The Board of Directors of VSTECS Berhad (“VSTECS”) is pleased to present its Statement on Risk Management and Internal Control for the financial year ended 31 December 2019, which has been prepared pursuant to Paragraph 15.26 (b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad and as guided by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers. This statement outlines the nature and state of internal control of the Group (comprising the Company and its subsidiaries) during the financial year.
The Board of Directors acknowledges its overall responsibility for maintaining a sound internal control system for the Group to safeguard the shareholders’ investment and the Group’s assets, and to discharge their stewardship responsibilities in identifying risks and ensuring the implementation of appropriate systems to manage these risks in accordance with the best practices of the Malaysian Code on Corporate Governance.
The Board further recognises its responsibility for reviewing the adequacy and integrity of the Group’s internal control systems and management information systems.
In view of the limitations that are inherent in any systems of internal control, the Group’s system of internal control is designed to manage rather than eliminate the risk of failure to achieve business objective and can only provide reasonable and not absolute assurance against material misstatement or loss.
For risk management, the Board, through the Enterprise Risk Management (“ERM”) Committee, would determine the Company’s level of risk tolerance and identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets.
For internal control, the Board confirms that there is a continuous process in place to identify, evaluate and manage the significant risks that may affect the achievement of business objectives. The process which has been instituted throughout the Group is updated and reviewed from time to time to be relevant to the changes in the business environment, and this on-going process has been in place for the financial year under review and up to the date of adoption of this Annual Report.
ENTERPRISE RISK MANAGEMENT
The Board recognises that risk management is an integral part of the Group’s business objectives and is critical for the Group to achieve continued profitability and sustainable growth in shareholders’ value. In pursuing these objectives, the Group has adopted an ERM Framework to manage its risk and opportunities. The ERM Committee which reports directly to the Audit Committee was established by the Board, with the primary responsibility of ensuring the effective functioning of ERM Framework.
The ERM Committee assists the Audit Committee and the Board in the continuous process of identifying, measuring, controlling, monitoring, and reporting significant and material risks affecting the achievement of the Group’s business objectives. It provides the Board and the Senior Management with a tool to anticipate and manage both the existing and potential risks, taking into consideration the changing risk profiles as dictated by changes in business and regulatory environment, the Group’s strategies and functional activities throughout the year.
The ERM framework is professionally developed based on internationally recognised standards. The ERM Committee has developed a risk assessment template, whereby the current year actual incidences and impacts for the respective risk identified were recorded for review, risk profiling and mitigating actions.
The ERM Committee meeting is held quarterly to identify any new risks, assess, evaluate and manage risks of the Group. The quarterly review ensures the risks are current and relevant. Risks mitigation are planned and implemented for the identified risks and incidences. Risks mitigation programme would include policy changes, establishment on new procedures, improvement in system controls, surveillance report and other measures. For the financial year under review, the identified risks are vendor risk, new competition risk, market risk, credit risk, project risk, business model/technology risk, political risk, inventory risk, fraud risk and operational compliance risk. The actual financial impact from the risks (if applicable) is also reviewed on a quarterly basis. Enhancements are made in line with the Board’s commitment to improve the Group’s governance, risk management and control framework, and practicing effective control culture and environment for the Group’s business operations. The on-going ERM exercise is presented quarterly to the Audit Committee for the Board to be updated on the risk management amendments.
JOINT VENTURE AND ASSOCIATE
The disclosures in this statement do not include the risk management and internal control practices of the Group’s joint venture and associate companies, namely Enrich Platinum Sdn. Bhd. (“EPSB”) and ISATEC Sdn. Bhd. (formerly known as I.S.A. Technologies Sdn. Bhd.) (“ISATEC”) respectively. The Group’s interests in these entities are safeguarded through the appointment of members of the Group to the board of EPSB and ISATEC.
BUSINESS CONTINUITY MANAGEMENT
The Board is aware of the importance of an effective Business Continuity Management (“BCM”) programme particularly in crisis and disaster management of the organisation and the impact such threats may have on business operations. Additionally, it provides a framework for building organisational resilience that safeguard the interests of its stakeholders, reputation and value creating activities.
The Group has launched its BCM plan to all business units. The Group has also communicated its group-wide awareness on BCM to form the organisation’s core values and effective management in order to enhance the realisation of the business unit’s responsibility and accountability in ensuring the preparedness of the organisation’s resiliency to crisis.
