What Are Japanese Directors' Obligations Regarding Internal Control Systems?
In today's complex business environment, robust internal control systems are universally recognized as critical for effective corporate governance, risk management, and ensuring the integrity of business operations. Japanese law reflects this importance, imposing significant obligations on company directors to establish, maintain, and oversee such systems. Failure to meet these obligations can expose directors to personal liability for damages suffered by the company. This article explores the nature and scope of these duties under Japanese law.
The Concept and Evolution of Internal Control Systems in Japan
An internal control system (内部統制システム - naibu tōsei shisutemu) in the Japanese context refers to the comprehensive framework of processes, policies, and structures designed and implemented by a company's management to achieve key objectives. These objectives typically encompass:
- Effectiveness and Efficiency of Operations: Ensuring that business activities are conducted productively and resources are used optimally.
- Reliability of Financial Reporting: Guaranteeing the accuracy and integrity of financial statements and related disclosures.
- Compliance with Laws and Regulations (コンプライアンス - konpuraiansu): Ensuring that the company and its employees adhere to all applicable legal and regulatory requirements, as well as internal company rules.
- Safeguarding of Assets: Protecting corporate assets from loss, misuse, or unauthorized disposition.
The legal recognition of a director's duty to establish internal controls in Japan predates its explicit codification for all company types. A landmark decision by the Osaka District Court on September 20, 2000 (Heisei 12), commonly known as the Daiwa Bank case, was instrumental. In this case, which involved substantial losses from unauthorized trading by an employee at the bank's New York branch, the court held that directors have a duty, as part of their broader duty of care, to establish and implement an appropriate risk management system (a core component of internal controls) tailored to the scale and nature of the company's business. This duty was found to exist even before the Companies Act explicitly detailed such requirements for all large companies.
Statutory Basis for Internal Control Obligations
Japanese law now provides a more explicit statutory basis for internal control obligations, primarily through the Companies Act and, for listed companies, the Financial Instruments and Exchange Act (FIEA).
Companies Act (会社法 - Kaishahō)
The Companies Act mandates the establishment of internal control systems for certain types of companies and clarifies the board's role:
- Large Companies (大会社 - Daigaisha): Under Article 362, Paragraph 4, Item 6, and Paragraph 5, the board of directors of a "large company" (defined as a company with stated capital of 500 million yen or more, or total liabilities of 20 billion yen or more) must decide on the establishment of systems necessary to ensure the properness of business operations. Similar obligations apply to large companies without a board but with representative directors (Article 348, Paragraph 3, Item 4, and Paragraph 4).
- Companies with Specific Governance Structures:
  - Companies with an Audit & Supervisory Committee (監査等委員会設置会社 - Kansa-tō Iinkai Setchi Kaisha): The board must decide on internal control systems, irrespective of company size (Article 399-13, Paragraph 1, Item 1(b) & (c)).
  - Companies with a Nominating Committee, etc. (指名委員会等設置会社 - Shimei Iinkai-tō Setchi Kaisha): Similarly, the board has this responsibility (Article 416, Paragraph 1, Item 1(b) & (e)).
- General Duty of Care: Even for smaller, non-listed companies not falling under the specific mandates above, the principles established in cases like Daiwa Bank suggest that directors still have a general duty of care to implement controls appropriate to their company’s risks and circumstances.
The Ordinance for Enforcement of the Companies Act (会社法施行規則 - Kaishahō Shikō Kisoku) further elaborates on the key elements that these board-decided internal control systems must cover. The elements (see, e.g., Article 100 for board-managed companies) include:
* Systems for ensuring compliance with laws and the articles of incorporation by directors and employees.
* Systems for the retention and management of information related to the execution of directors' duties.
* Regulations and other systems concerning risk management.
* Systems for ensuring the efficient execution of directors' duties.
* Systems for ensuring the properness of operations within a corporate group (if the company has subsidiaries).
* Systems concerning employees who assist statutory auditors (or the audit committee) if requested, and ensuring the independence of those employees from directors.
* Systems for reporting to statutory auditors (or the audit committee) by directors and employees, and ensuring that persons making such reports do not suffer disadvantageous treatment.
* Procedures for prepayment or reimbursement of expenses arising from the duties of statutory auditors (or audit committee members) and other systems relating to the execution of their duties.
Financial Instruments and Exchange Act (FIEA) – "J-SOX"
For listed companies, the FIEA imposes additional requirements concerning Internal Control Over Financial Reporting (ICFR), commonly known as J-SOX. This was introduced following scandals and in parallel with the U.S. Sarbanes-Oxley Act (SOX). Key J-SOX requirements include:
- Management must assess the effectiveness of the company's ICFR and issue an "Internal Control Report."
- The company's external auditor must audit this report and express an opinion on it.
While the Companies Act internal controls are broader, covering operational efficiency and general legal compliance, J-SOX has a specific focus on ensuring the reliability of financial statements. However, they are interconnected; a robust financial reporting system is an integral part of an overall effective internal control framework. Deficiencies in J-SOX compliance can also indicate broader failings in the Companies Act-mandated internal controls.
Responsibility for Establishing and Overseeing Internal Controls
The primary responsibility for deciding on the basic policies and framework of the internal control system lies with the board of directors. The board must formally resolve these matters.
The representative directors and other executive directors are then responsible for the actual implementation, operation, and day-to-day management of these systems within the guidelines set by the board.
Statutory auditors (監査役 - kansayaku) in companies with statutory auditors, or the audit committee (監査委員会 - kansa iinkai) in companies with an audit committee or an audit & supervisory committee, play a crucial oversight role. They are responsible for auditing the execution of duties by directors, which includes monitoring the establishment and operation of internal control systems. They have the power to investigate and report deficiencies to the board or shareholders.
Director Liability for Internal Control Failures
If directors breach their duty to establish an adequate internal control system, or to ensure its proper functioning, and this breach results in damage to the company, they can be held personally liable under Article 423, Paragraph 1 of the Companies Act.
The crucial elements in such a claim are:
- Existence of a Duty: Establishing that the directors had a duty to implement certain controls.
- Breach of Duty: Showing that the internal control system was either not established, was inadequately designed, or was not effectively operated or monitored due to the directors' negligence.
- Damage to the Company: Demonstrating that the company suffered financial or other harm.
- Causation: Proving a causal link between the deficiency in the internal control system (i.e., the directors' breach) and the damage incurred by the company. This can often be challenging, as plaintiffs must show that had adequate controls been in place, the damage (e.g., from employee fraud, regulatory fines) would likely have been prevented or mitigated.
The Supreme Court judgment of July 9, 2009 (Heisei 21), often referred to as the Yakult case, addressed the liability of parent company directors for losses incurred by a subsidiary due to high-risk derivatives trading. The court indicated that parent company directors could be liable if they neglected to establish a system to manage the subsidiary's significant risks, particularly when such risks were foreseeable and the parent had the ability to influence the subsidiary's controls. This case underscores the importance of group-wide internal controls.
Does the Business Judgment Rule (BJR) Apply?
A key question is whether directors' decisions regarding the design and implementation of internal control systems are protected by the BJR. The PDF's commentary on Problem 42 notes some ambiguity. While some lower court decisions have suggested that determining the specific content of a risk management system can be a matter of business judgment, the BJR may not apply to the fundamental duty to establish an adequate system in the same way it applies to ordinary operational decisions aimed at profit generation through risk-taking.
Internal control is, in itself, a tool of prudent management and supervision, rather than a direct profit-seeking activity. Therefore, the standard of review might focus more on whether the system was objectively unreasonable or patently inadequate given the company's specific risk profile and industry standards, rather than merely deferring to any system chosen by directors. The focus is less on "promoting profit through risk" and more on "ensuring propriety and preventing foreseeable harm." A complete failure to consider or implement basic, widely accepted controls for known risks is unlikely to receive BJR protection.
Illustrative Application: A Case of Prolonged Fictitious Sales (Problem 42)
Problem 42 of the PDF describes A社 (Company A), a software development and sales company, where its B事業部 (B Business Division) engaged in systematic fictitious sales amounting to 1.2 billion yen over more than four years. This involved forging order forms and inspection certificates, and manipulating accounts receivable confirmations sent to customers, the finance department, and external auditors. The fraud was concealed by the B Business Division head and staff, who misdirected incoming payments for legitimate sales to cover the fictitious receivables. Shareholder X sued the representative director, Y, for failing to establish effective internal controls that could have prevented or detected this prolonged fraud.
Analyzing the Control Weaknesses in A社:
The described fraud reveals several classic internal control deficiencies:
- Lack of Segregation of Duties: The B Business Division's sales staff were seemingly involved in generating orders, handling inspection certificates (even if forged), and influencing how receivables were confirmed and payments were applied.
- Insufficient Independent Verification: Revenue was recognized based on inspection certificates returned by the sales division itself, without independent confirmation from end-users or robust checks by the finance department (C課).
