INTRODUCTION
The Board of Directors of VSTECS Berhad (“VSTECS”) is pleased to present its Statement on Risk Management and Internal Control for the financial year ended 31 December 2023, which has been prepared pursuant to Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad and as guided by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers. This statement outlines the nature and state of internal control of the Group (comprising the Company and its subsidiaries) during the financial year.
BOARD’S RESPONSIBILITY
The Board of Directors acknowledges its overall responsibility for maintaining a sound internal control system for the Group to safeguard the shareholders’ investment and the Group’s assets, and to discharge their stewardship responsibilities in identifying risks and ensuring the implementation of appropriate systems to manage these risks in accordance with the best practices of the Malaysian Code on Corporate Governance (“MCCG”).
The Board further recognises its responsibility for reviewing the adequacy and integrity of the Group’s internal control systems and management information systems.
In view of the limitations that are inherent in any system of internal control, the Group’s system of internal control is designed to manage and mitigate rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss.
For risk management, the Board, through the Enterprise Risk Management (“ERM”) Committee, would determine the company’s level of risk tolerance and identify, assess and monitor key business risks including anti-bribery and corruption risk to safeguard shareholders’ investments and the Company’s assets. The ERM Committee reviews, considers and plans for mitigating actions for both external and internal risk areas.
For internal control, the Board confirms that there is a continuous process in place to identify, evaluate and manage the significant risks that may affect the achievement of business objectives. The process which has been instituted throughout the Group is updated and reviewed from time to time to stay relevant to the changes in the business environment and market trends, and this on-going process is continuously in place for the whole financial year under review and up to the date of adoption of this Annual Report.
ENTERPRISE RISK MANAGEMENT
The Board recognises that risk management is an integral part of the Group’s business objectives and is critical for the Group to achieve continued profitability and sustainable growth in shareholders’ value. In pursuing these objectives, the Group has adopted an ERM Framework in managing and addressing its sustainability risks and opportunities to support its long-term strategy and success. The ERM Committee, which reports directly to the Audit Committee (“AC”), was established by the Board with the primary responsibility of ensuring the effective functioning of the ERM Framework.
The ERM Committee assists the AC and the Board in the continuous process of identifying, measuring, controlling, monitoring, and reporting significant and material risks affecting the achievement of the Group’s business objectives. It provides the Board and the Senior Leadership Team with information to anticipate and manage both the existing and potential risks, taking into consideration the changing risk profiles as dictated by changes in business and regulatory environment, the Group’s strategies and functional activities throughout the year.
The ERM Framework has been continuously refined to suit the Group’s strategy and operations since 2012, with the objective of maintaining a sound system of internal controls in safeguarding shareholders’ investments and the Company’s assets as well as enhancing shareholders’ value. The ERM Committee has developed a risk assessment template, whereby the current year’s actual incidences and impacts for each risk identified are recorded for review, risk profiling and mitigating actions.
The ERM Committee meets quarterly to identify any new risks and to assess, evaluate and manage the risks of the Group. The quarterly review ensures the mitigation actions are implemented effectively for the identified risks and incidences. The risk mitigation programme would include policy changes, establishment of new procedures and internal control work instructions, improvement in system controls, surveillance reports and other measures. For the year under review, the top ten (10) identified risks are market risk, credit risk, vendor and new competition risk, project risk, inventory risk, business model and new business investment risk, foreign exchange and financing risk, bribery and corruption risk, political risk and sustainability risk. The actual financial impact from the risks is also reviewed on a quarterly basis. Enhancements are made in line with the Board’s commitment to improve the Group’s governance, risk management and control framework, and to practising an effective control culture and environment for the Group’s business operations. The quarterly ERM reports, including any new initiatives and risk management procedures, are presented to the Audit Committee.
JOINT VENTURE AND ASSOCIATE
The disclosures in this statement do not include the risk management and internal control practices of the Group’s associate company, ISATEC Sdn. Bhd. (“ISATEC”). The risk management and internal control procedures of the Group are however applicable to our joint venture company, Enrich Platinum Sdn. Bhd. (“EPSB”). The Group maintains Board representation in both entities to safeguard its interests in EPSB and ISATEC.
BUSINESS CONTINUITY MANAGEMENT
The Board is aware of the importance of an effective Business Continuity Management (“BCM”) programme, particularly in crisis and disaster management of the organisation and the impact such threats may have on business operations. Additionally, it provides a framework for building organisational resilience that safeguards the interests of its stakeholders, reputation and value-creating activities.
The Group has launched its BCM plan to all business units. The Group has also communicated its group-wide awareness on BCM to form the organisation’s core values and effective management in order to enhance the realisation of the business unit’s responsibility and accountability in ensuring the preparedness of the organisation’s resiliency to crisis.
The Group performs notification-tree exercises at least twice a year to ensure reachability via all lines of communication to the Group’s employees. For 2023, notification-tree tests were performed on 3 April 2023 and 3 October 2023 with regard to BCM and the results were concluded to be satisfactory, with 100% staff reachability achieved within a 4-hour window.
Further to that, the Group also performed an annual Enterprise Resource Planning (“ERP”) system failover test to our remote site facility and the results were deemed successful. The Group has a disaster recovery location for ERP and other core systems at a data centre facility in Cyberjaya, Selangor as a back-up ERP facility for business transaction continuity.
INTERNAL AUDIT FUNCTION
The Board through the AC endorsed and approved the scope of work for the internal audit (“IA”) function through review of its one-year audit plan.
