Statement on Internal Control
Financial year ended 31 December 2012
Introduction
This Statement on Internal Control is made pursuant to the Bursa Malaysia Securities Berhad Listing Requirements, which require the Board of Directors ("Board") to include in the Company's Annual Report a statement about the state of its internal control. The revised Malaysian Code on Corporate Governance (2012) requires all listed companies to establish and maintain a sound risk management framework and internal control system to safeguard shareholders' investment and the company's assets.
Accordingly, the Board is pleased to provide the Statement on Internal Control ("Statement") that was prepared in accordance with the "Statement on Risk Management & Internal Control – Guidelines for Directors of Public Listed Issuers" issued by Bursa Malaysia Securities Berhad which outlines the processes to be adopted by the Board in reviewing the adequacy and effectiveness of the risk management and internal control system of the Group.
Responsibility
The Board acknowledges its overall responsibility for establishing a sound risk management framework and internal control system. The Board is of the view that the risk management framework and internal control system are designed to manage the Group's risks within an acceptable risk appetite, rather than to eliminate the risk of failure to achieve the policies, goals and objectives of the Group. They can therefore only provide reasonable, rather than absolute, assurance of effectiveness against material misstatement of management and financial information or against financial losses and fraud.
The Board has established an appropriate control structure and processes for identifying, evaluating, monitoring and managing significant risks that may affect the achievement of business objectives. The control structure and processes instituted throughout the Group are updated and reviewed from time to time to suit changes in the business environment, and this on-going process has been in place for the whole financial year under review and up to the date of approval of this statement for inclusion in the annual report.
The role of Management includes:
- Identifying and evaluating the risks faced, and the achievement of business objectives and strategies
- Formulating relevant policies and procedures to manage these risks
- Designing, implementing, and monitoring a sound system of internal control
- Implementing the policies approved by the Board
- Reporting in a timely fashion to the Board any changes to the risks and corrective actions taken.
Internal Control Structure
The key processes that the Board has established in reviewing the adequacy and effectiveness of the risk management and internal control system include the following:
Risk Management Framework
- The Board has established an organisation structure with clearly defined lines of responsibility, authority limits and accountability, aligned to business and operational requirements, which supports the maintenance of a strong control environment. It has extended the responsibilities of the Audit Committee of the Board ("ACB") to include the assessment of internal controls through the Internal Audit function.
- The Board has also delegated the responsibility of reviewing the effectiveness of risk management to the Risk Management Committee ("RMC"). The effectiveness of the risk management system is monitored and evaluated by the Group Risk Management function on an ongoing basis. The RMC assists the Board in reviewing and overseeing the effectiveness of the risk management of the Bank, with the Group Risk Management function facilitating the continuous monitoring and evaluation of the Group's risk management system. Any approved policy and framework formulated to identify, measure and monitor the various risk components is reviewed and recommended by the RMC to the Board. Additionally, the RMC reviews and assesses the adequacy of these risk management policies and ensures that the infrastructure, resources and systems for risk management are in place.
- The risk management function is strengthened with the Group Chief Risk Officer ("GCRO"), having oversight over the risk governance across the Group. The risk governance structure is aligned across the business units, overseas units, and subsidiaries of the Group through the streamlining of the risk frameworks, policies and organisational structures in order to embed and enhance our risk management and risk culture based on the Group's regional growth and expansion plans.
- Risk management principles, policies, procedures and practices are updated regularly to ensure relevance and compliance with current/applicable laws and regulations, and are made available to all employees. The Group also adopted a whistle blowing policy, providing an avenue for employees to report actual or suspected malpractice, misconduct or violations of the Group's policies and regulations in a safe and confidential manner.
- A written Management Control Policy ("MCP") and Internal Control Policy ("ICP") from Management are in place. The MCP outlines the specific responsibilities of the various parties, i.e. the Management, the Internal Audit Committee ("IAC") and the ACB, pertaining to internal control for Maybank Group. The ICP is intended to create awareness among all employees with regard to the internal control components and the basic control policy of Maybank Group.
- There is an Anti-Fraud Framework implemented which provides broad principles, strategy and policy for the Group to adopt in relation to fraud in order to promote high standards of integrity. The Framework establishes robust and comprehensive programmes and controls for the Group as well as highlights the roles and responsibilities at every level for preventing and responding to fraud.
- The Group has established the three lines of defence concept: risk taking units, risk control units and internal audit. The risk taking units are responsible for the day-to-day management of the risks inherent in their business activities, while the risk control units are responsible for setting the risk management framework and developing tools and methodologies. Complementing these is internal audit, which provides independent assurance of the effectiveness of the risk management approach.
