GOVERNANCE
Bursa Malaysia • Annual Report 2014
STATEMENT ON INTERNAL CONTROL AND RISK MANAGEMENT
d. The Director of Corporate Services, who is also the Chief Financial
Officer (CFO), is required to provide assurance to the AC that
appropriate accounting policies have been adopted and applied
consistently; that the going concern basis applied in the Annual Financial
Statements and Condensed Consolidated Financial Statements is
appropriate; and that prudent judgements and reasonable estimates
have been made in accordance with the requirements set out in
the Malaysian Financial Reporting Standards (MFRSs). The CFO also
assures that adequate processes and controls are in place for effective
and efficient financial reporting and disclosures under the MFRSs and
Bursa Malaysia Securities Berhad Main Market Listing Requirements
(MMLR); and that the Annual Financial Statements and quarterly
Condensed Consolidated Financial Statements give a true and fair
view of the financial position of the Group and do not contain material
misstatement.
4. Policies and Procedures
a. Clear, formalised and documented internal policies, standards
and procedures are in place to ensure compliance with internal
controls and relevant laws and regulations. A list of identified laws
and regulations applicable to Bursa Malaysia is documented and
maintained to facilitate compliance. Regular reviews are performed
to ensure that documentation remains current and relevant. Common
Group policies are available on Bursa Malaysia’s intranet for easy
access by employees.
b. GIA conducts a system readiness review to ensure that due process has
been complied with prior to the implementation or launch of significant
system development and enhancement projects. Post implementation
reviews are also conducted after a predefined period of time to assess
the realised benefit of the implemented systems and projects.
5. Audits
a. Through its internal audits, GIA assesses compliance with policies
and procedures as well as relevant laws and regulations. In addition,
it examines and evaluates the effectiveness and efficiency of the
Group’s internal control system using the Committee of Sponsoring
Organisations of the Treadway Commission Internal Control - Integrated
Framework as a guide.
GIA assesses the Group’s Internal Control system according to the
following five interrelated control elements:
• Control Environment
• Risk Assessment
• Control Activity
• Information and Communication
• Monitoring
b. Annual on-site regulatory audits are conducted by the SC on the Group’s
operations to ensure compliance with its duties and obligations under
the CMSA, as well as its policies and procedures.
c. The yearly certification for Information Security Malaysian Standard,
MS ISO/IEC 27001:2007 Information Security Management Systems
was carried out by CyberSecurity Malaysia.
d. The Auditor Independence Policy requires the lead audit engagement
and concurring partners be subject to a five-year rotation with a
five-year cooling off period. An annual plan, comprising a planned statutory
audit, recurring non-audit services and other anticipated non-audit
services by the External Auditors, requires prior approval by the AC.
The AC’s approval is also required for unplanned non-audit services
obtained from the current External Auditors.
e. The GIA team is required to conduct an assessment of the internal
control system pertaining to the processes of the relevant business
units/functional groups which have a bearing on the financial
information of Bursa Malaysia, to ensure the reliability and integrity of
such information. The Senior Executive Vice President, GIA, who is also
the Head of GIA, is required to confirm the effective operation of process
controls which support the preparation of the financial statements.
f. In addition to the annual audit, the External Auditors are engaged to
conduct limited reviews of the quarterly financial results together with
the cumulative quarters in accordance with International Standard on
Review Engagements 2410 (ISRE 2410), “Review of Interim Financial
Reporting Information Performed by the Independent Auditor of the
Entity” for the first three quarters of the financial year.
6. Risk Management
a. The Group has in place an Enterprise Risk Management (ERM)
framework for managing risks affecting its business and operations. One
of the key features of our ERM framework is a risk governance structure
comprising three lines of defence with established and clear functional
responsibilities and accountabilities for the management of risk.
ERM FRAMEWORK
• First Line of Defence: Senior Management Team
• Second Line of Defence: Corporate Risk Management Team
• Third Line of Defence: Group Internal Audit
b. Senior Management, which includes Management Committee
members and Divisional Heads, are the first line of defence and are
accountable for all risks assumed under their respective areas of
responsibility in line with the Risk Management Policy and Guidelines.
This group is also responsible for creating a risk-awareness culture,
which will ensure greater understanding of the importance of risk
management and ensure that its principles are embedded in key
operational processes and in all projects.