IA functions are executed by an outsourced independent professional firm and VSTECS’ in-house IA team to assess and review the sufficiency and adequacy of key internal controls on auditable areas, to highlight any weaknesses in internal control of existing standard practices and to provide recommendations to improve the internal controls within the Group. The scope of IA includes review of internal control procedures and assessment of the Group’s governance and risk management.
The Internal Auditors report directly to the AC on improvement measures pertaining to internal control, including subsequent follow-up and monitoring the progress of remedial action plans to determine the extent of their recommendations that have been implemented by the Management. IA reports are submitted to the AC, who reviews the findings with Management at its quarterly meetings. The Management is responsible for ensuring that corrective actions to control weaknesses are implemented within a defined time frame. The status of implementation is monitored through follow-up audits which are also reported to the AC.
In addition, the deficiencies noted by the External Auditors and management’s responsiveness to the control recommendations on deficiencies noted during financial audits provide added assurance that control procedures on functions with financial impact are in place and are being adhered to. In assessing the adequacy and effectiveness of the system of internal controls and accounting control procedures of the Group, the AC reports to the Board its activities, significant results, findings and the necessary recommendations for improvement.
ANTI-BRIBERY AND CORRUPTION
The Group’s Anti-Bribery and Corruption (“ABC”) policy was established in compliance with the Malaysian Anti-Corruption Commission Act 2009 and its 2018 amendment, which imposes a new corporate liability provision (Section 17A) on commercial organisations for failure to prevent corruption. Section 17A was enforced in June 2020.
The members of the ABC Compliance Committee (“Compliance Committee”) were selected based on competency, seniority and independence of functions. The Compliance Committee is responsible for the overall implementation of ABC policy and procedures and for providing a reasonable level of assurance that all operations in the Group are in compliance with ABC policy, programme and the supporting operational policies.
The Compliance Committee reports to the ERM Committee, which in turn reports to the AC of VSTECS.
KEY INTERNAL CONTROL PROCESSES
The key elements of the Group’s internal control systems are described below:
- The Board has established an organisational structure with clearly defined lines of responsibilities, authority limits and accountability aligned to business and operations requirements which support the maintenance of a strong control environment;
- The Board has established the Board Committees with clearly defined delegation of responsibilities within the defined terms of reference. These committees include the AC, Remuneration Committee and Nominating Committee which have been set up to assist the Board to perform its oversight functions. The committees have the authority to examine all matters within their scope and report to the Board their recommendations; and
- Management committees have also been established with appropriate empowerment to ensure effective management and supervision of the Group’s core business operations. These committees include the Management Committee, ERM Committee, Compliance Committee, Operation Committee, Credit Control Committee and Inventory Control Committee (“Committees”). These Committees, the Health and Safety Committee, and members of the Logistics team will meet on a monthly/bi-monthly/quarterly basis or conduct regular validation to ensure compliance with the relevant policies.
OTHER KEY ELEMENTS OF INTERNAL CONTROLS
- Quarterly financial results and other information are provided to the AC and Board. This oversight review allows the Board to monitor and evaluate the Group's performance in achieving its corporate objectives;
- The annual budget is reviewed and approved by the Board. The actual performance would be reviewed against the targets on a quarterly basis allowing timely response and necessary action plans to be taken to improve the performance;
- Comprehensive financial accounts and management reports are prepared and reviewed by the Management Committee monthly for effective monitoring and decision-making;
- Policies and procedures of core business processes are documented in a series of Standard Operating Procedures and are implemented throughout the Group. These policies and procedures are subject to periodic reviews, updates and continuous improvements to stay relevant to the changing risks and operational needs and updated statutory requirements;
- Professionalism and competence of staff are maintained through a rigorous recruitment process, continuous in-house training, job quality improvement and a performance appraisal and review system;
- Staff professionalism, industrial skill sets and job competency are progressively developed through broad based training and development programmes;
- Code of Conduct and ABC policy are implemented within the Group for all stakeholders including Directors, Management, employees of the Group and business associates. The code and policy are established to promote a corporate culture which ensures ethical conduct throughout the Group;
- ABC policy and procedures implementation include employees’ declaration on compliance with ABC policy, notification letters to business partners on ABC policy and ABC trainings for Directors, employees and Business Partners. In addition, all employees are required to complete ABC e-tutorial on a periodic basis;
- Whistle-Blowing Policy applies to employees and also vendors, partners, associates or any individuals, including the general public, in the performance of their assignment or conducting the business for or on behalf of the Group. The implementation of this policy enables the Group to address concerns that may adversely affect the reputation and interests of the Group effectively;
- Appropriate insurance coverage and physical safeguards over major assets and operating infrastructure systems integrity are in place to ensure that the assets and operations of the Group are adequately covered against any mishap that may result in material losses and operational disruptions to the Group; and
- Workplace Standard Operating Procedures, processes and preventive measures have been established and implemented in line with government directives to ensure employees’ and the community’s health and safety and to contain the chances of an outbreak similar to the COVID-19 pandemic in 2020.
REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS
The external auditors have reviewed this Statement on Risk Management and Internal Control pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on Statement on Risk Management and Internal Control included in the Annual Report, issued by the Malaysian Institute of Accountants, for inclusion in the Annual Report of the Group for the year ended 31 December 2023, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the Annual Report of the Group, in all material respects:
- has not been prepared in accordance with the disclosure required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, or
- is factually inaccurate.
AAPG 3 does not require the external auditors to consider whether the Directors’ Statement on Risk Management and Internal Control covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board of Directors and management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the annual report will, in fact, remedy the problems.