Preview
About this topic
Topic objectives
Directors
Management
Internal Audit Department and Audit Committee
Risk Management and Risk Management Committee
Self-assessment/Exercises
Checklist
Preview
About this topic
Compliance is often considered to be the responsibility of someone else in an organisation, such as the Compliance Officer or the Board of Directors. However, as we have seen in the previous topic, in order for a firm to comply with all external compliance issues and ethical principles, it needs to engender a culture of compliance.
This has the effect of imposing responsibility on every employee to do their job in a manner compliant with the firm’s compliance programme.
In this topic we consider the regulatory requirements for establishing, and the roles and responsibilities of, the Board of Directors, Chief Executive Officer, Internal Audit department, Audit Committee and Risk Management Committee.
Topic Objectives
At the end of this topic, you should be able to:
(a) explain the role and responsibilities of the Board of Directors
(b) explain the regulatory requirements in relation to the appointment of members of the Management
(c) describe the role of the Internal Audit department and its relationship with the Audit Committee and compliance
(d) explain the role of the Audit Committee
(e) describe the regulatory requirements and role of the Risk Management Committee
Directors
To become a member of the Board of Directors, a person must be a “fit and proper” person (See the Capital Markets & Services Act 2007 for the Securities Commission Malaysia’s (SC) requirements on fit and proper). The SC expects firms to conduct proper due diligence on a person prior to his/her appointment as a director to ensure that the person is fit and proper and is suitably qualified to assume the position of a director.
Firms are also required to notify the SC of new appointments of directors within two working days of the appointment, or prior to any public announcement (whichever is earlier), in accordance with the SC’s Licensing Handbook. Investment banks must also comply with the Guidelines on Investment Banks for the appointment of their directors.
In addition to the above, where a firm is a Participating Organisation or Trading Participant of Bursa Malaysia, the firm must also register its directors or notify the relevant exchange on the appointment of new directors.
Figure 1 illustrates the position of the Board of Directors within a firm.
From the foregoing diagram, it can be seen that the Board of Directors occupies the highest hierarchy within a firm, with the Audit Committee, Risk Management Committee, Management and Head of Compliance/Compliance Officer reporting to it. (The duties and responsibilities of the Management, Audit Committee, Risk Management Committee and the Internal Audit department are explained in more detail later in this topic, whereas the duties and responsibilities of the Head of Compliance/Compliance Officer will be discussed in Topic 3, Compliance Officers.)
The responsibility for engendering a compliance culture within a firm, therefore, ultimately lies with the firm’s Board of Directors. Similarly, the supervisory responsibilities over representatives and other staff ultimately rest with its Board of Directors.
While the Compliance Officer will ordinarily be involved with the formulation and coordination of the compliance programme, the effective implementation and maintenance of this programme lies with the firm itself and its Board of Directors. Any failure is seen to be a failure of the firm and its Board.
For instance, under the Bursa Malaysia Securities Berhad’s Participating Organisations’ Directives and Guidance, it is stipulated that:
The ultimate responsibility for proper supervision and compliance rests with the Participating Organisation and its Board of Directors.
Similarly, the Rules of Bursa Malaysia Derivatives Berhad mentions that:
Each Trading Participant shall establish and maintain a proper system to supervise the activities of each Registered Representative, agents and other personnel and that is reasonably designed to achieve compliance with the Rules and the Capital Markets and Services Act. The final responsibility for proper supervision shall rest with the Trading Participant and its Board of Directors.
See Guidelines on Compliance Function for Fund Management Companies which also places the responsibility for compliance with all laws, regulations and guidelines on the Board of Directors.
Hence, the Board of Directors needs to do significantly more than approve appropriate policies and procedures for the firm. For instance, the Board should ensure that:
(a) a sound system of internal controls is maintained to safeguard shareholders’ interests, the company’s assets and clients’ interests. This covers not only financial controls but operational and compliance controls, and risk management.
(b) written policies and procedures are in place and that management effectively implements all policies and procedures set by the board.
