16th XBRL International Conference


“Convergence, Communication and Interactive Data”
December 3-6, 2007
Vancouver, British Columbia, Canada
Internal Reporting Track
XBRL application to Internal Controls
December 4th, 2007
Yuji Furusho
CISA (Certified Information Systems Auditor)
Fujitsu Limited


Annual documentation and evaluation of Internal Controls are “formal activities” for listed companies in the following countries:
◦ U.S. - Sarbanes and Oxley Act (so-called SOX)
◦ Canada - Bill-198 / Regulation 52-109
◦ Japan - Financial Products Exchange Act (so-called J-SOX)
◦ Korea, France, etc.
Evaluation of Internal Controls in accordance with the significance of the impact on the financial statements is key.
◦ This means that evaluation of the internal controls should be consistent with the significance of related accounts, and therefore consistent with the ultimate impact in the financial statements.

Enterprise Model – connecting FS, GL, and business process
[Diagram: Financial Statement, General Ledger, and business processes]
◦ Financial Statement: (PL) sales, (BS) A/R, (BS) inventory, ...
◦ General Ledger: Software sales, Hardware sales, Maintenance sales, ...
◦ Sales Process - Head Quarter
   related accounts: Software sales, A/R - Software
   (n) risk
   (n) control
◦ Sales Process - North Region
   related accounts: Software sales, A/R - Software
   (n) risk
   (n) control

Internal Control Taxonomy to handle non-financial business process information.
◦ Definition of “Control Objective”, “Risk”, and “Control Activity” in a business process.
◦ “Design effectiveness”, “Operational effectiveness”, and “Remediation plan/status” as values.
◦ Utilization of “COSO elements”
   For comprehensive Risk/Control identification.
   For focusing not only on “Risk” but also on “Opportunity”.
[Diagram: Internal Control taxonomy and instance document. Labels: Fixed elements; process; location; related acct; (n) subprocess; COSO elements; coso: activity; Company Extension; Internal Control Dimension; (n) control objective; (n) risk; (n) control activity; key control; F,O,C; F,O,C,S; related assertion; Instance Document; result (score); result (narrative); assertion; issue; remediation status]
・incomplete evidence
・control exception (exception on approval, processing, etc.)

25 activities illustrated in COSO tool.
1/Activity : INBOUND
2/Activity : OPERATIONS
3/Activity : OUTBOUND
4/Activity : MARKETING AND SALES
5/Activity : SERVICE
6/Activity : PROCUREMENT
7/Activity : TECHNOLOGY DEVELOPMENT
8/Activity : HUMAN RESOURCES
9/Activity : MANAGE THE ENTERPRISE
10/Activity : MANAGE EXTERNAL RELATIONS
11/Activity : PROVIDE ADMINISTRATIVE SERVICES
12/Activity : MANAGE INFORMATION TECHNOLOGY
13/Activity : MANAGE RISKS
14/Activity : MANAGE LEGAL AFFAIRS
15/Activity : PLAN
16/Activity : PROCESS ACCOUNTS PAYABLE
17/Activity : PROCESS ACCOUNTS RECEIVABLE
18/Activity : PROCESS FUNDS
19/Activity : PROCESS FIXED ASSETS
20/Activity : ANALYZE AND RECONCILE
21/Activity : PROCESS BENEFITS AND RETIREE INFORMATION
22/Activity : PROCESS PAYROLL
23/Activity : PROCESS TAX COMPLIANCE
24/Activity : PROCESS PRODUCT COSTS
25/Activity : PROVIDE FINANCIAL AND MANAGEMENT REPORTING

Using element / value to “link” taxonomies;
◦ FR taxonomy and GL taxonomy: “xbrlinfo” elements in GL taxonomy
   taxonomy: FR “sales:”, GL “xbrlinfo:”
   instance: FR sales: “682,xxx”, GL xbrlinfo: “sales”
◦ GL taxonomy and IC (Internal Control) taxonomy: “relatedAccount” element in IC taxonomy
   taxonomy: GL “accountMainID:”, IC “relatedAccount:”
   instance: GL accountMainID: “EX00100”, IC relatedAccount: “EX00100”

The following “FS – GL (Trial Balance) – IC” model has been adopted for Proof-of-Concept.
[Diagram labels:]
◦ Financial Statement: (PL) sales, (BS) A/R, (BS) inventory, ...
◦ General Ledger: Journal Entry, ...
◦ aggregation; location definition; Definition using Dimensional Taxonomy
◦ Trial Balance (by location): (PL) sales, (BS) A/R, (BS) inventory, ...
◦ acct-process mapping
◦ Internal Control: location x process; related accounts; (n) risk; (n) control; ...

Overall Structure
[Diagram: Process Information 1 : n Sub-Process Information 1 : 1 Evaluation and Remediation]
Process Information
• Process
• Location
• Related Accounts etc.
Sub-Process Information
• Control Objective
• Risk
• Control Activity
• Key Control etc.
Evaluation and Remediation
• Design Effectiveness
• Operational Effectiveness
• Remediation Plan etc.

“Process Information” section
Process Information 【Sample】
◦ process: Sales Process
◦ location: Software Service Dept.
◦ related accounts: Sales, Account Receivable

“Sub-Process Information” section
[Diagram: sample sub-process record and the elements behind each field]
◦ Sub-process: AX05_Sales & billing
◦ Step: Safaia/FOCS sales
◦ activity (COSO elements): PROCESS ACCOUNTS RECEIVABLE
◦ sub-activity: -
◦ control objective: Accurately record all authorized sales returns and allowances and only such returns and allowances
   section: financial reporting, operation, compliance, safeguarding asset
◦ risk: Inaccurate input of data
   risk ID, risk, assertion
◦ control activity (sample): Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
   control ID, control, control method (manual/auto), evidence/related documents, assertion

“Sub-Process Information” section – “risk”
[Table: “risk” element (COSO elements plus company expansion)]
◦ columns: risk ID; risk; assertion (existence, completeness, rights and obligation, evaluation, allocation and cut-off, presentation and disclosure)
◦ sample row: risk ID “Rxxxxxx”; risk “Inaccurate input of data”; “Y” set in the applicable assertion columns

“Sub-Process Information” section – “control activity”
[Table: “control activity” element]
◦ columns: control ID; control; method of control (manual, automatic); person in charge; evidences; related manuals and rule documents; assertion
◦ sample row: control ID “Cxxxx”; control “Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function”; manual “Y”; person in charge “Leader of xxx Dept”; numbered entries 1), 2), 3) and “1. Request Form”
◦ assertion:
   existence
   completeness
   rights and obligation
   evaluation
   allocation and cut-off
   presentation and disclosure

“Evaluation and Remediation” section
◦ design effectiveness
  - date
  - person in charge of evaluation
  - results - score
  - results - narrative
◦ operational effectiveness
  - date
  - person in charge of evaluation
  - population
  - number of samples
  - results - score
  - results - narrative
◦ remediation
  - person in charge of evaluation
  - summary
  - due date
◦ key control
  - yes / no (Boolean)

Use of “dimensionItem”
◦ Multi dimension of “Control Objective”, “Risk”, and “Control Activity”
[Diagram: Evaluation]
  Control Objective 1
    Risk 1
      Control Activity 1
      Control Activity 2
    Risk 2
      Control Activity 3
Use of Reference Link
◦ Use of “part element”, setting Boolean value;
   Control objective: F/R, O/R, C, S/A
   Assertion: Ex, C, R/O, Ev, A/C, P/D
   Type of Control: Manual, Automatic
[Diagram: Risk, Reference Link, assertion – E/O - yes / no (Boolean)]

Consistent and effective risk management for Financial Reporting by balancing financial risk significance and control importance.
[Diagram labels: FR to GL; GL to IC]

Identify and understand internal control implications on significant accounts – (Where and what kind of issues, etc.)
Financial Statement ▷ ▷ ▷ Internal Control
[Diagram labels: A/R; 75%, Location A: A/R; 15%, Location B: A/R; columns: process, department, score, issue]

Identify and understand accounts affected by internal control issues.
Internal Control ▷ ▷ ▷ Financial Statement
[Diagram labels: columns: process, department, score, issue; 75%, Location A: A/R; 15%, Location B: A/R; A/R deficiencies]
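The two drill-down directions above follow from the element/value links described earlier (“xbrlinfo” in GL, “relatedAccount” in IC). The sketch below is an added example, not code from the presentation; all records are constructed, only “EX00100” and the xbrlinfo value “sales” appear on the slides, and the function names are hypothetical. It also flags IC records whose relatedAccount matches no GL account, since a broken link silently drops a control from both views.

```python
# Constructed sample data: GL accounts carry "xbrlinfo" (the FR element they
# roll up to); IC records carry "relatedAccount" (a GL accountMainID).
GL = [
    {"accountMainID": "EX00100", "xbrlinfo": "sales"},
    {"accountMainID": "EX00200", "xbrlinfo": "accountsReceivable"},
]
IC = [
    {"location": "Location A", "relatedAccount": "EX00200",
     "issue": "control exception"},
    {"location": "Location B", "relatedAccount": "EX00200", "issue": None},
    {"location": "Head Quarter", "relatedAccount": "EX00100",
     "issue": "incomplete evidence"},
    {"location": "North Region", "relatedAccount": "EX00999", "issue": None},
]

def fs_to_ic(fs_element, gl=GL, ic=IC):
    """Financial Statement -> Internal Control: IC records behind one FS item."""
    ids = {g["accountMainID"] for g in gl if g["xbrlinfo"] == fs_element}
    return [r for r in ic if r["relatedAccount"] in ids]

def ic_to_fs(gl=GL, ic=IC):
    """Internal Control -> Financial Statement: FS items touched by open issues."""
    by_id = {g["accountMainID"]: g["xbrlinfo"] for g in gl}
    affected = {}
    for r in ic:
        if r["issue"] and r["relatedAccount"] in by_id:
            affected.setdefault(by_id[r["relatedAccount"]], []).append(
                (r["location"], r["issue"]))
    return affected

def dangling_links(gl=GL, ic=IC):
    """IC records whose relatedAccount resolves to no GL accountMainID."""
    ids = {g["accountMainID"] for g in gl}
    return [r for r in ic if r["relatedAccount"] not in ids]
```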

Flexible definition and evaluation through taxonomy.
1. Relationship among “Control Objective”, “Risk”, and “Control Activity” using dimensional model
    Evaluation of “Control Objective” and “Control Activity” relationship, skipping “Risk” element, or evaluation of “Risk” and “Control Activity” relationship, skipping “Control Objective”
2. “Risk” or “Control Activity” evaluation with respect to specific “Control Objective”
    A company may want to focus on “Financial Reporting” objective, while others may want to include “Operational Effectiveness” objective.
3. Identification of compensating controls
    “Control Activity” relevant to “Risk” by evaluating “Related Assertion”

Dimensional definition of “Control Objective”, “Risk”, and “Control Activity”.

Flexible evaluation of “Risk” and “Control Activity” focusing on “Control Objective” – Company may want to focus on “Financial Reporting” for SOX auditing purpose.
[Diagram: the “Control Objective” element, in the COSO Taxonomy and in the Company Extension, carries a Reference Link with “part” elements:]
◦ Financial Reporting - yes / no (Boolean)
◦ Operational Effectiveness - yes / no (Boolean)
◦ Compliance - yes / no (Boolean)
◦ Safeguarding Asset - yes / no (Boolean)

Compensating controls may be identified through “assertion” attributes assigned to “Risk” and “Control Activity”.
◦ In cases of effectiveness failure of key controls, compensating controls may be identified along with assertions assigned to them.
[Diagram: a Risk with assertion flags over the columns E/O, C, V/A, R/O, P/D (two set to Y); Control 1 - key (failure) and Control 2 – non-key, each with related assertion flags over the same columns (two set to Y); arrow labelled: Find “Compensating control”]
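One way to run the compensating-control search described above over instance data, as an added example that is not part of the original presentation. The control IDs, the `effective` field, and the function name are constructed; the assertion codes are the column labels from the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    control_id: str        # constructed IDs; the slides show only "Cxxxx"
    key: bool              # "key control" yes / no
    effective: bool        # evaluation outcome (hypothetical field name)
    assertions: frozenset  # "related assertion" flags set to Y

def find_compensating(risk_assertions, controls):
    """Return ({control_id: assertions it compensates}, uncovered assertions)."""
    risk = frozenset(risk_assertions)
    exposed = set()
    # Assertions of the risk that depended on a key control that failed.
    for c in controls:
        if c.key and not c.effective:
            exposed |= c.assertions & risk
    # Other key controls that still work already cover their assertions.
    for c in controls:
        if c.key and c.effective:
            exposed -= c.assertions
    # Effective non-key controls sharing an exposed assertion are candidates.
    candidates = {
        c.control_id: sorted(c.assertions & exposed)
        for c in controls
        if not c.key and c.effective and c.assertions & exposed
    }
    covered = {a for hit in candidates.values() for a in hit}
    return candidates, sorted(exposed - covered)

# Constructed sample: the risk carries E/O and C; the key control failed.
RISK_ASSERTIONS = {"E/O", "C"}
CONTROLS = [
    Control("C0001", True, False, frozenset({"E/O", "C"})),
    Control("C0002", False, True, frozenset({"E/O"})),
    Control("C0003", False, True, frozenset({"P/D"})),  # unrelated assertion
    Control("C0004", False, False, frozenset({"C"})),   # itself ineffective
]
```

The second return value is the part that matters for remediation: any assertion listed there has no working control at all.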
Yuji Furusho
+81-3-6424-6227
THANK YOU!