A different level from Japan? The SEC's report... and public comments are being solicited too

 Hello, this is Mitsuhiko Maruyama. Cocolog is under maintenance today, so I'm on Hatena. It's nice and fast...
 Now, the SEC has published a Concept Release for Management Assessment Guidance on SOX 404. It raises 35 issues and is broadly soliciting opinions during a 60-day comment period.

 Thirty-five issues are raised. That's deep...


■SEC
・2006.07.11 SEC Moves Forward on Sarbanes-Oxley 404 Improvements (FOR IMMEDIATE RELEASE 2006-112)
・2006.07.11 Concept Release 34-54122

=====
II. INTRODUCTION
1. Would additional guidance to management on how to evaluate the effectiveness of a company’s internal control over financial reporting be useful? If so, would additional guidance be useful to all reporting companies subject to the Section 404 requirements or only to a sub-group of companies? What are the potential limitations to developing guidance that can be applied by most or all reporting companies subject to the Section 404 requirements?
2. Are there special issues applicable to foreign private issuers that the Commission should consider in developing guidance to management on how to evaluate the effectiveness of a company’s internal control over financial reporting? If so, what are these? Are such considerations applicable to all foreign private issuers or only to a sub-group of these filers?
3. Should additional guidance be limited to articulation of broad principles or should it be more detailed?
4. Are there additional topics, beyond what is addressed in this Concept Release, that the Commission should consider issuing guidance on? If so, what are those topics?
5. Would additional guidance in the format of a Commission rule be preferable to interpretive guidance? Why or why not?
6. What types of evaluation approaches have managements of accelerated filers found most effective and efficient in assessing internal control over financial reporting? What approaches have not worked, and why?
7. Are there potential drawbacks to or other concerns about providing additional guidance that the Commission should consider? If so, what are they? How might those drawbacks or other concerns best be mitigated? Would more detailed Commission guidance hamper future efforts by others in this area?
8. Why have the majority of companies who have completed an assessment, domestic and foreign, selected the COSO framework rather than one of the other frameworks available, such as the Turnbull Report? Is it due to a lack of awareness, knowledge, training, pressure from auditors, or some other reason? Would companies benefit from the development of additional frameworks?
9. Should the guidance incorporate the May 16, 2005 “Staff Statement on Management’s Report on Internal Control Over Financial Reporting”? Should any portions of the May 16, 2005 guidance be modified or eliminated? Are there additional topics that the guidance should address that were not addressed by that statement? For example, are there any topics in the staff’s “Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions (revised October 6, 2004)” that should be incorporated into any guidance the Commission might issue?
10. We also seek input on the appropriate role of outside auditors in connection with the management assessment required by Section 404(a) of Sarbanes-Oxley, and on the manner in which outside auditors provide the attestation required by Section 404(b). Should possible alternatives to the current approach be considered and if so, what? Would these alternatives provide investors with similar benefits without the same level of cost? How would these alternatives work?

III. RISK AND CONTROL IDENTIFICATION
11. What guidance is needed to help management implement a “top-down, risk-based” approach to identifying risks to reliable financial reporting and the related internal controls?
12. Does the existing guidance, which has been used by management of accelerated filers, provide sufficient information regarding the identification of controls that address the risks of material misstatement? Would additional guidance on identifying controls that address these risks be helpful?
13. In light of the forthcoming COSO guidance for smaller public companies, what additional guidance is necessary on risk assessment or the identification of controls that address the risks?
14. In areas where companies identified significant start-up efforts in the first year (e.g., documentation of the design of controls and remediation of deficiencies) will the COSO guidance for smaller public companies adequately assist companies that have not yet complied with Section 404 to efficiently and effectively conduct a risk assessment and identify controls that address the risks? Are there areas that have not yet been addressed or need further emphasis?
15. What guidance is needed about the role of entity-level controls in evaluating and assessing the effectiveness of internal control over financial reporting? What specific entity-level control issues should be addressed (e.g., GAAP expertise, the role of the audit committee, using entity-level controls rather than low-level account and transactional controls)? Should these issues be addressed differently for larger companies and smaller companies?
16. Should guidance be given about the appropriateness of and extent to which quantitative and qualitative factors, such as likelihood of an error, should be used when assessing risks and identifying controls for the entity? If so, what factors should be addressed in the guidance? If so, how should that guidance reflect the special characteristics and needs of smaller public companies?
17. Should the Commission provide management with guidance about fraud controls? If so, what type of guidance? Is there existing private sector guidance that companies have found useful in this area? For example, have companies found the 2002 guidance issued by the AICPA Fraud Task Force entitled “Management Antifraud Programs and Controls” useful in assessing these risks and controls?
18. Should guidance be issued to help companies with multiple locations or business units to understand how those affect their risk assessment and control identification activities? How are companies currently determining which locations or units to test?

