IT Braces for 'J-SOX' Rules

ScuttleMonkey posted about 7 years ago | from the more-reasons-not-to-be-profitable dept.

Security 57

jcatcw writes to mention that Japan-based businesses are prepping for new requirements, called J-SOX, similar to Sarbanes-Oxley in the United States. Even though details are not expected until next month, many IT managers are already working on implementing controls to handle the expected regulations. "Marios Damianides, an IT risk management consultant and partner at Ernst & Young LLP in New York, said he expects that the relaxation of some Sarbanes-Oxley requirements by the Public Company Accounting Oversight Board in the U.S. late last year should help ensure that the J-SOX rules won't be excessive for businesses."


remember that xmas song (-1, Troll)

Anonymous Coward | about 7 years ago | (#18403023)

that goes....

fleece slobbynuts...boo boo bou boo boop boop...faleese slobbynuts...etc...


It always comes down to the Geeks vs. the J-sox (-1, Offtopic)

elrous0 (869638) | about 7 years ago | (#18403037)

Okay, you knew someone would have to say it.

Re:It always comes down to the Geeks vs. the J-sox (0)

Anonymous Coward | about 7 years ago | (#18403485)

But we were hoping that better judgment would prevail. Apparently our hope was in vain. :P

Comment anonymous for obvious reasons... (1, Interesting)

Anonymous Coward | about 7 years ago | (#18403059)

I've been working on compliance for J-SOX over the last six months or so - to be honest, the actual legal requirements are so vague and broad that almost any interpretation can be said to be "in compliance".
The main thing that's come out of it is that we've had to document all procedures relating to the production systems - no more flying by the seat of your pants.

Re:Comment anonymous for obvious reasons... (4, Interesting)

qwijibo (101731) | about 7 years ago | (#18403183)

Is that any different than the US? Everything I've seen about Sarbox is so vague that anyone can claim compliance if they have paid consultants enough money. The large bank I work for has a bunch of people who try to ensure that we're doing everything by the book, while management considers violating all of the rules to be a sport. It's always fun to have a large group of people telling you that you can be fired for failing to do things right when your management lets you know that if you do things by the book, you'll fail to meet your goals and will be fired. It's a life sized Dilbert cartoon. =)

Re:Comment anonymous for obvious reasons... (0)

Anonymous Coward | about 7 years ago | (#18404173)

Give yourself a promotion by turning them all in.
The last thing this country needs right now is a large bank flaunting the rules.

Re:Comment anonymous for obvious reasons... (3, Informative)

onkelonkel (560274) | about 7 years ago | (#18404293)

flouting - the word you want is flouting. Flout - "to contemptuously disregard: flout the rules" Flaunt - "to display ostentatiously: he liked to flaunt his wealth by lighting a cigar with a fifty dollar bill"

English is tricky.

Re:Comment anonymous for obvious reasons... (1)

qwijibo (101731) | about 7 years ago | (#18404721)

Are you under the mistaken impression that there are senior leaders of large corporations who are concerned with anything other than money? The idea of turning people in presumes there's someone who cares. My theory is that these people do not exist, but people feel better if they believe there is someone who will smite thy enemies.

The laws requiring everything to be done by the book are made under the mistaken assumption that one-size-fits-all is not an insane approach to running any organization.

What would happen to a bank if the financial transactions were all jumbled around because they handled the data haphazardly? That would probably be bad, and it makes sense to avoid the obvious bad situation.

What about if their marketing group was all screwed up and they didn't have lists of victims for telemarketers to call in the middle of dinner? What if you didn't receive a piece of junk mail? I think those kinds of problems, if they happened frequently enough, would make the world a better place.

The way the laws are written, these wildly different situations are expected to be handled in a comparable manner. Any large organization is going to have many smaller organizations, some of which are more critical than others to the health of the company. The amount of effort invested in each group should be relative to the overall importance of the group.

Re:Comment anonymous for obvious reasons... (1)

ryturner (87582) | about 7 years ago | (#18405591)

Are you under the mistaken impression that there are senior leaders of large corporations who are concerned with anything other than money?
Power. Money is just a convenient way to measure it.

Sox - Intentionally obscure. (0)

Anonymous Coward | about 7 years ago | (#18405031)

The intent of SOX isn't to produce compliant or verifiable environments that I can tell. It's a big stick to wield (and it gets wielded differently on a case by case basis). Everything seems to run to intent versus who did what these days. It's not whether analyst A set mail to Broker B. It's about whether or not A put B on the To/CC/BCC line (A meant to send to B), or if B got the mail through a convoluted series of DL memberships (indicating that the intent was NOT for B to receive the message).

Re:Comment anonymous for obvious reasons... (1)

wolja (449971) | about 7 years ago | (#18410251)

To be frank, the only reason any company does more than pay lip service to the piece of crud laughingly known as Sarbanes-Oxley is that the CEO risks jail time if they can be shown to have made a false financial statement.

All the money spent is purely to prevent that occurring.

If the jail time was for lower level managers then you'd notice the level of spending on *compliance* would be way way less.

Re:Comment anonymous for obvious reasons... (0)

Anonymous Coward | about 7 years ago | (#18403499)

I may not know what I'm talking about in this particular case, but it seems to me that any regulations so vague that "almost any interpretation can be said to be 'in compliance'" could also be construed as 'out of compliance' by contentious Federal regulators.

Re:Comment anonymous for obvious reasons... (2, Interesting)

boxless (35756) | about 7 years ago | (#18403837)

Yeah, I really think the vagueness is the worst part. Then it all comes down to what kind of company you work for, and what kind of IT department you have. If they are the controlling type, then the vagueness will lead them to slow things down to a crawl, all under the heading of compliance. It is an extremely frustrating thing to watch and participate in. Up is down. Black is white.

If you have a more flexible group, then the vagueness might help.

Re:Comment anonymous for obvious reasons... (2, Interesting)

ContractualObligatio (850987) | about 7 years ago | (#18403945)

The other side to the problem, bizarrely, is that it is too detailed. By which I mean, the financial guys didn't really have many rules for the IT department, and now they do.

Which leads to your point i.e. Great, they've added a layer of detail by requiring IT to be "compliant", but it's so vague *within* that layer it's a nightmare.

I've heard they might be talking about getting rid of the IT controls from SOX entirely and just letting companies get on with it.

Arghh... (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#18403075)

I'm still busy trying to wrap my brain around J-POP...

With decent success: "I'm happy that Aibon is back!!!"


FAQ from a company called Protiviti (4, Informative)

sczimme (603413) | about 7 years ago | (#18403145)

There is a J-SOX* FAQ here [protiviti.jp]. Note: this is a PDF. I have no affiliation w/ the company.

* "J-SOX"? I suppose it makes sense, but sounds too much like "J-pop".

J-SOX vs J-Pop (1)

Sparr0 (451780) | about 7 years ago | (#18403665)

Which is fine since 99% of "normal people" have never heard of J-Pop, and I doubt that Japanese IT professionals call it J-SOX.

Re:J-SOX vs J-Pop (1)

Otter (3800) | about 7 years ago | (#18403739)

A friend of mine works for Mitsubishi (in the US), and says the whole company calls it J-SOX. No, makes no sense to me either.

Re:J-SOX vs J-Pop (1)

WhiplashII (542766) | about 7 years ago | (#18406179)

Even funnier - in Japanese, Japan (the name of the country) has no J in it. It is Nihon.

So they are adding the English first letter of their own country's name. What's wrong with N-SOX?

Re:J-SOX vs J-Pop (1)

sczimme (603413) | about 7 years ago | (#18403861)

Which is fine since 99% of "normal people" have never heard of J-Pop, and I doubt that Japanese IT professionals call it J-SOX.

Read the linked PDF in my earlier post. You know, the one from the company with the .jp TLD: the standard is called J-SOX throughout the document, and is used to differentiate the Japan version from the US version (called US-SOX in the PDF).

Flashbacks (3, Interesting)

techpawn (969834) | about 7 years ago | (#18403259)

I just remember filling out three forms to get applications into test for SOX. In to frigging TEST! *shivers and starts rocking* I'm SO glad I got out of that!
I understand the need to track who did what and why and what the code is and all that jazz... But seriously, a year of my life was lost in that red tape...

J-SOX (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#18403283)

Why the name? Is it because "Sarbanes Oxrey" sounds a bit sirry?

Bye Bye public companies... (4, Interesting)

Duncan3 (10537) | about 7 years ago | (#18403305)

The reaction to SOX here in the US has been to take companies private, or list in London instead of New York. The costs of SOX alone are easily enough to force you out of business if your competitors aren't burdened with SOX.

I'm kinda surprised that Japan would be similarly desperate to rid itself of publicly traded companies.

Re:Bye Bye public companies... (2, Insightful)

geoffspear (692508) | about 7 years ago | (#18403551)

Yes, yes, we all noticed that the New York Stock Exchange and NASDAQ completely closed down; you don't have to remind us.

Re:Bye Bye public companies... (2, Insightful)

Duncan3 (10537) | about 7 years ago | (#18405959)

The NYSE and NASDAQ heads are whining almost daily about how all the big IPOs are now in London. The IPO is where the US brokers get the chance to screw the company out of millions or billions, and funnel it to their friends, so this is really hurting them badly.

So yes, they are effectively shut out. No US company can seriously compete with China cooking the books as hard as they can even without SOX; SOX just adds to the pain by killing the cooks.

Re:Bye Bye public companies... (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#18403557)

On the other hand, billions of dollars have been stolen from people who can't afford it by crooks who were already rich. Stop feeling sorry for the companies, their PR campaigns (boo hoo, it's too much work to prove I'm honest, can't you just TRUST us?), and their excessive salaries.

Or, how about this: let's just go to a VAT system like the rest of the civilized world.

Remember kiddies, Republicans are helping out their rich friends to make them richer. Trickle down? It smells like URINE. That's the piss-on economics. Democrats on the other hand believe in people getting rich FAIRLY. That's called opportunity.

Now, watch a bunch of conservatives and libertarians attack me in an attempt to preserve their dynasty building. They're trying to form a royal class to rule you. Don't believe their bullshit.

Damn straight (0)

Anonymous Coward | about 7 years ago | (#18403807)

We keep getting libertarian things which benefit the effete rich : legalized sodomy, lower taxes for the wealthy and globalism. Where's libertarianism for the poor man : legal prostitution and legal recreational drugs ?

Re:Bye Bye public companies... (2, Insightful)

Azghoul (25786) | about 7 years ago | (#18405685)

Wait...... libertarians are trying to form a royal class?


Conservatives I'll give you... but libertarians have to HAVE some power for that to happen, don't you think?

Re:Bye Bye public companies... (1)

WhiplashII (542766) | about 7 years ago | (#18406225)

Wait - the Democrats want to use VAT? As in I get to keep the 1/2 of my money that the government takes, and only pay tax the same percentage as everyone else on purchases?

OK, I am now a Democrat! Where do I sign?

I spent 3 months in 2006 dedicated to this BS. (1, Interesting)

FatSean (18753) | about 7 years ago | (#18403627)

Thanks a bunch Enron! Fucking douchebags ruined it for everyone, and they got a slap on the wrist.

Instead of implementing some much desired features and efficiencies in our systems, we had to jump through hoops ensuring that everything was 'audit ready'. Logs whenever data enters or leaves a system, documentation of all that, etc...

We're already dealing with J-SOX...your god help me if Europe and Asia start the same crap.

Re:Bye Bye public companies... (0)

Anonymous Coward | about 7 years ago | (#18403793)

"The costs of SOX alone"

The world's tiniest violin playing "my heart bleeds for you".

Seriously, the only truly "onerous" requirement is for the CEO to personally guarantee that the CFO isn't full of shit, and that one's pushing it. The rest of the requirements amount to what would be considered best practices by just about every company whose administration isn't trying to wash the balance sheets without getting their hands dirty: from audit controls on all financial matters ("But it said we had a billion dollars when I saw the report last, I can't possibly imagine what happened to it since then"), to accounting practices (see: Enron), to independent audits ("yeah, my brother says it's ok to do this"), to loaning cash to the executives ("It was just a few billion dollars! I'll pay it back someday, honest!"), to tighter controls on insider trading.

Re:Bye Bye public companies... (4, Interesting)

boxless (35756) | about 7 years ago | (#18403953)

No, it isn't.

Sarbox, as it is being practiced these days, is not best practice, except at the largest of companies. A lot of it is crap, and we're going to get rolled over by more nimble competitors if we don't watch out.

You know what, sometimes people are going to steal. And when you find that out, you prosecute. I'm sure there were plenty of laws that the Enron guys could have been charged with regardless of Sarbox.

I don't think the controls at my company have been improved one bit because Joan in AP can't see the AR screens. Actually, it's worse now, because Joan can take over in a pinch in AR, all in the irrational fear that if she's given access to some information that's not part of her regular function, she's suddenly going to steal.

And a little change to a webpage now takes 3 months (I'm talking a piece of text!). But, it is Sarbox compliant!


Re:Bye Bye public companies... (0)

Anonymous Coward | about 7 years ago | (#18404977)

Actually, it's worse now, because Joan can take over in a pinch in AR, all in the irrational fear that if she's given access to some information that's not part of her regular function, she's suddenly going to steal.

Joan, steal? Of course not! It must have been Jeff, he walked by the terminal one day when it was left unlocked! Or maybe some other person in accounting "misplaced" a few million dollars into their account and used a "feature" of the system to cause the balance to post a few days after the transaction took place? Naturally, it was the janitor who did it!

If you can't see how controlling who has access to the cashbox is a best practice at any size company, you haven't seen just how many fingers can be pointed when the till comes up a dollar short.

The law isn't to prevent Joan from stealing, it's to ensure that when someone steals, the person responsible can be tracked down.

Re:Bye Bye public companies... (1)

boxless (35756) | about 7 years ago | (#18406239)

We do have control of the cashbox.

We can track if Joan steals. She's logging in as herself, but they won't give her access to AR anymore.

SO, you know what? On the day they really need help in AR, she's going to log in as the AR clerk.

Now you have exactly the problem you mentioned! Who is responsible for the theft now? Who knows.
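
The failure mode boxless describes (a shared "AR clerk" login erasing who did what) and the alternative of a time-boxed role grant under the user's own identity, worked through in code. This is an added example and not code from the thread or from any poster; the account names, audit-trail lines and the AccessPolicy API are all constructed for illustration.

```python
"""Shared-login versus time-boxed grant: accountability in an AR audit trail.

Added example, not from the thread. All names, log lines and the policy
API below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Generic accounts whose password is known to more than one person.
SHARED_ACCOUNTS = {"ar_clerk"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str   # account the action ran under
    role: str    # business function exercised (ap, ar, ...)
    action: str


T0 = datetime(2007, 3, 19, 9, 0)

# Constructed audit trail: Joan covers AR for a day by logging in as the
# shared "ar_clerk" account, so her AR actions are indistinguishable from
# those of anyone else who knows that password.
SHARED_LOGIN_TRAIL = [
    Event(T0, "joan", "ap", "post_invoice"),
    Event(T0 + timedelta(hours=1), "ar_clerk", "ar", "apply_payment"),
    Event(T0 + timedelta(hours=2), "ar_clerk", "ar", "write_off_balance"),
]


def non_attributable(trail):
    """Actions in the trail that cannot be tied to one named person."""
    return [e for e in trail if e.actor in SHARED_ACCOUNTS]


class AccessPolicy:
    """Role grants to named users, each with an expiry (constructed API)."""

    def __init__(self):
        self._grants = {}  # (user, role) -> expiry datetime

    def grant(self, user, role, until):
        self._grants[(user, role)] = until

    def allowed(self, user, role, at):
        expiry = self._grants.get((user, role))
        return expiry is not None and at < expiry


def run(trail, policy):
    """Apply the policy to each event; return (accepted, denied) lists."""
    accepted, denied = [], []
    for e in trail:
        (accepted if policy.allowed(e.actor, e.role, e.ts) else denied).append(e)
    return accepted, denied


# The same day under the alternative design: Joan keeps her own login and is
# granted the AR role for eight hours, so the trail names her for every AR
# action and the grant lapses on its own.
POLICY = AccessPolicy()
POLICY.grant("joan", "ap", T0 + timedelta(days=365))
POLICY.grant("joan", "ar", T0 + timedelta(hours=8))

GRANT_TRAIL = [
    Event(T0, "joan", "ap", "post_invoice"),
    Event(T0 + timedelta(hours=1), "joan", "ar", "apply_payment"),
    Event(T0 + timedelta(hours=2), "joan", "ar", "write_off_balance"),
    Event(T0 + timedelta(hours=9), "joan", "ar", "apply_payment"),  # after expiry
]

if __name__ == "__main__":
    for e in non_attributable(SHARED_LOGIN_TRAIL):
        print(f"{e.ts} {e.action}: ran as shared account {e.actor!r}, no named actor")
    accepted, denied = run(GRANT_TRAIL, POLICY)
    for e in accepted:
        print(f"{e.ts} {e.action} by {e.actor} (role {e.role}): accepted")
    for e in denied:
        print(f"{e.ts} {e.action} by {e.actor} (role {e.role}): denied, grant expired")
```

Under the shared login, two of the three AR actions have no named actor at all; under the grant, every action carries Joan's name, the fourth one is refused because her eight-hour window has closed, and the shared "ar_clerk" account, having no grants, would be refused outright. The control that preserves accountability is a per-person, expiring grant, not a blanket denial that pushes people toward a shared password.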

Re:Bye Bye public companies... (1)

WhiplashII (542766) | about 7 years ago | (#18406233)

Enron guys could have been charged with regardless of Sarbox.

That's the crazy thing! The Enron guys weren't charged as a result of Sarbox - Sarbox came afterwards! The existing laws were obviously sufficient!

Re:Bye Bye public companies... (2, Insightful)

WhiplashII (542766) | about 7 years ago | (#18406499)

By the way, the cost of Sarbox compliance is estimated at $1M per $1B in revenue. At about $10T of total revenue in US public companies, we are spending $10B per year on compliance...

To avoid a few billion lost in Enron, and a few billion lost in MCI - every few years.

That is Congress math!

Re:Bye Bye public companies... (1)

Maxo-Texas (864189) | about 7 years ago | (#18408149)

What's up with the troll mod? I see nothing trollish about this at all.

Go ahead-- waste your mod points modding me down.


Builder (103701) | about 7 years ago | (#18412373)

This post is not a troll at all. The poster is simply pointing out that we're spending trillions to save billions.

We see the same thing in the UK. They want to spend hundreds of millions of pounds on ID and they say that this is to stop benefit fraud and illegal immigration. The cost of the scheme is a large multiple of the cost savings over the life of the project, but to someone, this math makes sense ?!

Sarbox and IT (1)

DragonHawk (21256) | about 7 years ago | (#18407671)

I cannot comment on SarbOx in general. IANAL. I don't even play one on TV. But I can comment on the IT aspects.

I've been through a supposed SarbOx implementation when, as a consultant, one of our clients got gobbled up by a huge company. They had a huge list of requirements, supposedly needed for SarbOx. One in particular stuck in my mind: Passwords had to change every 45 days. They blamed Congress for this whenever I objected.

So I got a copy of the SarbOx legislation. The word "password" doesn't even *OCCUR* in the law. A bunch of other stuff didn't line up, either. When I raised these issues to their attention, I was told their expensive auditing/compliance provider said it was a requirement, while I was just an IT puke, so suck it up. (We sucked it up. At $95/hour.)

Given that some of this stuff has to be done by outside auditors, and the rest is often outsourced to same, it occurs to me that there is an incentive for the auditing houses to make things as onerous as possible. They make more money that way. I'm not saying every situation is like that. Just that money, like electricity, tends to follow the path of least resistance.

Food for thought.

Another difference between East and West (0)

Anonymous Coward | about 7 years ago | (#18403357)

As opposed to SOX in the US, J-SOX will fit loosely and be administered by hordes of giggling Japanese schoolgirls.

lemme say (0)

Anonymous Coward | about 7 years ago | (#18403411)

Lemme be the first to say that J-SOX RULES!!!

gyroball? (1)

Brunellus (875635) | about 7 years ago | (#18403455)

J-SOX is what they'll be calling that baseball team up in Boston if Daisuke Matsuzaka's "gyroball" has any success.

dice-k? (0)

Anonymous Coward | about 7 years ago | (#18404829)

Isn't he the one that planned to ride aboard a commercial rocket wearing a Char Aznable costume?

Personal experience with SOX (1, Interesting)

Anonymous Coward | about 7 years ago | (#18403741)

Here is my personal experience with SOX, from a sales point of view.

I can't take purchase orders that are not 100% perfectly filled out. It doesn't matter if I've been doing business with that company for 20 years and they all know me. The PO is now a LEGAL document (contract) and must be completed in full before my manufacturers will take the order. You know the criteria I am talking about -- FOB, terms, delivery date, quoted item, a price, etc. Lots of times, with people you've been doing business with a long time, they just send over the purchase order with enough information to fill the order. But again, "enough information to fill the order" and "perfectly filled out" are not the same thing. A simple example is a customer who is picking up the item. They may not fill out the shipping method because - duh - they are picking up from us down the street. That purchase order would not be accepted. It should say "customer pickup", per SOX (not directly, but SOX requires orders/revenues to be fully documented and companies take it to extremes - like with POs).

Now, throw in a mix of bureaucracy and attorneys arguing over terms and conditions (net 30, net 60, etc) and guess what? Nothing gets sold.

It IS happening out in the field and I can safely say that SOX is having some unintended consequences.

So the Japanese are re-creating Sarbanes-Oxley? (1, Funny)

Anonymous Coward | about 7 years ago | (#18404003)

I expect theirs will be more reliable, get better mileage.

I am starting to work with J-SOX in the UK (3, Informative)

dominux (731134) | about 7 years ago | (#18404207)

for a Japanese company, obviously. The thing you need to know is that the law itself is impenetrable in the US and Japan. Don't worry about it. Look for the document from COSO on internal controls (nasty - send this to the accounts department) and the COBIT framework (nice - keep this one in IT). COBIT is really, really friendly and structured (34 chapters with loads of specific guidance on each); if you have been working with ISO 9000 and related things then you are going to like COBIT. COSO is woolly and unstructured; it sort of breaks down into 4 elements, and J-SOX adds an extra one for IT controls, which as I understand it probably just means that to do COSO you need to do COBIT.
Just remember when they are handing out the responsibilities:
COBIT = nice
COSO = nasty

you missed the obvious intro: (1)

Fulcrum of Evil (560260) | about 7 years ago | (#18404655)

I work for a Japanese company, so I'm really getting a kick out of these replies ... this is how bad information gets passed around.

It's just a show piece (1)

Marxist Hacker 42 (638312) | about 7 years ago | (#18404563)

Capitalists convincing governments to pass these laws so that it looks like the governments are actually doing something about corporate corruption- while the 10% game (only the worst 10% of cases of business fraud ever get reported, let alone prosecuted) continues on.

Re:It's just a show piece (0)

Anonymous Coward | about 7 years ago | (#18404851)

only the worst 10% of cases of business fraud ever get reported, let alone prosecuted

How would one ascertain that information?

Re:It's just a show piece (1)

Marxist Hacker 42 (638312) | about 7 years ago | (#18404931)

How would one ascertain that information?

*putting on BOFH hat - always been there but apparently sometimes it's invisible*

Simple - just count the number of times upper management uses the phrase "It's not personal, it's just business". Every single deal that it is applied to is shady to some extent - but thanks to the use of that phrase, the victim is unlikely to complain to regulators for fear of being seen as a bad businessman. It's the way capitalism uses socialism to breed a culture of corruption - where if you peered too closely at *any* board of directors or *any* C-level executive, you'll find the type of pond scum who would sell their own mother for an increase in share price.

And the "Understatement of the Year" award goes to (1)

w00f (872376) | about 7 years ago | (#18404885)

"The lessons learned from U.S. companies' Sarbanes-Oxley efforts will lead Japan's Financial Services Agency to 'soften J-SOX [requirements] a little bit,' said Damianides."

Is he serious? If J-SOX works like America's SOX... they'll have the same crap results we have. You can pay one of the "big three" a mountain of cash to write up in creative ways that you comply. Done.


SirKron (112214) | about 7 years ago | (#18405303)

At my current client I have to show a screen print of what the change will look like on the production server, without making the change. So I have to alter the images from my test system to look like the production system to pass SOX review.

True story... (1)

Maxo-Texas (864189) | about 7 years ago | (#18408095)

A co-worker was required to collect 400 SCREEN shots of a file before and after changes to the file and paste them into the SOX document.

You see- a backup copy of the file wouldn't satisfy auditing requirements since "it might be changed".

Of course bitmaps are so much harder to change than a backup copy on a lockbox system.


I'm so glad I don't develop now. My job is doing these processes and helping the developers focus on the work now. I'm happy - they are universally happier. I used to be so frustrated. It had reached a point of 3 months of documenting for 1 month of development, which really meant about 24 hours of coding time.

I'm sorry but I got in this job because I liked CODING and DEBUGGING. In fact, I really prefer DEBUGGING because of the constant mini "AHA"'s. I can't even keep my skills up on 24 hours of coding per 4 months.
Neither can anyone else- so the business either accepts longer projects (throw in an extra month for stale skills) or they just outsource to a contract company that DUH HAS NO SOX REQUIREMENTS (because it can do the project 5x as fast).

Ah well..

Ah, the bliss (1)

jandersen (462034) | about 7 years ago | (#18411733)

Working as sys admin for an American company, I have had enough exposure to Sarbanes-Oxley to last me a while.

While I fully understand and sympathise with the need to ensure that companies don't lie as much as they would like (we should do something for politicians and lawyers too, eh?), in some cases it is taken to ridiculous extremes. In my company we now have to submit all new hostnames to a security commission - these are hostnames that are allocated on an internal DNS server. Why is that? I don't understand it, but there you are.

And we are not allowed to use an external NTP server - the hole in the firewall is simply closed, and the request doesn't get through. On the other hand http is allowed through, of course - but don't tell me that the problems you can get on your machine from NTP are worse than what you import via http.

Now, I know that there are many theoretical computer security issues associated with using networks, but in our case Sarbox is simply being used as an excuse for allowing the most anal-retentive security people in the company to bully everybody. Wasn't the idea that it should be harder for people in upper management to abuse their power to strip the company of money and line their own pockets? Introducing rules that hamper the production teams in everything they do only provokes resentment and inspires people to find ways around them, thus defeating the entire project and creating new, but unknown, security threats. And meanwhile those in power positions, who are ethically challenged, will still be dishonest; and of course they will also just find new ways to steal, won't they?

So the real question remains - what can actually be done about the basic problem: that people at the top of companies (and indeed people in any power position) are fundamentally flawed? Looking to other countries, we can see that it is possible; the moral and ethical standards for companies in Europe are much higher than in the US.