“Convergence, Communication and Interactive Data”December 3-6, 2007

Vancouver, British Columbia, Canada

Internal Reporting Track XBRL application to Internal

Controls

December 4th, 2007Yuji Furusho

CISA (Certified Information Systems Auditor)Fujitsu Limited

Background Annual documentation and evaluation of Internal Controls are

“formal activities” for listed companies in the following countries:◦ U.S. - Sarbanes and Oxley Act (so-called SOX)◦ Canada - Bill-198 / Regulation 52-109◦ Japan - Financial Products Exchange Act (so-called J-SOX)◦ Korea, France, etc.

Evaluation of Internal Controls in accordance with the significance of the impact on the financial statements is key.◦ This means that evaluation of the internal controls should

be consistent with the significance of related accounts, and therefore consistent with the ultimate impact in the financial statements.

- 1 -

Basic Idea 1 Enterprise Model – connecting FS, GL, and

business process

Financial Statement (PL) sales (BS) A/R (BS) inventory ┆

General Ledger

Hardware sales Maintenance sales ┆ ┆ ┆

Sales Process- Head Quarter- related accounts:

(n) risk (n) control ┆

(PL) sales

Software sales

Software sales

Sales Process- North Region- related accounts:

(n) risk (n) control ┆

Software sales

A/R - Software

A/R - Software

- 2 -

Basic Idea 2 Internal Control Taxonomy to handle non-financial

business process information. ◦ Definition of “Control Objective”, “Risk”, and

“Control Activity” in a business process. ◦ “Design effectiveness”, “Operational

effectiveness”, and “Remediation plan/status” as values.

◦ Utilization of “COSO elements” For comprehensive Risk/Control identification. For focusing not only “Risk” but also “Opportunity”.

- 3 -

Internal Control Taxonomy Architecture

Instance Document

locationprocess

coso: activity

(n) subprocess

Fixed element

s

COSO element

s

related acct

key controlresult (score)

result (narrative)

remediation

status

issue

F,O,C,S

Internal Control Dimension

(n)control activityrelated

assertion(n)control activity

・ incomplete evidence・ control exception　（ exception on

approval, processing, etc.)

assertion

- 4 -

Company

Extension

(n)risk (n)risk

(n)control objective (n)control objectiveF,O,C

COSO Taxonomy – activities in COSO tool 25 activities illustrated in COSO tool.

1/Activity : INBOUND2/Activity : OPERATIONS 　3/Activity : OUTBOUND 　4/Activity : MARKETING AND SALES 　5/Activity : SERVICE 　6/Activity : PROCUREMENT 　7/Activity : TECHNOLOGY DEVELOPMENT 　8/Activity : HUMAN RESOURCES 　9/Activity : MANAGE THE ENTERPRISE10/Activity : MANAGE EXTERNAL RELATIONS11/Activity : PROVIDE ADMINISTRATIVE

SERVICES 　12/Activity : MANAGE INFORMATION TECHNOLOGY13/Activity : MANAGE RISKS 14/Activity : MANAGE LEGAL AFFAIRS 　

15/Activity : PLAN16/Activity : PROCESS ACCOUNTS PAYABLE 　17/Activity : PROCESS ACCOUNTS RECEIVABLE 　18/Activity : PROCESS FUNDS19/Activity : PROCESS FIXED ASSETS 　20/Activity : ANALYZE AND RECONCILE21/Activity : PROCESS BENEFITS AND RETIREE INFORMATION 　22/Activity : PROCESS PAYROLL 　23/Activity : PROCESS TAX COMPLIANCE 　24/Activity : PROCESS PRODUCT COSTS 　25/Activity : PROVIDE FINANCIAL AND MANAGEMENT REPORTING

- 5 -

Basic Idea 3 Using element / value to “link” taxonomies;

◦ FR taxonomy and GL taxonomy“xbrlinfo” elements in GL taxonomy

◦ GL taxonomy and IC (Internal Control) taxonomy“relatedAccount” element in IC taxonomy

sales: “682,xxx”

GL xbrlinfo:

FR sales:

xbrlinfo: “sales”

taxonomy

instance

accountMainID: “EX00100”

IC relatedAccount:

GL accountMainID:

relatedAccount: “EX00100”

taxonomy

instance

- 6 -

Implementation Model The following “FS – GL (Trial Balance) – IC” model

has been adopted for Proof-of-Concept.

Financial Statement (PL) sales (BS) A/R (BS) inventory ┆

General Ledger

┆

Journal Entry

┆

Trial Balance (by location)

(PL) sales (BS) A/R (BS) inventory ┆

Internal Controllocation x process related accounts (n) risk (n) control ┆

locationdefinition

acct-processmappingDefinition

using Dimension

alTaxonomy

aggregation

- 7 -

IC Taxonomy Architecture 1 Overall Structure

Process Information• Process• Location• Related Accounts etc.

Sub-Process Information• Control Objective• Risk• Control Activity• Key Control etc.

n

1

Evaluation and Remediation• Design Effectiveness• Operational Effectiveness• Remediation Plan

etc.

11

- 8 -

IC Taxonomy Architecture 2 “Process Information” section

Process Information

process

location

related accounts

Sales Process

Software Service Dept.

