Internal Control and Compliance
Importance and Mission
PTTEP places great emphasis on continuous development of the internal control system with coverage to our business activities adequately and appropriately to provide reasonable assurance that the Company's operations including utilization of resources and safeguarding of its assets are efficient and effective; to ensure that reporting for both financial and non-financial reports is accurate, reliable and timely; and all business operations are in compliance with relevant laws and regulations. The Company recognizes the importance of respect and compliance with all applicable laws enforced in the country of operations, both Thailand and abroad. The Board of Directors' policy on compliance with laws, regulations and rules is set forth in PTTEP's Group Business Ethics. All personnel of PTTEP Group, from directors to executives and employees, are required to study and comply with all laws relevant to PTTEP's business operations in all locations correctly and efficiently.
PTTEP has set up Governance, Compliance, Internal Control and Subsidiary Management Department as the central unit to oversee governance, compliance to regulations and internal control. The department reports directly to the Management in the following order: Senior Vice President for Corporate Secretary Division, Executive Vice President for Human Resources, Corporate Affairs, and Assurance Group, and Chief Executive Officer. In 2013, PTTEP announced the compliance policy, demonstrating the company's determination to operate with full legal compliance. Personnel at all levels are aware of their respective duty in promoting compliance. The Compliance Manual is in place, gathering all information and regulations related to compliance to applicable laws, corporate rules and contractual agreements to ensure awareness among employees in compliance with internal and external rules.
Furthermore, PTTEP conducts Compliance Program on an annual basis, to communicate laws related to its operations to relevant departments through various channels. There are regular training on relevant and essential laws, to ensure understanding of our personnel and effective implementation. Internal rules and regulations and policies are recommended or amended in compliance with laws. Compliance is monitored and reviewed through the internal control system. Compliance reporting is prepared, including recommendations on preventative approaches or resolutions upon the emergence of non-compliance risks or incidents.
PTTEP recognizes the importance of compliance to relevant laws and respective impacts to stakeholders. In 2020, PTTEP published Gaps Analysis and Recommendations Report relating to Personal Data Protection Act (PDPA), which reviewed and ensured the internal process' compliance to the Personal Data Protection Act B.E. 2562 of which all sections will be enforced from 1 June 2021 onwards.
The Board of Directors is aware of the importance of internal control system and internal audit. It ensures the internal control system of PTTEP Group is efficient and sufficient according to its risk appetites. The Audit Committee and Internal Audit Division are tasked to periodically review and monitor the internal control performance. The Internal Control Unit performs assessment on the adequacy and suitability of the internal control system on an annual basis in which results are reported directly to the Audit Committee to assure that the Company is able to achieve its objectives concerning performance, reporting and compliance with applicable laws, regulations and rules and to boost confidence among the management, investors and other stakeholders. PTTEP's internal control system is in alignment with the international standard of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), with considerations to the components listed below.
1. Control Environment
PTTEP has established a suitable and sufficient control environment which not only promotes effective and efficient business operations but also the awareness and control atmosphere as guided by the Good Corporate Governance and Business Ethics (CG&BE) to achieve the goal, namely, "Growth, Prosperity, Stability, Sustainability, and Dignity". The Board of Directors supervises and improves internal control as well as established appropriate organizational structure, reporting lines and delegation of work authority.
On top of that, PTTEP places an emphasis on human resource management. The Human Resource Management Regulation are in writing and PTTEP is committed to attracting, developing and retaining talent, in order to address business needs. Responsibilities regarding internal control have been set to help the Company achieve its goals.
2. Risk Assessment
PTTEP places importance on risk management by appointing the Risk Management Committee which is responsible for setting policy, risk appetite and risk metrics & limits, as well as overseeing the effectiveness of the company-wide risk management. The Company has also applied the ISO 31000 Risk Management concepts company-wide as well as the assessment of key risks related to our businesses, including fraud risk or risks which may arise as a result of significant changes to the Company, to appropriately manage such risks in a timely manner.
3. Control Measures
PTTEP has adequate control measures which are able to mitigate risks to acceptable levels for their respective business environments or activities of each units. Control measures include the policy, work process, including the adoption of technology. Those control measures are also periodically reviewed and continuously improved. The Company also encourages employees to be strictly and constantly aware of the importance of conformance to the control activities and compliance with related laws and regulations to ensure that our internal control system is as effective as designed.
4. Information and Communication
PTTEP realizes the significance of information and communication, particularly quality of data processing systems to provide accurate, complete, up-to-date and timely information which is appropriate and sufficient to support business operations and make effective decisions. The Company ensures that our available information are accurate, complete, up-to-date, accessible, secured, auditable, stable, as well as embedded with authorization control to confidential information as appropriately classified. Moreover, PTTEP has effective internal and external communication systems in place to support the functioning of the internal control system as well as a special communication channel to allow our stakeholders to confidentially report their concerns or complaints where the reported information will be kept confidential. Whistleblowers and investigation participants will be treated fairly and protected against any retaliation threats in accordance to our Reporting and Whistleblowing Regulation 2013, which is regularly reviewed and revised.
5. Monitoring Activities
PTTEP regularly monitors and assesses the effectiveness of our internal control system through ongoing evaluations which are built into the Company's daily operational activities along with separate evaluations to ensure that the system is sufficient and suitable for the current business environment and dynamic risk factors. Subsequently, once the deficiencies are identified, improvement plans will be developed and responsible parties will be assigned to respond with timely resolutions. For separate evaluations, the Company has developed the Control Self-Assessment evaluations (CSA) on an annual basis at both corporate and business process level. In addition, the Internal Audit Division, which has a direct reporting line to the Audit Committee, has the responsibilities for performing independent audits correspondingly.
PTTEP believes that the above 5 components will help it achieves the following objectives:
- Efficient and effective operations which means proper safeguarding of assets and wise resource utilization.
- Accurate, reliable, timely and transparent reporting.
- Compliance with laws, rules and regulations as well as the Company's policy and procedure.