Annual Report 2012
Internal Control Statement
The Board is committed to maintaining a sound
internal control system. Each business unit/
functional group has implemented its own control
processes under the leadership of the Chief
Executive Officer (CEO), who is responsible for
good business and regulatory governance. The
following statement outlines the nature and scope
of the Group's internal control in 2012.

BOARD'S RESPONSIBILITY
The Board affirms its overall responsibility for the Group's system of
internal control and risk management and for reviewing the adequacy and
integrity of the system. The system of internal control covers governance,
risk management, financial, strategy, organisational, operational,
regulatory and compliance control. However, the Board recognises that
this system is designed to manage, rather than eliminate, the risk of
not adhering to the Group's policies and achieving goals and objectives.
Therefore, the system provides reasonable, but not absolute, assurance
against the occurrence of any material misstatement, loss or fraud.
In 2012, the adequacy and effectiveness of internal controls were
reviewed by the Audit Committee (AC) in relation to internal audits
conducted by Group Internal Audit (GIA) during the year. Audit issues as
well as actions taken by Management to address these issues tabled
by the GIA were deliberated during the AC meetings. Minutes of the AC
meetings which recorded deliberations held during these meetings were
presented to the Board.

RISK MANAGEMENT
Risk management is firmly embedded in the Group's management
systems. To manage risk in our activities, and ensure they are aligned
with the Group's strategic objectives and regulatory requirements, Bursa
Malaysia implemented an enterprise-wide risk management framework
to identify, measure, assess and manage risks faced by the Group. This
framework is reviewed periodically to ensure it is relevant and adequate
to manage the organisation's risks, which continue to evolve along
with the changing business environment. Bursa Malaysia also has an
automated system to support the establishment and implementation
of its enterprise risk management process. The Group strongly believes
that prudent risk management is vital for business sustainability and the
enhancement of shareholder value.

