GHL System Berhad Annual Report 2020

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL (CONT'D)

KEY INTERNAL CONTROL PROCESSES (Cont'd)

4. Internal Audit Function

As part of the Group's efforts to establish a sound framework for risk management and internal control, an in-house audit function has been established as a key component of its internal control processes. The Group Internal Audit ("GIA") reports independently to the ARC and is guided by a formalised Internal Audit Charter and the Institute of Internal Auditors' International Professional Practices Framework.

Acting as the third line of defence in internal control, the GIA performs audits within the Group in accordance with an annual internal audit plan, which is formulated through a comprehensive risk-based methodology and approved by the ARC. The audits are designed to test the appropriateness of control design and implementation as well as compliance with existing policies and procedures.

The results of all internal audit reviews, together with the findings and recommendations, are presented to Management for discussion and formulation of the necessary corrective action plans prior to finalisation of the internal audit reports. The status of implementation of agreed audit recommendations is tracked until completion, and updates are highlighted by the Head of Group Internal Audit to the ARC. Appropriate relevant parties are invited to be present during such presentations.

The GIA is headed by Mr. Liow Tien Chin, a member of CPA Australia and a Chartered Member of The Institute of Internal Auditors Malaysia, with more than 10 years of experience in the profession. The GIA department is supported by staff who possess the relevant qualifications and experience, and has adequate resources to fulfil the internal audit plan for the next financial year.

The Head of GIA, Mr. Liow, confirmed the Internal Auditors' independence to the ARC in March 2021, when he signed the annual declaration that he and his team were, and had been, free from any relationship or conflict of interest which could impair their objectivity and independence. Based on this confirmation by the Head of GIA, the ARC is satisfied that the internal audit personnel are free from any relationships or conflicts of interest which could impair their objectivity and independence, and that the audit programme for the financial year under review was carried out by the Internal Auditors as planned.

5. Information Technology Controls and Security

a. Disaster Recovery Backup Plan

The Board is cognisant of the importance of business continuity management in strengthening the Group's resilience in response to the evolving business environment and in enhancing shareholders' value. A Disaster Recovery ("DR") backup policy and procedure has been established group-wide to ensure continuity of business operations in the event that an IT-disabling disaster strikes. DR drills are conducted by the technology division together with an external service provider at least once a year, with continuous effort to enhance the DR capability to cover all key aspects of the businesses.

b. Payment Card Industry Data Security Standard ("PCIDSS")

PCIDSS is an actionable framework established by the Payment Card Industry Security Standards Council ("PCISSC") to ensure the safe handling of cardholder information at every step. PCIDSS covers systems, policies and procedures around the following:

- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management programme
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