Internal Audit Function
- The Internal Audit function undertakes regular reviews of the Group's operations and systems of internal control by reviewing the business processes to examine and evaluate the adequacy and efficiency of financial and operating controls, and highlights significant risks and non-compliance impacting the Group. Where applicable, it provides recommendations to improve the effectiveness of risk management, control and governance processes. Management follows through and reviews the status of actions on recommendations made by the internal and external auditors. Audit reviews are carried out on units identified on a risk-based approach, in line with the Group's objectives and policies in the context of its evolving business and regulatory environment, taking into consideration input from senior management and the Board.
- The IAC is a management committee chaired by the GCFO, comprising senior level representatives from a broad range of business and support units of the Bank. The IAC meets regularly to deliberate on the findings of all signed audit and investigation reports and decide on the appropriate action required to resolve audit issues covering all aspects of the Bank's business and operations. Where required, representatives from the parties being audited are requested to attend the IAC meeting to enable more detailed deliberation and speedy resolution of the matter at hand. Minutes of the IAC meeting are then tabled to the ACB together with the audit reports. The IAC also follows through on the actions required by the ACB.
- The ACB meets on a scheduled basis to review the internal control issues identified in reports prepared by Internal Audit, the External Auditors, Regulatory Authorities and further evaluates the effectiveness and adequacy of the Group's internal control system. The ACB has active oversight on Internal Audit's independence, scope of work and resources. It also reviews the Internal Audit function and the scope of the annual audit plan and frequency of the internal audit activities. Minutes of the ACB meeting are then tabled to the Board. The details of the activities undertaken by the ACB are highlighted in the Audit Committee Report.
Other Key Elements of Internal Control
The other key elements of the procedures established by the Board that provide effective internal control include:
- An annual business plan and budget are submitted to the Board for approval. Actual performance is reviewed against the targeted results on a monthly basis, allowing timely responses and corrective actions to be taken to mitigate risks. The Board reviews regular reports from Management on key operating statistics, as well as legal and regulatory matters. The Board also approves any changes or amendments to the Group's policies.
- Other Board Committees are also established to assist the Board in performing its oversight function, namely the Credit Review Committee, Nomination and Remuneration Committee and Employee Share Scheme Committee. Specific responsibilities have been delegated to these Board Committees, all of which have formalised terms of reference. These Committees have the authority to examine all matters within their scope and report to the Board with their recommendations. For more details on the various Board Committees, please refer to Pages 204 to 206.
- Various Executive Level Management Committees (ELCs) are also established by Management to assist and support the various Board Committees to oversee the core areas of business operations. These ELCs include the Group Executive Committee, Group Management Credit Committee, Executive Risk Committee, Asset & Liability Management Committee, Group Procurement Committee, Group IT Steering Committee, Group Staff Committee, and Human Resource Disciplinary Committee.
- Recruitment and promotion policies/guidelines within the Group are established to ensure that appropriate persons of calibre are selected to fill available positions. Formal training programmes, either face-to-face or through e-learning, semi-annual and annual performance appraisals, and other relevant procedures are in place to ensure that staff are adequately trained and competent to discharge their duties and responsibilities effectively. Proper guidelines are also drawn up for the termination of staff.
- A clearly defined framework with appropriate empowerment and authority limits has been approved by the Board for acquisitions and disposals of assets, awarding tenders, writing off operational and credit items, donations, as well as approving general and operational expenses.
- There are policies and procedures in place to ensure compliance with internal control and the prescribed laws and regulations. These policies and procedures are set out in the Group's Standard Practice Instruction and are updated from time to time in tandem with changes to the business environment or regulatory guidelines.
Assurance from Management
The Board has also received reasonable assurance from the President & Chief Executive Officer ("PCEO") and the Group Chief Financial Officer ("GCFO") that the Group's risk management and internal control system is operating adequately and effectively, in all material respects, based on the risk management model adopted by the Group.
Review of the Statement by External Auditors
The external auditors have reviewed this Statement on Internal Control for inclusion in the annual report for the financial year ended 31 December 2012.
The external auditors conducted the review in accordance with the "Recommended Practice Guide 5: Guidance for Auditors on the Review of Directors' Statement on Internal Control" ("RPG 5") issued by the Malaysian Institute of Accountants. The review has been conducted to assess whether the Statement on Internal Control is both supported by the documentation prepared by or for the Board and appropriately reflects the processes the Directors had adopted in reviewing the adequacy and integrity of the system of internal controls of the Group.
RPG 5 does not require the external auditors to consider whether the Directors' Statement on Internal Control covers all risks and controls, or to form an opinion on the effectiveness of the Group's risk and control procedures. RPG 5 also does not require the external auditors to consider whether the processes described to deal with material internal control aspects of any significant matters disclosed in the annual report will, in fact, mitigate the risks identified or remedy the potential problems.
Based on their review, the external auditors have reported to the Board that nothing has come to their attention that causes them to believe that the Statement on Internal Control is inconsistent with their understanding of the processes the Board has adopted in reviewing the adequacy and effectiveness of the risk management and internal control of the Group.