KEY INTERNAL CONTROL PROCESSES
The Group's internal control system encompasses the following key
processes:
- Separation of Commercial and Regulatory Functions
- The Group's commercial and regulatory functions are
segregated to ensure the proper discharge of Bursa
Malaysia's regulatory duties. Both these functions operate independently of each other to ensure that business units are
not in a position to influence any regulatory decision made by
the Regulation unit. The CEO is not involved in the deliberation
or decision making on matters relating to applications for
secondary issuance of securities, waivers and extension of
time to comply with the Listing Requirements, disciplinary
actions or the commencement of relevant regulatory
procedures or actions pursuant to the rules of the Group.
It is Bursa Malaysia's statutory duty to always act in the
public interest, having particular regard for the need to
protect investors. Accordingly, public interest prevails in the
event that Bursa Malaysia's own interest, or any interest that
it is required to serve under any law relating to corporations,
conflicts with the public interest. Four Public Interest
Directors (PIDs) are appointed by the Minister of Finance to
Bursa Malaysia's Board to ensure decisions are made in the
public interest. Regulatory Committees which have been set
up to deliberate and decide on regulatory matters comprise
independent individuals with significant and relevant industry
experience, apart from Board members, to further ensure
Bursa Malaysia upholds its obligation to safeguard the public
interest.
- Processes are established and set out in the Guidelines for
Handling Conflict of Interest (COI) to deal with any possible
COI which may arise in the course of Bursa Malaysia
performing its commercial or regulatory role. The types of
COI managed by the Guidelines for Handling COI are:
- COI or potential COI where Bursa Malaysia or its
subsidiaries make regulatory decisions involving listed
issuers, market participants or advisers/sponsors
with whom Bursa Malaysia or its subsidiaries have a
commercial or competitive relationship;
- COI or potential COI where Bursa Malaysia makes a
business decision which may have an adverse impact
on the performance of its regulatory duties; and
- Conflicts arising from the interest (direct or indirect)
of a Director, member or major shareholder or person
connected with such Director, member or major
shareholder in a transaction proposed to be entered
into, or action/decision to be taken, by Bursa Malaysia
or its subsidiaries.
- Authority and Responsibility
- Certain responsibilities are delegated to Board Committees
through clearly defined Terms of Reference (TOR) which are
reviewed annually.
- The Authority Limits Document is reviewed from time to time
to reflect the authority and authorisation limits of Management
in all aspects of Bursa Malaysia's major business operations
and regulatory functions.
- The Group's Management Governance Framework,
comprising two committees for governance function and
three committees for business operations function, has
clearly defined TOR to enable good business and regulatory
governance.
- Planning, Monitoring and Reporting
- An annual planning and budgetary exercise is undertaken
requiring all divisions to prepare business plans and budgets
for the forthcoming year, which are deliberated upon and
approved by the Board before implementation.
- Updates on the Group's performance are provided to the
Board at every meeting. The Group's performance for the
year is reviewed and deliberated by the Board on a half-yearly
basis. Financial performance variances are presented
to the Board on a quarterly basis.
- There is a regular and comprehensive flow of information
to the Board and Management on all aspects of the Group's
operations to facilitate the monitoring of performance against
the Group's corporate strategy, business and regulatory plans.
The Board also reviews and approves the Annual Regulatory
Report, aimed at reporting to the Securities Commission
(SC) under Section 16 of the Capital Markets and Services
Act 2007 (CMSA) the extent to which Bursa Malaysia and its
subsidiaries have complied with their duties and obligations
under Sections 11 and 21 of the CMSA.
- The CFO is required to assure the AC that adequate processes
and controls are in place for an effective and efficient
financial statements close process in the preparation of each
quarterly financial statements, including the consolidated
condensed financial statements. The CFO also assures that
appropriate accounting policies have been adopted and
applied consistently to give a true and fair view of the state
of affairs of the Group in compliance with the Malaysian
Financial Reporting Standards, International Financial
Reporting Standards and the requirements of the Companies
Act 1965 of Malaysia.
- Policies and Procedures
- Clear, formalised and documented internal policies, standards
and procedures are in place to ensure compliance with
internal controls and relevant laws and regulations. A list of
identified laws and regulations applicable to Bursa Malaysia is
documented and maintained to facilitate compliance. Regular
reviews are performed to ensure that documentation remains
current and relevant. Common Group policies are available on
Bursa Malaysia's intranet for easy access by staff.
- For significant system development/enhancement projects,
whether involving new product/service launches or not,
the GIA conducts a System Readiness Review to ensure
that due processes have been complied with prior to the
implementation or launch of the product/service.
- Audits
- Through its internal audits, GIA assesses compliance
with policies and procedures as well as relevant laws and
regulations. In addition, it examines and evaluates the
effectiveness and efficiency of the Group's internal control
system.
- Annual on-site regulatory audits are conducted by the SC on
the Group's operations to ensure compliance with its duties
and obligations under the CMSA, as well as its policies and
procedures.
- Yearly audits are carried out by SIRIM in relation to the ISO
9001:2008 Quality Management System (ISO 9001) and ISO
14001:2004 Environment Management System (ISO 14001),
collectively known in Bursa Malaysia as the Integrated
Management System. This process ensures that product and
service quality as well as environmental performance comply
with international standards and are continuously improved.
- The Auditor Independence Policy requires the lead and
