Statement of Internal Control
Introduction
This Statement on Internal Control is made pursuant to the Bursa Malaysia Securities Berhad Listing Requirements, which require the Board to include in its Company Annual Report a statement about the state of its internal control. The revised Malaysian Code on Corporate Governance (2007) requires all listed companies to maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets.
Accordingly, the Board is pleased to provide the Statement on Internal Control (“Statement”) that was prepared in accordance with the “Guidance for Directors of Public Listed Company” issued by Bursa Malaysia Securities Berhad which outlines the processes to be adopted by the Board in reviewing the adequacy and integrity of the system of internal control of the Group.
Responsibility
The Board acknowledges its overall responsibility for maintaining sound internal control systems to safeguard the shareholders’ interest and the Group’s assets. The Board is of the view that the internal control framework is designed to manage the Group’s risks within an acceptable risk profile, rather than eliminate the risk of failure to achieve the policies, goals and objectives of the Group. It can therefore only provide reasonable, rather than absolute, assurance of effectiveness against material misstatement of management and financial information or against financial losses and fraud.
The Board has established an appropriate control structure and process for identifying, evaluating, monitoring and managing significant risks that may affect the achievement of business objectives. The control structure and process, which have been instituted throughout the Group, are updated and reviewed from time to time to suit changes in the business environment, and this on-going process has been in place for the whole financial year under review.
The role of Management includes:
- identifying and evaluating the risks faced;
- formulating related policies and procedures to manage these risks;
- designing, operating and monitoring a suitable system of internal controls; and
- implementing the policies approved by the Board.
Control Structure
The key processes that the Board has established in reviewing the adequacy and integrity of the system of internal controls include the following:-
Risk Management Framework
- The Board has established an organisation structure with clearly defined lines of responsibility, authority limits and accountability aligned to business and operations requirements which support the maintenance of a strong control environment. It has extended the responsibilities of the Audit Committee (“AC”) to include the assessment of internal controls, through the Internal Audit (“IA”) function.
- The Board has also delegated the responsibility of reviewing the effectiveness of risk management to the Risk Management Committee (“RMC”). The effectiveness of the risk management system is monitored and evaluated by the Group Risk Management function on an ongoing basis. The RMC assists the Board in reviewing and overseeing the effectiveness of the risk management of the Bank, while the Group Risk Management function helps to institutionalise the continuous monitoring and evaluation of the Bank’s risk management system. Any approved policy and framework formulated to identify, measure and monitor various risk components would be reviewed and recommended by the RMC to the Board. Additionally, the RMC reviews and assesses the adequacy of these risk management policies and ensures that infrastructure, resources and systems are in place for risk management.
- During the year, the Risk Management function was strengthened with the recruitment of a Group Chief Risk Officer (“GCRO”). The GCRO has an oversight of credit and risk management across the Group, as the Group expands its business regionally. The GCRO’s role is also to better align risk management to the business to make risk management more strategic within the Group.
- Risk management principles, policies, procedures and practices are updated regularly to ensure relevance and compliance with current/applicable laws and regulations, and are made available to all employees. The Group also adopted a whistle blowing policy, providing an avenue for employees to report actual or suspected malpractice, misconduct or violations of the Group’s policies and regulations in a safe and confidential manner.
- A written Management Control Policy (MCP) and Internal Control Policy (ICP) from Management are in place. The MCP outlines the specific responsibilities of the various parties, i.e. the Management, the Internal Audit Committee and the Audit Committee of the Board, pertaining to internal control for Maybank Group. The ICP is to create awareness among all the employees with regard to the internal control components and the basic control policy of Maybank Group.
- There is an Anti-Fraud Framework implemented which provides broad principles, strategy and policy for the Group to adopt in relation to fraud in order to promote a high standard of integrity. The Framework establishes robust and comprehensive programmes and controls for the Group as well as highlights the roles and responsibilities at every level for preventing and responding to fraud.
- Establishment of the three (3) lines of Defence concept – risk taking units, risk control units and internal audit. The risk taking units are responsible for the day-to-day management of risks inherent in their business activities while the risk control units are responsible for setting the risk management framework and developing tools and methodologies. Complementing this is internal audit, which provides independent assurance of the effectiveness of the risk management approach.
Internal Audit Function
- The Internal Audit function undertakes regular reviews of the Group’s operations and systems of internal control, reviewing the business processes to examine and evaluate the adequacy and efficiency of financial and operating controls, and highlights significant risks and non-compliance impacting the Group. Where applicable, it provides recommendations to improve the effectiveness of risk management, control and governance processes. Management will follow up and review the status of actions on recommendations made by the internal and external auditors. Audits are carried out on units that are identified using a risk-based approach, in cognisance of the Group’s objectives and policies in the context of its evolving business and regulatory environment, taking into consideration the input of senior management and the Board.
