Bank Islam Integrated Annual Report 2020

BANK ISLAM MALAYS IA BERHAD INTEGRATED ANNUAL REPORT 2020 151 ěɁ ɨǉǹȢǉƺɽ ɽȃǉ Ȉȶǁǉɥǉȶǁǉȶƺǉ Ɂǹ ȶɽǉɨȶƃȢ ʍǁȈɽӗ ɽȃǉ : ɨǉɥɁɨɽɰ ǹʍȶƺɽȈɁȶƃȢȢʰ ɽɁ ɽȃǉ 9Ɂƃɨǁ ɽȃɨɁʍǼȃ ɽȃǉ 9 K:ӝ ěȃǉ ƃȶȶʍƃȢ ƃʍǁȈɽ ɥȢƃȶ Ȉɰ ɨǉʤȈǉʥǉǁ ƃȶǁ ƃɥɥɨɁʤǉǁ ƹʰ ɽȃǉ 9 K: ɥɨȈɁɨ ɽɁ ɽȃǉ ɰɽƃɨɽ Ɂǹ ǉƃƺȃ ǹȈȶƃȶƺȈƃȢ ʰǉƃɨӝ ěȃǉ ƃʍǁȈɽ ɥȢƃȶ ƃǁɁɥɽɰ a risk-based approach in determining the auditable units and frequency of the audits which focused on the following three ӯѶӰ ƺɁȴɥɁȶǉȶɽɰӖӸ i. Impact and likelihood of the inherent risk; ii. The respective controls in place; and iii. Existence of effective risk transfer and loss impact reduction practices in minimising potential losses from negligence or fraud. A ƃǁɁɥɽɰ ɽȃǉ ɰɽƃȶǁƃɨǁɰ ƃȶǁ ɥɨȈȶƺȈɥȢǉɰ ɁʍɽȢȈȶǉǁ Ȉȶ ɽȃǉ ȶɽǉɨȶƃȢ :ɁȶɽɨɁȢ yɨƃȴǉʥɁɨȟ Ɂǹ :ɁȴȴȈɽɽǉǉ Ɂǹ ČɥɁȶɰɁɨȈȶǼ ÝɨǼƃȶȈɰƃɽȈɁȶ Ɂǹ ɽȃǉ ěɨǉƃǁʥƃʰ :ɁȴȴȈɰɰȈɁȶ ӯ:ÝČÝӰ ƃȶǁ ɽȃǉ ɁƹȚǉƺɽȈʤǉɰ ɰǉɽ ƹʰ ɽȃǉ ȶɰɽȈɽʍɽǉ Ɂǹ ȶɽǉɨȶƃȢ ʍǁȈɽɁɨɰԇ ȶɽǉɨȶƃɽȈɁȶƃȢ ĀɨɁǹǉɰɰȈɁȶƃȢ ĀɨƃƺɽȈƺǉɰ yɨƃȴǉʥɁɨȟ ʥȃȈƺȃ ƺɁȴɥɨȈɰǉɰ ɽȃǉ ƺɁɨǉ ɥɨȈȶƺȈɥȢǉ ǹɁɨ ɽȃǉ ĀɨɁǹǉɰɰȈɁȶƃȢ ĀɨƃƺɽȈƺǉ Ɂǹ ȶɽǉɨȶƃȢ ʍǁȈɽȈȶǼӗ ɽȃǉ ǁǉǹȈȶȈɽȈɁȶ Ɂǹ ȶɽǉɨȶƃȢ ʍǁȈɽȈȶǼ ƃȶǁ :Ɂǁǉ Ɂǹ KɽȃȈƺɰӝ ěȃǉ ɨǉɰʍȢɽɰ Ɂǹ ɽȃǉ ƃʍǁȈɽ ƺɁȶǁʍƺɽǉǁӗ ȈȶƺȢʍǁȈȶǼ Ȉɽɰ ɨȈɰȟɰ ƃȶǁ ɨǉƺɁȴȴǉȶǁƃɽȈɁȶɰ ƃɨǉ ɨǉɥɁɨɽǉǁ ɽɁ ɽȃǉ 9 K: Ɂȶ ƃ ɨǉǼʍȢƃɨ ƹƃɰȈɰӝ ĄǉɰɁȢʍɽȈɁȶ Ɂǹ ɽȃǉ ƃʍǁȈɽ ǹȈȶǁȈȶǼɰ ƃȶǁ ɨǉƺɁȴȴǉȶǁƃɽȈɁȶɰ ƃɨǉ ɥǉɨǹɁɨȴǉǁ ƹʰ ɽȃǉ ÃƃȶƃǼǉȴǉȶɽ ƃȶǁ ƺȢɁɰǉȢʰ Ɂƹɰǉɨʤǉǁ ƹʰ ɽȃǉ ÃƃȶƃǼǉȴǉȶɽ ʍǁȈɽ :ɁȴȴȈɽɽǉǉ ʥȃɁɰǉ ȴǉȴƹǉɨɰ ƺɁȴɥɨȈɰǉ Ɂǹ ɽȃǉ ȴǉȴƹǉɨɰ Ɂǹ ɽȃǉ ČǉȶȈɁɨ ÃƃȶƃǼǉȴǉȶɽӝ ȶ ƃǁǁȈɽȈɁȶӗ ČȃƃɨȈƃȃ audit reports including their findings, risks and recommendations are notified and deliberated at the SSC meetings. ěȃǉ A Ȉɰ ƺɁȴȴȈɽɽǉǁ ɽɁ ɥɨɁʤȈǁǉ ƃȶ Ȉȶǁǉɥǉȶǁǉȶɽӗ ɁƹȚǉƺɽȈʤǉ ƃɰɰʍɨƃȶƺǉ ƃȶǁ ƃǁʤȈɰɁɨʰ ɰǉɨʤȈƺǉɰ ɽȃƃɽ ʥȈȢȢ ƃǁǁ ʤƃȢʍǉ ƃȶǁ ȈȴɥɨɁʤǉ the Bank’s operations. A ƺɽȈʤȈɽȈǉɰ Ȉȶ ѵѳѵѳ Āɨǉɥƃɨǉ ɽȃǉ ʍǁȈɽ ĀȢƃȶ ƃȶǁ 9ʍǁǼǉɽ ǹɁɨ ƃɥɥɨɁʤƃȢ Ɂǹ ɽȃǉ 9 K:ӝ ěȃǉ ʍǁȈɽ ĀȢƃȶ ʥƃɰ ǁǉʤǉȢɁɥǉǁ ƹƃɰǉǁ Ɂȶ ƃɰɰǉɰɰȴǉȶɽ of the significant potential risk exposure of the auditable areas; ĀɨɁʤȈǁǉ Ȉȶǁǉɥǉȶǁǉȶɽ ƃɰɰǉɰɰȴǉȶɽ ƃȶǁ ɁƹȚǉƺɽȈʤǉ ƃɰɰʍɨƃȶƺǉ Ɂȶ ɽȃǉ ƃǁǉɧʍƃƺʰ ƃȶǁ ǉǹǹǉƺɽȈʤǉȶǉɰɰ Ɂǹ ȈȶɽǉɨȶƃȢ ƺɁȶɽɨɁȢɰ ȈȴɥȢǉȴǉȶɽǉǁ ɽɁ ȴȈɽȈǼƃɽǉ ɽȃǉ ɨȈɰȟ ǉʯɥɁɰʍɨǉɰӝ Āɨǉɥƃɨǉ ƃʍǁȈɽ ɨǉɥɁɨɽ ƺɁȶɰȈɰɽȈȶǼ Ɂǹ ɁƹɰǉɨʤƃɽȈɁȶɰӗ ȈȴɥɨɁʤǉȴǉȶɽ ɁɥɥɁɨɽʍȶȈɽȈǉɰӗ management responses, deadline for resolution and person-in-charge for implementation including corrective actions by the respective stakeholders; yɁȢȢɁʥӸʍɥ Ɂȶ ɽȃǉ ÃƃȶƃǼǉȴǉȶɽ ƺɁɨɨǉƺɽȈʤǉ ƃƺɽȈɁȶɰ Ɂȶ ƃʍǁȈɽ Ȉɰɰʍǉɰ ɨƃȈɰǉǁ ƹʰ ɽȃǉ Aӝ AǉɽǉɨȴȈȶǉ ʥȃǉɽȃǉɨ ƺɁɨɨǉƺɽȈʤǉ actions taken have generally achieved the desired results to mitigate the risk exposures; ĄǉɥɁɨɽ ɽɁ ɽȃǉ 9 K:ӗ ɽȃǉ ǹȈȶƃȢ ƃʍǁȈɽ ɨǉɥɁɨɽ ȃȈǼȃȢȈǼȃɽȈȶǼ ɽȃǉ ƃʍǁȈɽ ɥȢƃȶ ƺɁʤǉɨƃǼǉӗ ƃʍǁȈɽ ɰƺɁɥǉ ƃȶǁ ɨȈɰȟɰ ƺɁʤǉɨǉǁӗ ƃʍǁȈɽ rating, significant audit findings, findings escalated for Management’s immediate action and status of corrective ƃƺɽȈɁȶɰӝ ɽɁɽƃȢ Ɂǹ Ѵѵѵ ƃʍǁȈɽɰ ӯǉʯƺȢʍǁȈȶǼ ȈȶʤǉɰɽȈǼƃɽȈɁȶɰӰ ʥǉɨǉ ƺɁȶǁʍƺɽǉǁ ǹɁɨ ɽȃǉ {ɨɁʍɥ Ȉȶ yťѵѳѵѳӢ ĄǉɥɁɨɽ ɽɁ ɽȃǉ 9 K: ɽȃǉ ƃǁǉɧʍƃƺʰӗ ɨǉȢȈƃƹȈȢȈɽʰӗ ȈȶɽǉǼɨȈɽʰ ƃȶǁ ƺɁȴɥȢȈƃȶƺǉ ɁǹӖ – risk management, internal controls and governance processes; – Information Technology, stress testing procedures and practices and the back-up system to cover for contingencies and disaster; ӵ ĄǉǼʍȢƃɽɁɨʰ ɨǉɥɁɨɽȈȶǼӗ ƃƺƺɁʍȶɽȈȶǼ ɨǉƺɁɨǁɰӗ ǹȈȶƃȶƺȈƃȢ ɨǉɥɁɨɽɰ ƃȶǁ ȴƃȶƃǼǉȴǉȶɽ ȈȶǹɁɨȴƃɽȈɁȶӢ ĄǉʤȈǉʥ ƺɁȴɥȢȈƃȶƺǉ ʥȈɽȃ ɨǉȢǉʤƃȶɽ ȢǉǼƃȢӗ ɨǉǼʍȢƃɽɁɨʰ ƃȶǁ ȈȶɽǉɨȶƃȢ ɥɁȢȈƺȈǉɰ ƃɰ ʥǉȢȢ ƃɰ Ȉȶ ƺɁȴɥȢȈƃȶƺǉ ʥȈɽȃ ČȃƃɨȈƃȃ ɨʍȢǉɰ ƃȶǁ ɥɨȈȶƺȈɥȢǉɰ ƃɰ ǁǉɽǉɨȴȈȶǉǁ ƹʰ ɽȃǉ ČȃƃɨȈƃȃ ČʍɥǉɨʤȈɰɁɨʰ :ɁʍȶƺȈȢ ƃȶǁ ČȃƃɨȈƃȃ :ɁȴɥȢȈƃȶƺǉ ĀɁȢȈƺʰӝ ĀɨɁʤȈǁǉ Ȉȶǁǉɥǉȶǁǉȶɽ ƃɰɰǉɰɰȴǉȶɽ Ɂȶ ɽȃǉ ǉǹǹǉƺɽȈʤǉȶǉɰɰ Ɂǹ ɽȃǉ 9ʍɰȈȶǉɰɰ :ɁȶɽȈȶʍȈɽʰ ĀȢƃȶӣAȈɰƃɰɽǉɨ ĄǉƺɁʤǉɨʰ ĀȢƃȶ ɽɁ ensure resumption of business activities is not hampered.