A Policy Proposal for the Functional Enhancement of Internal Audit of Japan

Background

  1. There are two functions in the mission of internal audit: contribution to the value protection of an organization and contribution to the value creation. In the first function internal audit takes a role as governance for defense conducting compliance related audits. In the second function internal audit takes another role as governance for offense conducting audits focusing on the business effectiveness and efficiency, and the risks relating to the business model or business strategy.
  2. As the business environment rapidly and disruptively changes management needs to implement successfully their firm’s business model and strategy for the value creation and achieve the sustainable growth. Considering this factor as well as the limitation of internal audit function of protecting the firm against non-compliance events, internal audit should enhance its function to contribute to the value creation of the firm and play more role in governance for offense. The benefit of this functional enhancement of internal audit has already been realized in major firms in the west. Internal audit of Japanese firms should follow their experience to enhance the internal audit function and this argument is supported by Japanese Financial Services Agency (FSA) at least for financial institutions when FSA publicly issued  a document “Present conditions and future issues for enhancement of internal audit functions in Japanese financial institutions” in June, 2019.
  3. A research backing this policy proposal shows that among the 49 Japanese firms that have 20 and more internal auditors and that have issued integrated reports some have already established a function relating to the value creation while the majority remain at a stage where its main function relates to the value protection.
  4. It is easy to assume that internal audit departments with less than 20 internal auditors remain at the stage due to its scale limitation. Therefore, the cause analysis of the functional gap of the 49 firms surely tells what policy proposal is needed for the functional enhancement of internal audit in Japanese firms as a whole.
  5. Two factors are analyzed to explain about the functional gap: the difference of the awareness level of risk management of the subject firms and the difference of the level of trust in the internal audit departments of the subject firms. Due to the difficulty to observe the level of trust directly, the difference of interactions of internal audit departments with the supreme governance organizations (CEO, Directors of the Board including unaffiliated directors, Audit Committee, Audit and Supervisory Committee, and Kansayaku (Audit and Supervisory Board=a Japanese unique system to supervise the Directors of the Board)) is analyzed instead. The analyses have found that the two factors respectively have a moderate correlation with the functional gap.

Policy Proposal

1. Japanese firms should enhance internal audit functions toward the following direction:

  • Be responsible for governance for defense (audit for value protection) as well as governance for offense(audit for value creation).
  • Shift the focus of audit to the risk that arises when the business model and processes do not meet their objectives.
  • Step forward to become a trusted advisor.

2. In order to achieve the enhancement of internal audit functions specified in 1, we propose the measures below. The measures are tagged to two routes that are identified as two causes in the analysis of the functional gap: 2-1. measures to raise awareness of risk management and 2-2. measures to gain more trust in internal audit function.

2-1. Measures to raise awareness of risk management

  • Encourage management to write up the integrated report based on the integrated thinking defined by IIRC Integrated Reporting Framework
  • Grant internal audit function a role in the process of preparing an integrated report (e.g., assurance of the integrity of the report)
  • Raise awareness of Japanese companies of the fundamental risk management framework.
  • Internal audit department should make an extra effort to raise awareness of risk management inside the company.

2-2. Measures to gain more trust in internal audit function

  • Enrich the interactions of internal audit department with the supreme governance organizations (CEO, Directors of the Board including unaffiliated directors, Audit Committee, Audit and Supervisory Committee, and Kansayaku).
  • Increase the interactions of internal audit department with the Board, particularly with the unaffiliated directors.
  • Develop the dual reporting line.
  • Provide more consulting services to management.
  • Make internal audit experience as a career step to senior management.

This brief is part of a research report published in the Journal of the Institute of Internal Auditors-Japan, Vol.45, No.12, Dec.2019, by Prof. Hiroshi Naka. For more details, please download the executive summary below.