Role of Internal Audit
“MUFG Group” means Mitsubishi UFJ Financial Group, Inc. and its subsidiaries.
What is Internal Audit?
Every business organization faces various risk elements. For example, clerical errors could occur in paper work and there could be cyberattacks when using a network environment. Internal Audit assesses the consequences of risks surrounding the company and evaluates whether each division is taking appropriate actions in accordance with the risk level.
Furthermore, risks would include not only mistakes and accidents but also apply to situations where the company could not achieve the goals and objectives as originally set.
Major procedures of an internal audit are as follows;
- Develop an annual audit plan to select audits to be conducted in a fiscal year
- Examine audited divisions through inquiry, observation, inspection, and re-performance, for example, inspecting submitted documents and performing interviews
- Report internal audit results to senior management and announce them to audited divisions
- Follow up on whether audited divisions are addressing issues timely
1. Planning of internal audit
3. Communication of internal audit results
Furthermore, report such results to appropriate bodies.
Internal Audit covers all parts of MUFG Group's business activities, discussing and evaluating management / operation framework and business implementation in the scope of legality, rationality and efficiency, beyond checking compliance with defined procedures and legal regulations.
In addition, Internal Audit provides instructions and recommendations for operational improvement of audited divisions and reports these to senior management, thereby contributing to safeguarding and development of the assets of MUFG Group.
Three Lines of Defense Framework
Among others, financial institutions have had a keen awareness of the problem behind the risk management structure that mainly depends on divisions in charge of each risk category, reflecting on lessons learned from past financial crises, and reviewed roles and responsibilities of each division in the risk management.
Reflecting this background, the concept of “Three Lines of Defense” was invented and roles and responsibilities of each division in the risk management were defined, classifying divisions within an organization into “the 1st Line of Defense”, “the 2nd Line of Defense” and “the 3rd Line of Defense”.
- The 1st Line of Defense (the business division, client-facing divisions) undertakes risks within the extent of risk exposure assigned and is responsible and accountable for identifying, evaluating and controlling business risks.
- The 2nd Line of Defense (the risk management division, compliance division etc.) ensures that risks are identified and managed by the 1st Line of Defense.
- The 3rd Line of Defense (the internal audit division) independently evaluates the efficiency of governance, risk management, and control processes implemented by the 1st and 2nd Lines of Defense.
Group Internal Audit Framework
Internal audit division in the holding company receives reports from main directly-owned subsidiaries on the performance and results of internal audits and status of other business and provides instruction and evaluation as needed.
Reports to the Internal Audit Committee
The holding company has an audit committee within its board of directors and each of the major subsidiaries has an Audit & Supervisory Committee or a voluntarily established internal audit and compliance committee.
Within each of the holding company and the major subsidiaries, Internal Audit reports to the committee on important matters including governing principles in the internal audit plan, the progress status and results of the internal audits.
MUFG Internal Audit Activity Charter
Assurance is an independent assessment through an objective evaluation. Consulting is providing advice that adds value to Management.
- Risks relating to the achievement of MUFG Group's strategic objectives are appropriately identified and managed
- Operations or programs are being carried out effectively and efficiently
- The results of operations or programs are consistent with established goals and objectives
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the Company and Subsidiaries
- The actions of the Company and Subsidiaries' officers, directors, employees, and contractors are in compliance with the Company and Subsidiaries' policies, procedures, and applicable laws, regulations, and governance standards
- Controls over financial reporting are designed and operated effectively
- Controls over disclosure are designed and operated effectively
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity
- Resources and assets are acquired economically, used efficiently, and protected adequately
Internal Audit perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided Internal Audit does not assume management responsibility.
- Submit, at least annually, to senior management and the Board or other appropriate bodies (“the Boards”) a risk-based internal audit plan for review and approval
- Communicate to the Boards the impact of resource limitations on the internal audit plan
- Review and adjust the internal audit plan, as necessary, in response to changes in the Company and Subsidiaries' business, risks, operations, programs, systems, and controls
- Communicate to the Boards any significant interim changes to the internal audit plan
- Ensure each engagement of the internal audit plan is executed. Each engagement includes the following;
- The establishment of objectives and scope
- The assignment of appropriate and adequately supervised resources
- The documentation of work programs and testing results
- The communication of engagement results with applicable conclusions and recommendations to appropriate parties
- Follow up on engagement findings and corrective actions, and report periodically to the Boards any corrective actions not effectively implemented
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld
- Ensure Internal Audit collectively possess or obtain the knowledge, skills, and other competencies needed to meet the requirements of this policy
- Ensure trends and emerging issues that could impact the Company and Subsidiaries are considered and communicated to the Boards as appropriate
- Ensure emerging trends and leading class practices in internal auditing are considered
- Establish and ensure adherence to policies and procedures designed to guide Internal Audit
- Ensure adherence to the Company and Subsidiaries' relevant policies and procedures, unless such policies and procedures conflict with this policy. Any such conflicts will be resolved or otherwise communicated to the Boards
- Ensure conformance of Internal Audit with the Standards. If Internal Audit is prohibited by law or regulation from conformance with certain parts of the Standards, the chief of Internal Audit will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement any function or engage in any activity that could impair their judgement.
Where the chief of Internal Audit of the Company and subsidiaries has or is expected to have roles and / or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Group CAO will confirm to the Audit Committee, at least annually, the organizational independence of Internal Audit.
Group CAO will disclose to the Board of the Company any interference and related implications in determining the scope of internal auditing, performing work, and / or communicating results.
Group CAO will communicate to senior management and the Audit Committee of the Company on Internal Audit's quality assurance and improvement program, including results of internal assessments and external assessments conducted at least once every five years by a qualified, independent and outside assessor.
- Review and evaluate the framework and operation of MUFG Group internal audit
- Obtain explanations on, and discuss with IAHD, IAHD's proposed audit plan, risk management based on which such plan has been prepared, audit focus areas, and staffing plan including retention of any external expert, and approve such audit plan
- Obtain an internal audit's reports on, and discuss with IAHD, any significant matters relating to an internal audit, including the execution, findings and results of, and communications with management regarding, the internal audit, and provide instructions, as necessary, to IAHD
- Examine the evaluation of the Internal Audit periodically performed, and any recommendation made, by an outside assessor and evaluate the Internal Audit's responses to such evaluation or recommendation
- Assess performance of assignment and sustainable enhancement measures related to methodologies and employee development
- Determine the appointment of Group CAO and other personnel who perform significant internal audit functions of the Company, and communicate such determination to the Nominating and Governance Committee of the Board
- Perform an annual evaluation of Group CAO, considering the performance of Internal Audit, and submit such evaluation to the Compensation Committee of the Board
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports
- Obtain assistance from the necessary personnel of MUFG Group, as well as other specialized services from within or outside MUFG Group, in order to complete the engagement