Role of Internal Audit
Internal Audit evaluates and improves the effectiveness of governance, risk management and control processes with high proficiency and independence, thereby contributing to enhancement of MUFG Group's value and to achievement of the corporate vision.
“MUFG Group” means Mitsubishi UFJ Financial Group, Inc. and its subsidiaries.
What is Internal Audit?
Every business organization faces various risk elements. For example, clerical errors could occur in paper work and there could be cyberattacks when using a network environment. Internal Audit assesses the consequences of risks surrounding the company and evaluates whether each division is taking appropriate actions in accordance with the risk level.
Furthermore, risks would include not only mistakes and accidents but also apply to situations where the company could not achieve the goals and objectives as originally set.
Major procedures of an internal audit are as follows;
Internal audit mainly consists of this cycle;
- Develop an annual audit plan to select audits to be conducted in a fiscal year
- Examine audited divisions through inquiry, observation, inspection, and re-performance, for example, inspecting submitted documents and performing interviews
- Report internal audit results to senior management and announce them to audited divisions
- Follow up on whether audited divisions are addressing issues timely
1. Planning of internal audit
Assess every risk surrounding MUFG Group, develop an internal audit plan focused on high-risk areas and assign auditors to each internal audit.
Review evidence based on the internal audit plan in order to achieve internal audit objectives. Collect audit evidence and then analyze and evaluate etc. the collected evidence, inspecting submitted documents and performing interviews.
3. Communication of internal audit results
Communicate (feed-back) results of preliminary and actual examination to audited divisions and if recommendations are issued, provide concrete instruction whether they should respond and deadline etc.
Furthermore, report such results to appropriate bodies.
Check issue implementation status of audited divisions and report the progress to appropriate bodies.
Internal Audit covers all parts of MUFG Group's business activities, discussing and evaluating management / operation framework and business implementation in the scope of legality, rationality and efficiency, beyond checking compliance with defined procedures and legal regulations.
In addition, Internal Audit provides instructions and recommendations for operational improvement of audited divisions and reports these to senior management, thereby contributing to safeguarding and development of the assets of MUFG Group.
Three Lines of Defense Framework
The risk management shall be conducted by various divisions inside a company, such as divisions in charge of each risk category, a compliance division, and an internal audit division, etc.
Among others, financial institutions have had a keen awareness of the problem behind the risk management structure that mainly depends on divisions in charge of each risk category, reflecting on lessons learned from past financial crises, and reviewed roles and responsibilities of each division in the risk management.
Reflecting this background, the concept of “Three Lines of Defense” was invented and roles and responsibilities of each division in the risk management were defined, classifying divisions within an organization into “the 1st Line of Defense”, “the 2nd Line of Defense” and “the 3rd Line of Defense”.
- The 1st Line of Defense (the business division, client-facing divisions) undertakes risks within the extent of risk exposure assigned and is responsible and accountable for identifying, evaluating and controlling business risks.
- The 2nd Line of Defense (the risk management division, compliance division etc.) ensures that risks are identified and managed by the 1st Line of Defense.
- The 3rd Line of Defense (the internal audit division) independently evaluates the efficiency of governance, risk management, and control processes implemented by the 1st and 2nd Lines of Defense.
Internal Audit plays an essential part of risk management through ongoing communication with the 1st and 2nd Lines of Defense, while maintaining independence.
Group Internal Audit Framework
MUFG Group has internal audit functions at the holding company level as well as subsidiaries ensuring proficiency and independence through effective collaboration.
Internal audit division in the holding company receives reports from main directly-owned subsidiaries on the performance and results of internal audits and status of other business and provides instruction and evaluation as needed.
Reports to the Internal Audit Committee
The holding company has an audit committee within its board of directors and each of the major subsidiaries has an Audit & Supervisory Committee or a voluntarily established internal audit and compliance committee.
Within each of the holding company and the major subsidiaries, Internal Audit reports to the committee on important matters including governing principles in the internal audit plan, the progress status and results of the internal audits.
MUFG Internal Audit Activity Charter
MUFG has developed and published the MUFG Internal Audit Activity Charter to define the mission and purpose, responsibility, and organizational position of internal audits.
MUFG Group Internal Audit mission is to provide an objective assurance, advice and opinion on a risk-focused basis, thereby contributing to enhancement of group value and to the achievement of the corporate vision. Internal Audit must evaluate and improve the effectiveness of governance, risk management and control processes through a systematic and disciplined approach.
The purpose of Internal Audit is to provide independent and objective assurance and consulting services designed to ensure it adds value to MUFG Group.
Assurance is an independent assessment through an objective evaluation. Consulting is providing advice that adds value to Management.
Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (“the Standards”) and the Definition of Internal Auditing). Internal Audit will also be compliant with laws and regulations.