IV. MANAGEMENT’S EVALUATION
19. What type of guidance would help explain how entity-level controls can reduce or eliminate the need for testing at the individual account or transaction level? If applicable, please provide specific examples of types of entity-level controls that have been useful in reducing testing elsewhere.
20. Would guidance on how management’s assessment can be based on evidence other than that derived from separate evaluation-type testing of controls, such as on-going monitoring activities, be useful? What are some of the sources of evidence that companies find most useful in ongoing monitoring of control effectiveness? Would guidance be useful about how management’s daily interaction with controls can be used to support its assessment?
21. What considerations are appropriate to ensure that the guidance is responsive to the special characteristics of entity-level controls and management at smaller public companies? What type of guidance would be useful to small public companies with regard to those areas?
22. In situations where management determines that separate evaluation-type testing is necessary, what type of additional guidance to assist management in varying the nature and extent of the evaluation procedures supporting its assessment would be helpful? Would guidance be useful on how risk, materiality, attributes of the controls themselves, and other factors play a role in the judgments about when to use separate evaluations versus relying on ongoing monitoring activities?
23. Would guidance be useful on the timing of management testing of controls and the need to update evidence and conclusions from prior testing to the assessment “as of” date?
24. What type of guidance would be appropriate regarding the evaluation of identified internal control deficiencies? Are there particular issues in evaluating deficient controls that have only an indirect relationship to a specific financial statement account or disclosure? If so, what are some of the key considerations currently being used when evaluating the control deficiency?
25. Would guidance be helpful regarding the definitions of the terms “material weakness” and “significant deficiency”? If so, please explain any issues that should be addressed in the guidance.
26. Would guidance be useful on factors that management should consider in determining whether management could conclude that no material weakness in internal control over financial reporting exists despite the discovery of a need to correct a financial statement error as part of the financial statement close process? If so, please explain.
27. Would guidance be useful in addressing the circumstances under which a restatement of previously reported financial information would not lead to the conclusion that a material weakness exists in the company’s internal control over financial reporting?
28. How have companies been able to use technology to gain efficiency in evaluating the effectiveness of internal controls (e.g., by automating the effectiveness testing of automated controls or through benchmarking strategies)?
29. Is guidance needed to help companies determine which IT general controls should be tested? How are companies determining which IT general controls could impact IT application controls directly related to the preparation of financial statements?
30. Has management generally been utilizing proprietary IT frameworks as a guide in conducting the IT portion of their assessments? If so, which frameworks? Which components of those frameworks have been particularly useful? Which components of those frameworks go beyond the objectives of reliable financial reporting?

V. DOCUMENTATION TO SUPPORT THE ASSESSMENT
31. Were the levels of documentation performed by management in the initial years of completing the assessment beyond what was needed to identify controls for testing? If so, why (e.g., business reasons, auditor required, or unsure about “key” controls)? Would specific guidance help companies avoid this issue in the future? If so, what factors should be considered?
32. What guidance is needed about the form, nature, and extent of documentation that management must maintain as evidence for its assessment of risks to financial reporting and control identification? Are there certain factors to consider in making judgments about the nature and extent of documentation (e.g., entity factors, process, or account complexity factors)? If so, what are they?
33. What guidance is needed about the extent of documentation that management must maintain about its evaluation procedures that support its annual assessment of internal control over financial reporting?
34. Is guidance needed about documentation for information technology controls? If so, is guidance needed for both documentation of the controls and documentation of the testing for the assessment?
35. How might guidance be helpful in addressing the flexibility and cost containment needs of smaller public companies? What guidance is appropriate for smaller public companies with regard to documentation?
=====

JIPDEC: Guide to Using the ISMS Conformity Assessment Scheme in Outsourcing

 Hello, this is Mitsuhiko Maruyama. JIPDEC has published the "Guide to Using the ISMS Conformity Assessment Scheme in Outsourcing".


 Under its purpose, it states that it is "a guide for information security officers and staff to use the ISMS conformity assessment scheme when selecting a contractor, in cases where an organization or company outsources part or all of its information processing work".

