Statement of Internal Control


The Statement of Internal Control sets out the key structures underpinning the Board's work to promote the highest standards in the Bank's financial management and reporting, in compliance with all applicable laws and regulations. These standards of operational efficiency are achieved by delegating appropriate authority to distinct committees within the Management, which collectively report back to the Board to ensure that tangible and intangible risks are managed effectively and proactively throughout the organisation.



The Board affirms its commitment to overall responsibility for, and oversight of, the BPMB Group's internal control system. The Board keeps abreast of developments in the areas of risk and governance to ensure the system's effectiveness in safeguarding stakeholders' interests and the Group's assets.

The Board recognises that internal controls and risk management systems in place need to be updated from time to time to align with the changes in the business environment as well as with the process improvement initiatives undertaken. The Board has established appropriate control structures and processes for identifying, evaluating, monitoring, managing and responding to significant risks faced by the Group in its achievement of the business goals and objectives.

The Management is accountable to the Board and is responsible for the effective implementation of the policies and procedures on risks and controls. Regular testing of the adequacy, effectiveness, efficiency and integrity of the internal control systems and processes is conducted to ensure their viability and robustness.


Key Internal Control Processes

The key processes that the Board has established in reviewing the adequacy and effectiveness of the internal control system include the following:


Establish the Management’s role with regards to internal controls

The roles of the Management include but are not limited to:

Identifying and evaluating the risks faced in the achievement of business objectives and strategies;

Formulating relevant policies and procedures to manage these risks;

Monitoring the effective implementation of the internal control system; and

Reporting to the Board, in a timely manner, on any changes to the risks and the corrective actions taken.


Internal Audit Function: Group Internal Audit (GIA)

The GIA undertakes periodic reviews of the Group’s business and operations to provide independent assurance to the Board that the risk management, internal control systems and governance processes put in place are working effectively.

Audit engagements are carried out based on the annual audit plan as approved by the Board Audit Committee (BAC) and take into consideration feedback from the Management and the Shariah Committee. The GIA assesses the selected auditable functions and areas within the audit scope with regard to risk exposure and compliance with the approved policies, procedures and relevant laws and regulations, and benchmarks them against available best practices. In evaluating internal controls, the GIA adopts the five (5) components set out in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), namely control environment, risk assessment, control activities, information and communication, and monitoring activities.

The results of the audits conducted, including the risks identified and the recommendations made, are reported to the BAC on a regular basis. Resolution of the audit findings is carried out by, and followed up with, the Management and deliberated at the Management Audit Committee (MAC) and BAC meetings. Shariah audit findings are presented to the Shariah Committee (SC), where any potential Shariah non-compliance (SNC) issues are deliberated and confirmed by the SC.

The GIA continues to enhance its capabilities through continuous improvement to its internal audit processes benchmarked against the industry’s standards, upskilling of the internal auditors through various internal and external training, certification of auditors and engagements with reputable third-party service providers when undertaking specific audit assignments.


Management Audit Committee (MAC)

The MAC is a Management-level committee chaired by the Chief Internal Auditor (CIA), which meets once every two (2) months or as and when required. The MAC assists the BAC in reviewing the financial condition of the BPMB Group, the internal controls, and the performance and findings of the internal auditors, where necessary; and in monitoring the execution and implementation of all necessary action plans, including the recommendations made by the BAC, to ensure that they are undertaken by the Management within the agreed timeline. Minutes of the MAC meetings are tabled to the BAC together with the audit reports.


Board Audit Committee (BAC)

The BAC meets at least four (4) times a year and holds ad hoc meetings as and when required, or at the Chairman's request, to further review issues identified in the audit reports prepared by the GIA as well as by the external auditors. The BAC has active oversight of the GIA's independence, scope of work and resources. It also reviews and approves the annual audit plan and the frequency of the internal audit activities.


