KENANGA ANNUAL REPORT 2017

An Annual Audit Plan based on the appropriate risk based methodology has been developed and approved by the Audit Committee. On a quarterly basis, audit reports and status of internal audit activities including the sufficiency of GIA resources are presented to the Audit Committee for review. Periodic follow up reviews are conducted to ensure adequate and timely implementation of Management’s action plans; 15. Quarterly meetings are held by the Audit Committee together with Management to review issues highlighted in the reports by internal and external auditors as well as audits conducted by regulators such as the SC, Bursa Securities and BNM, in particular the actions taken to address issues. If required, the internal auditors will also assist the Audit Committee to periodically review the measures taken to address the Audit Committee’s concerns on any internal control system; 16. Regular Board and Management meetings to review the operational and financial performance of the Group and assess any significant internal control issue highlighted by the Audit Committee, GIA, Group Regulatory, regulators and external auditors so as to seek resolution of those matters; 17. The Board does not regularly review the internal control systems of associate companies and joint venture company as the Board does not have any direct control over their operations. Notwithstanding the above, the Group’s interests are served through representation on the Boards of the respective associate companies and joint venture company, and through receipt and review of management accounts and related enquiries thereon. Such representation also provides the Board with information for decision-making on the continuity of the Group’s investments based on the performance of the associate companies and joint venture company. The representation also enables the Group to influence the financial and operating policies of associate companies and joint venture company; 18. Management is responsible for, amongst others: – reviewing the actual performance against expectations and budget on a quarterly basis; – addressing any internal control issues with the Audit Committee, GIA and the external auditors; and – addressing any matters arising from the meetings of the Board and Audit Committee and ensuring that actions are taken in relation to these matters. Effectiveness of Risk Management Framework and Internal Control System The Board confirms that the risk management framework and the system of internal controls, with the key elements highlighted above, was implemented to identify, evaluate and manage significant risks faced by the Group during the financial year and has taken into consideration any material developments up to the date of approval of the annual report and financial statements. The main risk areas faced by the Company and the guidelines and policies adopted to manage them are provided in detail under Note 50 of the Audited Financial Statements of the Company for the Financial Year Ended 31 December 2017. The Board is satisfied that there is a sound system of risk management and internal controls in the Group which is functioning adequately and there are regular checks to ensure the controls are efficient and effective. Review of the Statement by External Auditors As required by Paragraph 15.23 of the MMLR of Bursa Securities, the external auditors have reviewed this Statement on Risk Management and Internal Control. Their review was performed in accordance with the Recommended Practice Guide (“ RPG ”) 5 (“Revised 2015), Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the annual report issued by the Malaysian Institute of Accountants. Based on the review, the external auditors have reported to the Board that nothing has come to their attention that causes them to believe that this Statement is inconsistent with their understanding of the process that the Board has adopted in the review of the adequacy and integrity of the internal controls of the Group. RPG5 does not require the external auditors to, and they did not, consider whether this Statement covers all risks and controls, or to form an opinion on the effectiveness of the Group’s risk and control procedures. This Statement on Risk Management and Internal Control is made in accordance with the resolution of the Board dated 8 March 2018. Kenanga Investment Bank Berhad 58 statement on risk management and internal control