Annual Report 2012

INTERNAL CONTROL STATEMENT

 

The Board is committed to maintaining a sound internal control system. Each business unit/functional group has implemented its own control processes under the leadership of the Chief Executive Officer (CEO), who is responsible for good business and regulatory governance. The following statement outlines the nature and scope of the Group's internal control in 2012.
 
BOARD'S RESPONSIBILITY

The Board affirms its overall responsibility for the Group's system of internal control and risk management and for reviewing the adequacy and integrity of the system. The system of internal control covers governance, risk management, financial, strategy, organisational, operational, regulatory and compliance control. However, the Board recognises that this system is designed to manage, rather than eliminate, the risk of not adhering to the Group's policies and not achieving goals and objectives. Therefore, the system provides reasonable, but not absolute, assurance against the occurrence of any material misstatement, loss or fraud.

In 2012, the adequacy and effectiveness of internal controls were reviewed by the Audit Committee (AC) in relation to internal audits conducted by Group Internal Audit (GIA) during the year. Audit issues as well as actions taken by Management to address these issues tabled by the GIA were deliberated during the AC meetings. Minutes of the AC meetings which recorded deliberations held during these meetings were presented to the Board.
 
RISK MANAGEMENT

Risk management is firmly embedded in the Group's management systems. To manage risk in our activities, and ensure they are aligned with the Group's strategic objectives and regulatory requirements, Bursa Malaysia implemented an enterprise-wide risk management framework to identify, measure, assess and manage risks faced by the Group. This framework is reviewed periodically to ensure it is relevant and adequate to manage the organisation's risks, which continue to evolve along with the changing business environment. Bursa Malaysia also has an automated system to support the establishment and implementation of its enterprise risk management process. The Group strongly believes that prudent risk management is vital for business sustainability and the enhancement of shareholder value.
 
KEY INTERNAL CONTROL PROCESSES

The Group's internal control system encompasses the following key processes:

  1. Separation of Commercial and Regulatory Functions

    1. The Group's commercial and regulatory functions are segregated to ensure the proper discharge of Bursa Malaysia's regulatory duties. Both these functions operate independently of each other to ensure that business units are not in a position to influence any regulatory decision made by the Regulation unit. The CEO is not involved in the deliberation or decision making on matters relating to applications for secondary issuance of securities, waivers and extension of time to comply with the Listing Requirements, disciplinary actions or the commencement of relevant regulatory procedures or actions pursuant to the rules of the Group.

      It is Bursa Malaysia's statutory duty to always act in the public interest, having particular regard for the need to protect investors. Accordingly, public interest prevails in the event that Bursa Malaysia's own interest, or any interest that it is required to serve under any law relating to corporations, conflicts with the public interest. Four Public Interest Directors (PIDs) are appointed by the Minister of Finance to Bursa Malaysia's Board to ensure decisions are made in the public interest. Regulatory Committees which have been set up to deliberate and decide on regulatory matters comprise independent individuals with significant and relevant industry experience, apart from Board members, to further ensure Bursa Malaysia upholds its obligation to safeguard the public interest.

    2. Processes are established and set out in the Guidelines for Handling Conflict of Interest (COI) to deal with any possible COI which may arise in the course of Bursa Malaysia performing its commercial or regulatory role. The types of COI managed by the Guidelines for Handling COI are:

      • COI or potential COI where Bursa Malaysia or its subsidiaries make regulatory decisions involving listed issuers, market participants or advisers/sponsors with whom Bursa Malaysia or its subsidiaries have a commercial or competitive relationship;

      • COI or potential COI where Bursa Malaysia makes a business decision which may have an adverse impact on the performance of its regulatory duties; and

      • Conflicts arising from the interest (direct or indirect) of a Director, member or major shareholder or person connected with such Director, member or major shareholder in a transaction proposed to be entered into, or action/decision to be taken, by Bursa Malaysia or its subsidiaries.

  2. Authority and Responsibility

    1. Certain responsibilities are delegated to Board Committees through clearly defined Terms of Reference (TOR) which are reviewed annually.

