Internal Control and Risk Management

1. Comments from the Board of Directors towards the company’s internal control

Internal Control

The Company’s Board of Directors and management are aware and give precedence to internal control system as a crucial factor to create confidence and minimize business risks which enhances efficiency to serve the company objectives by allocating company’s resources appropriately as planned.

The Board of Directors has assigned the Audit Committee to effectively and appropriately regulate the company’s internal control and risk management. In other words, the Audit Committee has to supervise the company to follow the related laws and regulations in order to prevent conflicts of interests, or connected transactions. Apart from that, the Audit Committee also needs to monitor and control the company’s operation, and to prevent illegitimate or unauthorized uses of company’s properties. In addition to that, the Audit Committee has to prevent the company’s assets from missing, loss, misconduct or corruption. The company has established audit mechanisms by having internal audit independently preformed auditing, evaluating the efficiency and the competence of internal control process, risk management process, and compliance process in every operational unit. The company has applied international standards of The Committee of Sponsoring Organizations of the Tread way Commission (COSO) and the Enterprise Risk Management in order to promote the highest level of efficiency and effectiveness in business operations. Moreover, the company’s management team will work on the audit’s results to improve productivity and allow the Internal Audit Department to consistently monitor business operations. In addition to that, the Compliance Division is set up to monitor and study business-related laws, announcements or regulations in order to keep our employee aware of such information and to make sure that the company operates its business practice correctly.

Furthermore, the Audit Committee has annually evaluated the company’s internal control process and has reported to the Board of Directors regarding to the “Sufficiency Evaluation of Internal Control Process” of The Securities and Exchange Commission (SEC) and has disclosed the evaluation results in the company’s Annual Registration Statement (Form 56-1) and Annual Report.

In 2016, the company did not find any significant errors in the company’s internal control process:

  • Control Environment The Company has arranged a good internal control environment by appropriately setting up a distinct organizational structure and chain of command. Including, establishing well-defined business goals and Key Performance Indicators (KPI) in assessing operational performance that complies with company’s objectives and determining an authority manual and operational manual for the entire system in written document to be used as a guideline for operational standard and procedure. Apart from that, the company also fosters the executives and staffs to be aware of its corporate governance by establishing policies to enhance good corporate governance, business ethics, and code of conducts for committee members, directors, and staffs. The company also constantly promotes relating activities, for example, an annual employee training which helps the business operation to be more transparent and justified for all stakeholders.
  • Risk Management Apart from the sufficiency evaluation of internal control process by referring to the “Sufficiency Evaluation of Internal Control Form” under The COSO framework of The Securities and Exchange Commission (SEC), the company also conducted an annual Internal Risk Evaluation under the rules of consolidated supervision of the Bank of Thailand (BOT) which covers 5 main risks: Strategic Risk, Credit Risk, Market Risk, Liquidity Risk, and Operational Risk. The Internal Risk Evaluation is composed of assessing risk level, quality of risk management, and tendency of risk. Additionally, this also involves identifying ways to control or manage the risks. The result of such assessments need to be submitted to Krung Thai Bank Public Company Limited and reported to the Risk Management Committee of the Financial Business Group.
  • Control Activity The Company has explicitly delegated responsibilities to each position and has revised the exercise of authority manual and operational manual/procedures to make them align with the organizational structure and current operation practices. Moreover, it has verified that results of its performance are consistently in line with rules, regulations, exercise of authority manual and Standard Operating Procedure (SOP) to ensure that the operations are efficient and under adequate internal control system. Regarding the related-party transaction issue, the Board of Directors has approved the principle for business transaction that might be considered as related-party transaction in order to make it correctly complied with previously mentioned laws. Allowing management to make transaction or business deal that considered being related-party transaction as per the definition stated in The Securities and Exchange Commission laws. Such transaction or deal should be the same as normal practice that company will do to other parties under the same circumstance using normal bargaining power without the use of personal influence as a committee, management or other influential person, (“General business deal”) including the ongoing transaction and future prospect transaction. The management can set up framework to be operational guideline and will summarize the report of such transaction to the audit committee and the Board of Directors’ meeting in a timely manner. If the company should do the transaction with the person that might consider being related-party transaction or might considered being conflict of interest in the future, the company will set up audit committee to consider the appropriateness of such transaction. If the audit committee is not specialized enough to consider that transaction, the company will appoint specialist such as auditor or appraiser or law firm, who is independent from the company and the other accusing party, to provide comment on such transaction.
  • Information System and Communications The Company places a great emphasis on the Information System and Communications. It has promoted and encouraged a continuous development to ensure that the information is accurate and updated. Additionally, it has embraced a modern and proficient technology with an emphasis on information security, covering all stages: information gathering, processing, monitoring, and filing. This consequence serves as a powerful data analysis tool that allows executives and stakeholders to perform and utilize the information appropriately; as a result, a timely and comprehensive investment decision-making could accurately be made through this process. Besides, the company has determined information technology security and information usage policies and established intranet system as an internal communication channel for announcing policies, regulations, operational manuals, and news within the organization.

