Guidance And Advisory
SORMIC GUIDE 2025 & SUMMARY OF AMENDMENTS
The Statement on Risk Management and Internal Control (also known as the SORMIC) is a mandatory declaration, included in the annual reports of listed companies in Malaysia, to provide stakeholders with insights into the state of the risk management and internal control systems within listed companies.
The primary requirement for the SORMIC is set out in Paragraph 15.26(b) of BURSA’s Listing Requirements (LR). This requirement is to be read in conjunction with Main Market Practice Note 9 and ACE Market Guidance Note 11, including any updates from time to time.
The SORMIC sets out the obligations of the Board of Directors (the Board) and Management with respect to risk management and internal control and describes the processes that are considered in reviewing its effectiveness. In making the statement, the Board of a listed company is required to explain its governance framework and policies, including any special circumstances that have led it to adopt a particular policy.
The purpose of the SORMIC Guide 2025 is to facilitate the Boards of listed companies in preparing the Statement on Risk Management and Internal Control (SORMIC) for publication in annual reports.
The SORMIC Guide 2025 provides an approach for the Board of a listed company to establish sound risk management and internal control systems, enhancing governance, transparency, and stakeholder confidence. The Board is responsible for oversight, while Management ensures implementation and effectiveness of the risk management and internal control measures adopted by the company.
The SORMIC Guide 2025 also aligns with international best practices, as set by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (ISO), and The Institute of Internal Auditors (IIA). These standards reinforce accountability, strengthen governance frameworks and enhance business resilience in a dynamic corporate environment.
Evolution of the Guide: The initial Guide for the Statement on Internal Control was introduced in December 2000 by an industry Task Force. It aimed to help directors of listed companies formulate their Statement on Internal Control in compliance with Bursa Malaysia Listing Requirements (Bursa LR).
Over the years, BURSA has taken significant steps to advance regulations, codes, and direction on risk management and internal control. These efforts have reshaped the frameworks underpinning SORMIC, driving transformative changes in industry practices among listed companies.
In 2012, the Guide was updated and renamed “The Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers”. This revision reflected the evolving regulatory landscape and growing emphasis on corporate governance, making disclosure a vital aspect of informed investment decision-making.
Since 2012, there have been amendments and impactful changes to the BURSA LR, Malaysian Code on Corporate Governance (MCCG) and related guidelines.
Building on previous versions, the SORMIC Guide 2025 incorporates BURSA’s current LR, relevant aspects of the MCCG practices, and globally recognised standards. It also integrates insights and data from authoritative sources to provide practical and actionable guidance for directors of listed companies.
Acknowledgements: The Task Force behind this publication extends its sincere thanks to the regulatory agencies, company directors, professional bodies, and industry experts for their valuable contributions through focus groups and consultations which have enhanced the relevance and applicability of the SORMIC Guide 2025.
We are confident that the SORMIC Guide 2025 will provide the Boards of listed companies with the guidance and tools to meet BURSA’s disclosure requirements.
FAQ INTERNAL REVIEW OF SUSTAINABILITY STATEMENT BY INTERNAL AUDITORS
In a circular dated 26 September 2022, BURSA MALAYSIA SECURITIES BERHAD (BURSA) enhanced the sustainability reporting framework to elevate the sustainability practices and disclosures of listed issuers. BURSA has, among other requirements, announced one for a Statement of Assurance to strengthen the credibility of the Sustainability Statement. A listed issuer may seek two (2) types of assurance, that is, internal review by its internal auditor or independent assurance performed in accordance with recognised assurance standards.
This directive was elaborated in the BURSA Main Market Listing Requirements (BURSA Main LR) in relation to Enhanced Sustainability Reporting Framework – Practice Note 9 Appendix 1 Part III and Appendix 2. Contents of the Sustainability Statement, Section 6.2e are to be read together with Chapter 10, BURSA Sustainability Reporting Guide 3.0. This Frequently Asked Questions (“FAQ”) document aims to provide clarity to internal auditors on the roles they have to play in reviewing the Sustainability Statement.
This FAQ, the first in a series to come, will mainly address the background of BURSA’s requirements, the planning aspects of the internal review followed by the execution of the internal review. It fosters an understanding of the processes, which will be executed in accordance with the International Professional Practices Framework (“IPPF”) 2017, issued by The Institute of Internal Auditors Inc., in order to achieve the desired consistency of quality and standards.
Please take a moment to explore this FAQ document. Should you have any questions or require additional information, we encourage you to reach out to the Technical & Quality Assurance Department of The Institute of Internal Auditors Malaysia (IIAM). Together, internal auditors can continue to be an integral part of a listed issuer’s governance, risk and controls policies, which include good sustainability practices.
Please click here to download the pdf version of the FAQ Internal Review of Sustainability Statement by Internal Auditors.
GUIDANCE FOR AN EFFECTIVE INTERNAL AUDIT FUNCTION 2.0
This Guidance for an Effective Internal Audit Function 2.0 comes as a comprehensively refreshed edition to serve as a reference point for everyone who has a duty or interest to uphold the highest level of governance, risk and control in any organisation.
The Board of Directors, Chief Executive Officers, Chief Financial Officers, Management, Chief Audit Executives and every internal auditor of public interest entities, public sector organisations, and private companies and businesses would be able to capitalise on this Guidance as a catalyst to jointly achieve internal audit excellence, as well as a validation of progress achieved.
Departing from existing coverage of governance relating to regulatory requirements of public listed companies, which was the mainstay of past publications, this Guidance includes perspectives on internal audit functions of the government and Shariah compliant entities. It aims to provide a more inclusive view to unite the entire internal audit fraternity on universal best practices that are hinged on internationally recognised standards and publications, and nationally mandated regulations and sanctioned research.