Internal Audit will evaluate and improve the effectiveness of governance, risk management and control processes through a systematic and disciplined approach. The scope of MUFG Group Internal Audit covers all the business operations including externally contracted business operations within MUFG Group to the extent allowed by laws and regulations. Internal Audit assessments include evaluating whether;
- Risks relating to the achievement of MUFG Group's strategic objectives are appropriately identified and managed
- Operations or programs are being carried out effectively and efficiently
- The results of operations or programs are consistent with established goals and objectives
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the Company and Subsidiaries
- The actions of the Company and Subsidiaries' officers, directors, employees, and contractors are in compliance with the Company and Subsidiaries' policies, procedures, and applicable laws, regulations, and governance standards
- Controls over financial reporting are designed and operated effectively
- Controls over disclosure are designed and operated effectively
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity
- Resources and assets are acquired economically, used efficiently, and protected adequately
Internal Audit considers relying upon the work of other internal and external assurance and consulting service providers as needed.
Internal Audit perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided Internal Audit does not assume management responsibility.
Internal Audit of the Company and Subsidiaries have the responsibility to;
- Submit, at least annually, to senior management and the Board or other appropriate bodies (“the Boards”) a risk-based internal audit plan for review and approval
- Communicate to the Boards the impact of resource limitations on the internal audit plan
- Review and adjust the internal audit plan, as necessary, in response to changes in the Company and Subsidiaries' business, risks, operations, programs, systems, and controls
- Communicate to the Boards any significant interim changes to the internal audit plan
- Ensure each engagement of the internal audit plan is executed. Each engagement includes the following;
- The establishment of objectives and scope
- The assignment of appropriate and adequately supervised resources
- The documentation of work programs and testing results
- The communication of engagement results with applicable conclusions and recommendations to appropriate parties
- Follow up on engagement findings and corrective actions, and report periodically to the Boards any corrective actions not effectively implemented
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld
- Ensure Internal Audit collectively possess or obtain the knowledge, skills, and other competencies needed to meet the requirements of this policy
- Ensure trends and emerging issues that could impact the Company and Subsidiaries are considered and communicated to the Boards as appropriate
- Ensure emerging trends and leading class practices in internal auditing are considered
- Establish and ensure adherence to policies and procedures designed to guide Internal Audit
- Ensure adherence to the Company and Subsidiaries' relevant policies and procedures, unless such policies and procedures conflict with this policy. Any such conflicts will be resolved or otherwise communicated to the Boards
- Ensure conformance of Internal Audit with the Standards. If Internal Audit is prohibited by law or regulation from conformance with certain parts of the Standards, the chief of Internal Audit will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards
Based on securement of independence and objectivity of internal audit divisions by the executive in charge of Internal Audit, Group CAO will ensure that internal auditors remain free from all conditions that threaten the ability to carry out internal audit responsibilities in an unbiased manner. If Group CAO determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement any function or engage in any activity that could impair their judgement.
Where the chief of Internal Audit of the Company and subsidiaries has or is expected to have roles and / or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Group CAO will confirm to the Audit Committee, at least annually, the organizational independence of Internal Audit.
Group CAO will disclose to the Board of the Company any interference and related implications in determining the scope of internal auditing, performing work, and / or communicating results.
Internal Audit will develop and maintain a quality assurance and improvement program that covers all aspects of Internal Audit. The program will include an evaluation of Internal Audit's conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement.
Group CAO will communicate to senior management and the Audit Committee of the Company on Internal Audit's quality assurance and improvement program, including results of internal assessments and external assessments conducted at least once every five years by a qualified, independent and outside assessor.
IAHD reports functionally to the Board and administratively to senior management. To establish, maintain, and assure that IAHD has sufficient authority to fulfill their duties through the Audit Committee, which is under the umbrella of the Board, the Board will;
- Review and evaluate the framework and operation of MUFG Group internal audit
- Obtain explanations on, and discuss with IAHD, IAHD's proposed audit plan, risk management based on which such plan has been prepared, audit focus areas, and staffing plan including retention of any external expert, and approve such audit plan
- Obtain an internal audit's reports on, and discuss with IAHD, any significant matters relating to an internal audit, including the execution, findings and results of, and communications with management regarding, the internal audit, and provide instructions, as necessary, to IAHD
- Examine the evaluation of the Internal Audit periodically performed, and any recommendation made, by an outside assessor and evaluate the Internal Audit's responses to such evaluation or recommendation
- Assess performance of assignment and sustainable enhancement measures related to methodologies and employee development
- Determine the appointment of Group CAO and other personnel who perform significant internal audit functions of the Company, and communicate such determination to the Nominating and Governance Committee of the Board
- Perform an annual evaluation of Group CAO, considering the performance of Internal Audit, and submit such evaluation to the Compensation Committee of the Board
The Boards authorizes Internal Audit to;
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports
- Obtain assistance from the necessary personnel of MUFG Group, as well as other specialized services from within or outside MUFG Group, in order to complete the engagement