STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
Responsibility of the Board
The Board is ultimately responsible for the Company’s system of internal control, which includes the establishment of an appropriate control environment and framework, as well as reviewing its adequacy and integrity.
The Board has established an ongoing process for identifying, evaluating and managing significant risks faced by FIMM. Whilst the Board maintains ultimate responsibility over risk and control issues, it has delegated to the executive management the implementation of a system of risk management and internal control within an established framework.
In view of inherent limitations in any system of internal control, the Company’s internal control system is designed to manage, rather than eliminate, the risk of failure in achieving corporate objectives. Accordingly, it can only provide reasonable but not absolute assurance against material misstatement or loss.
Risk management framework
The Management has been entrusted by the Board to manage risk and also, to develop, operate and monitor a system of internal control and providing assurance to the Board that it has done so in accordance with policies adopted by the Board.
FIMM adopts a centralised approach to risk management, whereby all employees take ownership and accountability for risks at their respective levels through facilitation with the Internal Audit Department (“IAD”). The process of risk management and treatment is overseen by the IAD.
A working group, the Risk Working Committee (“RWC”), provides risk management support to Management as a whole. The role of RWC includes periodic reporting of the status of risk mitigation actions, new risks identification and risks that have changed characteristics together with corresponding controls. The RWC comprising key persons from all departments and divisions submits its reports to the Audit Committee on a regular basis. The Audit Committee reports to the Board on any significant changes in the business and external environment which affect key risks.
The revised Risk Management Framework was approved on 18 October 2012 upon new establishment of Internal Audit Department.
- Strategic, which are risks that affect the overall direction of the business;
- Operational, which are risks that impact the delivery of FIMM’s services;
- Financial, which are risks associated with financial processes and reporting;
- Technology, which are risks associated with robustness in information technology in meeting business needs; and
- Compliance, which are risks that impact the compliance with legislations, regulations, policies and procedures.
The following key elements of a risk management framework have been put in place as part and parcel of embedding a sound system of internal control within the Company:
- Establishment and yearly review of formalised Risk Management Policy and Procedure on risks;
- Audit Committee shall assist the Board of Directors (BOD) in discharging its statutory duties and responsibilities relating to Risk Management Policy;
- Establishment and review of risk management structure, which outlines the reporting framework and responsibility of the Board, Audit Committee, Risk Working Committee, Internal Audit Department, management and risk owners;
- Reviewing and, where appropriate, revising the risk parameters (qualitative and quantitative) for FIMM and at the individual department to strengthen effectiveness of the risk management process;
- On-going formal and informal risk management education and training at management and staff levels;
- Continuous review and refinement of existing risk management framework model to enhance risk awareness within FIMM and facilitate re-affirmation of risk prioritisation and aggregation exercises with various departments;
- Implementation by Management of a company-wide risk assessment process, which includes the identification of key risks facing each department, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans to manage those risks to the desired level; and
- Development of FIMM Risk Profile.
Internal audit function
The newly established Internal Audit Department on 18 July 2012, the internal audit function provides the Board with the assurance it requires regarding the adequacy and integrity of internal controls. Internal audit independently reviews the internal control processes in the key activities of the Company’s businesses by adopting a risked-based approach and reports directly to the Audit Committee on a quarterly basis or as appropriate. Internal audit also test the effectiveness of the internal controls on the basis of an internal audit strategy and detailed annual internal audit plan presented to the Audit Committee for approval. Reports on internal audit findings, together with recommendations for Management actions, are reviewed by the Audit Committee and reported to the Board by the Audit Committee on a quarterly basis or as appropriate.
An Internal Audit Manual was established and approved by the Audit Committee on 18 October 2012. The purpose of this manual is to provide guidance for FIMM’s internal auditors. It contains policies and procedures for planning, preparation, performing, and reporting on audit activity and results. This manual summarises the operations of the internal audit function and delineates the policies, standards and procedures which will generally govern the internal audit function.
However, prior to FIMM’s recognition as a Self-Regulatory Organisation (“SRO”) on 31 January 2011, BDO Governance Advisory Sdn Bhd (“BDOGA”) was appointed to render internal audit services on 3 September 2010 for tenure of two (2) years.Go to Top
Internal Control System
During the tenure of BDOGA, the scope of audit function is broad and includes those systems of internal controls that are in place to achieve the following objectives:
- Compliance with legislations, regulations, policies and procedures;
- Economy and efficiency of operations;
- Safeguarding of assets;
- Reliability and integrity of financial and operational information; and
- Achievement of operational objectives.
The internal audit function reports directly to the Audit Committee of FIMM. In order for the function to carry out its responsibilities, it has full access to all records, properties and personnel of the Company.Go to Top
Other risk and control processes
Apart from risk management and internal audit, other key elements of the Company’s internal controls system are as described below:
- Management and the Board are provided with regular and comprehensive financial information, which includes a review of the Company’s financial performance and position;
- Detailed and systematic budgetary process in which the respective heads of department and division prepare budgets for the forthcoming financial year and subsequent financial quarters; continuous monitoring of results against planned activities and variances are followed up and actions taken, where necessary; and
- The Chief Executive Officer reports to the Board on significant changes in the business and the external environment.