In the context of achieving an effective internal audit function, areas deliberated include the duties and responsibilities of various stakeholders, characteristics and requirements of an internal audit function, core principles governing internal auditors, prescribed competency framework for the further development of internal auditors, the contemporary role of internal auditors in Environmental, Social and Governance (ESG), quality assurance and improvement programmes, outsourcing and co-sourcing decisions, and performance measures of the internal audit function.
CORPORATE LIABILITY ON CORRUPTION UNDER SECTION 17A OF THE MALAYSIAN ANTI-CORRUPTION COMMISSION ACT 2009 (AMENDED 2018)
This Article is written with the aim of providing objective guidance and assistance to internal auditors of commercial organisations to carry out a review of their organisations’ preparedness in complying with the requirements set out under Section 17A of the Malaysian Anti-Corruption Commission Act 2009 (amended 2018) [“MACC Act”] as well as assessing the adequacy and operating effectiveness of the organisations’ adequate procedures deployed in mitigating corruption risks. Accordingly, this Article is NOT, and should NOT be construed as, an Internal Audit Programme to conduct internal audit assignments pertaining to an organisation’s Anti-Bribery and Corruption Framework/Plan.
To enable internal auditors to understand what Section 17A of the MACC Act is all about, including the Ministerial Guidelines on Adequate Procedures (“Ministerial Guidelines”), this Article is written to put into perspective what Section 17A entails, its ramifications for commercial organisations and those charged with governance and management, as well as the contents of the Ministerial Guidelines. Sections D, E and F of this Article set out, respectively, the roles of Internal Audit, an overview of the Ministerial Guidelines, and the suggested focus areas for Internal Auditors to consider in their audit coverage vis-à-vis the key contents of Principles in the Ministerial Guidelines, including pertinent questions they should be posing to Management.
Please click here to download the pdf version of the Corporate Liability on Corruption Under Section 17A Of The Malaysian Anti-Corruption Commission Act 2009 (Amended 2018).
STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL – GUIDELINES FOR DIRECTORS OF LISTED ISSUERS
The Statement on Internal Control – Guidance for Directors of Public Listed Companies was first issued in December 2000. The objective of the document is to provide guidance to directors in formulating the Statement on Internal Control in their annual report in accordance with Bursa Malaysia’s Listing Requirements.
An industry led Task Force was established to revise the Guidance to reflect the changing regulatory environment and evolving approaches to corporate governance issues that have made disclosure an important regulatory tool. Reporting by boards of directors on the risk management and internal control system within their companies has become an important part of corporate governance disclosure requirements.
Public consultation has become a regular feature of the process of regulatory change of corporate governance and financial reporting in laying the foundations of a good corporate governance framework. This document has undergone a due consultative process including focus group meetings attended by company directors. We would like to thank the many companies, professional bodies and individuals who provided input and shared their experiences in order to improve earlier drafts of this document.
These guidelines are intended to guide directors of listed issuers in making disclosures concerning risk management and internal control in their company’s annual report pursuant to paragraph 15.26(b) of the Listing Requirements. In making the statement, companies are required to explain their governance policies, including any special circumstances which have led them to adopt a particular approach. It sets out the obligations of management and the board of directors with respect to risk management and internal control. It also provides guidance on the key elements needed in maintaining a sound system of risk management and internal control, and describes the process that should be considered in reviewing its effectiveness.
We trust that these guidelines will provide directors with the necessary information to assist them in complying with the specific provisions of the Listing Requirements and aid in good corporate governance.
Please click here to download the pdf version of the Statement on Risk Management & Internal Control – Guidelines for Directors of Listed Issuers.
IIAM Webinar: Get to Know the Global Internal Audit Standards
Please click here to download the pdf version of the Statement on IIAM Webinar: Get to Know the Global Internal Audit Standards.
IIAM Webinar: WHAT THE NEW STANDARDS MEAN TO QUALITY ASSESSMENTS?
Please click here to download the pdf version of the Statement on IIAM Webinar: What the New Standards mean to Quality Assessments?
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)
The IIA’s blueprint for the profession that offers practitioners a full range of internal audit guidance, including the Core Principles, Standards, Code of Ethics, Implementation and supplemental guidance, position papers and other resources. The International Professional Practices Framework (IPPF) is the conceptual framework that organises authoritative guidance promulgated by The Institute of Internal Auditors (IIA). A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organised in the IPPF as mandatory guidance and recommended guidance.
ADDITIONAL RESOURCES
Find the guidance resources you need in such areas as Corporate Governance, Risk Management, Expressing an Opinion on Internal Control, COSO Guidance, Establishing an Audit Shop, Sustainable Development, and many more subject areas.
INTERNAL AUDIT FREQUENTLY ASKED QUESTIONS (FAQS) ABOUT THE PROFESSION
Gain a better understanding of the internal audit profession and help others do the same. We have compiled a list of commonly asked questions for your easy reference and to share with others.
TECHNICAL ENQUIRIES
One of the services provided by IIA Malaysia exclusively for members is technical support, assisting members with technical enquiries.
These enquiries may be submitted to technical@iiam.com.my
The Institute’s staff shall not respond to queries on the application and interpretation of materials not published by IIA. No enquiries on internal auditing and other professional requirements applicable in jurisdictions other than Malaysia shall be entertained.
The Institute’s staff shall entertain queries only from members of IIA Malaysia (with limited exceptions for regulatory bodies and the news media).
Queries shall be in writing. The query should include the member’s name, membership number, address and contact telephone number during normal office hours.