BURSA AR13 - page 68

Bursa Malaysia • Annual Report 2013
b. The Board is updated on the Group’s performance at every meeting.
The Group’s Business Plan and Budget performance for the year is
reviewed and deliberated upon by the Board on a half-yearly basis.
Financial performance variances are presented to the Board on a
quarterly basis.
c. There is a regular and comprehensive flow of information to the Board
and Management on all aspects of the Group’s operations to facilitate
the monitoring of performance against the Group’s corporate strategy,
business and regulatory plans. The Board also reviews and approves
the Annual Regulatory Report, aimed at reporting to the Securities
Commission (SC) under Section 16 of the CMSA, the extent to which
Bursa Malaysia and its subsidiaries have complied with their duties
and obligations under Sections 11 and 21 of the CMSA.
d. The Director of Corporate Services, who is also the Chief Financial
Officer (CFO), is required to provide assurance to the AC that adequate
processes and controls are in place for an effective and efficient
financial statements close process in the preparation of financial
statements for every quarter. The CFO also assures that appropriate
accounting policies have been adopted and applied consistently to give
a true and fair view of the state of affairs of the Group in compliance
with the Malaysian Financial Reporting Standards, International
Financial Reporting Standards and the requirements of the Companies
Act 1965 of Malaysia.
4. Policies and Procedures
a. Clear, formalised and documented internal policies, standards
and procedures are in place to ensure compliance with internal
controls and relevant laws and regulations. A list of identified laws
and regulations applicable to Bursa Malaysia is documented and
maintained to facilitate compliance. Regular reviews are performed
to ensure that documentation remains current and relevant. Common
Group policies are available on Bursa Malaysia’s intranet for easy
access by staff.
b. For significant system development/enhancement projects, whether
involving new product/service launches or not, the GIA conducts a
System Readiness Review to ensure that due processes have been
complied with prior to the implementation or launch of the product/
service.
5. Audits
a. Through its internal audits, GIA assesses compliance with policies
and procedures as well as relevant laws and regulations. In addition,
it examines and evaluates the effectiveness and efficiency of the
Group’s internal control system using the risk-based audit approach.
Statement on Internal Control and Risk Management
b. Annual on-site regulatory audits are conducted by the SC on the Group’s
operations to ensure compliance with its duties and obligations under
the CMSA, as well as its policies and procedures.
c. The yearly certification for Information Security Malaysia Standard, MS
ISO/IEC 27001:2007 Information Security Management Systems was
carried out by CyberSecurity Malaysia.
d. The Auditor Independence Policy requires the lead audit and
engagement quality reviewing partners to be subject to a five-
year rotation with a five-year cooling off period. An annual plan,
encompassing planned statutory audit, recurring non-audit services
and other anticipated non-audit services by the External Auditors,
requires prior approval by the AC. The AC’s approval is also required
for unplanned non-audit services obtained from the current External
Auditor.
e. The GIA team is required to conduct an assessment of the internal
control system pertaining to the processes of the relevant business
units/functional groups which have a bearing on the financial
information of Bursa Malaysia, to ensure the reliability and integrity of
such information. The Senior Executive Vice President, Group Internal
Audit, who is also the Head of GIA, is required to confirm the effective
operation of process controls which support the preparation of the
financial statements.
f. Besides the annual audit, the External Auditors are engaged to conduct
a limited review of the quarterly financial results together with the
cumulative quarters in accordance with International Standard on
Review Engagements 2410 (ISRE 2410), “Review of Interim Financial
Reporting Information Performed by the Independent Auditor of the
Entity” for the first three quarters of the year.
6. Risk Management
a. The Group has in place an ERM framework for managing risks
affecting its business and operations. One of the key features of our
ERM framework is the risk governance structure comprising three
lines of defence with established and clear functional responsibilities
and accountabilities for the management of risk.
b. Senior Management, which includes Management Committee
members and Divisional Heads, are the first line of defence and are
accountable for all risks assumed under their respective areas of
responsibility in line with the Risk Management Policy and Guidelines.
This group is also responsible for creating a risk-awareness culture,
which will ensure greater understanding of the importance of risk
management and ensure that its principles are embedded in key
operational processes and all projects.
Governance