The Company recognizes the importance of the internal control system. The Company, therefore, has continually improved its internal control system to enhance its effectiveness and efficiency, with emphasis on the adequacy and suitability of the system, taking into account the associated risks, and on proper, transparent and auditable business management and work performance. This is to reasonably assure the Company’s achievement of its set targets. The Audit Committee has been entrusted with the responsibility to review the Company’s internal control system provided by the management to see if it is suitable and efficient, based on the results of the auditing exercise conducted by the Internal Audit Department and the external auditor’s opinion on the Company’s internal control system. This is to ensure that the Company’s internal control system is suitable, adequate, and extensive, with coverage in all respects, including management control, operational control, financial and accounting control, and legal compliance.
Assessment of the Company’s internal control system has been conducted according to the Adequacy Assessment Form for Internal Control System in accordance with the Form of the Securities and Exchange Commission, which is in line with the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (or COSO 2013). The assessment was made on the aspects categorized by the components of internal control as follows:
The Company encourages a good control environment by setting the vision, mission and organizational values, with the aim of propelling sustainable growth and top-notch operational performance of the organization, and has in place clear short-term and long-term business operation targets and strategies that have been approved by the Board of Directors. The operational performance has been measured periodically, using the Balanced Scorecard and the Key Performance Indicators (KPIs), to monitor the business operation performance against the set targets. The Company is prepared to adjust its business plans and strategies according to current circumstances and the constantly changing associated risks.
The Company has established a suitable organizational structure, lines of control, and relationships between the intra-company units that are conducive to effective business operations. Suitable delegation of power and responsibility has been implemented.
The Company has in place the policies, rules, procedures and instructional manuals for the work performance of the operational units in all functions, including, for example, finance, procurement, human resources, and administrative work units. Those policies, rules, procedures and manuals have been communicated to, and recognized by, all employees. Non-compliant employees could be subjected to disciplinary punishments. Improvement of the aforesaid policies, rules, procedures and manuals has been made from time to time to maintain their suitability.
With respect to personnel, the Company’s most important resource, the Company has in place job descriptions for all job positions, standardized assessment of employees’ work performance, and fair, clear and reasonable compensation schemes in which the relevant internal and external factors are taken into account. Trainings have been organized to improve employees’ knowledge, skills and abilities suitable for their respective existing tasks and to prepare them for future changes. Various trainings are also made continuously available online for employees’ self-learning according to their preferences, to help them accomplish their respective career goals.
The Company has in place the policies on the occupational health, safety and working environment, which are in compliance with the applicable laws, to enhance the efficiency and effectiveness of the work safety management.
The Company has established the Code of Conduct, which has been acknowledged in writing by all employees, including those at the management level. Copies of the Code of Conduct have been distributed to all employees and directors for their use as guidelines in performing their jobs with honesty, integrity, transparency and ethics.
The Company has rules for dealing with all business counterparties fairly and without discrimination, in accordance with customary business practice. The Company’s procurement staff and suppliers, as well as other business counterparties, are bound by the confidentiality agreement/policy and are committed to doing business with accountability and fairness to all stakeholders, based on the belief that sustainable growth of the Company should go hand-in-hand with the growth and development of all stakeholders.
The Corporate Governance Committee was established and entrusted with the supervisory task of assuring that the Company’s business operations are conducted in compliance with the good governance policy, placing importance on honesty and business ethics. Channels are made available for expression of opinions and suggestions in connection with the service provision, and for “whistle blowing” in connection with violation of law or business ethics, or suspected dishonest or illegitimate behavior of employees, officers and other interested parties. These include reports of incorrect financial reports or a defective internal control system. The channels are ordinary mail, telephone, facsimile, e-mail, and the Company’s website.
The Risk Management Committee was established and entrusted with the responsibility to set the policy framework and directions for systematic risk management and handling. The Company’s Risk Management Policy and Guidelines set the steps to be taken to identify risk indicators and risk factors, both inside and outside of the Company. Risk assessment is conducted on two aspects in order to determine the risk level (high, medium or low) as follows: the impact magnitude (both quantitative and qualitative), to assess how much damage could be done; and the occurrence probability (or likelihood). The assessment results are compared with the Risk Appetite to determine which risks are acceptable and which are not. For the risks identified as needing more intensive control, the respective ‘risk treatment plans’ will be made, which include the key risk indicators for use by the risk managers to monitor the results of risk management and to make the risk management progress report to the Risk Management Committee, with further reporting to the Corporate Governance Committee and the Board of Directors, consecutively.
Importance is placed on preparation for dynamic circumstances influenced or affected by economic and political situations, changes in laws, natural disasters, and environmental and safety regulations. The Company has in place the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to cope with potential risks and critical situations, to assure the Company’s uninterrupted business operations, and to mitigate the damage and adverse effects suffered.
The Company adopted Enterprise Risk Management as a tool to handle uncertainty that may have an impact on business goals. The Risk Management Policy has been set up, and the Risk Management Process is regularly updated and promoted throughout the entire Company to ensure that the Company can accomplish its goals, to deal with the changes and risks that may occur immediately, and to create more confidence among shareholders and stakeholders.
The Board of Directors approved the Risk Management Policy and authorized the Risk Management Committee to take on this responsibility. The Company’s executives have to carry out the Risk Assessment on a yearly basis, covering Operational Risk, Financial Risk, Strategic Risk, Compliance Risk and Fraud Risk. The Risk Manager acts as a coordinator who analyzes and evaluates the results to determine whether a particular risk is at an acceptable level or not. The Risk Manager is required to report and provide the solution (if any) to the Risk Management Committee for consideration, and then to propose it to the Board of Directors.
