12. Policies and Procedures
There is extensive documentation of policies, procedures, guidelines and service level agreements on the Group’s intranet site
including those relating to finance, contract management, marketing, sourcing, human resources, information systems, network
operations, legal, system and information security controls. Continuous control enhancements are made to cater for business
environment changes and in line with Maxis’ new and changing business strategy.
13. Financial and Operational Information
A detailed budgeting and reporting process has been established. Comprehensive budgets are prepared by the operating units and
presented to the Board before the commencement of a new financial year. Upon approval of the budget, the Group’s performance
is tracked and measured against the approved budget on a monthly basis. Reporting systems which highlight significant variances
against plan are in place to track and monitor performance. These variances in financial and operational performance indices are
incorporated in detail in the monthly management reports. On a quarterly basis, the results are reviewed by the Board to enable
the Directors to review the Group’s overall performance compared to the approved budgets and prior periods.
14. Systems and Information Security
The Systems and Information Security department (“SIS”) has an assurance function and is responsible for continuously
monitoring and resolving security threats to the Group both internally and externally. This includes conducting security awareness,
vulnerability assessment and penetration test programmes, and compliance audits on the IT systems and networks of Maxis to
reduce the impact of service interruption due to malicious activities, cyber-attacks, negligence and malware. The effectiveness of
the security programme is validated by auditors and external security consulting companies.
Apart from the internal security compliance programmes, SIS is also required to maintain and assist in the compliance of the
following regulatory and industry security programmes, namely: MS/ISO27001:2013, Payment Card Industry/Data Security
Standard, and the Personal Data Protection Act 2010.
SIS is governed by a Security Governance team made up of members of MMT who meet periodically to direct and approve the
corporate security policies and standards set by the department and security projects undertaken by the department. It is also
responsible for updating the Audit Committee at least annually on the Group’s security status.
MONITORING AND REVIEW
The processes that monitor and review the effectiveness of the system of risk management and internal controls include:
1. Management Representations made to the Board by the CEO and Chief Financial and Strategy Officer (“CFSO”), based on
representations made to them by Management on the adequacy and effectiveness of the Group’s risk management and internal
control system in their respective areas. Any material exceptions identified are highlighted to the Board.
2. Internal Audit in their quarterly report to the Audit Committee and members of MMT continues to highlight significant issues and
exceptions identified during the course of their review on processes and controls compliance.
3. The Defalcation Committee meets and deals regularly on matters pertaining to fraud and unethical practices. All issues arising
from work carried out by the investigation team within the Internal Audit department and Management are channeled to this
Committee for deliberation. Appropriate actions are then taken based on the findings.
4. Enterprise Risk Management department reports to the Board on a quarterly basis through the Audit Committee on the risk
profile of the Group and the progress of action plans to manage and mitigate the risks.
Management has taken the necessary actions to remediate weaknesses identified for the period under review. The Board and
Management will continue to monitor the effectiveness and take measures to strengthen the risk management and internal control
environment.
Statement on Risk Management and Internal Control