 It also states that "when using ISMS certification to select a contractor, it is effective to check the following three documents," and presents the three documents below.
=====
① Certificate of registration
・A certificate of registration proving that certification has been obtained
② Document defining the scope (hereafter "scope definition document")
・A document defining the scope (organization, departments, operations, processes, services, etc.) for which certification was obtained. Often called a "scope definition document".
③ Statement of Applicability
・A document declaring which controls are implemented
=====
 
 The era of "if they hold ISMS certification, they meet the requirements for a contractor" is over; I suppose we are entering an era in which contractors are selected after confirming the scope of certification and which controls are applied...


JIPDEC
ISMS
On the "Publication of the Guide to Using the ISMS Conformity Assessment Scheme in Outsourcing"

Where the implementation standards for internal control are headed

 Hello, this is Mitsuhiko Maruyama. Once again Cocolog is under maintenance, so I'm writing here...
 Also, for some reason, when I try to open my Cocolog it says "You are not permitted to view this page," so I apologize for the inconvenience. I've submitted an inquiry to Nifty, but... I expect that around the time it gets resolved I'll receive an email saying "We apologize for the inconvenience. Regarding your inquiry, ...".

Anyway, pulling myself together...

Now that passage of the Financial Instruments and Exchange Act is settled, the implementation standards are next, I suppose. Professor Hatta apparently spoke about where the implementation standards are headed at a Nihon Unisys lecture on 2006.06.07... But as usual, there is plenty to pick at (someone pointed this out to me).

Picking out Professor Hatta's statements, they go as follows.
・"The development of corporate internal control starts today" (Nikkei Computer)
 > The meaning is unclear, but maybe it's good for rallying the public...

・"The so-called Japanese SOX is the combination of the Financial Instruments and Exchange Act and the draft standards" (Nikkei Computer)
 > That's quite different from Professor Takahashi's definition... What becomes of SOX's provisions strengthening audit firm independence and the whistleblowing provisions...

・"The new Companies Act that took effect this May also requires the development of internal control. Companies can no longer back away from developing internal control, nor postpone it"
 > Hmm. The first half seems rather inaccurate...

・"The Financial Instruments and Exchange Act is not a law that imposes a burden on companies the way the U.S. SOX Act does" (Nikkei Computer)
 > The reason seems to be that, compared with the U.S., "the risk assessment methods and audit methods have been simplified." As for risk assessment methods, this presumably refers to the risk-based approach and the top-down approach, but the U.S. also uses a risk-based, top-down approach, and I think the real point at issue is whether that failed to work well in practice. Simplification of audit methods may well be true, but what takes the most effort at companies is documenting the internal controls over business processes, identifying the key controls, and evaluating them, so there is the question of whether one can really say outright that it is not a law that burdens companies just because audit methods are simplified...

・"It is unfair that the application date differs by company size as in the U.S. Since the burden on companies has been lightened in Japan, shouldn't it apply regardless of company size?" (Nikkei Computer)
 > There is also the argument that small and medium-sized companies could have quite different internal control standards to begin with; COSO has released an exposure draft of internal control guidance for smaller companies and is considering it, right... I wonder how it will go in Japan...

=====
The timing of the exposure draft was apparently also touched on:

Exposure draft: within July
Finalization: October or later

seems to be the schedule...

【Reference】
・2006.06.07 Nikkei Computer: "Company size is irrelevant to developing internal control," Aoyama Gakuin's Professor Hatta comments on the passage of "Japanese SOX"
・2006.06.08 @IT: "Japanese SOX" passes; finalization of implementation standards "from early autumn onward"

Cocolog is slow, and something weird got attached on its own...

 Hello, this is Mitsuhiko Maruyama. Cocolog is slow, and something weird like a "Notices from Cocolog" box got attached, and I can't figure out how to hide it...

 Hmm, who should I ask...

Cocolog under maintenance

 Hello, Maruyama here. Cocolog is under maintenance, so for the first time in a while I'm writing here too...

 I'd like to organize concepts such as compensating controls. Even when a certain internal control has a deficiency, a compensating control is working and covers that deficiency, and so on...

Something like a design model for internal control...

The question of arrangement: cases where multiple internal controls exist in parallel, cases where they are in series, an internal control that monitors another internal control, and

the complementary relationship between preventive and detective controls...

issues from the perspective of existence, completeness, accuracy, and so on...