Review of Effectiveness
Regulatory Audit conducted by Securities Commission (“SC”) for the year 2012 verified the essential frameworks and relevant controls in place for FIMM to discharge its functions efficiently and effectively as a Self-Regulatory Organisation (“SRO”).
SC is of the view that FIMM has broadly demonstrated adequacy in its governance framework, complaints handling procedures and compliance to the terms and conditions imposed upon its recognition as a SRO. The assessment takes into consideration the transition period of FIMM being a mere industry association into a SRO as well as notable initiative currently in progress to address the shortcomings and operational gaps.
In addition, the Board is of the view that the existing system of the internal control is adequate. There were no material losses incurred during the current financial year as a result of weaknesses in internal control. Nevertheless, Management continues to take measures to strengthen the control environment.Go to Top
AUDIT COMMITTEE REPORT
The Committee will, on behalf of the Board of Directors (Board), discharge its oversight responsibilities to encourage and safeguard the highest standards of integrity, reliable financial reporting, compliance with regulatory matters and effective internal controls of FIMM.
Description of main functions
The Committee reports directly to the Board and as such, the Committee has no executive responsibilities, but it is responsible for performing its duties in accordance with the Audit Committee Charter and in this regard, makes recommendations to the Board on the adequacy of external audit, internal audit, risk management and compliance procedures.
Terms of Reference
The objectives of the Committee are as follows:-
- Assisting the Board to discharge its responsibilities with due care, diligence and skill in relation to FIMM’s reporting of financial information to users of the financial reports, application of accounting policies, reporting requirements, internal control system and establishment and management of compliance procedures over regulatory and legal requirements;
- Improving the effectiveness of the internal and external audit functions and the effective communication between the Board and the auditors (both external and internal);
- Reviewing key risk profiles, the mitigation plan and controls in place to manage these significant risks and the overall effectiveness of the risk management process;
- Determine and set the scope of annual audit plan for the internal and external audit; and
- Ensure the adequacy of the resources of the internal audit department to carry out its function effectively.
Information on Audit Committee Charter
The Audit Committee is established with the aim of enhancing confidence in the integrity of an organisation’s processes and procedures relating to internal control and corporate reporting including financial reporting. Audit Committee provides an ‘independent’ reassurance to the board through its oversight and monitoring role. Among many responsibilities the Board entrust the Audit Committee with are the transparency and accuracy of financial reporting and disclosures, effectiveness of external and internal audit functions, robustness of the systems of internal audit and internal controls, effectiveness of anti-fraud, ethics and compliance systems. Audit Committee may also play a significant role in the oversight of the company’s risk management policies and programmes.Go to Top
Meetings and Attendance of the Committee
|Number of Audit Committee meetings in 2012||4|
|Date of Audit Committee meetings in 2012||4Q FY2011 (4th ACM)||24 Feb 2012|
|1Q FY2012 (5th ACM)||11 May 2012|
|2Q FY2012 (6th ACM)||18 July 2012|
|3Q FY2012 (7th ACM)||18 Oct 2012|
|Name of members of the Audit Committee||Attendance||Remarks|
|Datuk Siti Hadzar Mohd Ismail (Chairman) (PID)||4/4||Chairman/PID Director|
|Datuk Wira Jahaya B Mat||4/4||PID Director|
|George Yap Koi Ming (PID)||0/4||PID Director|
|Yeoh Kim Hong||4/4||Non PID Director|
|Dato’ Mohamad Ayob Abu Hassan (PID)||4/4||Non PID Director|
Summary of Activities
The summary of activities of the Committee during the year under review was as follows:
- Ensuring that financial statements are understandable, transparent, and reliable.
- Ensuring the risk management process is comprehensive and ongoing, rather than partial and periodic.
- Helping achieve an organization-wide commitment to strong and effective controls, emanating from the tone at the top.
- Reviewing corporate policies relating to compliance with laws and regulations, ethics and conflicts of interest.
- Continually communicating with senior management regarding status, progress, and new developments, as well as problematic areas.
- Ensuring internal audit access to the Audit Committee, to encourage communication beyond scheduled committee meetings.
- Reviewing internal audit plans, reports, and significant findings.
- Establishing a direct reporting relationship with the external auditors.
Internal Audit Function
During the engagement of internal audit services with BDOGA, eight (8) internal control reviews were carried out as per Audit Plan. Internal Audit Plan for years 2010 till 2012 was proposed and approved by the Audit Committee on 8 October 2010 with a total of eight (8) internal control reviews.
The primary objective of the internal audit function is to provide an assessment, independent of operations, on the adequacy and integrity of the system of internal controls of FIMM. The function plans and important role in supporting departmental operations. It provides assurance on key aspects of the risk management, control and governance processes. Where control deficiencies exist and where the achievement of objectives is at risk, internal audit plays a role in providing constructive insight and recommendations for strengthening of these controls. In this way, internal audit contributes to enhance accountability and performance in the organisation.Go to Top