1 139 Table of Contents 141 162

KPJ Healthcare Berhad - Annual Report 2018

138 KPJ HEALTHCARE BERHAD CONTINUOUS MONITORING AND ASSURANCE Ongoing Monitoring The main assurance process of the Group is primarily undertaken by the Level 2 and Level 3 defence line functions. The effectiveness of internal control systems implemented throughout the Group is assessed primarily by the Group Internal Audit through the conduct of regular audits on the hospitals and key subsidiaries. The assurance on the effectiveness of the ERM framework is provided primarily by the Group Clinical Services and Risk & Compliance Services through on-site and off-site reviews. In 2018, 24 clinical audits and 5 risk & compliance reviews were conducted by these departments respectively. Reports generated by the Level 2 and Level 3 lines of defence mentioned above are presented to the Clinical Risk Management Committee and Risk and Sustainability Committee respectively for deliberation. The Group’s risk management framework and internal control systems do not apply to the associate companies where it does not exercise management control over their operations. The Group’s interest are served through representation on the Board of Directors of these associate companies as well as through regular review of management accounts that they provide to the Group. The Board is satisfied with the information provided to assess the associates’ performance for informed and timely decision-making on the Group’s investments in these associates. Independent Evaluation All hospitals certified with the MSQH and JCI accreditation have to undergo stringent surveillance audit by the respective surveyors and audit teams to ensure compliance with accreditation standards and requirements before accreditation certification can be renewed, usually every three (3) years. In 2018, MSQH conducted two (2) hospital accreditation surveys and JCI conducted one (1) hospital survey as part of the accreditation process cycle. STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL Review of This Statement By The External Auditors This Statement on Risk Management and Internal Control has been reviewed by the External Auditors as required by Paragraph 15.23 (b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad for the inclusion in the Integrated Report for the year ended 31 st December 2018. The limited assurance review was performed in accordance with Recommended Practice Guide (RPG) 5 (Revised) issued by the Malaysian Institute of Accountants. RPG 5 (Revised) does not require the External Auditors to form an opinion on the adequacy and effectiveness of the risk management and internal control of the Group. The External Auditors have reported to the Board that nothing has come to their attention that causes them to believe that the statement is inconsistent with their understanding of the process adopted by the Board in reviewing the adequacy and integrity of risk management and internal controls systems of the Group. ASSURANCE The Board has received assurance from the President & Managing Director and Vice President (II) – Group Finance Services, that the Group’s risk management framework and internal control system are operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of approval of this Statement for inclusion in the Integrated Report, based on the risk management and internal control system adopted by the Group. The Board is of the view that the system of internal controls instituted throughout the Group is sound and effective and provides a level of confidence on which the Board relies for assurance. In the year under review and up to the date of this report, there was no significant control failure or weakness that would result in any material separate disclosure in the Integrated Report. The Board ensures that the internal control system and the risk management practices of the Group are reviewed regularly to meet the changing and challenging operating environment. The Board is therefore pleased to disclose that the system of internal control and risk management of the Group is sufficient, appropriate, effective and in line with the Malaysian Code of Corporate Governance and the Statement on Risk Management and Internal Control – Guidelines for Directors of Listed Issuers.

RkJQdWJsaXNoZXIy NzU2NTI=