(c) competent persons are appointed to supervise and manage the company and that such persons are always subject to oversight of the Board.
(d) a fully staffed Compliance department is established and delegated with the responsibility of managing the organisation’s compliance with all relevant laws, regulations, directives, guidelines, policies and procedures.
(e) a Compliance Officer has the responsibility of managing the organisation’s compliance with all relevant laws, rules, regulations, directives, guidelines, policies and procedures.
(f) a competent Compliance Officer is available to review the effectiveness of organisational controls and procedures, as well as to verify the reliability of information reported.
(g) proper procedures are in place to anticipate likely changes in the regulatory regime and compliance requirements that may be against the interests of the organisation.
(h) there are periodic discussions with management concerning the effectiveness of internal controls and risk management, and management has appropriately taken action on recommendations and concerns expressed by the Compliance Officer and auditors (regulatory auditors, internal and external auditors) with regard to internal control weaknesses and issues of non-compliance.
(i) the organisation always has adequate financial, human and other resources commensurate with its business.
(j) a proper system of record keeping relating to the organisation’s and clients’ information is established and maintained.
The Compliance Officer reports to the Board of Directors of the firm to inform, update and make recommendations on compliance matters, including breaches. Where specified, copies of such reports and recommendations must be submitted to the relevant exchange and/or the SC by the Compliance Officer.
Management
Whilst the Board of Directors is ultimately responsible for supervising the firm, the Board is assisted by the management or supervisors (Chief Executive Officer, heads of department, heads of regulated activity, senior managers, etc.). Supervisors are also accountable to the regulators notwithstanding that they are not members of the Board of Directors. For instance, the SC’s Guidelines on Market Conduct and Business Practices for Stockbrokers and Licensed Representatives stipulate that:
The SC will hold the Board of Directors and senior management of the stockbroking company primarily accountable and responsible in ensuring adequate policies, procedures, and resources are put in place to meet the core principles.
Firms must ensure that their supervisors are fit and proper. Firms that are Capital Markets Services Licence holders should seek the SC’s prior approval before appointing their Chief Executive Officer (CEO). In addition, investment banks are required to comply with the Guidelines on Investment Banks for the appointment of their CEO. Apart from the requirements of the SC, Capital Markets Services Licence holders that are Participating Organisations of Bursa Malaysia Securities Berhad must also register their CEO with the exchange. The Rules of Bursa Malaysia Securities Berhad further stipulate that a CEO who is also registered as a Head of Dealing may only be responsible for activities of trading in securities, whereas a CEO who is also registered as a Head of Operations must not be responsible for activities of trading in securities. A CEO is expected to demonstrate the capability and competence to lead the firm. He/she must also act honestly, exercise due skill and diligence and be suitably qualified to assume the position.
Where a firm is licensed by the SC to carry out more than one type of regulated activity, the firm must appoint a head for each regulated activity. In order to qualify as a head of regulated activity, the person must have the requisite experience. The requirement for appointing a head for each regulated activity is to ensure that a person with the necessary skills and expertise will provide guidance and supervision to the representatives who carry on that particular regulated activity.
Capital Markets Services Licence holders who are Participating Organisations of Bursa Malaysia Securities Berhad are also required to have at least three heads, namely Head of Dealing, Head of Operations and Head of Compliance. A head of a Participating Organisation must not engage in or hold any interest in any other business unless:
(a) the directorship or appointment is non-executive in nature;
(b) there is no conflict of interest or duty with being a head of a Participating Organisation;
(c) the engagement or interest is not in breach of the conditions of the Capital Markets Services Representative’s Licence (if applicable); and
(d) the head has obtained the Participating Organisation’s prior approval.
Participating Organisations must ensure that a person appointed as Head of Dealing or Head of Operations fulfils the following requirements:
(a) that the person is approved by the SC as Head of Dealing or Head of Operations;
(b) that the person is registered with Bursa Malaysia Securities Berhad as a Head of Dealing or Head of Operations;
(c) that the person appointed as Head of Dealing holds a Capital Markets Services Representative’s Licence for dealing in securities; and
(d) that the person appointed as Head of Operations is not a holder of a Capital Markets Services Representative’s Licence.
