventing the use of wrong data, unauthorized use of data, falsification of data, etc. Ref.: 3-(2)-3-A, 3-(2)-3-B, 4-(2)-4. Category: C.
    Explanation: To prevent the use of wrong data, abuse of data, falsification of data, etc., data must be handed over and received in accordance with the data management rules.
(7) Ensure that fraud prevention and confidentiality protection measures are used whenever data is exchanged.
    Scope: General/Application. Purpose: Preventing the use of wrong data, abuse of data, falsification of data, etc.; preventing the abuse of data and leakage of confidential information, and protecting personal information. Ref.: 3-(2)-3-B, 4-(2)-5. Category: C.
    Explanation: To prevent misconduct and the leakage of confidential information when data is exchanged, the necessary measures must be taken to prevent misconduct and to protect confidential and personal information.
(8) Ensure that procedures for data retention, duplication and destruction are taken for error prevention, fraud prevention and confidentiality protection.
    Scope: Application. Purpose: Preventing the abuse of data, leakage of data, abuse of personal information, etc. Ref.: 4-(2)-6. Category: C.
    Explanation: To prevent data, including personal information, from being abused or leaked, measures for preventing such mistakes or misconduct must be established for whenever data is stored, copied, or discarded.
(9) Ensure that data is protected from computer viruses.
    Scope: Application. Purpose: Protecting data from computer viruses. Category: S.
    Explanation: To protect data from computer viruses, measures must be taken to eliminate computer viruses.
(10) Ensure that the intellectual property rights of data are managed properly.
    Scope: −. Purpose: Protecting the intellectual property rights of constructed data, and preventing the intellectual property rights of data introduced from outside sources from being infringed.
    Explanation: To protect the intellectual property rights of data and to prevent infringement of the intellectual property rights of data introduced from outside sources, intellectual property rights must be managed properly.
5 Manage Output (Application)
(1) Define and comply with output control rules.
    Scope: Application. Purpose: Preventing output mistakes, and abuse and leakage of output data, and protecting confidential and personal information. Ref.: 4-(3)-1. Category: C.
    Explanation: Mistakes in the output method and the abuse or leakage of output data must be prevented, and confidential and personal information must be protected. To achieve this, a data output procedure, a data approval procedure, related rules, etc., must be established and observed.
(2) Ensure output data is accurate and free from omissions or duplications.
    Scope: Application. Purpose: Preventing errors, omissions, double outputs, etc., in output data. Ref.: 4-(3)-2. Category: C.
    Explanation: To ensure that data output from an information system contains no errors, omissions, double outputs, etc., the procedure described in the output management rules must be carried out carefully and strictly.
(3) Ensure that output data control and operational procedures are taken for error prevention, fraud prevention and confidentiality protection.
    Scope: Application. Purpose: Preventing the falsification, theft, leakage, etc., of data. Ref.: 4-(3)-3. Category: C.
    Explanation: Data to be output must be prepared and handled carefully so as to prevent the falsification, theft, leakage, etc., of data. Specific measures must be taken to prevent mistakes, misconduct, or the leakage of confidential information during the preparation and handling of data.
(4) Ensure that output data is delivered based on output data control rules.
    Scope: Application. Purpose: Preventing output data from being delivered to a wrong party, lost, stolen, etc. Ref.: 4-(3)-4. Category: C.
    Explanation: To prevent output data from being delivered to the wrong party, lost, stolen, etc., a data delivery procedure and related rules must be established and observed.
(5) Ensure that output data retention or destruction is based on output data control rules.
    Scope: Application. Purpose: Preventing output data from being lost, stolen, leaked, etc. Ref.: 4-(3)-5. Category: C.
    Explanation: To prevent the loss, theft, leakage, etc., of output data, the data must be stored or discarded in accordance with the output management rules.
(6) Ensure that errors occurring in the output process are recorded and reviewed periodically.
    Scope: Application. Purpose: Maintaining the accuracy of output data. Category: S.
    Explanation: To maintain the accuracy of output data, errors must be recorded and analyzed periodically.
(7) Ensure that usages of output data are recorded and reviewed periodically.
    Scope: Application. Purpose: Utilizing output data. Category: S.
    Explanation: To use output data effectively, its use must be recorded and analyzed periodically.

6 Software Management (General)
(1) Define and comply with software control rules.
    Purpose: Using software equitably and preventing misconduct. Ref.: 3-(2)-2-A. Category: C.
    Explanation: To ensure that software is used properly and to prevent it from being abused, rules for handling and managing software must be established and observed at each development, operation, and maintenance department.
(2) Ensure that access control and monitoring functions for software are put in place effectively.
    Scope: General. Purpose: Preventing the abuse of software. Ref.: 3-(2)-2-B, 3-(3)-2-A. Category: C.
    Explanation: To prevent the abuse of software, it must be verified that the access control and monitoring functions are working effectively.
(3) Ensure that software usage information is stored and reviewed periodically.
    Scope: General. Purpose: Preventing the abuse of software. Category: S.
    Explanation: To increase the operating efficiency of software and to prevent its abuse, the use of software must be recorded and analyzed periodically.
(4) Define the scope, method and timing of software backups according to business requirements and the data processing structure.
    Scope: General. Purpose: Minimizing the risks associated with the failure of recording media of software, operation mistakes, computer viruses, etc. Category: S.
    Explanation: To minimize the effects of failed software recording media, operation mistakes, computer viruses, etc., the software to be backed up and the backup method must be determined with consideration given to the contents of operations and data-processing methods.
(5) Ensure that software delivery complies with software control rules.
    Scope: General. Purpose: Preventing software from being used in a wrong way, abused, falsified, etc. Category: S.
    Explanation: To prevent software from being used in the wrong way, abused, falsified, etc., software must be handled in accordance with software management rules that specify a handover procedure, a delivery method, etc.
(6) Ensure that procedures for software data retention, duplication and destruction are taken for error prevention, fraud prevention and confidentiality protection.
    Scope: General. Purpose: Preventing software from being used in a wrong way, abused, falsified, etc. Category: S.
    Explanation: Measures must be taken to prevent software and related data from being abused, leaked, etc., whenever data is stored, copied, or discarded.
(7) Ensure that software is protected from computer viruses.
    Scope: General. Purpose: Protecting software from computer viruses. Category: S.
    Explanation: To protect software from computer viruses, measures must be taken to eliminate computer viruses.
(8)   Ensure that the               −         Protecting the                The intellectual property rights
      intellectual property                   intellectual property         of developed software must be
      rights of software are                  rights of developed           protected, and the intellectual
      managed properly.                       software, and                 property rights of introduced
                                              preventing the                software must be prevented
                                              intellectual property         from being infringed. To
                                              rights of software that       achieve this, the management of
                                              has been introduced           intellectual property rights must
                                              from being infringed.         be carried out properly.
(9)   Define policies for the       General   Minimizing the risks      S   Although free software offers a
      utilization of free                     associated with the use       great advantage in terms of cost,
      software (open source).                 of free software.             there are the risks involved in
                                                                            using free software: no
                                                                            guarantee of processed results,
                                                                            the possibility of computer
                                                                            viruses lurking within them,
                                                                            possible infringement of



                                                            - 59 -
                                                                                     intellectual property rights, etc.
                                                                                     To use free software, an
                                                                                     organization must establish a
                                                                                     policy for its use.

7  Manage Hardware  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Define and comply with hardware management rules. | General | Promoting the proper use of hardware, preventing failure from occurring, protecting hardware from natural hazards and misconduct, etc. | 3-(2)-2-A | C | To promote the proper use of hardware, prevent hardware failure, and protect hardware from natural hazards, misconduct, etc., it is necessary to establish hardware management rules and observe them. |
| (2) Ensure that hardware is installed in an environment resilient to potential risks. | General | Minimizing the effects of failure, natural hazards, misconduct, etc., on an information system. | 3-(2)-2-G, 3-(3)-2-A | C | To minimize the effects of failure, natural hazards, misconduct, etc., on an information system, hardware must be installed in an environment that allows an organization to deal with assumed risks properly. |
| (3) Ensure that periodic maintenance is provided for hardware. | General | Preventing hardware failure from stopping the operation and/or deteriorating the functions of an information system. | | S | To prevent hardware failure from stopping the operation or deteriorating the functions of an information system, maintenance must be conducted periodically. |
| (4) Ensure that proper measures are taken for hardware failures. | General | Preventing the suspension of the operation and/or deterioration of the functions of an information system. | 3-(2)-2-E | C | To prevent the suspension of the operation or deterioration of the functions of an information system and to achieve fast recovery in the event of hardware failure, it is necessary to establish measures for handling cases of hardware failure. |
| (5) Ensure that hardware usage is recorded and reviewed periodically. | General | Using hardware effectively, and preventing the abuse of hardware. | | S | To allow hardware to be used effectively and prevent the abuse of hardware, the situation with regard to the use of hardware must be recorded, and the recorded data must be analyzed periodically. |
| (6) Ensure that procedures for hardware retention, relocation and disposal are taken for error prevention, fraud prevention and confidentiality protection. | General | Preventing the leakage of confidential information that may occur if hardware is stolen, lost, disposed of, etc. | | S | Cases in which a piece of hardware is stolen or lost and used by a person other than the one entitled to ownership must be avoided, and data and other information assets must be protected. Therefore, measures must be taken to prevent the misconduct and leakage of confidential information that may occur when hardware is stored, relocated, or disposed of. |

8  Manage Network  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Define and comply with network management rules. | General | Operating the network normally and efficiently. | | S | To operate the network normally and efficiently, network management rules must be established and observed. |
| (2) Ensure that access control and the monitoring functions for the network are put in place effectively. | General | Preventing hacking or abuse of the network. | | S | To prevent hacking or abuse of the network and to detect cases of hacking or abuse as quickly as possible, it must be ensured that the control of network access and monitoring is functioning effectively. |
| (3) Ensure that network monitoring logs are periodically reviewed. | General | Preventing hacking or abuse of the network. | | S | To detect cases of network hacking or abuse and take necessary action, it is necessary to analyze network monitoring logs periodically. |
| (4) Ensure that proper measures are taken against failures in the network. | General | Ensuring the availability of an information system, electronic mail, Web, and other various services. | 3-(2)-2-E | C | To ensure the availability of an information system, electronic mail, Web, and other various services, measures must be established to cope with a possible failure of the network. |
| (5) Ensure that the network usage is periodically analyzed from stored records. | General | Operating the network stably and efficiently. | | S | To operate the network stably and efficiently, the situation with regard to the use of the network must be recorded, and the recorded data must be analyzed periodically. |
| (6) Define organization policies for services provided by network operators. | General | Allowing an organization to use the network efficiently. | | S | An organization's policy for information-providing services using the network must be clarified to use the services efficiently. |

9  Manage Configuration  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Ensure that the scope of software management, hardware management and network management is clearly defined. Ensure that a proper management level is provided. | General | Managing software, hardware, and networks properly. | | S | Persons in charge of user and network management must coordinate properly with vendors by clarifying the division of responsibilities for specific pieces of software and hardware and networks, in order to avoid a situation where a piece of software or hardware or a certain network is doubly overseen by both persons of the organization and the vendor, or not overseen at all by either. |
| (2) Ensure that system configuration, vendors and support conditions for software, hardware and networks are clearly specified. | General | Maintaining the functions of an information system, and achieving fast recovery in the event of failure. | 3-(2)-2-D | C | To maintain the functions of an information system and achieve fast recovery in the event of failure, it is necessary to clarify software, hardware, and network configurations, procurement sources, support conditions, etc. |
| (3) Ensure that the introduction and replacement of software, hardware and networks is decided on the basis of an assessment of its impact. | General | Preventing the suspension of the operation of an information system and the deterioration of its functions to ensure the stable operation of the information system. | 3-(2)-2-G | C | To ensure the stable operation of an information system by preventing the suspension of its operation and the deterioration of its functions, software, hardware, or the network shall be introduced, and the existing software, hardware or network must be replaced with new ones, only after carefully considering the extent of the impact. |
| (4) Ensure that the introduction and replacement of software, hardware and networks is planned systematically. | General | Minimizing the effects on an information system. | | S | To minimize the effects on an information system, it is necessary to introduce software, hardware, or a network, or to replace the existing software, hardware, or network, according to the plan. |

10  Manage Facilities and Equipment  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Ensure that facilities are located in an environment resilient to potential risks. | General | Designing buildings and facilities so that they function to minimize the effects (damage) of the suspension of the operation of an information system, the breakdown of an information system, etc. | | | To minimize the effects (damage) of the suspension of the operation or the breakdown of an information system, buildings and related facilities must be established in an environment that allows an organization to avoid assumed risks properly. |
| (2) Ensure that access to facilities and machine rooms is controlled for fraud prevention and protection of confidentiality. | General | Separating an information system to protect it from misconduct. | | | To protect an information system from misconduct, measures for preventing misconduct and protecting confidentiality must be included as part of the control of entry and exit into/from buildings and rooms. |
| (3) Ensure that facilities are properly operated. | General | Allowing an information system to operate in the same stable environment. | | | Related facilities must be operated continuously and stably by establishing and observing rules for managing and operating them. |
| (4) Ensure that maintenance of facilities is provided periodically. | General | Preventing the failure of related facilities from suspending the operation or deteriorating the functions of the information system, etc. | | | Periodic maintenance must be conducted on related facilities to prevent their failure from causing the suspension of the operation of the information system, the deterioration of its functions, etc. |
| (5) Ensure that proper measures against failures are taken. | General | Preventing the failure of related facilities, and recovering them from failure quickly. | | | To prevent the failure of related facilities and achieve fast recovery in the event of failure, measures for dealing with cases of failure must be established. |
| (6) Ensure that the access logs to the facilities and machine rooms are recorded and reviewed periodically. | General | Identifying the persons who enter a building or room so that a follow-up can be conducted at a later date (to prevent misconduct or crime). | | | The control of entry and exit into/from buildings and rooms requires that the persons who entered a building or room when an accident occurs be identifiable so that a follow-up investigation can be conducted. Therefore, entry into buildings and rooms must be recorded, and the recorded data must be analyzed periodically by a person in charge of entry and exit control. |


V  Maintenance

1  Maintenance Procedures  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Obtain approval for maintenance rules and procedures from the person responsible for maintenance. | General | Conducting maintenance smoothly. | | C | To standardize maintenance operations and perform maintenance operations smoothly while ensuring reliability, maintenance rules and a maintenance procedure must be established, and a person responsible for supervising maintenance operations must approve them. |
| (2) Define maintenance procedures according to the scale and necessary period of maintenance and specific system requirements. | General | Conducting maintenance efficiently. | | S | To conduct maintenance efficiently, a maintenance procedure must be determined based on the maintenance rules, the scale of maintenance, period, system characteristics, etc. |
| (3) Assess potential risks inherent in the maintenance, and develop necessary preventive measures. | General | Preventing system failure or other types of problems from occurring. | | S | To prevent maintenance work from causing system problems or other types of problems, it is necessary to identify all assumed risks and to take necessary measures after evaluating each risk. |

2  Maintenance Plan  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Obtain approval for the maintenance plan from the personnel responsible for maintenance. | General | Clarifying the scope of maintenance and the contents of maintenance work. | | S | To clarify the scope of maintenance and the contents of maintenance work, a maintenance plan must be formulated based on the results of surveys and analyses, and persons in charge in the service and maintenance departments must approve it. |
| (2) Examine and analyze the contents and influence of maintenance against change requests. | General | Performing maintenance work smoothly. | | S | To have a correct understanding of the contents of a request to change a maintenance plan and conduct maintenance smoothly, it is necessary to survey and analyze the contents of maintenance work and the extent of the impact. |
| (3) Define the objective, scope, methodologies, and schedule for the maintenance test plan. | General | Conducting maintenance smoothly. | | S | To allow a maintenance test to be conducted smoothly, a test plan describing the purpose, scope, method, schedule, etc., must be prepared. |

3  Maintenance Implementation  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Ensure that any modifications of the system design documents and the program design documents are implemented according to the maintenance plan. Prior to the modification, obtain approval for any changes of documents from the personnel responsible for maintenance, together with the appropriate stakeholders. | General | Preventing or reducing maintenance-related mistakes, misconduct, failure of performance, etc. | 3-(1)-3-F | C | To prevent or reduce mistakes, misconduct, performance failure, etc., a system design document, program design document, etc., must be changed, and persons in charge in the user and maintenance departments must approve the changed documents. |
| (2) Ensure that all program modifications are implemented according to the authorized maintenance procedures. Prior to modifications, changes must be approved by the personnel responsible for maintenance. | General | Preventing the mistakes and misconduct that may occur when a program is changed. | 3-(1)-3-G | C | To prevent the mistakes and misconduct that may occur when a program is changed, a person in charge of maintenance must approve the contents of the program change. |
| (3) Verify that programming is written according to the modified program design documents. | General | Preventing the mistakes that may occur during programming. | 3-(1)-3-H | C | To prevent mistakes during programming, it must be verified that programming is carried out based on a changed program design document. |

4  Maintenance Verification  (General)

| Control item | Category | Control objective | Ref. | C/S | Description |
|---|---|---|---|---|---|
| (1) Ensure that tests of modified programs are performed in accordance with the maintenance test plan. | General | Conducting a program test smoothly. | 3-(1)-3-I | C | To test a changed program properly and smoothly, a test must be conducted based on a maintenance test plan. |
| (2) Ensure that any tests of modified programs are performed taking into account the range of impact of the tests. | General | Preventing a changed program from affecting the functions and performance of an information system. | | S | To prevent the deterioration of functions and performance of an information system, a test must be conducted on a changed program with consideration given to the extent of the impact. |
| (3) Ensure that the user department of the system is involved in the tests for the modified program, and that the tests are performed in accordance with the user manuals. | General | Confirming that an information system meets requirements, including those specified in a change request. | 3-(1)-3-J | C | To verify that an information system meets the requirements for a change request, etc., the user must attend a program test, and the test must be conducted based on a user manual. |
| (4) Obtain approval of the results of the tests of the modified programs from the appropriate stakeholder and personnel responsible for operations and maintenance. | General | Checking the functions and performance of an information system. | 3-(1)-3-K | C | To verify the appropriateness of a test and the functions and performance of an information system, test results must be approved by persons in charge at user, operation, and maintenance departments. |
| (5) Ensure that the results of the tests of the modified programs are properly recorded and stored. | General | Confirming the appropriateness of the conducted test. | 3-(1)-3-L | C | To verify the appropriateness of a test and to use test results as basic data for investigating the cause of failure and other types of problems, test data and test results must be recorded and retained. |

5     Promotion to Production      General
(1) | Define promotion procedures taking into account the promotion conditions. | General | Performing the promotion process accurately and smoothly. | | S | To perform the promotion process correctly and smoothly, it is necessary to clarify the period, method, system, and other promotion conditions and to prepare a promotion procedure.
(2) | Ensure that backups of the pre-modified program and data are created. | General | Providing for possible promotion-related problems. | | S | To provide for the possible problems that may occur during promotion, backups of a program and data to which a change is not yet made must be created.
(3) | Ensure that the personnel responsible for operations and the maintenance department verify that the modified system does not affect other information systems. | General | Preventing promotion from causing the deterioration of the functions and performance of other information systems. | | S | To prevent the deterioration of functions and performance of other information systems, persons in charge in the operation and maintenance departments must verify the effects of information system promotion.

6     Disposal of Old Information Systems     General
(1) | Define the disposal plan of old information systems accounting for any risks that may be incurred. Obtain approval for the plan from the appropriate stakeholders and the responsible personnel in the operations and maintenance departments. | General | Minimizing the risks associated with the abolishment of an information system. | | S | To abolish an old information system smoothly and completely, an abolishment plan must be prepared with consideration given to risks, and an old information system must be abolished with the approval of persons in charge at user, operation, and maintenance departments.
(2) | Decide the disposal method and the timing of disposal of old information systems, taking measures to prevent fraud and protect confidentiality. | General | Preventing the misconduct, leakage of confidential information, or breach of privacy that may occur when an information system is abolished. | | S | To prevent misconduct and protect confidentiality and privacy, the method of abolishing an old information system and the time to abolish it must be determined with consideration given to measures for preventing misconduct and protecting confidentiality.

VI    Common Processes
1     Document Management
1.1   Document Creation          Company
(1) | Obtain approval for created documents from the appropriate stakeholders and responsible personnel in the information system department. | Company | Ensuring the quality of documents and making documents the common property of an organization. | | S | To verify the quality of documents and to make documents the common property of an organization, documents must be approved by persons in charge at user and information system departments.
(2) | Define and comply with documentation rules. | Company | Making documents consistent in appearance and quality throughout an organization. | | S | To make documents consistent in appearance and quality throughout an organization, it is necessary to define how a document should be organized, its description format, descriptive content, etc., as the rules to be observed.
(3) | Define the documentation plan. | Company | Preparing required documents efficiently. | | S | To prepare required documents efficiently, a document preparation plan must be formulated.
(4) | Define the type, the objective and the method of creation of documentation. | Company | Preparing documents efficiently in a way that suits the intended use. | | S | Required types of documents should be specified without excess or shortage, and documents should be prepared efficiently in a way that suits the intended use. To achieve this, types and purposes of documents, document preparation methods, etc., must be clarified in a document preparation plan.
(5) | Ensure that all documents are created in accordance with the documentation plan. | Company | Preparing documents by including all required information, and getting them ready for use by the time they are needed. | | S | To prepare documents by including all necessary information and get them ready for use by the time they are needed, documents must be prepared based on a document preparation plan.

1.2   Documentation Control       Company
(1) | Obtain approval for the contents of any modifications to documents from the appropriate stakeholders and the responsible personnel in the information system department. | Company | Ensuring the quality of updated documents. | | S | To check the quality of updated documents and make them the common property of an organization, persons in charge in the user and information system departments must approve the documents.
(2) | Define and comply with documentation control rules. | Company | Keeping documents consistent with the contents of an information system, and making them easy to use. | | S | To maintain the compatibility of documents with the contents of an information system and to make them easy to use, rules for managing original and distributed documents must be established and observed.
(3) | Update descriptions in documents and record the update history following any modification to the information system. | Company | Maintaining the compatibility of documents with the contents of an information system, and showing the latest status of each document. | | S | To maintain the compatibility of documents with the contents of an information system and to show the latest status of each document, the contents of related documents must be updated when a change is made to an information system, and updates must be recorded in the update record.
(4) | Ensure that document storage, duplication and destruction measures are taken in accordance with fraud prevention and confidentiality protection. | Company | Preventing documents from being abused, leaked, etc. | | S | To prevent documents from being abused, leaked, etc., measures must be taken to prevent the misconduct or leakage of confidential information that may occur when documents are stored, copied, or discarded.


2     Perform Project Management
2.1   Implementation             General
(1) | Define a project management approach and structure based on the project plan, and obtain approval from the appropriate stakeholders and the personnel responsible for planning, development, operations and maintenance. | General | Performing planning, development, operation, and maintenance operations as planned. | | S | To perform planning, development, operation, and maintenance operations as planned, each planning, development, operation, and maintenance department must clarify an appropriate progress management method and progress management system, and a person in charge in each department must approve them.
(2) | Ensure that stakeholders and the personnel responsible in the planning department, the development department, the operations department and the maintenance department are monitoring the progress of the project. | General | Detecting problems as early as possible. | | S | To detect problems as early as possible, persons in charge at user, planning, development, operation, and maintenance departments must have a correct understanding of the progress of operations.
(3) | Ensure that the appropriate measures are taken against delays. | General | Performing planning, development, operation, and maintenance operations as planned. | | S | To perform planning, development, operation, and maintenance operations as planned, measures must be taken to keep delays to a minimum.

2.2   Assess Project Management   General
(1) | Analyze and assess project performance against the project plan at the end of each phase of the project, and obtain approval for the assessment result from the project manager. | General | Reviewing a plan for the next operation process, improving the progress management method, and providing feedback information to the plan for an operation process performed simultaneously or an operation process of the same type that will be performed in the future. | | S | To review a plan for the next operation process, improve the progress management method, and provide feedback information to a plan for an operation process performed simultaneously or a plan for an operation process of the same type to be performed in the future, it is necessary to analyze and evaluate the results of performance by checking them against a plan upon completion of a planning process, development process, operation process, or maintenance process.
(2) | Ensure that the assessment results are properly reflected in the plan for the subsequent phase of the project. | General | Increasing the feasibility of a plan for the next process. | | S | To increase the feasibility of a plan for the next process, the results of evaluation must be reflected in a plan for the next operation process.
(3) | Ensure that the assessment results are properly reflected in improvements to the approach and the structure of project management. | General | Performing the progress management task efficiently and effectively. | | S | To perform the progress management operations efficiently and effectively, the results of evaluation must be used to improve the progress management method, progress management system, etc.

3     Quality Assurance



3.1   Quality Management Plan
(1) | Develop a quality management plan according to quality criteria, and obtain approval of the plan from the appropriate stakeholders and the responsible personnel in the planning department, the development department, the operations department and the maintenance department. | General | Maintaining a level of quality worthy of the effort made to achieve organizational objectives. | | S | A quality management plan is required to maintain a level of quality worthy of the effort made to achieve organizational objectives in all life cycles of an information system and to perform quality management operations smoothly and effectively. Persons in charge in the user, planning, development, operation, and maintenance departments must approve the quality management plan.
(2) | Define the quality management plan methodology, systems and so on. | General | Operating the quality management system of an organization smoothly. | | S | To operate the quality management system of an organization smoothly, it is necessary to clarify how the quality management plan should be implemented, the quality management plan implementation system, the time to implement it, etc. The quality management plan must present the quality management policy specified in the general optimization plan in a concrete form.

3.2   Perform Quality Management   General
(1) | Analyze and assess quality performance against the quality management plan at the completion of each phase of the project, and obtain approval of the result from the project manager. | General | Evaluating the quality management objectives for each operation. | | S | To verify that operations have been performed as planned and quality management objectives have been achieved, the results of performance must be analyzed and evaluated based on the quality management rules by checking them against a plan. The results of analysis and evaluation must be approved by a person in charge.
(2) | Ensure that the assessment results are properly reflected in improvements on quality management standards, approaches, and systems. | General | Achieving the quality management objectives of an organization. | | S | The results of quality management evaluation must be reflected in the quality management standard, quality management method, quality management system, etc., to improve the activities conducted to achieve the quality management objectives of an organization.

4     Human Resource Management
4.1   Roles and Responsibilities    Company
(1) | Define roles and responsibilities for each member of personnel in accordance with the characteristics and requirements assigned to the personnel. | Company | Preventing mistakes and misconduct and protecting confidential information. | 2-(1)-3 | C | Planning, development, operation, and maintenance operations must be performed efficiently, mistakes and misconduct must be prevented, and confidential information must be protected. To achieve all this, the responsibility and authority of personnel must be clearly defined.
(2) | Verify roles and responsibilities of each member of personnel in accordance with changes in the business and the IT environment. | Company | Coping with changes in the operation environment and information environment. | 2-(1)-3 | C | To cope with changes in the operation environment and information environment, the responsibility and authority of personnel must be reviewed periodically or with appropriate timing.
(3) | Ensure that each member of personnel is provided with appropriate orientation and chances to communicate so as to maintain their awareness of their roles and responsibilities. | Company | Performing operations efficiently and effectively, and ensuring good coordination between personnel. | 2-(1)-3 | C | To perform planning, development, operation, and maintenance operations efficiently and effectively and to ensure good coordination between personnel, assigned responsibility and authority must be made fully understood by all personnel.

4.2   Job Performance              General



                                                           - 79 -
(1) | Ensure that each member of personnel complies with his/her assigned roles and responsibilities. | Company/General | Preventing mistakes and misconduct. | 2-(1)-3 | C | To prevent mistakes and misconduct and to perform planning, development, operation, and maintenance operations efficiently and effectively, personnel must obey the assigned authority.
(2) | Verify that assigned tasks and work volume are appropriate for each member of personnel on the basis of their knowledge, skills and so on. | General | Ensuring the quality of a target product. | | S | To perform planning, development, operation, and maintenance operations according to plan and to ensure the quality of target products, the division of duties and workload must be determined based on the knowledge, ability, etc., of personnel.
(3) | Ensure that shift handovers are carried out with measures for error and fraud prevention and confidentiality protection. | General | Preventing the mistakes and misconduct associated with personnel rotation. | | S | Personnel rotation must be practiced with consideration given to preventing mistakes during takeover, preventing the misconduct of personnel who have been taken over and are off duty, and protecting confidential information.
(4) | Ensure that a reserve staffing plan is prepared for contingencies. | General | Maintaining the continuity of operations. | | S | To maintain the continuity of planning, development, operation, and maintenance operations, substitute personnel must be arranged for to prepare for unforeseen occurrences.

4.3   Education and Training       Company
(1) | Develop and update the educational training plans and curriculums in accordance with the human resource management policies. | Company | Providing education and training based on a consistent policy of an organization. | 2-(1)-4 | C | To provide education and training based on a consistent policy of an organization, a curriculum must be prepared based on the policy for human resource management, and it must be reviewed to cope with advances in information technology.
(2) | Ensure that the educational training plans and curriculums are prepared on the basis of the improvement of technological skills, the acquisition of business knowledge, the assurance of information security of the information system, and so on. | Company | Improving the quality of personnel. | 2-(1)-4 | C | The educational training curriculums must be prepared for the purpose of improving the quality of personnel, specifically increasing their technical competence, and allowing them to learn the knowledge of each operation, as well as ensuring the security of an information system.
(3) | Provide educational training chances to each member of personnel periodically and effectively, based on the educational training plans and curriculums. | Company | Allowing personnel to learn the knowledge, acquire the skills, etc., needed to perform operations. | 2-(1)-4 | C | To allow personnel to acquire the knowledge, ability, etc., needed to perform planning, development, operation, and maintenance operations efficiently, education and training must be provided periodically and effectively based on the education and training curriculum.
(4) | Develop a career path program for each member of personnel, and review it in accordance with changes in the business and IT environment. | Company | Allowing personnel to learn the knowledge, acquire the skills, etc., needed to perform operations. | | S | To allow personnel to acquire the knowledge, ability, etc., needed to perform planning, development, operation, and maintenance operations efficiently, a career path must be established, and it must be reviewed as required to cope
                                                                         with changes in the operation
                                                                         environment and information
                                                                         environment.

4.4   Healthcare
(1)   Ensure that the work environment is properly managed in accordance with healthcare considerations. [−]
      Purpose: Personnel remain physically and mentally fit so that they perform given tasks efficiently.
      Explanation: Personnel remain physically and mentally fit so that they are able to perform planning, development, operation, and maintenance operations efficiently. To achieve this, the working environment must be improved with healthcare considerations.
(2)   Carry out regular medical examinations and prepare mental healthcare programs. [−]
      Purpose: Taking care of the physical and mental aspects of personnel.
      Explanation: To maintain the health of personnel, health checkups and counseling about their physical and mental health must be conducted.

5     Consignment / Entrustment
5.1   Consignment or Entrustment Business Plans (General)
(1)   Develop consignment or entrustment business plans in accordance with the overall optimization plan, and obtain approval of those plans from the management. [General / 3-(4)-1-A / C]
      Purpose: Preparing a consignment or entrustment business plan in concrete form.
      Explanation: The policies for fulfilling a consignment or entrustment are described in the use of “External Resources” in the overall optimization plan (I Strategic IT Plan, 1. Overall optimization, 1.3 Development of the overall optimization plan (7)). To prepare a consignment or entrustment business plan in concrete form, the consignment or entrustment business plan must be prepared and approved by persons in charge.
(2)   Define the objectives, scopes, budget, and structure of the consignment or entrustment business. [General / 3-(4)-1-B / C]
      Purpose: Clarifying the contents of the actual consignment or entrustment business to allow related operations to be performed smoothly.
      Explanation: The contents of the actual consignment or entrustment business must be clarified to allow related operations to be performed smoothly. Specifically, the purposes, scope, system, budget, etc., of these projects must be clarified.
(3)   Assess concrete effects and potential problems of the consignment or entrustment business, and make decisions based on the results of the assessments. [General / S]
      Purpose: Performing the tasks associated with contractor and consignee operations efficiently.
      Explanation: Expected results, problems, risks, etc., must be carefully considered before concluding the consignment or entrustment. This step is necessary to accomplish the purposes of the consignment or entrustment operations project completely.

5.2   Selection of the Service Provider of Consignment Business (General)
(1)   Define selection criteria of service providers. [General / 3-(4)-1-C / C]
      Purpose: Selecting a consignee based on the plan for operations as a contractor.
      Explanation: To select a consignee based on the plan for operations as a contractor, the criteria for selecting a consignee must be clarified.
(2)   Present requirement specifications to candidate service providers. [General / S]
      Purpose: Clarifying the conditions for working as a consignee when preparing a proposal.
      Explanation: Required specifications must be presented to a candidate contractor to clarify the conditions for working as a consignee when preparing a proposal.
(3)   Assess proposals submitted by candidate service providers. [General / S]
      Purpose: Selecting the most appropriate consignee in a fair manner.
      Explanation: To select the most appropriate consignee in a fair manner, proposals presented by candidate consignees must be compared and evaluated based on the criteria for selection.

5.3   Contracts (General)
(1)   Conclude contracts in compliance with the consignment contract rules and/or the entrustment contract rules. [General / 3-(4)-1-E / C]
      Purpose: Concluding a contract with a selected consignee.
      Explanation: A contract to be concluded with a consignee must be in accordance with the rules for concluding a contract as a contractor or the rules for concluding a contract as a consignee.
(2)   Define provisions concerning compliance. [General / 3-(4)-1-E / C]
      Purpose: Preventing the abuse or leakage of information and breach of privacy.
      Explanation: To prevent the abuse or leakage of information and breach of privacy, measures for preventing misconduct and protecting confidential information shall be clarified when concluding a contract.
(3)   Define whether to allow re-commission. [General / S]
      Purpose: Preventing problems related to the reselection of consignees.
      Explanation: To prevent problems related to the reselection of consignees, whether the reselection of consignees is allowed must be clarified when concluding a contract.
(4)   Define the holders of the intellectual property rights. [General / S]
      Purpose: Preventing problems related to intellectual property rights.
      Explanation: To prevent problems related to intellectual property rights, the ownership of intellectual property rights must be clarified when concluding a contract.
(5)   Define the special agreement and disclaimer clauses. [General / S]
      Purpose: Assuming the occurrence of problems.
      Explanation: To deal with problems that are expected to occur, special agreement clauses and waiver clauses must be included in a contract.
(6)   Define details of services and the sharing of responsibilities. [General / 3-(4)-1-F / C]
      Purpose: Supporting a consignee in performing subcontracted operations smoothly.
      Explanation: The contents of subcontracted operations and the division of duties must be clarified in a contract and specifications so that a consignee can perform subcontracted operations smoothly.
(7)   Reexamine contents of the contract in case of additions to or changes in the contract. [General / S]
      Purpose: Clarifying the contents of subcontracted operations and supporting a consignee in performing operations smoothly.
      Explanation: If there is a change in or addition to the contents of subcontracted operations after a contract is concluded, the contents of a contract must be reexamined to check the contents of subcontracted operations at a consignee and help the consignee perform operations smoothly.
(8)   Define policies for system audit. [General / S]
      Purpose: Ensuring the reliability, safety, and efficiency of operations being performed by a consignee.
      Explanation: To ensure the reliability, safety, and efficiency of operations being performed at a consignee, the policy for system auditing must be included in a subcontracting contract.

5.4   Consignment (General)
(1)   Assess consistencies between the actual consigned business and the contracted business. [General / 3-(4)-1-G / C]
      Purpose: Having the actual consigned business performed without excess or shortage.
      Explanation: To allow a consignee to perform subcontracted operations without excess or shortage, the contents of subcontracted operations performed by a consignee must be in agreement with the contents described in a subcontracting contract.
(2)   Provide necessary specifications, data and other materials according to the contract. [General / S]
      Purpose: Having a consignee perform subcontracted operations according to a plan for operations as a contractor.
      Explanation: To allow a consignee to perform subcontracted operations according to a plan for operations as a contractor, it is necessary to provide a consignee with the required specifications, data, materials, etc., based on a subcontracting contract.
(3)   Monitor progress of the consigned business, and take necessary measures against delay of the project. [General / 3-(4)-1-G / C]
      Purpose: Performing the consigned business according to a plan for operations as a consignee.
      Explanation: To allow a consignee to perform subcontracted operations as specified in a plan for operations as a contractor, the progress of subcontracted operations must be monitored, and measures must be implemented to avoid or deal with the risks properly.
(4)   Monitor the status of error prevention, fraud prevention and confidentiality protection at the consignment partners, and take measures as and when necessary. [General / 3-(4)-1-E / C]
      Purpose: Preventing mistakes, misconduct, leakage of confidential information, breach of privacy, etc., as specified in a subcontracting contract.
      Explanation: To prevent mistakes, misconduct, leakage of information, breach of privacy, etc., as specified in a subcontracting contract, the status of measures implemented to prevent mistakes and misconduct and to protect confidentiality must be monitored, and appropriate action must be taken as required.
(5)   Ensure that the acceptance of deliverables is carried out based on the consignment contract. [General / 3-(4)-1-H / C]
      Purpose: Confirming that the purposes of subcontracting have been accomplished.
      Explanation: Products must be subjected to a receiving inspection based on a subcontracting contract to see if the purposes of subcontracting are accomplished.
(6)   Ensure that the restitution and/or disposal of data and materials that are provided for the consignment are properly executed after completion of the consigned services. [General / S]
      Purpose: Preventing unfair competition and protecting security after subcontracted operations are completed.
      Explanation: After subcontracted operations are completed, it must be confirmed that the data, materials, etc., provided to a consignee have been withdrawn or disposed of, in order to prevent unfair competition and protect confidentiality.
(7)   Assess and analyze results of the consigned services. [General / S]
      Purpose: Reflecting the results of analysis and evaluation in the next plan for operations as a contractor and in selecting consignees.
      Explanation: To reflect the results of analysis and evaluation in future plans for operations as a contractor and in selecting consignees, it is necessary to analyze and evaluate the results of the subcontracted operations performed.

5.5   Entrustment (Company)
(1)   Ensure that the actual entrusted business is consistent with the contracted provisions. [Company / S]
      Purpose: Having the actual entrusted business performed without excess or shortage.
      Explanation: To perform entrusted business without excess or shortage, the contents of entrusted business must be in agreement with the contents described in a contract.
(2)   Monitor progress of the entrusted business, and take measures against potential risks. [Company / S]
      Purpose: Performing the entrusted business according to a plan for operations as a consignee.
      Explanation: To perform entrusted business according to a plan for entrusted business, the progress of entrusted business must be monitored, and measures must be implemented to avoid or reduce the risks.
(3)   Implement a quality management process for deliverables. [Company / S]
      Purpose: Managing the quality of products based on a contract as a consignee.
      Explanation: Quality management must be carried out by a consignee so that the quality of a product reaches the product acceptance standard specified in a contract as a consignee.
(4)   Ensure that restitution and/or disposal of data, materials and other resources supplied from the contracted party are properly executed in accordance with the contract, after the completion of the contracted business. [Company / S]
      Purpose: Preventing unfair competition and protecting confidentiality after operations are completed.
      Explanation: After operations are completed, it must be verified that the data, materials, etc., provided by a contractor have been withdrawn or disposed of, in order to prevent misconduct and protect confidentiality.

6     Change Management
6.1   Change Management (General)
(1)   Define change management rules, and obtain approval of the rules from the appropriate stakeholders and the responsible personnel in the development department and the maintenance departments. [General / 3-(1)-3-A / C]
      Purpose: Making changes smoothly and effectively.
      Explanation: Change management rules and a change procedure are required to make changes smoothly and effectively, and must be approved by persons in charge at user, development, and maintenance departments. Large changes must be controlled by a development department in accordance with the System Management Standards.
(2)   Ensure that the decisions made for change management issues appropriately take into account impacts on other systems, in case of modifications to specifications, problems, unresolved issues and so on. [General / S]
      Purpose: Not disturbing the smooth operation of an information system in operation.
      Explanation: How changes arising from modifications to specifications, problems, unresolved issues, and so on should be handled through change management issues must be determined with consideration given to the effects on other systems, taking care not to hamper the smooth operation of the information system.
(3)   Track change management issues from the proposal to its completion, and periodically analyze uncompleted issues. [General / 3-(1)-3-E / C]
      Purpose: Making the changes necessary for organizational operations at the appropriate times.
      Explanation: The progress of matters being processed through change management issues must be monitored from when proposals are made to when the matters are resolved, to ensure that the changes necessary for organizational operations are being made at the appropriate times. Matters that remain unresolved must be analyzed periodically.

6.2   Implement Change Management (General)
(1)   Implement change management issues in compliance with change management rules. [General / S]
      Purpose: Carrying out change management smoothly and safely.
      Explanation: Change management issues must be carried out in accordance with the change management rules so that changes can be made smoothly and safely.
(2)   Ensure that the environment of other related systems is changed simultaneously when implementing change management issues. [General / 3-(1)-3-B / C]
      Purpose: Avoiding system problems caused by a change, and making changes efficiently.
      Explanation: If a change has been made to a matter to be handled by change management issues, a change must also be made to the environment of a related information system to prevent the change from causing problems to the information system and to make the change efficiently.
(3)   Obtain approval of the results of change management issues from the appropriate stakeholders and the responsible personnel in the development department, the operation department and the maintenance department. [General / 3-(1)-3-D / C]
      Purpose: Confirming that a change has been made as specified by a change request.
      Explanation: It must be verified that a change has been made as specified by a change request, and the change must be approved by persons in charge at user, development, and maintenance departments.

7 Disaster Recovery
7.1 Risk analysis
(1) Assess potential risks such as earthquakes and the range of impacts on the information system. | − | Presenting the countermeasures for protecting an information system from a disaster or an act of terrorism. | | | To illustrate what actions are taken to protect information systems from a disaster or an act of terrorism, it is necessary to clarify the types of risks, including earthquake, flood, terrorism, etc., and the extent of the impact on information systems.
(2) Analyze potential damage to the organization suffered from a shutdown of the information system and so on. | − | Clarifying the importance and urgency of recovering operations relative to the magnitude of a disaster. | | | To clarify the importance and urgency of recovering operations relative to the magnitude of a disaster, the extent of loss caused to an organization due to the breakdown of an information system must be analyzed.
(3) Assess the acceptable recovery time for each business process and prioritize them. | − | Minimizing the suspension of operations caused by a disaster and the resultant effects, and recovering information systems efficiently. | | | The allowable operation recovery time and the order of priority of recovery must be determined to minimize the suspension of operations caused by a disaster and the resultant effects and to achieve efficient recovery.

7.2 Contingency Plan | General
(1) Develop contingency plans based on risk analysis and ensure that the plan is consistent with the business continuity plan. | General | Implementing appropriate countermeasures quickly and efficiently and minimizing confusion if a disaster occurs. | | | A disaster contingency plan must be formulated by ensuring consistency with the business continuity plan so that appropriate actions can be taken quickly with the least confusion if a disaster occurs.
(2) Obtain approval for the contingency plan from the top management of the organization. | General | Taking appropriate actions quickly with the least confusion if a disaster occurs. | | | The top management of an organization must approve the contingency plan to make it fully understood by the people concerned so that appropriate measures can be implemented quickly with the minimum possible confusion if a disaster occurs.
(3) Assess the feasibility of the contingency plan. | General | Ensuring the continuity of operations in a way commensurate with the degree of damage, and achieving recovery in a reliable manner. | | | To ensure the continuity of operations in a way commensurate with the degree of damage and to achieve recovery in a reliable manner, it is necessary to confirm the feasibility of the contingency plan.
(4) Define educational training policies for employees in the contingency plan. | General | Having a good understanding of the countermeasures specified in the contingency plan, and implementing them in a reliable, efficient manner. | | | To have a good understanding of the countermeasures specified in the contingency plan and to implement them in a reliable manner, the policy for employee education and training must be clarified, and education and training must be provided periodically based on the contingency plan.
(5) Communicate and inform related departments of the contingency plan. | General | Having a good understanding of the countermeasures specified in the contingency plan, and implementing them in a reliable, efficient manner. | | | To have a good understanding of the countermeasures specified in the contingency plan and to implement them in a reliable manner, education and training must be provided based on the contingency plan, and the contents of the countermeasures must be made fully understood by all departments concerned.
(6) Update the contingency plan regularly and ensure that the plan is kept up to date. | General | Maintaining the feasibility of the contingency plan by modifying its contents to cope with changes in the business and operation environments. | | | As the business and operation environments change, the contingency plan must be reviewed at the appropriate times to maintain feasibility.

7.3 Backups | General
(1) Define methods and procedures for backing up the system, data and other necessary resources to meet the recovery objectives of the businesses. | General | Recovering an information system in a reliable manner with consideration given to recovery work efficiency and the cost efficiency of recovery work. | 3-(2)-3-D | C | To recover an information system from failure in a reliable manner with consideration given to recovery work efficiency and the cost efficiency of recovery work, it is necessary to establish backup methods and procedures with consideration given to operation recovery goals.
(2) Assess and confirm the backup methods and procedures by the responsible personnel in the operations department. | | Recovering an information system in a reliable manner. | 3-(2)-3-D | C | To verify the feasibility of the backup methods and procedures established, a person responsible for the operation of an information system must verify the appropriateness of the backup methods and procedures.

7.4 Alternative Operations and Recovery | General
(1) Define and assess alternative processing procedures and structures until resumption. This task should be conducted by the appropriate stakeholders and the responsible personnel in the operations department. | General | Continuing operations by using alternative methods until an information system is recovered from failure. | | | Alternative processing procedures and structures must be established to continue operations until an information system is recovered from failure. Persons in charge at user and operation departments must verify the feasibility of the alternative processing procedures and structures.
(2) Define and assess recovery procedures and structures. This task should be done by the appropriate stakeholders and the responsible personnel in the operations department. | General | Recovering an information system from failure in a smooth, reliable manner. | 3-(2)-3-E | C | Recovery procedures and structures must be established to recover a failed information system in a smooth, reliable manner. Persons in charge at user and operation departments shall verify the feasibility of the recovery procedures and structures.

Appendix 3 Examples of IT controls and IT

1. Prevention and indication of input errors

(1) Input screen functions for preventing input errors

Typical functions are as follows:

1 Showing a pull-down menu so that the operator who inputs data makes a choice
instead of inputting a code on the keyboard
2 Showing a pull-down menu of part numbers related to specific customers or
suppliers to narrow the scope of selection in inputting data
3 Showing the items most recently inputted by a specific operator or the items that
he or she inputs with a high degree of frequency
4 Limiting the range of codes that can be inputted according to the scope of
responsibilities assigned to each operator
5 Showing a warning if a specific operator inputs a code or abnormal value that he
or she has never inputted before

(2) Program functions for preventing input errors

A program validates data when data is input on the input screen or when it performs
an input data acceptance process (data received from outside suppliers is included in
the data processed by this acceptance process). The main functions of this program
are shown in Table 3-1 below.

Table 3-1 Program’s functions for preventing and indicating input errors

Checking the completeness of data processing
  Data that is lost or mistakenly left unprocessed is detected based on the number of
  data processed, control totals, hash totals, results of sequential number checks,
  etc.
  Notes:
  1. Control totaling is checking for omissions or overlaps in a particular
  processing step by comparing the total amount of money, the hash total, the
  number of records, etc., calculated before and after this processing step.
  2. Hash totaling is checking data for completeness by totaling numerical values
  whose total is usually meaningless in itself. For example, the total quantity of a
  certain part number (if the part number is expressed as a number) shown on the
  original input forms is calculated manually, and this total is compared with the
  total quantity of the same part number shown on the screen during data input.

Performing arithmetic calculation checks
  Incorrect data is prevented from being mixed in by performing limit value
  checking, crossfooting, balance checking, etc.
  Notes:
  1. Limit value checking is checking whether input data deviates from the
  predetermined range of values.
  2. Crossfooting is checking data for consistency between a total in the vertical
  direction and that in the horizontal direction. In payroll calculations, for
  example, gross pay, total deductions and take-home pay are calculated, and the
  total take-home pay is validated against the total obtained by subtracting total
  deductions from gross pay. Crossfooting is similar to this payroll calculation.
  3. Balance checking is checking whether total debits equal total credits in
  journalizing in an accounting procedure.

Using check digits
  Numerical values (check digits) are embedded into codes to allow a program to
  detect mistakenly inputted codes or prevent incorrect codes from being inputted.
  Note: Check digits are used to prevent incorrect codes from being inputted.
  Specifically, for a six-digit code, a value is calculated from the five-digit
  sequence formed by its first to fifth digits, and a value derived from it is put
  into the sixth digit; the sixth digit is then used to verify the validity of the
  input code.

Checking the data format
  A blank test, a test to discern a numerical value from a character, a sign test,
  etc., are conducted to detect data containing errors or to prevent different
  types of data from mixing.
  Notes:
  1. A blank test checks whether data is mistakenly inputted into a space that
  should always be blank.
  2. A sign test checks whether numerical data designated as always being positive
  is input as negative numerical data, or vice versa.

Checking the logical reasonableness
  The relationships between pieces of inputted data are checked, and only data
  that is logically reasonable is accepted.

Checking input data against predefined control values
  Input data is checked against registered credit limits, payment limits, quantity
  limits, unit price limits, etc., so that data larger or smaller than a specified
  limit is not accepted.

Checking input data against related files
  Purchase data is collated with data in ordering files, data on shipping orders is
  collated with data in files of accepted orders, etc., to verify the consistency
  between mutually related data.
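The checks of Table 3-1 carried through in working form, as an added example (illustrative code written for this page, not part of the standard; the Luhn weighting used for the check digit, the payroll rows and the sample batch are assumptions, since the standard prescribes no particular scheme or values):

```python
"""Added example: input-control checks of the kinds listed in Table 3-1.

Illustrative code written for this page, not part of the METI standard. The check
digit uses the Luhn algorithm as one concrete scheme (assumption); the sample
values below are constructed.
"""
from dataclasses import dataclass


def check_digit(body: str) -> str:
    """Return the sixth digit computed from the first five digits of a code (Luhn)."""
    if len(body) != 5 or not body.isdigit():
        raise ValueError("code body must be exactly five digits")
    total = 0
    # Walk from the rightmost body digit and double every other digit starting there,
    # because the check digit will occupy the position to its right.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def valid_code(code: str) -> bool:
    """Verify a six-digit code by recomputing its check digit (catches mistyped codes)."""
    return len(code) == 6 and code.isdigit() and check_digit(code[:5]) == code[5]


def limit_check(value: float, low: float, high: float) -> bool:
    """Limit value check: the input must lie within the predetermined range."""
    return low <= value <= high


def sign_test(value: float, must_be_positive: bool = True) -> bool:
    """Sign test: a field designated as always positive must not carry a negative value."""
    return value >= 0 if must_be_positive else value <= 0


def blank_test(field: str) -> bool:
    """Blank test: a field that must always be blank must not contain data."""
    return field.strip() == ""


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    gross: int        # amounts held in cents so that totals compare exactly
    deductions: int
    net: int


def crossfoot(lines) -> bool:
    """Crossfooting: every row must satisfy gross - deductions = net, and the
    column totals (vertical) must satisfy the same relation (horizontal)."""
    rows_ok = all(l.gross - l.deductions == l.net for l in lines)
    total_gross = sum(l.gross for l in lines)
    total_ded = sum(l.deductions for l in lines)
    total_net = sum(l.net for l in lines)
    return rows_ok and total_gross - total_ded == total_net


def balance_check(entries) -> bool:
    """Balance check: total debits must equal total credits in a journal batch.
    entries: iterable of (account, debit, credit)."""
    return sum(e[1] for e in entries) == sum(e[2] for e in entries)


def batch_control_checks(records, expected_count: int,
                         expected_hash_total: int, expected_qty: int):
    """Completeness checks on an input batch: record count, hash total of the part
    numbers (a sum that is meaningless in itself and used only for comparison) and
    control total of quantity. records: iterable of (part_number, quantity).
    Returns a list of findings; an empty list means the batch is complete."""
    records = list(records)
    findings = []
    if len(records) != expected_count:
        findings.append(f"record count {len(records)} != expected {expected_count}")
    hash_total = sum(int(part) for part, _ in records)
    if hash_total != expected_hash_total:
        findings.append(f"hash total {hash_total} != expected {expected_hash_total}")
    qty_total = sum(qty for _, qty in records)
    if qty_total != expected_qty:
        findings.append(f"quantity control total {qty_total} != expected {expected_qty}")
    return findings


if __name__ == "__main__":
    # Constructed sample batch: part numbers with quantities, as keyed from input forms
    batch = [("10001", 3), ("20002", 5), ("30003", 1)]
    print(batch_control_checks(batch, 3, 60006, 9))    # []
    print(valid_code("123455"), valid_code("213455"))  # True False
```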

2. Preventing or indicating errors in the data processing process

A large volume of data is processed and totaled in the data processing process, and
there are cases in which errors contained in the results of data processing remain
unnoticed for a long time.

Functions for preventing or indicating errors in data must be provided to maintain the
accuracy, completeness and file continuity of information processing operations.
Table 3-2 shows these functions.

Table 3-2 Functions for preventing or indicating errors in the data processing
process

Indicating errors when data is updated, and conducting a follow-up
  An error message is shown during an update of files of transaction data or other
  data if the data cannot be updated under the conditions specified by the system
  design or if inconsistencies in the data are detected. This is a basic function
  to be implemented by program design. Based on the information given by an error
  message, the contents of the data and of the related programs must be
  investigated to identify the cause of the error.

Automatically checking the consistency of the results of updating
  The total number of data, total quantity, total amount, etc. of the multiple
  files shown below are automatically collated to check the consistency of data
  between files so that the presence or absence of errors can be detected and
  thereby the accuracy and completeness of the results of updating can be ensured.
  1 Detail file containing the original data to be used for updating
  2 Contents of an update to be made to the file that is to be updated by the
  original data
  3 Summary file containing the original data to be used for updating

Unifying information sources by integrating databases
  Basic transaction data and aggregate data databases (itemized account, account
  balance, production results, stock, records of goods put into and taken out of
  storage, etc.) are unified, and various types of output information are output
  from a unified database so that errors caused by inconsistencies between files
  can be prevented.

Checking for the sameness between the totals and balance totals of output forms
and those of summary files
  Errors during the preparation of output forms are prevented by collating total
  values, total balances, etc., output to output forms with data in summary files.

Review of output forms conducted by managing personnel at a user department
  Output forms are reviewed by management personnel at a user department or
  persons in charge of operation management who are familiar with the contents of
  the data so that errors or inconsistencies in the data can be detected.
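The automatic collation of update results (detail file, contents of the update to the master file, summary file) and of output-form totals against the summary file, as an added example (illustrative code written for this page, not the standard's own; the file layouts and the stock balances below are constructed):

```python
"""Added example: automatic consistency check of update results (Table 3-2).

Illustrative code written for this page, not part of the METI standard. It collates
the totals of (1) the detail file used for updating, (2) the update actually applied
to the master file (after minus before) and (3) the summary file, and it collates
the totals printed on an output form with the summary file. File layouts and the
sample balances are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A detail record is (item_key, quantity, amount_in_cents); amounts are integers
# so that totals compare exactly.
DetailRecord = Tuple[str, int, int]
# Master and summary files map item_key -> (quantity, amount_in_cents)
Balances = Dict[str, Tuple[int, int]]


def totals_by_key(detail: Iterable[DetailRecord]) -> Balances:
    """Aggregate the detail file per key: the update the master file should receive."""
    acc: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for key, qty, amount in detail:
        acc[key][0] += qty
        acc[key][1] += amount
    return {k: (v[0], v[1]) for k, v in acc.items()}


def master_delta(before: Balances, after: Balances) -> Balances:
    """Contents of the update actually made to the master file (after minus before)."""
    delta: Balances = {}
    for key in set(before) | set(after):
        q0, a0 = before.get(key, (0, 0))
        q1, a1 = after.get(key, (0, 0))
        if (q1 - q0, a1 - a0) != (0, 0):
            delta[key] = (q1 - q0, a1 - a0)
    return delta


def grand_totals(balances: Balances) -> Tuple[int, int]:
    """Total quantity and total amount over every key of a file."""
    return (sum(q for q, _ in balances.values()), sum(a for _, a in balances.values()))


def reconcile(detail: List[DetailRecord], before: Balances, after: Balances,
              summary: Balances) -> List[str]:
    """Collate detail totals, the master update and the summary file per key and in
    total; return the list of discrepancies (empty when everything agrees)."""
    findings: List[str] = []
    expected = totals_by_key(detail)
    applied = master_delta(before, after)
    for key in sorted(set(expected) | set(applied) | set(summary)):
        exp = expected.get(key, (0, 0))
        app = applied.get(key, (0, 0))
        summ = summary.get(key, (0, 0))
        if exp != app:
            findings.append(f"{key}: detail {exp} vs master update {app}")
        if exp != summ:
            findings.append(f"{key}: detail {exp} vs summary {summ}")
    if grand_totals(expected) != grand_totals(summary):
        findings.append(f"grand totals: detail {grand_totals(expected)} "
                        f"vs summary {grand_totals(summary)}")
    return findings


def output_form_matches_summary(form_totals: Tuple[int, int], summary: Balances) -> bool:
    """Collate the total quantity and amount printed on an output form with the summary file."""
    return form_totals == grand_totals(summary)


if __name__ == "__main__":
    # Constructed sample files: stock receipts for items A and B, amounts in cents
    detail = [("A", 5, 5000), ("A", 3, 3000), ("B", 2, 4000)]
    before = {"A": (10, 10000), "B": (0, 0)}
    after = {"A": (18, 18000), "B": (2, 4000)}
    summary = {"A": (8, 8000), "B": (2, 4000)}
    print(reconcile(detail, before, after, summary))           # []
    after["B"] = (3, 4000)                                      # a mis-applied update
    print(reconcile(detail, before, after, summary))           # one finding for B
    print(output_form_matches_summary((10, 12000), summary))   # True
```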

3. Function for ensuring the relevance between application data and system data

This function is for ensuring the relevance (possibility of mutual tracing) between
data related to financial reporting and data related to financial information. The
relevance between data must be ensured to enable an automatic transfer (automatic
journalizing, automatic coordination, etc.) of data between applications and systems.
Table 3-3 shows examples of how data is cross-referenced.

Table 3-3 Function for ensuring the relevance between application data and
system data

Individual reference method
  The individual reference method is used to allow applications and systems to
  recognize their individual reference counterparts. In this case, serial numbers,
  form numbers (same numbers, or same numbers with sub-numbers), etc., are recorded
  on both application and system data to ensure the relevance between data.

Total reference method
  If the result of totaling in a certain application or system must be transferred
  to another application or system, the total reference method is used to allow the
  application or system to recognize its reference counterpart by recording its own
  information (application or system, the range of totaling, etc.) in that
  counterpart. In the case of this method, the relevance is maintained by recording
  the items to be totaled (account titles, departments, etc.), the period during
  which totals are calculated, etc., in the transferred data of an application or
  system as abstracts in textual form, or by recording the ID of the application or
  system from which data is to be transferred, automatic journalizing patterns, etc.

Appendix 4 Recording the assessment procedure, etc.

1. Records of IT controls

Items shown below shall be recorded to demonstrate that appropriate IT controls are
placed in operation and operated properly and that the status of IT controls in
operation has been assessed in an appropriate manner. Although only IT controls are
described in this appendix, not only IT controls but also overall internal controls
must be described in management’s assessments.

1 Policies and procedures for the introduction and operation of IT controls over
financial reporting
2 Status of the introduction and operation of each assessment item to be adopted by
management when the company-level IT controls are assessed
3 Outline of operation processes related to important account titles and items to be
disclosed (including the system flows of each operation process, outline of IT
application controls, listing of systems used, etc.)
4 Risks of important deceptive indications occurring in each operation process, and
the contents of IT controls carried out to reduce involved risks
5 Status of the introduction and operation of IT controls concerning (4) above
6 Procedure for making an assessment of the effectiveness of IT controls over
financial reporting, assessment results, identified shortcomings, and measures taken
to correct the shortcomings
7 Records of assessment plans
8 Records of a decision made concerning the range of assessment (including a
method for determining the range of assessment, and the grounds for adopting the
method)
9 Procedure for making an assessment of implemented IT controls, and records of
assessment results, corrective measures, etc.

(⇒ II 3 7, Practice Standards)

2. Keeping records

The range of internal control records related to financial reporting to be kept,
the method of keeping them and the period during which they are kept shall be
determined through the proper judgment of each company, with consideration given
to the relationships with vouchers. It is recommended that these records be kept
for a period identical to the inspection period (5 years, etc.) of annual securities
reports and attached documents, covering an appropriate range of records and using
an appropriate method of record keeping (magnetic media, paper, film, etc.).
(⇒ II 3 (7) 2, Practice Standards)

If electronic media are used, there is the possibility that records may be
overwritten or deleted after assessment due to errors in the system settings.
Additionally, records shall be kept properly and safely with intentional
falsification taken into consideration. Assessment results, related documentary
evidence, etc., shall also be kept properly and safely. For example, related
documentary evidence can be printed on paper or stored on a type of media that
cannot be overwritten. To prevent the falsification of records, electronic
signatures can be introduced.

The results of management’s assessment shall be recorded so that auditors can
review them at a later date.

Prior discussions with auditors shall be held to determine how assessment results
should be retained, to what extent the documentary evidence used for assessment
should be retained, how the documentary evidence should be stored (for example,
printed on paper or on electronic media such as CD-ROMs), whether measures should
be taken to prevent falsification, and so forth.

Appendix 5 Sampling

1. Points to notice when conducting sampling

The following two points shall be considered when determining a method for making
an assessment of the status of internal controls in operation processes (the number of
sampled cases, the period during which sampling is conducted, etc.).

1 Forms and features of internal controls, etc.
2 Account settlement and financial reporting processes

Concerning the forms and features of internal controls, the following shall be
considered when determining a method for making an assessment of the status of
internal controls:

a. Importance of internal controls
b. Complexity of internal controls
c. Nature of judgment made by persons in charge
d. Ability of persons who carry out internal controls

Because IT controls are carried out by performing a set of operations repeatedly in a
consistent manner, the amount of assessment work can usually be decreased if IT
controls are considered to be operating effectively, on the condition that IT general
controls are also working effectively; specifically, the number of cases to be sampled
can be decreased (the number of operations performed by personnel should remain
the same), the period during which cases are sampled can be shortened, etc.
(⇒ III 4 (2) 2 C, Practice Standards)

2. Types of sampling

Types of sampling are generally classified into the two shown below, depending on
the sample extraction method and estimation method used.

1 Statistical sampling
2 Nonstatistical sampling (sampling based on the experience of persons who make
assessments, etc.)

When estimating the conditions of the whole of a population, assessments are usually
made by using a statistical sampling approach. Therefore, it is thought that statistical
sampling will be used more frequently when making an assessment of the status of
IT controls in operation. However, because a population is small during quarterly
processing, monthly processing, weekly processing, etc., the amount of available
data may not be sufficient and, therefore, means other than statistical sampling can
be used.

3. Number of cases to be sampled

(1) If assessments are made manually

Although it is inappropriate to state a proper number of cases to be sampled in a
generalized manner, the conditions of internal controls in operation processes may
be assessed by referring to a table like Table 5-1, which shows the number of cases
to be sampled and the allowable number of deviations. The frequency of sampling
refers to the number of cases (for example, the number of transactions) used to
make an assessment of the conditions of internal operations.

                   Table 5-1 Example of the quantity of samples

Frequency of sampling          Number of cases to be sampled   Allowable number of deviations
Many samples in one day        25                              0
Daily                          25                              0
Weekly                         5                               0
Monthly                        2                               0
Quarterly                      2                               0
Yearly                         1                               0

Table 5-1 shows that when making an assessment of the effectiveness of a population
in which many internal controls are carried out daily, 25 cases should be sampled at
random, and the internal controls should be considered to be working effectively if
not a single deviation is found in these 25 cases. The number of cases to be sampled
and the allowable number of deviations shown to the right of “Many samples in one
day” and “Daily” were calculated using a statistical method: if 25 cases are sampled
from an infinitely large population and no deviation is found in them, it can be
stated at a 90% confidence level that deviations account for 9% or less of the
total. (⇒ III 4 (2) 1 B a, Practice Standards) In Table 5-1, the number of cases to
be sampled and the allowable number of deviations shown to the right of “Weekly,”
“Monthly,” “Quarterly,” and “Yearly” are calculated using a means other than a
statistical method.
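The statistics behind the 25-sample, zero-deviation rows, worked as an added example (code written for this page, not part of the standard; it assumes a binomial model of sampling from a very large population, and it also shows why the smaller samples of the lower rows give no useful statistical bound):

```python
"""Added example: the statistics behind the "Many samples in one day" and "Daily"
rows of Table 5-1. Illustrative code written for this page, not part of the standard.

Model (assumption): n items are drawn from a very large population in which a
fraction p of items deviate, so the number of deviations X is Binomial(n, p).
Observing at most k deviations supports "p <= p_max" at confidence c when
P(X <= k | n, p_max) = 1 - c. For k = 0 this reduces to (1 - p_max)^n = 1 - c.
"""
import math


def binom_cdf(n: int, k: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(n: int, k: int, confidence: float) -> float:
    """Upper confidence bound on the population deviation rate after finding k
    deviations in n samples, solved by bisection (the CDF falls as p rises)."""
    target = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(n, k, mid) > target:
            lo = mid      # p still too small to push the tail down to the target
        else:
            hi = mid
    return hi


def sample_size(tolerable_rate: float, k: int, confidence: float) -> int:
    """Smallest n such that finding at most k deviations supports the claim
    'deviation rate <= tolerable_rate' at the given confidence."""
    n = k + 1
    while binom_cdf(n, k, tolerable_rate) > 1 - confidence:
        n += 1
    return n


if __name__ == "__main__":
    # Daily rows of Table 5-1: 25 samples, 0 deviations -> about 9% at 90% confidence
    print(round(upper_deviation_rate(25, 0, 0.90), 3))   # 0.088
    print(sample_size(0.09, 0, 0.90))                      # 25
    # "Monthly" row (2 samples, 0 deviations): the bound is far too loose to be useful
    print(round(upper_deviation_rate(2, 0, 0.90), 2))     # 0.68
```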

Although IT general controls do not have a direct effect on misstatements in
financial reporting, they guarantee that the IT application controls are working
effectively; therefore, the amount of work expended to validate application systems
for each IT application control can be reduced. In this case, the number of cases to
be sampled can be determined using Table 5-1 as reference information.

(2) If internal controls are automated

Once internal controls are placed in operation, IT controls continue functioning in a
consistent manner until the time when a change or error occurs. Therefore, operation
tests can be conducted based on the policies shown in Table 5-2. (⇒ II 3 (3) 5 D c,
Practice Standards)

            Table 5-2 Operation tests for automated internal controls

Condition:
• It is considered, from the results of assessments made on the status of
introduction and operation of the related general controls, that the general
controls are working effectively.
Operation test:
One application is validated with respect to one IT-related application control.

Condition:
In addition to the above condition, the following three conditions are applicable:
• Shortcomings in internal controls were not found in the previous year.
• No change has been made to the internal controls since they were last assessed.
• Failures, errors and other problems have not occurred.
Operation test:
The fact that the internal controls conform to all four conditions is recorded,
and the results of the internal control assessments made in the previous year are
used as is.




                                         - 105 -
Appendix 6 Example of the risk control matrix

This appendix describes the risk control matrix for company-level IT
controls, IT general controls and IT application controls.

1. Items of the risk control matrix

To support a company in using the risk control matrix, a table is provided with which a
company can assess each control item of IT application controls,
company-level IT controls and IT general controls. This table gives examples of risks,
control objectives, actual control conditions, whether controls are newly introduced
or are already in place and operating, prevention or detection by controls,
automated or manual controls, assertions, control frequency, control assessment
procedures, items to be assessed and detected, related audit working papers, assessment
results, etc. All of this information is provided as examples. Based on these examples, a
company should customize the table to suit its own needs and conditions.

• Risks: Risks of misstatement in financial reporting are described; the
types of risk that should be of interest to companies are listed.
• Control objectives: Control objectives for each type of risk (system management
standard) are described.
• Situation of controls (control activities): The situation of the applicable controls at
the company is outlined.
• Placed in operation or now in operation: Whether controls are newly introduced or
already in operation is indicated.
• Frequency: The frequency with which controls are carried out (quarterly, yearly,
monthly, weekly, daily, etc.) is shown.
• Automated or manual: Whether control objectives are achieved through an
automated IT system or through a combination of IT and manual work is shown.
• Items to be assessed: The IT application controls to be assessed are shown; specifically,
completeness, existence, period allocation, attribution of rights and duties, valuation,
and presentation (indication).
• Control assessment procedure: The kind of control assessment to be made is shown
as a procedure.
• Assessments and items to be detected: The results of the assessment are entered. If a
problem is noted, the details of the problem are entered.
• Document number: The documents and forms (including electronic media) used to
record the results of control assessments are shown.
• Assessment results: Whether the target risks have been reduced or not is entered. If
the risks are considered high, the control items must be reviewed.

2. How to use the risk control matrix

The risk control matrix should be used as follows:

1 Enter the name of a specific risk.
2 Enter the controls being carried out (or to be constructed), and enter information
on related items in the risk control matrix.
3 Understand the situation of the controls, and make an overview of which assessment
items should be addressed. To assess the status of controls, enter information in the
control assessment procedure, and carry out an assessment of the controls.
4 To assess the status of controls, examine whether the assumed risks for the selected
control items have been reduced or not.
5 To construct controls, make a list of candidate control items, and select the most
appropriate control items for reducing the risks.
6 Enter the results of the assessment in the assessment space and the space for matters
detected, and enter the reduced risks in the assessment result space at the far right.

Appendix 6-1

Company-level IT control assessment

Company name:                                  Originator and date created:
Settlement term:                               Official position and name of the person who answered questions:

Columns of the matrix: Basic element / Risk / Control objectives / No. /
Situation of controls / Placed in operation or now in operation / Control
assessment procedure (to be assessed from the aspects of documentation,
education, level of understanding on the part of personnel, system,
implementation, monitoring, and improvement) / Assessment and items detected
(if there are detected items, what effects they will produce must be
clarified) / Document number / Assessment result

Basic element: Control environment

  Risk: Because an approach to the introduction of IT is not organizational or
    systematic, the reliability of financial reporting is impaired.
  Control objectives: The management shall establish the strategies and plans
    for dealing with IT concerning financial reporting and financial
    information.
  Situation of controls: IT-related policies concerning financial reporting
    are described in an annual business management plan, and are approved by
    the management council and the board of directors.
  Placed in operation or now in operation: Placed in operation, now in operation
  Control assessment procedure: It must be confirmed that the management’s
    policy for IT is described in an annual business management plan, and is
    approved by the management council and the board of directors.
  Assessment and items detected: (blank)
  Document number: Omitted
  Assessment result: Low

  Risk: IT concerning financial reporting is not addressed properly due to
    organizational weaknesses in handling IT-related matters.
  Control objectives: A companywide organization is established to establish
    IT-related policies and plans, and it is being operated effectively.
  Situation of controls: A computerization committee is established to
    determine specific IT-related policies and implement them.
  Placed in operation or now in operation: Placed in operation
  Control assessment procedure: The “computerization committee rules” and the
    “list of committee members” were reviewed. Based on the results of this
    review, the standing and functions of the committee were identified, and
    it was confirmed that the committee is organized by members capable of
    company-wide coordination and adjustment.
  Assessment and items detected: (blank)
  Document number: Omitted
  Assessment result: Low

  Situation of controls: A computerization committee is managed effectively.
  Placed in operation or now in operation: Now in operation
  Control assessment procedure: By reviewing the meeting minutes of the
    computerization committee, it must be verified that specific IT-related
    policies are discussed and necessary actions are taken based on the
    results of discussions.
  Assessment and items detected: (blank)
  Document number: Omitted
  Assessment result: Low

  The rest is omitted.

Basic elements: Assessment and handling of risks; Control activities;
Information and communication; Monitoring (rows omitted in the original).

Appendix 6-2

IT general control assessment

Company name:                                  Originator and date created: 2007/1/23
Settlement term:                               Person who answered questions (name of department):
Business location:
System to be assessed: Sales system

Columns of the matrix: Process / Risk / Control objective (point to notice) /
No. / Situation of controls / Placed in operation or now in operation /
Prevention or detection / Manual or automated / Frequency / Control assessment
procedure / Assessed and detected items (if there are detected items, what
effects they will produce must be clarified) / Document number / Assessment
result

Process: Development

  Risk: Because a system affecting the reliability of financial information
    is not developed and procured properly, confidence cannot be put in the
    financial information generated by the system.

  Control objective (point to notice): Check that malicious programs are not
    embedded into a system during system development or that there are no
    mistakes in the results of processing operations performed by the system.
  Situation of controls: Standardized policies and procedures for system
    development are in place. Based on the policies and procedures, IT is
    developed and updated.
  Placed in operation or now in operation: Placed in operation
  Prevention or detection: Prevention
  Manual or automated: Manual work
  Frequency: Quarterly
  Control assessment procedure: It was verified that the system to be assessed
    is developed in accordance with standardized procedures and documents.
  Assessed and detected items: None
  Document number: Omitted
  Assessment result: Low

  Control objective (point to notice): Check that no intentional misconduct
    is committed and all processing tasks are programmed into a system with no
    mistakes.
  Situation of controls: In the system development process, a system is so
    constructed as to enable it to achieve the reliability of financial
    information, specifically financial information’s validity, integrity and
    accuracy.
  Placed in operation or now in operation: Now in operation
  Prevention or detection: Prevention
  Manual or automated: Manual work
  Frequency: Quarterly
  Control assessment procedure: It was verified, based on the results of
    reviews of development specifications, basic design documents (conceptual
    design documents), etc., that control functions are integrated into the
    system to ensure the reliability of financial information.
  Assessed and detected items: None
  Document number: Omitted
  Assessment result: Low

  The rest is omitted.

Process: Maintenance

  Risk: If maintenance is not conducted properly, the reliability of
    application controls is lost.

  Control objective (point to notice): Check that a program is not altered or
    changed without authorization.
  Situation of controls: System change management and system maintenance
    management are carried out in accordance with the change management
    procedure (standardized, recorded, approved, and documented).
  Placed in operation or now in operation: Placed in operation or now in
    operation
  Prevention or detection: Detection
  Manual or automated: Manual work
  Frequency: Monthly / Weekly
  Control assessment procedure: It was confirmed that the change management
    rules are in place. It was also confirmed that changes are managed
    according to the change management rules by conducting tests on 25 cases.
  Assessed and detected items: Although the absence of evidence of approval
    was noted in one out of 25 cases, it was explained that the person in
    charge mistakenly left the space for affixing a seal blank and, therefore,
    approval was actually given. As a result of conducting another test on an
    additional 25 cases, there was no case of the space for affixing a seal
    being left blank. It was judged, therefore, that the absence of evidence
    of approval found is due to a simple mistake of not affixing a seal
    caused by a lack of care.
  Document number: Omitted
  Assessment result: Low

  The rest is omitted.

Appendix 6-3

IT application control assessment

Company name: XX Company, Ltd.                 Originator and date created: 2006/12/23
Settlement term: Year and date                 Person who checked the contents, and date checked: 2007/1/24
Location: Order receiving center
Transaction cycle: Sales cycle
Function: Order receiving
Related account titles: Amount of sales, account receivable

Columns of the matrix: Risk / Control objective (points to notice) / No. /
Main control activities / Manual or automated / Frequency / Requirement
(Completeness; Existence or occurrence; Allocation; Rights and obligations;
Valuation; Presentation and disclosure) / Placed in operation or now in
operation / Control assessment procedure / Assessed and detected items (if
there are detected items, what effects they will produce must be clarified) /
Document number / Assessment result

No. 1
  Main control activities: The order receiving operations using EDI are controlled by
  Placed in operation or now in operation: Placed in
  Control assessment procedure: Select a particular month, and check that the
  Assessed and detected items: None




                                                                                                                                                                                                      ed

                                                                                                                                                                                                             Quarterly




                                                                                                                                                                                                                                        NA




                                                                                                                                                                                                                                                                   NA

                                                                                                                                                                                                                                                                                      NA

                                                                                                                                                                                                                                                                                                 NA
                                                                                                                                                                                                 Automat




                                                                                                                                                                                                                                                                                                                                                                                                             Omitted



                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                            Completeness



                                                           Are all orders received recorded




                                                                                                                                performing the JCA procedure. If illicit data transmission is                                                                                                                       operation   system operation report is reviewed,
Omissions or overlaps occur in




                                                                                                                                attempted, mail is sent to a person responsible for the                                                                                                                             Now in      abnormal termination is reported to a person
                                                           without omissions or overlaps?




                                                                                                                                system operations.                                                                                                                                                                  operation   in charge according to the JCA procedure,
    financial information




                                                                                                                                                                                                                                                                                                                                and a follow-up is conducted.
                                                                                                                       2       A facsimile transmission is received at the call center. After                                                                                                                       Now in      Select 25 cases in a particular month, and        None




                                                                                                                                                                                                                                                                                                                                                                                                             Omitt
                                                                                                                                                                                                  Auto



                                                                                                                                                                                                             day




                                                                                                                                                                                                                                        NA

                                                                                                                                                                                                                                                      NA

                                                                                                                                                                                                                                                                   NA

                                                                                                                                                                                                                                                                                      NA

                                                                                                                                                                                                                                                                                                 NA




                                                                                                                                                                                                                                                                                                                                                                                                               ed
                                                                                                                                                                                                 mated
                                                                                                                                                                                                 Manu




                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                                                                                                               it is received, one person enters a serial number, and then                                                                                                                          operation   check that the collation with the proof list is
                                                                                                                               outputs a proof list. Another person checks the contents of                                                                                                                                      carried out.
                                                                                                                               the proof list against the received facsimile transmission.
                                                                                                                       3       Only the orders to which goods in stock are allocated can                                                                                                                            Placed in   Check that persons in charge at a sales           None

                                                                                                                                                                                                      ed
                                                                                                                                                                                                  Manual
                                                                                                                                                                                                             day




                                                                                                                                                                                                                                                      NA

                                                                                                                                                                                                                                                                   NA




                                                                                                                                                                                                                                                                                                 NA
                                                                                                                                                                                                 Automat




                                                                                                                                                                                                                                                                                                                                                                                                             Omitted



                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                                                                                                                                                                                                                                                                     ×
                                                                                                                               be registered in a delivery order file. Persons at a sales                                                                                                                           operation   department conduct a follow-up of each
                                                                                                                               department shown in a back order file conduct a follow-up                                                                                                                            Now in      back order in the back order file until each
                                                                                                                               of each back order to which goods in stock are not allocated                                                                                                                         operation   ordered quantity is delivered in full to
                                                                                                                               until each ordered quantity is delivered in full to customers.                                                                                                                                   customers.
                                                                                                                             4 Orders received by EDI are checked for existence by                                                                                                                                  Placed in   Select 25 cases in a particular month, and        None
Financial information cannot be recorded



                                            Accuracy




                                                                                          of orders received?
                                correctly




                                                                                                                                                                                                 Automated



                                                                                                                                                                                                             day


                                                                                                                                                                                                                         NA




                                                                                                                                                                                                                                                      NA




                                                                                                                                                                                                                                                                                                 NA
                                                           Are there any mistakes in the status of registration




                                                                                                                                                                                                                                                                                                                                                                                                             Omitted



                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                                                                                                               referring to the customer master and merchandise master. If                                                                                                                          operation   check the situation of error file processing.
                                                                                                                               errors are found, an error file is created, the data with which                                                                                                                      Now in
                                                                                                                               an error was found is sent to a customer, and the customer                                                                                                                           operation
                                                                                                                               is requested to resend the order. The error file is retained
                                                                                                                               until the customer sends corrected data.
                                                                                                                             5 A facsimile transmission is received at the call center. After                                                                                                                       Placed in   Select 25 cases in a particular month, and        None
                                                                                                                                                                                                      ed
                                                                                                                                                                                                  Manual
                                                                                                                                                                                                             day


                                                                                                                                                                                                                         NA




                                                                                                                                                                                                                                                      NA




                                                                                                                                                                                                                                                                                                 NA
                                                                                                                                                                                                 Automat




                                                                                                                                                                                                                                                                                                                                                                                                             Omitted



                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                                                                                                               it is received, one person enters a serial number, and then                                                                                                                          operation   check that the collation with the proof list is
                                                                                                                               outputs a proof list. Another person checks the contents of                                                                                                                          Now in      carried out. (Same as in 2 above)
                                                                                                                               the proof list against the received facsimile transmission.                                                                                                                          operation
                                                                                                                               (Same as in 2 above)
                                                                                                                             6 The date when an order is received is generated by the                                                                                                                               Placed in   Check the date-of-sale setting, and confirm       None




                                                                                                                                                                                                                                                                                                                                                                                                             Omitt
                                                                                                                                                                                                  Auto



                                                                                                                                                                                                             day


                                                                                                                                                                                                                         NA




                                                                                                                                                                                                                                                                   NA

                                                                                                                                                                                                                                                                                      NA

                                                                                                                                                                                                                                                                                                 NA




                                                                                                                                                                                                                                                                                                                                                                                                               ed
                                                                                                                                                                                                 mated




                                                                                                                                                                                                                                                                                                                                                                                                                        Low
                                                                                                                               system, and registered.                                                                                                                                                              operation   that the date in the data on sales is generated
                                                                                                                                                                                                                                                                                                                    Now in      by the system.
                                                                                                                                                                                                                                                                                                                    operation
                                                                                                                             7 If a customer code is input, the name of a customer is                                                                                                                               Placed in   Check that a customer name can bee                None




                                                                                                                                                                                                                                                                                                                                                                                                             Omitt
                                                                                                                                                                                                  Auto



                                                                                                                                                                                                             day


                                                                                                                                                                                                                         NA




                                                                                                                                                                                                                                                      NA




                                                                                                                                                                                                                                                                                                 NA




(Item 7, continued from the preceding page)
  Control:          ... loaded from the customer master.
  Status:           Placed in operation / Now in operation
  Test procedure:   ... registered by inputting a customer code on the screen.
  Manual/Automated: Automated
  Risk level:       Low

                                           - 110 -

Control matrix, items 8 to 16 (continued). Each item lists its cells in the column order of the matrix.

Objective:        Validity
Risk:             False financial information is recorded.
Control question: Aren't invalid orders registered?

No. 8
  Control:          Unit prices registered for each customer in the customer master are automatically loaded. These unit prices cannot be changed on order receiving terminals.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that a unit price is automatically registered and cannot be changed by inputting data on the keyboard.
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        day
  Other columns:    NA; Omitted
  Risk level:       Low

No. 9
  Control:          Customers other than those registered in the customer master cannot be registered.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that only the customers registered in the customer master can be registered (check the setting in the master registration).
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        day
  Other columns:    NA; Omitted
  Risk level:       Low

No. 10
  Control:          Unit prices registered for each customer in the customer master are automatically loaded.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that registered unit prices are automatically input and they cannot be input on the keyboard (check registered unit prices in the master registration).
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        day
  Other columns:    NA; ×; Omitted
  Risk level:       Low

No. 11
  Control:          The input of orders received is controlled by the ID and password assigned to each person in charge.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that the screen for order receiving can be opened only if the ID and password of a person in charge are input.
                    Note: In the case of single sign-on, the password setting must be checked by using general controls. However, to verify that the authority to access the sales system can be established in the same way as the operation-related authority, application controls must be used.
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        day
  Other columns:    NA; Omitted
  Risk level:       Low

No. 12
  Control:          If the amount of an order received exceeds the credit limit of a customer, such an order cannot be input.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that an order cannot be input if its amount exceeds the specified credit limit.
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        Quarterly
  Other columns:    NA; Omitted
  Risk level:       Low

No. 13
  Control:          Omitted
  Test procedure:   Omitted

Objective:        Continuity
Risk:             Financial information is not kept up to date, and cannot be used in a continuous manner.
Control question: Isn't data in a file of received orders changed with malicious intent?

No. 14
  Control:          A change in data in a file of received orders is controlled by the ID and password assigned to each person in charge.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that only persons in charge can access a file of received orders. (If databases are integrated, there are cases in which the authority to access a file of received orders is checked by using general controls.)
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        Quarterly
  Other columns:    NA; Omitted
  Risk level:       Low

No. 15
  Control:          Logs of access to a file of received orders are monitored.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that the logs of access to master data are monitored according to specified conditions. (Although there are cases in which access logs are monitored through general controls, it should be noted that the range of monitoring can be narrowed by monitoring them through application controls.)
  Remarks:          None
  Manual/Automated: Manual / Automated
  Frequency:        Quarterly
  Other columns:    NA; Omitted
  Risk level:       Low

No. 16
  Control:          The inventory master is collated with the master at the distribution center by batch processing every night to prevent a mismatch between data of these two masters.
  Status:           Placed in operation / Now in operation
  Test procedure:   Check that the inventory master is replaced. (There are cases in which the normal completion of batch processing can be checked by using general controls.)
  Remarks:          None
  Manual/Automated: Automated
  Frequency:        Quarterly
  Other columns:    NA; Omitted
  Risk level:       Low

                                           - 111 -
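The application controls of items 8 to 12 and the access log of item 15, modelled as an added example that is not part of the standard: a minimal order-receiving terminal in which the unit price can only come from the customer master, unregistered customers and over-limit orders are rejected, and a walk-through returns whether each control held. Customer codes, prices, credit limits and operator IDs are constructed sample values.

```python
"""Added example (not from the METI standard): order-receiving terminal with the
application controls of matrix items 8 to 12 and the access log of item 15, plus a
walk-through that exercises each control.  All master data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed customer master: customer code -> unit price and credit limit.
CUSTOMER_MASTER: Dict[str, Dict[str, float]] = {
    "C001": {"unit_price": 120.0, "credit_limit": 10_000.0},
    "C002": {"unit_price": 95.0, "credit_limit": 2_000.0},
}
# Constructed persons in charge allowed to open the order screen (item 11).
AUTHORISED_OPERATORS = {"op-taro", "op-hanako"}


class ControlViolation(Exception):
    """Raised when an application control rejects the input."""


@dataclass
class Order:
    customer_code: str
    quantity: int
    unit_price: float  # always the master price, never a keyed value (items 8, 10)
    amount: float


@dataclass
class OrderEntry:
    operator: Optional[str] = None
    # Outstanding order amount per customer, used for the credit limit (item 12).
    outstanding: Dict[str, float] = field(default_factory=dict)
    # Access log of the received-orders file, to be monitored (item 15).
    access_log: List[str] = field(default_factory=list)

    def login(self, operator_id: str) -> None:
        """Item 11: the order screen opens only for a registered person in charge."""
        if operator_id not in AUTHORISED_OPERATORS:
            self.access_log.append(f"DENIED login operator={operator_id}")
            raise ControlViolation("operator not authorised")
        self.operator = operator_id
        self.access_log.append(f"LOGIN operator={operator_id}")

    def enter_order(self, customer_code: str, quantity: int,
                    keyed_unit_price: Optional[float] = None) -> Order:
        if self.operator is None:
            raise ControlViolation("order screen not opened")
        # Item 9: only customers registered in the customer master are accepted.
        master = CUSTOMER_MASTER.get(customer_code)
        if master is None:
            raise ControlViolation("customer not registered in master")
        # Items 8 and 10: the unit price comes from the master; a price keyed on
        # the terminal is rejected outright rather than silently overwritten.
        if keyed_unit_price is not None:
            raise ControlViolation("unit price cannot be input on the keyboard")
        amount = master["unit_price"] * quantity
        # Item 12: this order plus outstanding orders may not exceed the credit limit.
        open_amount = self.outstanding.get(customer_code, 0.0)
        if open_amount + amount > master["credit_limit"]:
            raise ControlViolation("credit limit exceeded")
        self.outstanding[customer_code] = open_amount + amount
        self.access_log.append(
            f"WRITE operator={self.operator} customer={customer_code} amount={amount:.2f}")
        return Order(customer_code, quantity, master["unit_price"], amount)


def _rejected(action) -> bool:
    """True if a control stops the action, False if it goes through."""
    try:
        action()
    except ControlViolation:
        return True
    return False


def run_control_tests() -> Dict[str, bool]:
    """Exercise each control once; True means the control held as the matrix requires."""
    t = OrderEntry()
    results = {"item11_unauthorised_login_rejected": _rejected(lambda: t.login("intruder"))}
    t.login("op-taro")
    results["item9_unregistered_customer_rejected"] = _rejected(
        lambda: t.enter_order("C999", 1))
    results["item8_10_keyed_price_rejected"] = _rejected(
        lambda: t.enter_order("C001", 1, keyed_unit_price=1.0))
    order = t.enter_order("C001", 10)
    results["item8_price_loaded_from_master"] = (
        order.unit_price == 120.0 and order.amount == 1200.0)
    # C002: limit 2000, price 95 -> 20 units (1900) fit, 2 more (190) would exceed it.
    t.enter_order("C002", 20)
    results["item12_credit_limit_enforced"] = _rejected(lambda: t.enter_order("C002", 2))
    # Item 15: the denied login and both writes to the file left log lines to monitor.
    results["item15_access_logged"] = (
        any(line.startswith("DENIED") for line in t.access_log)
        and sum(line.startswith("WRITE") for line in t.access_log) == 2)
    return results


if __name__ == "__main__":
    for name, held in run_control_tests().items():
        print(f"{name}: {'OK' if held else 'DEFICIENCY'}")
```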

								
To top