- Compromised Confirmation Processes: The B Business Division was able to intercept and falsify accounts receivable confirmations, a critical external check. Direct communication between the finance/audit function and customers is essential.
- Inadequate Cash Application Controls: The finance department relied on instructions from the B Business Division for applying cash receipts to outstanding receivables, rather than performing direct, independent reconciliation.
- Potential "Tone at the Top" Issues or Collusion: The involvement of the Business Division head and staff suggests a breakdown in ethical culture within that division, or successful collusion.
Representative Director Y's Potential Liability:
To hold Representative Director Y liable, shareholder X would need to demonstrate:
- Y's Duty: Y, as representative director, had a responsibility to ensure an adequate internal control system was in place, appropriate for a software company with external sales channels.
- Breach - Inadequate System: The described system clearly had fundamental weaknesses that allowed a large-scale, multi-year fraud to occur and go undetected by internal finance and external auditors. The question is whether Y was negligent in not ensuring these weaknesses were addressed. What systems did Y oversee? Were there red flags (e.g., unusual growth in B事業部's receivables, lack of cash flow despite reported sales) that should have prompted investigation?
- Damage: A社 suffered significant damage (loss of reputation, decline in orders, direct financial impact of the fraud).
- Causation: Had reasonably designed controls (e.g., mandatory direct customer confirmation of orders and deliveries by finance, strict segregation of duties in sales and receivables, independent reconciliation of cash) been in place and operating, the fraud would likely have been detected much earlier or prevented altogether.
The Daiwa Bank precedent is relevant: the court found directors liable for not establishing adequate systems to prevent unauthorized actions by an employee, emphasizing that the board's duty includes creating risk management systems commensurate with the company's business. Similarly, for A社, the risk of sales fraud, especially in a division-based structure, is a foreseeable risk that internal controls should address. Director Y's failure to ensure the existence of such controls could be seen as a breach of the duty of care.
Comparison with U.S. Internal Control Frameworks
The Japanese approach to internal controls, particularly J-SOX, was significantly influenced by the U.S. Sarbanes-Oxley Act of 2002 (SOX).
- SOX Sections 302 and 404: SOX 302 requires the CEO and CFO to certify the company's financial reports and the effectiveness of both its disclosure controls and procedures and its internal control over financial reporting. SOX 404 requires management to assess, and the external auditor to attest to, the effectiveness of ICFR. J-SOX has similar management assessment and external audit requirements for listed companies.
- COSO Framework: While not legally mandated, the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework is widely recognized and used in both the U.S. and Japan as a benchmark for designing, implementing, and evaluating internal control systems.
- Delaware's Caremark Standard: In the U.S., director oversight liability, particularly for failing to monitor legal compliance, is often analyzed under the In re Caremark International Inc. Derivative Litigation standard. This standard requires directors to have made a good faith effort to ensure that appropriate information and reporting systems exist. Liability typically arises if directors utterly failed to implement any reporting or information system or controls, or, having implemented such a system, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. This has strong parallels with the Japanese duty to establish systems for legal compliance and risk management.
Practical Steps for Effective Internal Control
Regardless of jurisdiction, establishing and maintaining effective internal controls involves ongoing effort and commitment. Key elements include:
- "Tone at the Top": Strong ethical leadership and commitment from senior management and the board.
- Comprehensive Risk Assessment: Regularly identifying and evaluating the significant risks the company faces.
- Clear Policies and Procedures: Documenting controls and ensuring they are communicated and understood.
- Segregation of Duties: Dividing responsibilities so that no single individual can control all aspects of a transaction or process from initiation to completion.
- Independent Checks and Reconciliations: Implementing verification processes performed by individuals independent of those executing the transactions.
- Effective Information and Communication Systems: Ensuring relevant information flows to the right people in a timely manner.
- Monitoring Activities: Regularly assessing the effectiveness of internal controls, including through internal audits.
- Whistleblower Mechanisms: Providing safe and confidential channels for employees and others to report suspected wrongdoing.
Conclusion
The obligation for directors to establish and maintain adequate internal control systems is a fundamental aspect of modern corporate governance in Japan. This duty, rooted in both case law like the Daiwa Bank decision and statutory provisions within the Companies Act and FIEA, aims to ensure operational propriety, legal compliance, and the reliability of financial information. While the Business Judgment Rule might offer some deference to directors' choices regarding the specifics of control design, a failure to implement a system that is reasonably adequate for the company's nature, size, and risk profile can lead to significant personal liability for directors if such failure results in corporate damage. Proactive and diligent attention to internal controls is, therefore, not merely a best practice but a legal imperative for directors in Japan.