Statement of Internal Control
The Statement of Internal Control establishes the key constructs underpinning the Board’s work to promote the highest standards in the Bank’s financial management and reporting in compliance with all applicable laws and regulations. Such high standards of operational efficiency are achieved by delegating appropriate authority to distinct committees within the Management, who collectively report back to the Board to ensure tangible and intangible risks are effectively and pro-actively managed throughout the organisation.
The Board affirms its commitment to its overall responsibility for, and oversight of, the BPMB Group’s internal control system. The Board keeps abreast of developments in the areas of risk and governance to ensure its effectiveness in safeguarding stakeholders’ interests and the Group’s assets.
The Board recognises that internal controls and risk management systems in place need to be updated from time to time to align with the changes in the business environment as well as with the process improvement initiatives undertaken. The Board has established appropriate control structures and processes for identifying, evaluating, monitoring, managing and responding to significant risks faced by the Group in its achievement of the business goals and objectives.
The Management is accountable to the Board and is responsible for the effective implementation of the policies and procedures on risks and controls. Regular testing of the adequacy, effectiveness, efficiency and integrity of the internal control systems and processes is conducted to ensure their viability and robustness.
Key Internal Control Processes
The key processes that the Board has established in reviewing the adequacy and effectiveness of the internal control system include the following:
Establish the Management’s role with regard to internal controls
The roles of the Management include but are not limited to:
Identifying and evaluating the risks faced in the achievement of business objectives and strategies;
Formulating relevant policies and procedures to manage these risks;
Monitoring the effective implementation of the internal control system; and
Reporting to the Board on any changes to the risks and the corrective actions taken in a timely manner.
Internal Audit Function: Group Internal Audit (GIA)
The GIA undertakes periodic reviews of the Group’s business and operations to provide independent assurance to the Board that the risk management, internal control systems and governance processes put in place are working effectively.
Audit engagements are carried out based on the annual audit plan as approved by the Board Audit Committee (BAC) and take into consideration feedback from the Management and Shariah Committee. The GIA assesses the selected auditable functions and areas under the audit scope with regard to risk exposure and compliance with the approved policies, procedures, and relevant laws and regulations, and benchmarks them against available best practices. In evaluating the internal controls, the GIA adopts the five (5) components set out in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), namely control environment, risk assessment, control activities, information and communication, and monitoring activities.
The results of the audits conducted, including the risks and recommendations, are reported to the BAC on a regular basis. Resolutions to the audit findings are performed and followed up with the Management and deliberated at the Management Audit Committee (MAC) and BAC meetings. The Shariah audit findings are presented to the Shariah Committee (SC), where any potential Shariah non-compliance (SNC) issues are deliberated and confirmed by the SC.
The GIA continues to enhance its capabilities through continuous improvement to its internal audit processes benchmarked against the industry’s standards, upskilling of the internal auditors through various internal and external training, certification of auditors and engagements with reputable third-party service providers when undertaking specific audit assignments.
Management Audit Committee (MAC)
The MAC is a Management-level committee chaired by the Chief Internal Auditor (CIA), which meets once every two (2) months or as and when required. The MAC assists the BAC in reviewing the financial condition of the BPMB Group, the internal controls, and the performance and findings of the internal auditors and, where necessary, in monitoring the execution and implementation of all necessary action plans, including the recommendations made by the BAC, ensuring that they are undertaken by the Management within the agreed timeline. Minutes of the MAC meetings are tabled to the BAC together with the audit reports.
Board Audit Committee (BAC)
The BAC meets at least four (4) times a year and at any ad hoc meetings as and when required, or at the Chairman’s request, to further review issues identified in audit reports prepared by the GIA as well as by external auditors. The BAC has active oversight of the GIA’s independence, scope of work and resources. It also reviews and approves the annual audit plan and the frequency of the internal audit activities.
Other Internal Control Processes and Structures
The other key elements of the procedures established by the Board that provide effective internal control include:
Business Plan and Performance Review
An annual business plan and budget are submitted to the Board for approval. Performance achievements are reviewed against the targeted results on a monthly basis allowing timely responses and corrective actions to be taken to mitigate risks. The Board reviews regular reports from the Management on the key operating statistics. The Board also approves any changes or amendments to the Group’s policies.
Board Committees (other than the BAC) are also established to assist the Board in performing its oversight function, namely, Board Credit Committee (BCC), Board Nomination & Remuneration Committee (BNRC), Board Risk Management Committee (BRMC), Board Information Technology Committee (BITC) and Shariah Committee (SC). These Committees have the authority (Terms of Reference) to examine all matters within their scope and report their recommendations to the Board.
Various Management Committees (Executive-level) are also established by the Management to assist and support the various Board Committees to oversee the core areas of business operations. These Committees include the Executive Committee (EXCO), Group Credit Committee (GCC), Management Risk Committee (MRC), Asset and Liability Committee (ALCO), Management Tender Committee (MTC), Management Information Technology Committee (MITC), Group Human Resource Committee (GHRC), Crisis Management Team (CMT) and Group Budget Working Committee (GBWC).
Policies, Standard Operating Procedures (SOPs) and Authority Limits
Policies and SOPs governing the Group’s businesses and operations are documented and are made available to all employees across the Group. These policies and SOPs are reviewed and updated by the respective business and functional units through a structured process of review to cater to changes in laws and regulations as well as changes to the business and operational environment.
Delegation of authority, including authorised limits at various levels of Management in the Group, is documented and designed to ensure accountability and responsibility.
Code of Ethics and Conduct
The Code of Ethics and Conduct (the Code) sets out the standards of good and ethical banking practices, and aims to maintain confidence in the security and integrity of the Group’s business practices. The Code applies to all employees working in the Bank and complies with the laws of Malaysia as well as all internal policies and procedures of the Bank. All employees of the Bank are expected to carry out business activities and represent the Group with the highest ethical, legal and professional standards.