(Further information is available under section Risk Management and Risk Factor.)
Control activities have been implemented. The areas covered include major operations which are material in carrying on the business, including those related to the critical information systems. The control activities are mainly of a preventive nature, to ensure that the risk management method or the control activities are pragmatic and realistically help prevent or minimize exposure to the risks that potentially cause damage to the business operations. In addition, the policies, rules and control activities are reviewed and revised periodically to make them suitable for the changing situations and associated risk profiles. The control activities are summarized as follows:
- The framework of the delegation of approving power to the managements at different cascading levels is clearly set in writing, and is reviewed and revised to maximize its suitability according to the change of organizational structure, while maintaining good check-and-balance mechanism and flexibility in business operations and internal control.
- The job segregation principle is adhered to in defining the responsibilities of the authorized approvers, transaction recording staff, information processing staff, and asset keeping staff, to constitute cross-checking and balance-of-power mechanisms. Appropriate power distribution has been implemented to promote work performance flexibility. A staff rotation policy has been adopted and implemented appropriately in terms of suitable job positions and timing.
- In the case of activities classified as connected transactions or activities that potentially give rise to conflict of interest, tight measures are in place in the form of policies and practice rules which require that approvals be obtained from the designated authorized persons. The approval process must be in line with the requirements of The Stock Exchange of Thailand and the Securities and Exchange Commission and for the best interest of the Company. To uphold this principle, the authorized approvers are barred from participating in the approval granting process if they have an interest in the proposed activities in question. Each interested director and interested management member is required to file, within the prescribed time period, a report of her/his relevant interest as well as the relevant interest of her/his ‘related persons.’ Such report must be made in the prescribed form, and the reported information also includes the equity interest in the Company.
- The Information Security Policy and Manual were made and communicated via the Company’s intranet and were sent by e-mail directly to each employee. This is to promote employees’ awareness of information security. Security standards were set to control access to information and utilization of information. Information has been classified, and the access to the classified information has been appropriately controlled. Computer data traffic information has been recorded according to the applicable regulations of the Information Technology and Communication Ministry. The Company successfully completed its ISO 27001 Project in the context of the Data Centre and was granted the ISO 27001 Certificate on 15th March 2012.
- The Legal Department and Corporate Governance Department have been entrusted with the responsibility to ensure that the Company’s business operations are fully compliant with the law. This is to minimize exposure to non-compliance risk. To accomplish this objective, the Company has in place various law compliance measures and processes, e.g. compilation and development of a law compliance database, development of a law compliance management system and a warning system to prevent late performance of actions that need to be taken within a set time period, and organization of trainings and provision of advice for staff of all units within the Company.
The Company has continuously developed and improved its information system and provided channels for efficient intra-company communication with systematic data processing which is accurate, reliable, operates in a timely and suitable manner to accommodate the users’ demand for the purposes of work execution and analytical usage. As a result, important information needed for decision-making by the Board of Directors and Management can be made available adequately well in advance. For example, the materials and information necessary for Board of Directors meetings can be provided to the Board members not less than 7 days before the meeting, giving them ample time for preparation and being ready for the meeting and making the decisions. In addition, the questions, discussion, debate, observations, and decisions on the matters raised for consideration at the meetings can be completely recorded in detail.
The supporting information and documents for account book recording and financial statement preparation, and other important documents, are kept and retained in an organized fashion and for the period of time required by law. The Company has never received any comment from the auditor about any deficiency in document keeping. The Audit Committee has reviewed the audited quarterly and yearly financial statements of the Company, and has discussed with the management and the auditor the significant information in the Notes to the Financial Statements, e.g. the accounting policy, assessment and judgment process used in preparing the financial statements. The Audit Committee was of the opinion that the financial statements have been prepared in accordance with the generally accepted accounting principles, containing accurate, complete, and reliable information. The adopted accounting policies were reasonable. The information disclosure was sufficient, timely and beneficial to the shareholders, investors and other users of the financial statements.
Intra-company communication via e-mails and intranet has been used to communicate to employees the information about the Company’s policies, rules and orders. Internal meetings at all levels of the organization are held and used as a communication channel for employees to express their opinions in order to develop work operations and improve work system efficiency. The Company’s website is available to employees and outside stakeholders as a channel of communication with the Company.
The Company has in place the work operation monitoring and assessment processes. The set KPIs are used to measure the performance and the results thereof are reported to the Management and Board of Directors regularly. If the performance results negatively deviate from the plan or targets, analyses are conducted to identify the cause(s) and rectification measures must be established and implemented to solve the problem within the reasonable time fixed.
Monitoring activities were organized and implemented, including by a separate work unit, to continuously monitor and assess the internal control system. The continuous monitoring and assessment activities are set as routine work in the course of the Company’s business operations to enable the Company to be responsive to changing situations, whereas the monitoring and assessment by a separate work unit, under the Internal Audit Department, is set to assess the adequacy and effectiveness of the internal control system for the important administration and operation processes, in accordance with the annual audit plan approved by the Audit Committee. The monitoring and assessment results are reported to the Audit Committee on a quarterly basis. Follow-up is conducted to measure the progress of work process improvement according to the recommendations stated in the audit report.
At the Board of Directors Meeting No. 11/2016, held on 14 December 2016, the meeting approved, as recommended by the Audit Committee, the summarized opinion on the adequacy of the internal control system. That is to say: the Company’s internal control system was designed and implemented with adequacy and suitability for the business operations without material deficiency; the Company’s financial reports were prepared in accordance with the generally accepted accounting standards with adequate information disclosure; the Company’s business operations have been conducted in compliance with the Securities and Exchange Act and other applicable laws.