As a “registered person”, these individuals are required to undertake to comply with the Rules of Bursa Malaysia Securities Berhad and the Bursa Malaysia Securities Berhad’s Participating Organisations’ Directives and Guidance and may be subject to disciplinary actions by Bursa Malaysia Securities Berhad.
In carrying out his/her duties, the Compliance Officer should provide advice and prepare supervising guidelines to assist these supervisors to carry out their duties and obligations competently and efficiently. Therefore, there is a need for open and constant communication between the Compliance Officer and the supervisors to supplement any existing review process and to make sure that the policies and procedures are in place to ensure proper supervision of the various departments. See Guidelines for Compliance Officers, Compliance Guidelines for Futures Brokers and the SC’s Guidelines on Compliance Function for Fund Management Companies.
Internal Audit Department and Audit Committee
Internal Audit
A Participating Organisation of Bursa Malaysia Securities Berhad must establish and maintain an internal audit function which is independent from all other functions of the Participating Organisation, to carry out the duties as stipulated in the Rules of Bursa Malaysia Securities Berhad.
There is, however, no regulatory requirement for a Trading Participant of Bursa Malaysia Derivatives Berhad to establish an internal audit department.
The SC on the other hand encourages fund management companies to establish an internal audit function to develop an appropriate internal audit framework commensurate with the fund management company’s business. However, fund management companies that are only licensed to carry on the business of dealing in unit trust products should maintain an internal audit function.
An internal audit should be conducted at least once a year. In so doing, the internal audit function reviews the audit findings, recommends remedial and corrective measures where necessary and monitors the firm’s compliance. Internal auditors have a crucial role to play in raising the standards of conduct of and within firms by assessing and reviewing the internal controls of the firm on a regular and on-going basis. The audit function is a mandate for independent and objective oversight.
The Internal Audit department usually has in place a system of checks and balances, such as the annual assessments required by, for example, Bursa Malaysia Securities Berhad.
The Compliance Officer often works closely with the Internal Audit department. The information the Internal Audit department has will help the Compliance Officer to identify areas of concern — initially in formulating the compliance programme, and will indicate areas in which a compliance programme may not be effective or could be more effective. Thus, the Internal Audit department complements the role of the Compliance Officer in seeking to achieve a high standard of compliance. In particular, compliance may use internal audit reports to identify compliance issues or as an indicator of the strength of internal controls relating to operational procedures that overlap with compliance procedures. See Compliance Guidelines for Futures Brokers, Guidelines for Compliance Officers and the SC’s Guidelines on Unit Trust Funds.
For listed companies, the Malaysian Code on Corporate Governance 2012 provides that its Board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the Board that the internal controls are operating effectively. Internal auditors should carry out their functions according to the standards set by recognised professional bodies. Internal auditors should also conduct regular reviews and appraisals of the effectiveness of the governance, risk management and internal controls processes within the company.
Audit Committee
Generally, the Internal Audit department reports to the Audit Committee. The responsibility of the Audit Committee is to ensure regular review and appraisal of the firm’s internal controls.
The Audit Committee receives the internal audit report, and presents it to the Board of Directors along with the course of action or remedial measures taken to address any irregularities or non-compliance issues. Where relevant, a copy of this is also submitted to the exchange.
As set out in the Malaysian Code on Corporate Governance 2012, the Audit Committee of listed companies should:
(a) ensure financial statements comply with applicable financial reporting standards; and
(b) have policies and procedures to assess the suitability and independence of external auditors.
Note that Bursa Malaysia Securities Berhad requires that the Audit Committee “monitor the Participating Organisation’s compliance with applicable laws and regulations”. This goes to show that the Audit Committee shares the same functions as the Compliance Officer.