Sales, Account Receivable

【 Sample 】

- 9 -

IC Taxonomy Architecture 3 “Sub-Process Information” section

Sub-process AX05_Sales & billing

Step Safaia/FOCS sales: COSO elements

activity

PROCESS ACCOUNTS RECEIVABLE

sub-activity

-

controlobjective

Accurately record all authorized sales returns and allowances and only such returns and allowances

risk

Inaccurate input of data

control activity(sample)

Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function

section

- financial reporting- operation- compliance

section

- safeguarding asset

assertion

risk-risk ID-risk

assertion

control activity-control ID -control-control method (manual/auto)-evidence/related documents

- 10 -

IC Taxonomy Architecture 4 “Sub-Process Information” section – “risk”

risk

COSO elements

company expansion assertion

risk ID risk existence complete-ness

rights and obligation evaluation allocation

and cut-off

presentation and

disclosure

Inaccurate input of data

Rxxxxxx

--- ------ --- ------------------ ------- --------- ----------- - -- --- -------.

Y 　 　 Y 　 　

- 11 -

IC Taxonomy Architecture 5 “Sub-Process Information” section – “control activity”

control activty

(sample)

control activity

control ID control

method of controlperson

in charge

evidences related manuals and rule documets assertion

manual automatic

Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function

Cxxxx

--- ---- -- ---- ---------- -- - ----- -------------- --- -------- ------- --.

Y 　Leader of xxx Dept

1. Request Form

1) ------------2) ----- ------3) ---------

-existence-complet- eness-rights and obligation-evaluation-allocationand cut-off-Presenta- tion anddiscloture

- 12 -

IC Taxonomy Architecture 6 “Evaluation and Remediation” section

design effectiveness

- date- person in charge of evaluation- results - score- results - narrative

key control

- yes / no (Boolean)

operational effectiveness

- date- person in charge of evaluation- population- number of samples - results - score- results - narrative

remediation

- person in charge of evaluation- summary- due date

- 13 -

IC Taxonomy - Technical Consideration Use of “dimensionItem”

◦ Multi dimension of “Control Objective”, “Risk”, and “Control Activity”

Use of Reference Link◦ Use of “part element”, setting Boolean value;

Control objective: F/R, O/R, C, S/A Assertion: Ex, C, R/O, Ev, A/C, P/D Type of Control: Manual, Automatic

- 14 -

assertion – E/O

- yes / no (Boolean)Risk Reference Link

Evaluation

Control Objective 1 Risk 1 Control Activity 1

Control Activity 2

Risk2 Control Activity 3

Merit of Enterprise Model Consistent and effective risk management for Financial Reporting

by balancing financial risk significance and control importance.

FR to GL

GL to IC

- 15 -

Merit of Enterprise Model - Scenario 1 Identify and understand internal control implications on

significant accounts – (Where and what kind of issues, etc. ）

Financial Statement Internal Control▷ ▷ ▷

A/R Location A: A/R

Location B: A/R

１５ %

７５ %

process department

score issue

- 16 -

Merit of Enterprise Model - Scenario 2 Identify and understand accounts affected by internal

control issues.

Internal Control Financial Statement▷ ▷ ▷

Location A: A/R

Location B: A/R

A/R

１５ %

７５ %

process department

score issue

deficiencies

- 17 -

Merit of XBRL application Flexible definition and evaluation through taxonomy.

1. Relationship among “Control Objective”, “Risk”, and “Control Activity” using dimensional model

Evaluation of “Control Objective” and “Control Activity” relationship, skipping “Risk” element, or evaluation of “Risk” and “Control Activity” relationship, skipping “Control Objective”

2. “Risk” or “Control Activity” evaluation with respect to specific “Control Objective”

A company may want to focus on “Financial Reporting” objective, while other may want to include “Operational Effectiveness” objective.

3. Identification of compensating controls “Control Activity” relevant to “Risk” by evaluating

“Related Assertion”

- 18 -

Merit of XBRL application 1 - dimensional model Dimensional definition of “Control Objective”, “Risk”, and

“Control Activity”.

- 19 -

Merit of XBRL application 2 - focusing on “Control Objective” Flexible evaluation of “Risk” and “Control Activity” focusing

on “Control Objective” – Company may want to focus on “Financial Reporting” for SOX auditing purpose.

- 20 -

Financial Reporting - yes / no (Boolean)Control Objective Reference Link Operational Effectiveness - yes / no (Boolean)

Compliance - yes / no (Boolean)

Safeguarding Asset - yes / no (Boolean)Control Objective Reference Link

COSO Taxonomy

Company Extension

“part” element

“part” element

Merit of XBRL application 3 – compensating control Compensating controls may be identified through “assertion”

attributes assigned to “Risk” and “Control Activity”.◦ In cases of effectiveness failure of key controls,

compensating controls may be identified along with assertions assigned to them.

Risk

E/OY

CY

V/AY

R/O-

P/D-

assertion

Control 1 - key

E/OY

CY

V/A-

R/O-

P/D-

related assertion

E/OY

CY

V/A-

R/O-

P/D-

related assertion

failure

Find “Compensating control”Control 2 – non-key

- 21 -

Questions?

Yuji Furushoyfurusho@jp.fujitsu.com

+81-3-6424-6227

THANK YOU!