The Group performed notification-tree exercises to test responses from employees on 2 April 2019 and 1 October 2019 with regards to BCM and the results were satisfactory.
Further to that, the Group also performed an Enterprise Resource Planning (“ERP”) system failover test to remote site and the results were positive. The Group has a disaster recovery location for ERP and other core systems at a data centre in Cyberjaya, Selangor to cater for mishap in the event of a disaster.
INTERNAL AUDIT FUNCTION
The Board through the Audit Committee endorsed and approved the scope of work for the internal audit function through review of its one-year audit plan.
Internal audit functions are executed by an outsourced independent professional firm and VSTECS’ in-house internal audit team respectively to review the sufficiency and adequacy of key internal controls on auditable areas, to highlight any weaknesses in internal control of existing standard practices and to provide recommendations to improve the internal controls within the Group.
The Internal Auditors report directly to the Audit Committee on improvement measures pertaining to internal control, including subsequent follow-up to determine the extent of their recommendations that have been implemented by the Management. Internal audit reports are submitted to the Audit Committee, who reviews the findings with Management at its quarterly meetings. The Management is responsible for ensuring that corrective actions to control weaknesses are implemented within a defined timeframe. The status of implementation is monitored through follow-up audits which are also reported to the Audit Committee.
In addition, the deficiencies noted by the External Auditors’ and Management’s responsiveness to the control recommendations on deficiencies noted during financial audits provide added assurance that control procedures on functions with financial impact are in place, and are being adhered to. In assessing the adequacy and effectiveness of the system of internal controls and accounting control procedures of the Group, the Audit Committee reports to the Board its activities, significant results, findings and the necessary recommendations for improvement.
KEY INTERNAL CONTROL PROCESSES
The key elements of the Group’s internal control systems are described below:
- The Board has established an organisational structure with clearly defined lines of responsibilities, authority limits and accountability aligned to business and operations requirements which support the maintenance of a strong control environment;
- The Board has established the Board Committees with clearly defined delegation of responsibilities within the defined terms of reference. These committees include the Audit Committee, Remuneration Committee and Nominating Committee which have been set up to assist the Board to perform its oversight functions. The committees have the authority to examine all matters within their scope and report to the Board for their recommendation: and
- Management has also established committees with appropriate empowerment to ensure effective management and supervision of the Group’s core business operations. These committees include the Management Committee, ERM Committee, Operation Committee, Credit Control Committee, Inventory Control Committee and Logistics Committee.
OTHER KEY ELEMENTS OF INTERNAL CONTROLS
- Quarterly financial results and other information are provided to the Audit Committee and the Board. This oversight reviews allow the Board to monitor and evaluate the Group’s performance in achieving its corporate objectives;
- The annual budget is reviewed and approved by the Board. The actual performance would be reviewed against the targets on a quarterly basis allowing timely response and necessary action plans to be taken to improve the performance;
- Comprehensive financial accounts and management reports are prepared and reviewed by the Management Committee monthly for effective monitoring and decision-making;
- Policies and procedures of core business processes are documented in a series of Standard Operating Procedures and are implemented throughout the Group. These policies and procedures are subject to periodic reviews, updates and continuous improvements to reflect the changing risks and operational needs;
- Necessary actions have been taken on the weaknesses identified in the internal control systems with the implementation of improved control measures and processes;
- Professionalism and competence of staff are maintained through a rigorous recruitment process, continuous in-house training, job quality improvement and a performance appraisal and review system;
- Staff professionalism, industrial skill sets and job competency are progressively developed through broad based training and development programmes;
- The Code of Conduct is implemented within the Group for Directors, Management and employees of the Group. This code is established to promote a corporate culture which ensures ethical conduct throughout the Group; and
- Appropriate insurance coverage and physical safeguards over major assets are in place to ensure that the assets of the Group are adequately covered against any mishap that may result in material losses to the Group.
REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS
The External Auditors have reviewed this Statement on Risk Management and Internal Control pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants for inclusion in the Annual Report of the Group for the year ended 31 December 2019, and reported to the Board that nothing has come to their attention that cause them to believe that the statement intended to be included in this Annual Report of the Group, in all material respects:
- has not been prepared in accordance with the disclosure required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, or
- is factually inaccurate.
AAPG 3 does not require the external auditors to consider whether the Directors’ Statement on Risk Management and Internal Control covers all risk and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board of Directors and management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in this Annual Report will, in fact, remedy the problems.