The Compliance Officer, however, is not required to be a member of the Audit Committee. In fact, as the Compliance Officer is a member of the executive and hence not an independent director, he/she is not recommended to be a member of the Audit Committee. Nevertheless, the Compliance Officer may be invited to attend the Audit Committee meetings to render his/her views on compliance matters.
Risk Management and Risk Management Committee
Participating Organisations are required to establish and maintain a Risk Management Committee, which shall report to the Board of Directors on any matters relating to risk management. The Participating Organisation must also ensure that risk management functions are properly carried out by the relevant department. There is no regulatory requirement, however, for a Trading Participant to establish a Risk Management Committee.
Nevertheless, the Trading Participant must have in place adequate arrangements to manage risks that may arise in the conduct of its business. Similarly, fund management companies must also establish a risk management framework commensurate with their business, and this framework must be reviewed annually.
The function of the Risk Management Committee as stipulated in the Bursa Malaysia Securities Berhad’s Participating Organisations’ Directives and Guidance is:
(a) to develop and implement adequate risk assessment commensurate with the scope, size and complexity of the Participating Organisation’s activities and the level of risks that the Participating Organisation is prepared to assume, and to manage and monitor such risks; and
(b) to manage and review the policies and procedures in relation to risk management.
The department carrying out the risk management functions must also ensure that the policies and procedures established and formulated by the committee are efficaciously and effectively implemented.
The Risk Management Committee shall consist of persons who are competent, have no conflict of interest in the discharge of their functions and collectively have the relevant skills and experience to carry out the functions of the Risk Management Committee.
The firm must ensure that the majority of the members of the Risk Management Committee are not holders of Capital Markets Services Representative’s Licence for dealing in securities.
Self-assessment
Exercise 1
1. Select from the following the person(s) who are ULTIMATELY responsible for ensuring compliance in a firm:
(A) Management
(B) Audit Committee
(C) Board of Directors
(D) Compliance Officer
2. Which of the following statements are TRUE of the relationship between a Compliance Officer and the Internal Audit department?
I. The Internal Audit department reports directly to the Head of Compliance
II. They complement each other and work towards achieving a high standard of compliance
III. Both functions are responsible to assess the suitability and independence of external auditors
IV. Compliance Officers may use internal audit reports to identify compliance issues within the firm
A. I and II only
B. II and IV only
C. I, II and IV only
D. All of the above
Checklist
Below is a checklist of the main points covered by this topic. Use this checklist to test your learning.
(a) The responsibility for engendering a compliance culture within a firm ultimately lies with the firm’s Board of Directors. Similarly, the supervisory responsibilities over representatives and other staff ultimately rest with its Board of Directors.
(b) The Compliance Officer reports to the Board of Directors of the firm to inform, update and make recommendations on compliance matters, including breaches.
(c) Where specified, copies of such reports and recommendations must be submitted to the relevant exchange and/or the SC by the Compliance Officer.
(d) Whilst the Board of Directors is ultimately responsible for supervising the firm, the Board is assisted by the management or supervisors (Chief Executive Officer, heads of department, heads of regulated activity, senior managers, etc.). Supervisors are also accountable to the regulators notwithstanding that they are not members of the Board of Directors.
(e) The Compliance Officer often works closely with the Internal Audit department. The information the Internal Audit department has will help the Compliance Officer to identify areas of concern — initially in formulating the compliance programme, and will indicate areas in which a compliance programme may not be effective or could be more effective. Thus, the Internal Audit department complements the role of the Compliance Officer in seeking to achieve a high standard of compliance.
(f) The Internal Audit department reports to the Audit Committee. The responsibility of the Audit Committee is to ensure regular review and appraisal of the firm’s internal controls.
(g) The function of the Risk Management Committee as stipulated in the Bursa Malaysia Securities Berhad’s Participating Organisations’ Directives and Guidance is:
(i) to develop and implement adequate risk assessment commensurate with the scope, size and complexity of the Participating Organisation’s activities and the level of risks that the Participating Organisation is prepared to assume, and to manage and monitor such risks; and
(ii) to manage and review the policies and procedures in relation to risk management.