MUFG; Internal Audit | Mitsubishi UFJ Financial Group

Role of Internal Audit

Internal Audit evaluates and improves the effectiveness of governance, risk management and control processes with high proficiency and independence, thereby contributing to enhancement of MUFG Group's value and to achievement of ”MUFG Way”.
“MUFG Group” means Mitsubishi UFJ Financial Group, Inc. and its subsidiaries.

What is Internal Audit?

Every business organization faces various risk elements. For example, clerical errors could occur in paper work and there could be cyberattacks when using a network environment. Internal Audit assesses the consequences of risks surrounding the company and evaluates whether each division is taking appropriate actions in accordance with the risk level.
Furthermore, risks would include not only mistakes and accidents but also apply to situations where the company could not achieve the goals and objectives as originally set.

Major procedures of an internal audit are as follows;

1. Planning of internal audit
2. Examination
3. Communication of the internal audit results
4. Follow-up

Internal audit mainly consists of this cycle;

Develop an annual audit plan to select audits to be conducted in a fiscal year
Examine audited divisions through inquiry, observation, inspection, and re-performance, for example, inspecting submitted documents and performing interviews
Report internal audit results to senior management and announce them to audited divisions
Follow up on whether audited divisions are addressing issues timely

1. Planning of internal audit

Assess every risk surrounding MUFG Group, develop an internal audit plan focused on high-risk areas and assign auditors to each internal audit.

2. Examination

Review evidence based on the internal audit plan in order to achieve internal audit objectives. Collect audit evidence and then analyze and evaluate etc. the collected evidence, inspecting submitted documents and performing interviews.

3. Communication of internal audit results

Communicate (feed-back) results of preliminary and actual examination to audited divisions and if recommendations are issued, provide concrete instruction whether they should respond and deadline etc.
Furthermore, report such results to appropriate bodies.

4. Follow-up

Check issue implementation status of audited divisions and report the progress to appropriate bodies.

Internal Audit covers all parts of MUFG Group's business activities, discussing and evaluating management / operation framework and business implementation in the scope of legality, rationality and efficiency, beyond checking compliance with defined procedures and legal regulations.
In addition, Internal Audit provides instructions and recommendations for operational improvement of audited divisions and reports these to senior management, thereby contributing to safeguarding and development of the assets of MUFG Group.

Three Lines of Defense Framework

The risk management shall be conducted by various divisions inside a company, such as divisions in charge of each risk category, a compliance division, and an internal audit division, etc.
Among others, financial institutions have had a keen awareness of the problem behind the risk management structure that mainly depends on divisions in charge of each risk category, reflecting on lessons learned from past financial crises, and reviewed roles and responsibilities of each division in the risk management.
Reflecting this background, the concept of “Three Lines of Defense” was invented and roles and responsibilities of each division in the risk management were defined, classifying divisions within an organization into “the 1st Line of Defense”, “the 2nd Line of Defense” and “the 3rd Line of Defense”.

The 1st Line of Defense (the business division, client-facing divisions) undertakes risks within the extent of risk exposure assigned and is responsible and accountable for identifying, evaluating and controlling business risks.
The 2nd Line of Defense (the risk management division, compliance division etc.) ensures that risks are identified and managed by the 1st Line of Defense.
The 3rd Line of Defense (the internal audit division) independently evaluates the efficiency of governance, risk management, and control processes implemented by the 1st and 2nd Lines of Defense.

Internal Audit plays an essential part of risk management through ongoing communication with the 1st and 2nd Lines of Defense, while maintaining independence.

Group Internal Audit Framework

MUFG Group has internal audit functions at the holding company level as well as subsidiaries ensuring proficiency and independence through effective collaboration.
Internal audit division in the holding company receives reports from main directly-owned subsidiaries on the performance and results of internal audits and status of other business and provides instruction and evaluation as needed.

Reports to the Internal Audit Committee

The holding company has an audit committee within its board of directors and each of the major subsidiaries has an Audit & Supervisory Committee or a voluntarily established internal audit and compliance committee.

Within each of the holding company and the major subsidiaries, Internal Audit reports to the committee on important matters including governing principles in the internal audit plan, the progress status and results of the internal audits.

MUFG Internal Audit Activity Charter

MUFG has developed and published the MUFG Internal Audit Activity Charter to define the mission and purpose, responsibility, and organizational position of internal audits.

1. Mission and Purpose of Internal Audit

2. Standards for Professional Practice

3. Scope of Internal Audit

4. Responsibility of Internal Audit

Internal Audit of the Company and Subsidiaries have the responsibility to;

Submit, at least annually, to senior management and the Board or other appropriate bodies (“the Boards”) a risk-based internal audit plan for review and approval
Communicate to the Boards the impact of resource limitations on the internal audit plan
Review and adjust the internal audit plan, as necessary, in response to changes in the Company and Subsidiaries' business, risks, operations, programs, systems, and controls
Communicate to the Boards any significant interim changes to the internal audit plan
Ensure each engagement of the internal audit plan is executed. Each engagement includes the following;

The establishment of objectives and scope
The assignment of appropriate and adequately supervised resources
The documentation of work programs and testing results
The communication of engagement results with applicable conclusions and recommendations to appropriate parties

Follow up on engagement findings and corrective actions, and report periodically to the Boards any corrective actions not effectively implemented
Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld
Ensure Internal Audit collectively possess or obtain the knowledge, skills, and other competencies needed to meet the requirements of this policy
Ensure trends and emerging issues that could impact the Company and Subsidiaries are considered and communicated to the Boards as appropriate
Ensure emerging trends and leading class practices in internal auditing are considered
Establish and ensure adherence to policies and procedures designed to guide Internal Audit
Ensure adherence to the Company and Subsidiaries' relevant policies and procedures, unless such policies and procedures conflict with this policy. Any such conflicts will be resolved or otherwise communicated to the Boards
Ensure conformance of Internal Audit with the Standards. If Internal Audit is prohibited by law or regulation from conformance with certain parts of the Standards, the chief of Internal Audit will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards

5. Independence and Objectivity

6. Quality Assurance and Improvement Program

7. The Role of the Board of Directors

IAHD reports functionally to the Board and administratively to senior management. To establish, maintain, and assure that IAHD has sufficient authority to fulfill their duties through the Audit Committee, which is under the umbrella of the Board, the Board will;

Review and evaluate the framework and operation of MUFG Group internal audit
Obtain explanations on, and discuss with IAHD, IAHD's proposed audit plan, risk management based on which such plan has been prepared, audit focus areas, and staffing plan including retention of any external expert, and approve such audit plan
Obtain an internal audit's reports on, and discuss with IAHD, any significant matters relating to an internal audit, including the execution, findings and results of, and communications with management regarding, the internal audit, and provide instructions, as necessary, to IAHD
Examine the evaluation of the Internal Audit periodically performed, and any recommendation made, by an outside assessor and evaluate the Internal Audit's responses to such evaluation or recommendation
Assess performance of assignment and sustainable enhancement measures related to methodologies and employee development
Determine the appointment of Group CAO and other personnel who perform significant internal audit functions of the Company, and communicate such determination to the Nominating and Governance Committee of the Board
Perform an annual evaluation of Group CAO, considering the performance of Internal Audit, and submit such evaluation to the Compensation Committee of the Board

The Boards authorizes Internal Audit to;

Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information
Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports
Obtain assistance from the necessary personnel of MUFG Group, as well as other specialized services from within or outside MUFG Group, in order to complete the engagement

End

Corporate Governance Policies

Compliance