    2. The Authority Limits Document is reviewed from time to time to reflect the authority and authorisation limits of Management in all aspects of Bursa Malaysia's major business operations and regulatory functions.

    3. The Group's Management Governance Framework, comprising two committees for governance function and three committees for business operations function, has clearly defined TOR to enable good business and regulatory governance.

  3. Planning, Monitoring and Reporting

    1. An annual planning and budgetary exercise is undertaken requiring all divisions to prepare business plans and budgets for the forthcoming year, which are deliberated upon and approved by the Board before implementation.

    2. Updates on the Group's performance are provided to the Board at every meeting. The Group's performance for the year is reviewed and deliberated by the Board on a half-yearly basis. Financial performance variances are presented to the Board on a quarterly basis.

    3. There is a regular and comprehensive flow of information to the Board and Management on all aspects of the Group's operations to facilitate the monitoring of performance against the Group's corporate strategy, business and regulatory plans. The Board also reviews and approves the Annual Regulatory Report, aimed at reporting to the Securities Commission (SC) under Section 16 of the Capital Markets and Services Act 2007 (CMSA) the extent to which Bursa Malaysia and its subsidiaries have complied with their duties and obligations under Sections 11 and 21 of the CMSA.

    4. The CFO is required to assure the AC that adequate processes and controls are in place for an effective and efficient financial statements close process in the preparation of each quarterly financial statements, including the consolidated condensed financial statements. The CFO also assures that appropriate accounting policies have been adopted and applied consistently to give a true and fair view of the state of affairs of the Group in compliance with the Malaysian Financial Reporting Standards, International Financial Reporting Standards and the requirements of the Companies Act 1965 of Malaysia.

  4. Policies and Procedures

    1. Clear, formalised and documented internal policies, standards and procedures are in place to ensure compliance with internal controls and relevant laws and regulations. A list of identified laws and regulations applicable to Bursa Malaysia is documented and maintained to facilitate compliance. Regular reviews are performed to ensure that documentation remains current and relevant. Common Group policies are available on Bursa Malaysia's intranet for easy access by staff.

    2. For significant system development/enhancement projects, whether involving new product/service launches or not, the GIA conducts a System Readiness Review to ensure that due processes have been complied with prior to the implementation or launch of the product/service.

  5. Audits

    1. Through its internal audits, GIA assesses compliance with policies and procedures as well as relevant laws and regulations. In addition, it examines and evaluates the effectiveness and efficiency of the Group's internal control system.

    2. Annual on-site regulatory audits are conducted by the SC on the Group's operations to ensure compliance with its duties and obligations under the CMSA, as well as its policies and procedures.

    3. Yearly audits are carried out by SIRIM in relation to the ISO 9001:2008 Quality Management System (ISO 9001) and ISO 14001:2004 Environment Management System (ISO 14001), collectively known in Bursa Malaysia as the Integrated Management System. This process ensures that product and service quality as well as environmental performance comply with international standards and are continuously improved.

    4. The Auditor Independence Policy requires the lead and concurring audit engagement quality reviewing audit partners to be subject to a five-year rotation with a five-year cooling-off period. An annual plan, encompassing planned statutory audit, recurring non-audit services and other anticipated non-audit services by the External Auditors, requires prior approval by the AC. AC's approval is also required for unplanned non-audit services obtained from the current External Auditor.

    5. The GIA is required to conduct an assessment of the internal control system pertaining to the processes of the relevant business units/functional groups which have a bearing on the financial information of Bursa Malaysia, to ensure reliability and integrity of such information. The Chief Internal Auditor (CIA) is required to confirm the effective operation of process controls which support the preparation of the financial statements.

    6. The External Auditors are engaged to conduct a limited review of the quarterly financial results together with the cumulative quarters.

  6. Performance Measurement

    1. Key Performance Indicators (KPIs), which are based on the Corporate Balanced Scorecard approach, are used to track and measure staff performance.

    2. Yearly employee engagement surveys and customer satisfaction surveys are conducted to gauge feedback on the effectiveness and efficiency of stakeholder engagement for continuous improvement.