Other Internal Control Processes and Structures

The other key elements of the procedures established by the Board that provide effective internal control include:


Business Plan and Performance Review

An annual business plan and budget are submitted to the Board for approval. Performance achievements are reviewed against the targeted results on a monthly basis allowing timely responses and corrective actions to be taken to mitigate risks. The Board reviews regular reports from the Management on the key operating statistics. The Board also approves any changes or amendments to the Group’s policies.


Board Committees

Board Committees (other than the BAC) are also established to assist the Board in performing its oversight function, namely the Board Credit Committee (BCC), Board Nomination & Remuneration Committee (BNRC), Board Risk Management Committee (BRMC), Board Information Technology Committee (BITC) and Shariah Committee (SC). These Committees have the authority, set out in their respective Terms of Reference, to examine all matters within their scope and report their recommendations to the Board.


Management Committees

Various Management Committees (Executive-level) are also established by the Management to assist and support the various Board Committees in overseeing the core areas of business operations. These Committees include the Executive Committee (EXCO), Group Credit Committee (GCC), Management Risk Committee (MRC), Asset and Liability Committee (ALCO), Management Tender Committee (MTC), Management Information Technology Committee (MITC), Group Human Resource Committee (GHRC), Crisis Management Team (CMT) and Group Budget Working Committee (GBWC).


Policies, Standard Operating Procedures (SOPs) and Authority Limits

Policies and SOPs governing the Group’s businesses and operations are documented and are made available to all employees across the Group. These policies and SOPs are reviewed and updated by the respective business and functional units through a structured process of review to cater to changes in laws and regulations as well as changes to the business and operational environment.

Delegation of authority, including the authorised limits at various levels of Management in the Group, is documented and designed to ensure accountability and responsibility.


Code of Ethics and Conduct

The Code of Ethics and Conduct (the Code) sets out the standards of good and ethical banking practice and aims to maintain confidence in the security and integrity of the Group's business practices. The Code applies to all employees of the Bank and is consistent with the laws of Malaysia as well as all internal policies and procedures of the Bank. All employees of the Bank are expected to carry out business activities and represent the Group with the highest ethical, legal and professional standards.


Statement of Internal Control (Bahasa Malaysia version)


The Statement of Internal Control sets out the key structures that serve as the foundation for the Board's work to promote the highest standards in the Bank's financial management and reporting and to comply with all applicable laws and regulations. These standards of operational efficiency are achieved by delegating appropriate authority to distinct committees within the Management, which collectively report back to the Board to ensure that tangible and intangible risks are managed effectively and proactively across the organisation.



The Board affirms its commitment to responsibility for, and oversight of, the BPMB Group's internal control system as a whole. The Board also continuously keeps abreast of developments in the areas of risk and governance to ensure the system's effectiveness in protecting the interests of stakeholders and the Group's assets.

The Board is aware that the existing internal control and risk management systems need to be updated from time to time to keep pace with changes in the business environment as well as with the process improvement initiatives undertaken. The Board has established appropriate control structures and processes to identify, evaluate, monitor, manage and respond to the significant risks faced by the Group in achieving its business goals and objectives.

The Management is accountable to the Board and is responsible for the effective implementation of the risk and control policies and procedures. Periodic testing of the adequacy, effectiveness, efficiency and integrity of the internal control systems and processes is conducted to ensure their viability and resilience.


Key Internal Control Processes

The key processes established by the Board in reviewing the adequacy and effectiveness of the internal control system include the following:


Establishing the Management's role in relation to internal controls

The roles of the Management include but are not limited to:

Identifying and evaluating the risks faced in achieving the business objectives and strategies;

Formulating relevant policies and procedures to manage these risks;

Monitoring the effective implementation of the internal control system; and

Reporting to the Board, in a timely manner, on changes in risk and the corrective actions taken.


Internal Audit Function: Group Internal Audit (GIA)

The GIA conducts periodic reviews of the Group's business and operations to provide independent assurance to the Board that the risk management, internal control systems and governance processes in place are implemented and functioning effectively.

