CapitaLand Malaysia Mall Trust | Annual Report 2020

The Manager has a risk identification and management framework for the CMMT Group. The Manager proactively identifies and addresses risks in the CMMT Group. The ownership of these risks lies with the CEO and function heads of the Manager with stewardship residing with the Board. The AC and Exco assist the Board to oversee management in the formulation, updating and maintenance of an adequate and effective risk management framework while the Board reviews the adequacy and effectiveness of the system of risk management and internal controls. KEY INTERNAL CONTROL PROCESSES The Manager has put in place systems of internal control and a set of procedures and processes to safeguard the assets of CMMT and in the best interests of Unitholders as well as to manage risk. These are described in the following paragraphs. The Manager performs an RCSA exercise and maintains a risk register which identifies the material risks faced by the CMMT Group and the internal controls in place to manage or mitigate those risks. The risk register is reviewed and updated at least once a year by the CEO and function heads of the Manager and is also reviewed quarterly by the AC and Exco and annually by the Board. The Exco is tasked to review concurrently and it is reported to the AC as to what approach is taken in identifying and assessing risks and internal controls under the RCSA. The Manager has established an approach on how the risk appetite is defined, monitored and reviewed for CMMT Group. Approved by the Board, the CMMT Group’s RAS incorporates the risk limits and addresses the management of material risks faced by the CMMT Group. Alignment of the CMMT Group’s risk profile with the RAS is achieved through various communication and monitoring mechanisms (including key performance indicators set for Management) put in place across the various functions by the Manager. Internal auditors conduct audits that involve testing the effectiveness of the material internal control systems for CMMT Group. Any material non-compliances or lapses in internal controls together with proposed corrective measures by the internal auditors are reported to the AC. The system of risk management and internal controls is continually being refined by the Manager and reported to the AC and the Board for their approval. The Board has also received assurance from the CEO and Chief Financial Officer of the Manager that the risk management and internal control systems in place within the CMMT Group are adequate and effective in addressing the material risks in the CMMT Group in its current business environment including material financial, operational, compliance and IT risks. The CEO and Chief Financial Officer of the Manager have obtained similar assurances from the function heads of the Manager. The Board has adopted a set of internal controls which sets out the authority limits for investments and divestments, acceptance of banking facilities or treasury products, budgetary approval, capital and operating expenditure, lease renewals, marketing, professional services expenditure and other operational matters. The Board approves transactions exceeding certain threshold limits, while delegating authority for transactions within those limits to authorised personnel to facilitate operational efficiency. Only authorised personnel are empowered to approve a transaction (including payments) on behalf of the Board. Internal control procedures are established to ensure that RPT are undertaken in compliance with the REITs Guidelines, the Listing Requirements and the Trust Deed and, are made on terms which are best available for CMMT and which are no less favourable than an arm’s length transaction between independent parties. The Manager incorporates into its annual internal audit plan a review of all RPT and RRPT. These established procedures are further explained on pages 107 to 108 of CMMT’s Annual Report 2020. Policies, guidelines and processes are established for dealing with any potential conflicts of interest. This is explained in further detail on pages 108 to 109. In order to deal with any potential conflict of interest situations that may arise, the Manager’s policy is that any such transactions carried out for and on behalf of CMMT shall be executed on terms that are best available to CMMT and which are no less favourable to CMMT than transactions between independent parties. The Manager has outsourced its internal audit function to CL IA which reports directly to the AC. CL IA is adequately resourced and staffed with persons having relevant qualifications and experience. CL IA is a corporate member of The Institute of Internal Auditors Singapore (IIA), which is an affiliate of the IIA with its headquarters in the United States of America (USA). CL IA subscribes to, and is guided by, the International Standards for the Professional Practice of Internal Auditing (Standards) developed by the IIA and has incorporated these Standards into its audit practices. To ensure that internal audits are performed by competent professionals, CL IA recruits and employs suitably qualified professional staff with the requisite skill sets and experience. This includes CL IA staff who are involved in Information Technology (IT) audits having STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL 116 CAPITALAND MALAYSIA MALL TRUST • ANNUAL REPORT 2020