  7. Staff Competency

    1. Hiring and termination guidelines are in place while training and development programmes are conducted to ensure that staff are competent and kept up to date with the necessary competencies to carry out their respective duties towards achieving the Group's objectives.

  8. Conduct of Staff

    1. A Code of Ethics is established for all employees, which defines the ethical standards and conduct of work required at Bursa Malaysia.

    2. Bursa Malaysia has a stand-alone Whistleblower Policy and Procedures (WPP) to provide an avenue for staff or any external party to report any breach or suspected breach of any law or regulation, including business principles and the Group's policies and guidelines, in a safe and confidential manner. The WPP serves as an anti-fraud programme or internal control mechanism to mitigate the risk of fraud and to improve corporate governance by ensuring that any improper conduct committed by any employee will be exposed when reported and dealt with appropriately. To avoid any possible COI, the AC is appointed by the Board to oversee the WPP and to ensure effective administration thereof by the CIA and/or designated officer(s) of the GIA. The Senior Independent Non-Executive Director, who serves as a fallback point of contact when other channels of communication are inappropriate or inadequate, is designated to receive report(s) made by employees or external parties for the purpose of whistleblowing in accordance with the WPP.

    3. A Securities Transaction Policy is established to govern the securities transactions of the Group's staff. The policy prohibits employees from using unpublished price sensitive information obtained during the course of their work for personal gain or for the gain of other persons. Employees (including principal officers) are also not allowed to trade in the securities of Bursa Malaysia during the closed period, which is 30 calendar days preceding the announcement of Bursa Malaysia's quarterly and annual financial results.

    4. A Corporate Fraud Policy is established to aid in the detection and prevention of fraud and to promote consistent organisational behaviour and practices.

    5. A Confidentiality Policy is established for the management, control and protection of confidential information used by the Group to avoid leakage and improper use of such information.

    6. Management and employees of Grade 4 and above are required to declare their assets annually and provide an update on assets acquired.

    7. Segregation of duties is practised whereby conflicting tasks are apportioned between different members of staff to reduce the scope for error and fraud.

  9. Business Continuity Planning

    1. A comprehensive Business Continuity Plan (BCP), including a Disaster Recovery Plan which is tested annually, is in place to ensure continuity of business operations. A BCP industry-wide test for securities, bond, Islamic and Labuan International Financial Exchange (LFX) markets was successfully conducted on 24 November 2012.

  10. Insurance

    1. There exists sufficient insurance coverage and physical safeguards on major assets to ensure the Group's assets are adequately covered against any mishap that could result in material loss. A yearly policy renewal exercise is undertaken in which Management reviews the coverage based on the current fixed asset inventory and the respective net book values and 'replacement value', i.e. the prevailing market price for the same or similar item, where applicable. The underwriter also assists by conducting a risk assessment, which helps Bursa Malaysia in assessing the adequacy of the intended coverage. There is also a yearly renewal exercise to ensure adequacy in the Group's professional indemnity insurance coverage.
 
REVIEW OF THIS STATEMENT

Pursuant to paragraph 15.23 of the Main Market Listing Requirements, the External Auditors have reviewed this Statement and the Risk Management Statement for inclusion in the 2012 Annual Report, and reported to the Board that nothing has come to their attention that causes them to believe that the Statements are inconsistent with their understanding of the process adopted by the Board in reviewing the adequacy and integrity of the system of internal control. Both statements were approved by the Board on 31 January 2013.

Additionally, GIA has reviewed this Statement and reported to the AC that, while it has addressed individual lapses in internal control during the course of its internal audit assignments for the year, it has not identified any circumstances which suggest any fundamental deficiencies in the Group's internal control system.
 
CONCLUSION

The Board is of the view that the system of internal control and risk management in place for the year under review, and up to the date of approval of this Statement and the Risk Management Statement, is sound and sufficient to safeguard shareholders' investment, the interests of customers, regulators, employees and other stakeholders, and the Group's assets.

The Board has received assurance from the CEO and CFO that the company's risk management and internal control system is operating adequately and effectively, in all material aspects, based on the risk management model adopted by the Group.