- The Internal Audit Committee (IAC) is a management committee chaired by the GCFO and comprises senior level representatives from a broad range of business and support units of the Bank. The IAC meets every fortnight to deliberate on the findings of all signed audit and investigation reports and decide on the appropriate action required to resolve audit issues covering all aspects of the Bank’s business and operations. Where required, representatives from the parties being audited are requested to attend the IAC meeting to enable more detailed deliberation and speedy resolution of the matter at hand. Minutes of the IAC meeting are then tabled to the ACB together with the audit reports. The IAC also follows up on the actions required by the ACB.
- The Audit Committee of the Board (ACB) meets on a monthly basis to review the internal control issues identified in reports prepared by Internal Audit, the external auditors and regulatory authorities, and further evaluates the effectiveness and adequacy of the Group’s internal control system. The ACB has active oversight over the internal audit’s independence, scope of work and resources. It also reviews the Internal Audit function, particularly the scope of the annual audit plan and frequency of the internal audit activities. The minutes of the Audit Committee meetings are tabled to the Board on a monthly basis. The details of the activities undertaken by the ACB are highlighted in the Audit Committee Report.
Other Key Elements of Internal Control
The other key elements of the procedures established by the Board that provide effective internal control include:-
- An annual business plan and budget is submitted to the Board for approval. Actual performances are reviewed against the targeted results on a monthly basis allowing timely responses and corrective actions to be taken to mitigate risks. The Board reviews regular reports from the management on the key operating statistics, as well as legal and regulatory matters. The Board also approves any changes or amendments to the Group’s policies.
- Several Board Committees are set up to assist the Board to perform its oversight function namely Credit Review Committee, Nomination and Remuneration Committee and Employee Share Scheme Committee. Specific responsibilities have been delegated to these Board Committees, all of which have formalised terms of reference. These Committees have the authority to examine all matters within their scope and report to the Board with their recommendations. For more details on the various Board Committees, please refer to pages 213 to 216.
- Various Executive Level Management Committees (ELC) are also established by Management to assist and support the various Board Committees to oversee the core areas of business operations. These ELCs include the Group Executive Committee, Group Management Credit Committee, Executive Risk Committee, Asset & Liability Management Committee, Group Procurement Committee, Group IT Steering Committee, Group Staff Committee and Human Resource Disciplinary Committee.
- Recruitment and promotion policies/guidelines within the Group are established to ensure appropriate persons of calibre are selected to fill available positions. Formal training programmes, either face-to-face or through e-learning, semi-annual and annual performance appraisals and other relevant procedures are in place to ensure that staff are competent and adequately trained to enable them to discharge their duties and responsibilities effectively. Proper guidelines are also drawn up for termination of staff.
- A clearly defined framework with appropriate empowerment and authority limits has been approved by the Board for acquisitions and disposals of assets, awarding tenders, writing off operational and credit items, donations, as well as approving general and operational expenses.
- There are policies and procedures in place to ensure compliance with internal control and the prescribed laws and regulations. These policies and procedures are set out in the Group’s Standard Practice Instruction and are updated from time to time in tandem with changes to the business environment or regulatory guidelines.
Review of the Statement by External Auditors
The external auditors have reviewed this Statement on Internal Control for inclusion in the annual report for the financial year ended 30 June 2011.
The external auditors conducted the review in accordance with the “Recommended Practice Guide 5: Guidance for Auditors on the Review of Directors’ Statement on Internal Control” (“RPG 5”) issued by the Malaysian Institute of Accountants. The review has been conducted to assess whether the Statement on Internal Control is both supported by the documentation prepared by or for the Directors and appropriately reflects the processes the Directors had adopted in reviewing the adequacy and integrity of the system of internal controls of the Group.
RPG 5 does not require the external auditors to consider whether the Directors’ Statement on Internal Control covers all risks and controls, or to form an opinion on the effectiveness of the Group’s risk and control procedures. RPG 5 also does not require the external auditors to consider whether the processes described to deal with material internal control aspects of any significant matters disclosed in the annual report will, in fact, mitigate the risks identified or remedy the potential problems.
Based on their review, the external auditors have reported to the Board that nothing had come to their attention that causes them to believe that the Statement on Internal Control is inconsistent with their understanding of the processes the Board have adopted in the review of the adequacy and integrity of the internal control of the Group.












