Maybank

Statement on Internal Control

Financial year ended 31 December 2012

Introduction

This Statement on Internal Control is made pursuant to the Bursa Malaysia Securities Berhad Listing Requirements, which require the Board of Directors ("Board") to include in its Company Annual Report a statement about the state of its internal control. The revised Malaysian Code on Corporate Governance (2012) requires all listed companies to establish and maintain a sound risk management framework and internal control system to safeguard shareholders' investment and the company's assets.

Accordingly, the Board is pleased to provide the Statement on Internal Control ("Statement") that was prepared in accordance with the "Statement on Risk Management & Internal Control – Guidelines for Directors of Public Listed Issuers" issued by Bursa Malaysia Securities Berhad, which outlines the processes to be adopted by the Board in reviewing the adequacy and effectiveness of the risk management and internal control system of the Group.

Responsibility

The Board acknowledges its overall responsibility in establishing a sound risk management framework and internal control system. The Board is of the view that the risk management framework and internal control system are designed to manage the Group's risks within an acceptable risk appetite, rather than eliminate the risk of failure to achieve the policies, goals and objectives of the Group. It can therefore only provide reasonable, rather than absolute assurance of effectiveness against material misstatement of management and financial information or against financial losses and fraud.

The Board has established an appropriate control structure and process for identifying, evaluating, monitoring, and managing significant risks that may affect the achievement of business objectives. The control structure and process, which have been instituted throughout the Group, are updated and reviewed from time to time to suit the changes in the business environment, and this on-going process has been in place for the whole financial year under review and up to the date of approval of this statement for inclusion in the annual report.

The role of Management includes:

Internal Control Structure

The key processes that the Board has established in reviewing the adequacy and effectiveness of the risk management and internal control system include the following:

Risk Management Framework
Internal Audit Function
Other Key Elements of Internal Control

The other key elements of the procedures established by the Board that provide effective internal control include:

Assurance from Management

The Board has also received reasonable assurance from the President & Chief Executive Officer ("PCEO") and the Group Chief Financial Officer ("GCFO") that the Group's risk management and internal control system are operating adequately and effectively, in all material respects, based on the risk management model adopted by the Group.

Review of the Statement by External Auditors

The external auditors have reviewed this Statement on Internal Control for inclusion in the annual report for the financial year ended 31 December 2012.

The external auditors conducted the review in accordance with the "Recommended Practice Guide 5: Guidance for Auditors on the Review of Directors' Statement on Internal Control" ("RPG 5") issued by the Malaysian Institute of Accountants. The review has been conducted to assess whether the Statement on Internal Control is both supported by the documentation prepared by or for the Board and appropriately reflects the processes the Directors had adopted in reviewing the adequacy and integrity of the system of internal controls of the Group.

RPG 5 does not require the external auditors to consider whether the Directors' Statement on Internal Control covers all risks and controls, or to form an opinion on the effectiveness of the Group's risk and control procedures. RPG 5 also does not require the external auditors to consider whether the processes described to deal with material internal control aspects of any significant matters disclosed in the annual report will, in fact, mitigate the risks identified or remedy the potential problems.

Based on their review, the external auditors have reported to the Board that nothing has come to their attention that causes them to believe that the Statement on Internal Control is inconsistent with their understanding of the processes the Board has adopted in the review of the adequacy and effectiveness of the risk management and internal control of the Group.