
Statement on Risk Management and Internal Control

3.6 The compliance function, which includes the Audit and Risk Committee (“ARC”) and internal audit function, assists the Board to oversee the management of risks and review the effectiveness of internal controls. The ARC reviews reports of the Group Internal Audit Department (“GIA”) and also conducts an annual assessment on the adequacy of the GIA’s scope of work.

3.7 The ARC convenes regular meetings to deliberate on findings and recommendations for improvement by both the internal and external auditors on the state of the system of internal control, review and recommend the risk management policies, strategies, key risk profiles and risk mitigation actions for the Group and reports to the Board. Minutes of the ARC meetings are tabled to the Board.

3.8 Review and award of major contracts which exceed the limits delegated to Group MD or senior management are undertaken by the Board.

3.9 Clearly documented standard operating procedure manuals set out the policies and procedures for day-to-day operations to be carried out. Periodic reviews are performed to ensure that documentation remains current, relevant and aligned with evolving business and operational needs.

3.10 The competency of staff is enhanced through a rigorous recruitment process and development programmes. A performance appraisal system of staff is in place, with established targets and accountability, and is reviewed annually.

4. INTERNAL AUDIT FUNCTION

The Group’s internal audit function is undertaken by GIA which reports directly to the ARC and administratively to the Group MD. The GIA assists the ARC in the discharge of its duties and responsibilities. Its key role is to provide independent and objective assurance designed to add value and assist the Group in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control system and governance processes.

The business processes and conduct of the operating units within the Group are continuously assessed by GIA in the context of adequacy and effectiveness of the financial, operational controls and risk management. GIA reports to the ARC and communicates to Management on audit observations noted in the course of their review and performs monitoring on the status of actions taken by the operating units. It conducts independent reviews of the key activities within the Group’s operating units based on a detailed annual audit plan developed using a risk-based methodology including input from Senior Management and the ARC, which was approved by the ARC. The terms of reference of the GIA are clearly spelt out in its Internal Audit Charter.

The GIA evaluates the following:

(a) Adequacy, integrity, effectiveness of the Company and the Group’s internal controls in safeguarding shareholders’ investment and the Group’s assets. The internal controls cover financial, operational, information technology, compliance controls and enterprise risk management;

(b) Extent of compliance with established policies, procedures and statutory requirements; and

(c) Adequacy of policies, procedures and guidelines on the Company and Group’s accounting, financial and operational activities.

For the year under review, the GIA had undertaken the following:

(a) Prepared the annual audit plan for approval by the ARC.

(b) Performed risk-based audits based on the annual audit plan, including follow-up of matters from previous internal audit reports.

(c) Issued internal audit reports to the Management on risk management, control and governance issues identified from the risk-based audits together with recommendations for improvements for these processes.

Annual Report 2020, Kumpulan Fima Berhad (197201000167)(11817-V)
