Annual Report 2013
KPJ HEALTHCARE BERHAD
CONTROL ACTIVITIES
Policies and Procedures
Policies and procedures are documented comprehensively and
updated regularly to ensure relevance and compliance with the current
and applicable laws and regulations. These policies and procedures
help to ensure management directives are carried out and necessary
actions undertaken to address and minimise risks as well as to ensure
the continuity of business functions in the event of a crisis.
Regular fire drills at our hospitals and companies, ranging from basic
fire safety to mass evacuation drills, are conducted with the assistance
of the Fire Department. The objective is to ensure all employees are
well prepared and familiar with our emergency response and crisis
management plans.
SEGREGATION OF DUTIES
The delegation of responsibilities by the Board to the Management
and Operating Units is clearly defined and authority limits are strictly
enforced and reviewed regularly. Different authority limits are set
for different categories of managers for the procurement of capital
expenditure, donations and approval of general and operational
expenses. Similarly, cheque signatories and authority limits are clearly
defined and enforced. As a measure to curb and reduce the incidence
of fraud and error, duties and tasks are properly segregated between
different members of staff, especially those in finance and purchasing
services.
INFORMATION AND COMMUNICATION PROCESS
The Group recognises the importance of securing its information
technology assets against potential threats to ensure their
confidentiality, integrity and availability. Apart from complying with
information security laws, regulations and international standards, the
Group has developed its own Policies and Standard Operating Manual.
The KPJ Clinical Information System (KCIS) is currently deployed at nine
hospitals and plans are underway for it to be commissioned at another
four to six hospitals in 2014. It is a secure clinical system enhanced
with electronic clinical documentation and audit trail to mitigate the
risks of incorrect information. It secures highly confidential patient
data by limiting access according to the user’s role and responsibility
as a care giver.
The Group has started migrating the clinical information system to the
enterprise-wide KPJ Cloud System by hosting a KPJ data centre
serving all hospitals via the Internet. This secure private cloud is
dedicated to providing core systems with data security services to
ensure cloud computing is enabled in a shared and safe environment.
The Group’s centralised IT infrastructure and hardware system is a
key driver in optimising the cost of investment, without neglecting the
need for continuous improvements in clinical systems for quality care
and patient safety.
CONTINUOUS MONITORING PROCESS
Ongoing Monitoring
Ongoing monitoring of internal control effectiveness is appropriately
and sufficiently done through not only normal daily supervision
by immediate supervisors, but also by the Internal and External
Auditors, who make both scheduled and surprise audit visits to ensure
compliance. Any discrepancy and irregularity will be reported to
Management for correction and improvement. Management also
monitors the performance of the hospitals and companies through
regular meetings and reports.
Separate Evaluations
All hospitals with MSQH certification and JCI accreditation have to
undergo stringent surveillance audits by the respective surveyors and
audit teams to ensure compliance with accreditation standards and
requirements before certificates can be renewed, usually every three
years.
ASSURANCE
The Board is of the view that the system of internal controls and risk
management instituted throughout the Group is sound and effective
and provides a level of confidence on which the Board can rely for
assurance. In the year under review and up to the date of approval of
this statement, there was no significant control failure or weakness
that would result in any material losses, contingencies or uncertainties
that would require separate disclosure in the Annual Report. The Board
ensures that the internal controls system and the risk management
practices of the Group are reviewed regularly to meet the changing
and challenging operating environment.
The Board has received assurance from the Managing Director and
Chief Financial Officer that the internal controls and risk management
system is adequate, appropriate and effective for the Group’s
operations.
Statement on
Internal Control and Risk Management
(Pursuant to Section 15.27(b) of the Bursa Malaysia Listing Requirements