    Moreover, it has assigned the company secretary to be responsible for preparing information and related documents for meetings beforehand along with taking minutes of each Board of Directors’ meeting. As for external communication to public, the company has established communication method for receiving information complaint or corruption suspicions through designated channel.

  • Monitoring The Company has an appropriate performance tracking and evaluation system, covering various aspects that are necessary in business operations; finance and accounting, operations, law and regulations compliance, and asset management. A performance is evaluated at all levels from directors to management team to achieve the business goal, by comparing the operating result and business objectives constantly. Board of Directors’ meeting is also one of the company’s evaluation tools; it is arranged regularly to monitor business performance through management’s report. Directors will supervise the alignment of implemented strategy and business plans, which were previously approved, to accomplish the best possible operating result.

    Moreover, the company also managed a performance investigation following internal control system by responsible staffs in Internal Control Department, and independently reported to the Audit Committee. In 2015 and 2016, the Audit Committee has arranged 7 and 6 meetings, respectively.

    In the Audit Committee meeting No.5/2016 on 10th November, 2016, the Committee had evaluated internal control system from performance report. According to the internal control evaluation, the Audit Committee concluded on the 5 components reports i.e. internal control, risk evaluation, performance control, information system and communications, and tracking system. The Audit Committee had an opinion that the company’s internal control system is adequate and suitable for the company’s operation. Risk management is at acceptable level. Accounting systems and financial reporting practices is reliable, and in compliance with rules, laws, and regulation related to the company’s business.

Risk Management

The Company gives priority to risk management, it has set risk management policies determining to develop risk management system under Good Corporate Governance. Besides, it has integrated risk management covering all aspect across the organization by adopting a systematic and continuous engagement. The Risk Management Committee (RMC), which consists of management from each business unit will supervise the organization risk management to ensure that company’s goal is achieved at acceptable level.

In 2014, the company has restructured the organization by setting up Compliance department and restructured Legal department in order to enhance management flexibility in operation management and to comply with company’s business operation direction.

(Please see detail about company’s risks management in “Risk Factors” topic)


2.Audit Committee’s Report

The Company discloses the audit committee report; “Audit Committee report” in annual registration statement 2016 (Form 56-1) and in annual report.


3.Internal Audit Supervisor and Compliance Supervisor

Mr. Pornchai Wijitburaphat is an official Internal Audit Supervisor of the company and Mr. Sakda Chantrasuriyarat currently takes a position of Compliance Supervisor.

(Please refer to Profile of Internal Audit Supervisor and Compliance Supervisor)

The Audit Committee gave an opinion that considering from the qualifications of officials taking the positions of Internal Audit and Compliance; they can perform their roles effectively and are appropriate to the positions.

Therefore, the appointment, assessment, removal, transfer or contract termination of Supervisor position of company’s internal audit must be approved by the Audit Committee.

Internal Audit

The Company’s Internal Audit is responsible for:

  1. Evaluating sufficiency and effectiveness of operational and information system, internal control, and risk management under the authority of audit.
  2. Reporting significant issues regarding the control process of the company’s activities and ways to develop such a process in that particular activity.
  3. Providing recommendations to executives so that the operation is effective, efficient, economical, and is complied with good corporate governance.
  4. Reporting a progress or result of an annual audit and its resource sufficiency.
  5. Coordinating, supervising, and monitoring other functions such as risk management, compliance, safety control, codes of conduct, environment, and accounting audit.
  6. Taking responsibilities of other operations related to internal audit as assigned by the Audit Committee.


The Company’s Compliance is responsible for:

  1. Ensuring that the company complies with laws and regulations of the Stock Exchange of Thailand or government agencies correctly.
  2. Giving legal opinions to the Board of Directors and management so that the operations of the company comply with rules and regulations of the Stock Exchange of Thailand or Government Regulations, along with monitoring and suspending the management’s transactions and actions that might violate such rules or regulations.
  3. Examining evidences when there is a suspicious transaction or action that might violate the laws or regulations of the Stock Exchange of Thailand or government agencies, which may significantly affect the company’s financial status and performances.
  4. Coordinating with the Internal Audit Supervisor and Internal Audit Committee in order to ensure appropriateness and effectiveness of the company’s internal control and internal audit.
  5. Participating and giving recommendations regarding procedures of the company’s operational functions to ensure that policies, regulations, and procedures stated by laws are followed correctly.
  6. Acting as a center for giving information, knowledge, and suggestion to units within the organization on how to comply with rules and regulations of operating procedures.