concurring audit engagement quality reviewing audit partners
to be subject to a five-year rotation with a five-year
cooling-off period. An annual plan, encompassing planned statutory
audit, recurring non-audit services and other anticipated non-audit
services by the External Auditors, requires prior approval
by the AC. The AC's approval is also required for unplanned non-audit
services obtained from the current External Auditor.
- The GIA is required to conduct an assessment of the internal
control system pertaining to the processes of the relevant
business units/functional groups which have a bearing on the
financial information of Bursa Malaysia, to ensure reliability
and integrity of such information. The Chief Internal Auditor
(CIA) is required to confirm the effective operation of process
controls which support the preparation of the financial
statements.
- The External Auditors are engaged to conduct a limited
review of the quarterly financial results together with the
cumulative quarters.
- Performance Measurement
- Key Performance Indicators (KPIs), which are based on the
Corporate Balanced Scorecard approach, are used to track
and measure staff performance.
- Yearly employee engagement surveys and customer
satisfaction surveys are conducted to gauge feedback on the
effectiveness and efficiency of stakeholder engagement for
continuous improvement.
- Staff Competency
- Hiring and termination guidelines are in place while training
and development programmes are conducted to ensure that
staff are competent and kept up to date with the necessary
competencies to carry out their respective duties towards
achieving the Group's objectives.
- Conduct of Staff
- A Code of Ethics is established for all employees, which
defines the ethical standards and conduct of work required
at Bursa Malaysia.
- Bursa Malaysia has a stand-alone Whistleblower Policy
and Procedures (WPP) to provide an avenue for staff or any
external party to report any breach or suspected breach of
any law or regulation, including business principles and the
Group's policies and guidelines, in a safe and confidential
manner. The WPP serves as an anti-fraud programme or
internal control mechanism to mitigate the risk of fraud
and to improve corporate governance by ensuring that
any improper conduct committed by any employee will be
exposed when reported and dealt with appropriately. To avoid
any possible COI, the AC is appointed by the Board to oversee
the WPP and to ensure effective administration thereof by
the CIA and/or designated officer(s) of the GIA. The Senior
Independent Non-Executive Director, who serves as a fallback
point of contact when other channels of communication are
inappropriate or inadequate, is designated to receive report(s)
made by employees or external parties for the purpose of
whistleblowing in accordance with the WPP.
- A Securities Transaction Policy is established to govern
the securities transactions of the Group's staff. The policy
prohibits employees from using unpublished price-sensitive
information obtained during the course of their work for
personal gain or for the gain of other persons. Employees
(including principal officers) are also not allowed to trade in
the securities of Bursa Malaysia during the closed period,
which is 30 calendar days preceding the announcement of
Bursa Malaysia's quarterly and annual financial results.
- A Corporate Fraud Policy is established to aid in the
detection and prevention of fraud and to promote consistent
organisational behaviour and practices.
- A Confidentiality Policy is established for the management,
control and protection of confidential information used by the
Group to avoid leakage and improper use of such information.
- Management and employees of Grade 4 and above are
required to declare their assets annually and provide an
update on assets acquired.
- Segregation of duties is practised whereby conflicting tasks
are apportioned between different members of staff to
reduce the scope for error and fraud.
- Business Continuity Planning
- A comprehensive Business Continuity Plan (BCP), including
a Disaster Recovery Plan which is tested annually, is in
place to ensure continuity of business operations. A BCP
industry-wide test for securities, bond, Islamic and Labuan
International Financial Exchange (LFX) markets was
successfully conducted on 24 November 2012.
- Insurance
- There exists sufficient insurance coverage and physical
safeguards on major assets to ensure the Group's assets are
adequately covered against any mishap that could result in
material loss. A yearly policy renewal exercise is undertaken
in which Management reviews the coverage based on the
current fixed asset inventory and the respective net book
values and 'replacement value', i.e. the prevailing market
price for the same or similar item, where applicable. The
underwriter also assists by conducting a risk assessment,
which helps Bursa Malaysia in assessing the adequacy of the
intended coverage. There is also a yearly renewal exercise
to ensure adequacy in the Group's professional indemnity
insurance coverage.

REVIEW OF THIS STATEMENT
Pursuant to paragraph 15.23 of the Main Market Listing Requirements,
the External Auditors have reviewed this Statement and the Risk
Management Statement for inclusion in the 2012 Annual Report, and
reported to the Board that nothing has come to their attention that
causes them to believe that the Statements are inconsistent with their
understanding of the process adopted by the Board in reviewing the
adequacy and integrity of the system of internal control. Both statements
were approved by the Board on 31 January 2013.
Additionally, GIA has reviewed this Statement and reported to the AC that,
while it has addressed individual lapses in internal control during the
course of its internal audit assignments for the year, it has not identified
any circumstances which suggest any fundamental deficiencies in the
Group's internal control system.

CONCLUSION
The Board is of the view that the system of internal control and risk
management in place for the year under review, and up to the date
of approval of this Statement and the Risk Management Statement, is
sound and sufficient to safeguard shareholders' investment, the interests
of customers, regulators, employees and other stakeholders, and the
Group's assets.
The Board has received assurance from the CEO and CFO that the
company's risk management and internal control system is operating
adequately and effectively, in all material aspects, based on the risk
management model adopted by the Group.