Audit engagements are carried out based on the annual audit plan as approved by the Board Audit Committee (BAC), taking into consideration feedback from the Management and the Shariah Committee. The GIA assesses the selected auditable functions and areas within the audit scope with regard to risk exposure and compliance with the approved procedures and policies and with the applicable laws and regulations, and benchmarks them against available best practices. In evaluating internal controls, the GIA applies the five (5) components set out in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), namely control environment, risk assessment, control activities, information and communication, and monitoring activities.

The results of the audits conducted, including the risks identified and the recommendations made, are reported to the BAC on a regular basis. Resolution of the audit findings is carried out and followed up by the Management through deliberation at the Management Audit Committee (MAC) and BAC meetings. Shariah audit findings are presented to the Shariah Committee (SC), where any potential Shariah non-compliance (SNC) issues are deliberated and confirmed by the SC.

The GIA will continue to enhance its capabilities through continuous improvement of its internal audit processes, benchmarked against industry standards; upskilling of the internal auditors through various internal and external training; certification of auditors; and engagement of reputable third-party service providers when undertaking specific audit assignments.


Management Audit Committee (MAC)

The MAC is a Management-level committee chaired by the Chief Internal Auditor (CIA), which meets once every two (2) months or as and when required. The MAC assists the BAC in reviewing the financial condition of the BPMB Group, the internal controls, and the performance and findings of the internal auditors, where necessary; and in monitoring the implementation of all necessary action plans, including the recommendations made by the BAC, to ensure that they are carried out by the Management within the agreed timeframe. Minutes of the MAC meetings are tabled to the BAC together with the audit reports.


Board Audit Committee (BAC)

The BAC meets at least four (4) times a year and holds ad hoc meetings as and when required, or at the Chairman's request, to further review issues identified in the audit reports prepared by the GIA as well as by the external auditors. The BAC has active oversight of the GIA's independence, scope of work and resources. It also reviews and approves the annual audit plan and the frequency of internal audit activities.


Other Internal Control Processes and Structures

The other key elements of the procedures established by the Board that provide effective internal control include:


Business Plan and Performance Review

The annual business plan and budget are submitted to the Board for approval. Performance achievements are reviewed against the targeted results on a monthly basis, allowing timely responses and corrective actions to be taken to mitigate risks. The Board reviews regular reports from the Management on the key operating statistics. The Board also approves any changes or amendments to the Group's policies.


Board Committees

Board Committees (other than the BAC) are also established to assist the Board in carrying out its oversight function, namely the Board Credit Committee (BCC), Board Nomination & Remuneration Committee (BNRC), Board Risk Management Committee (BRMC), Board Information Technology Committee (BITC) and Shariah Committee (SC). These Committees have the authority, set out in their respective Terms of Reference, to examine all matters within their scope and report their recommendations to the Board.


Management Committees

Various Management Committees (Executive-level) are also established by the Management to assist and support the various Board Committees in overseeing the core areas of business operations. These Committees comprise the Executive Committee (EXCO), Group Credit Committee (GCC), Management Risk Committee (MRC), Asset and Liability Committee (ALCO), Management Tender Committee (MTC), Management Information Technology Committee (MITC), Group Human Resource Committee (GHRC), Crisis Management Team (CMT) and Group Budget Working Committee (GBWC).


Policies, Standard Operating Procedures (SOPs) and Authority Limits

Policies and SOPs governing the Group's business and operations are documented and made available to all employees across the Group. These policies and SOPs are regularly reviewed and updated by the respective business and functional units through a structured review process so that they remain aligned with changes in laws and regulations as well as in the business and operating environment.

Delegation of authority, including the authorised limits at various levels of Management in the Group, is also documented and designed to ensure the accountability and responsibility of each individual.


Code of Ethics and Conduct

The Code of Ethics and Conduct (the Code) sets out the standards of good and ethical banking practice and aims to maintain confidence in the security and integrity of the Group's business practices. The Code is to be observed by all employees working in the Bank, as it complies with the laws of Malaysia as well as all internal policies and procedures of the Bank. All employees of the Bank are expected to carry out business activities and represent the Group with the highest ethical, legal and professional standards.