Securities (Internal Controls Over Financial Reporting) Guidelines, 2024

THE SECURITIES ACT SECURITIES (INTERNAL CONTROLS OVER FINANCIAL REPORTING) GUIDELINES, 2024 GUIDELINE NO. 3 OF 2024

Securities (Internal Controls Over Financial Reporting) Guidelines Arrangement of guidelines

1. Title and application 1
2. Scope of these Guidelines 1
3. Definition of Internal Control 3
4. Assessment and reporting on the Company's internal controls by Management 4
5. Evaluation of internal control over financial reporting 7
6. Disclosure controls and procedures 8
7. Conclusions regarding effectiveness of disclosure controls and procedures 9
8. Annual disclosure by the signing officers 9
9. Guidelines governing the assurance report on the Company’s ICOFRs 10
10. Conducting an audit of financial statements and internal controls over financial reporting 13
11. Management Report on Internal Controls Over Financial Reporting 16
12. Certifications 16
13. General guidelines 17
14. Annual Report to be filed under these guidelines 20
15. Reporting on the status of ICOFR Frameworks to the Commission 20
16. Effective date 21
17. Repeal of the Securities (Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines, 2019 22 APPENDIX 1: SAMPLE ANNUAL CERTIFICATIONS 23 APPENDIX 2: SAMPLE CERTIFICATIONS BY SIGNING OFFICERS TO AUDITORS 25 APPENDIX 3: SAMPLE CERTIFICATIONS BY SIGNING OFFICERS TO THE AUDIT COMMITTEE 26 APPENDIX 4: SAMPLE UNQUALIFIED ASSURANCE REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING 27 APPENDIX 5: SAMPLE MODIFIED ASSURANCE OPINIONS ON ICOFR NOT IMPACTING STANDALONE FINANCIAL STATEMENTS 29 APPENDIX 6: MODIFIED (DISCLAIMER) ASSURANCE REPORT ON ICOFR WITH/ WITHOUT AN IMPACT STANDALONE FINANCIAL STATEMENTS 34 APPENDIX 7: QUALIFIED (ADVERSE) ASSURANCE REPORT ON ICOFR WITH/ WITHOUT AN IMPACT STANDALONE FINANCIAL STATEMENTS 36 APPENDIX 8: SAMPLE MANAGEMENT REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING 37 APPENDIX 9: SAMPLE REPORTING TEMPLATE ON STATUS OF ICOFR 42 APPENDIX 10: SAMPLE REPORTING TEMPLATE – MAPPING OF BUSINESS PROCESS TO FINANCIAL STATEMENTS 43 APPENDIX 11: FORMAT OF THE GAP ANALYSIS REPORT 44

Securities (Internal Controls Over Financial Reporting) Guidelines 1 | P a g e

1. Title and application 1.1 These Guidelines may be cited as the Securities (Internal Controls Over Financial Reporting) Guidelines, 2024. 1.2 These Guidelines are issued pursuant to section 211(1) of the Securities Act, No. 41 of 2016 as amended by Act No. 21 of 2022 (hereinafter referred to as “the Act”) to provide guidance to issuers and auditors on the application of Sections 146, 147 and 149 of the Act. They do not address sections of the Act not directly cited.
2. Scope of these Guidelines 2.1 These Guidelines have been designed to guide the implementation of the aforementioned sections of the Act as summarized below— 2.1.1 Section 146 requires a listed company or company whose securities are registered with the Securities and Exchange Commission (the “Commission”) to file its accounting records, financial records and such other returns with the Commission. This is to be done on a periodic or annual basis as may be prescribed by the Commission by statutory instrument. The section also requires the chief executive officer and the chief financial officer or any other officers or persons performing similar functions in the company,to certify in each report filed, the matters listed in subsection (2) (d), (e) and (f). 2.1.2 Section 147 requires a listed company or company whose securities are registered with the Commission to establish a system of internal controls over its financial reporting and security of its assets. It also requires the board of directors of a listed company to ensure the integrity of the company’s internal control systems and to report the effectiveness of the same in the company’s annual report. 2.1.3 Section 149 requires the auditor of a listed company or company whose securities are registered with the Commission to issue a statement as to the existence, adequacy and effectiveness or otherwise of the internal control system of the company. This is to be contained in the auditor’s assurance report of the company. 2.2 The Guidelines have been issued to provide clarity on the use of the term internal controls as referenced in Section 147(3) of the Act and to limit the use of the term to Internal Controls over Financial Reporting (“ICFRs”) in relation to sections 146 and 149 of the Act. 2.3 The following must be noted: 2.3.1 Certifications: The Commission will require companies to produce the certifications mandated by section 146 of the Act as part of its annual reports. Examples of these certifications are provided in the appendices.

Securities (Internal Controls Over Financial Reporting) Guidelines 2 | P a g e 2.3.2 Company: In these Guidelines, references to a “company” are references to a listed company or a company whose securities are registered with the Commission. 2.3.3 Principle of proportionality: In applying these guidelines and establishing a suitable ICFR Framework, Issuers are expected to take into account the size, nature and scope of their operations and associated risks the ICFRs are designed to mitigate. This will ensure Issuers develop and implement ICFRs that are proportional to significance of the risk over financial reporting specific to the entity. 2.3.4 Internal controls over financial reporting: The reference to internal controls over financial reporting can incorporate disclosure controls and procedures by reference in the internal control report by management. 2.4 The guidelines for Issuers and their auditors are contained as follows: Framework Section Description Guidelines Issuers 3 Definition of Internal Control 4 Assessment and reporting of the Company's Internal Control by Management 5 Evaluation of Internal Control over Financial Reporting 6 Disclosure controls and procedures 7 Conclusions Regarding Effectiveness of Disclosure Controls and Procedures 8 Annual Disclosure by the Signing Officers 11 Management Report on Internal Controls Over Financial Reporting 12 Certifications 13 General guidelines 14 Annual report to be filed under these guidelines 15 Reporting on the status of ICOFR Frameworks to the commission 16 Effective date 17 Repeal of the Securities (Internal Control Reporting Framework for Issuers of registered Securities) Guidelines, 2019 Guidelines to Auditors 3 Definition of Internal Control 9 Guidelines governing the Assurance report on the Company’s Internal Controls Over Financial Reporting

Securities (Internal Controls Over Financial Reporting) Guidelines 3 | P a g e 10 Conducting an audit of financial statements and internal controls over financial reporting 13 General guidelines 14 Annual report to be filed under these guidelines 16 Effective date 17 Repeal of the Securities (Internal Control Reporting Framework for Issuers of registered Securities) Guidelines, 2019

3. Definition of Internal Control 3.1 Section 147(3) of the Act defines internal controls as policies, procedures and practices put in place by the management or the board of a listed company or company whose securities are registered with the Commission to ensure safety of assets, accuracy of financial records and reports, achievement of corporate objectives and compliance with laws and regulations. 3.2 In these Guidelines the use of the term internal controls has been streamlined to internal controls over financial reporting in relation to sections 146 and 149 of the Act. In this regard controls are critical to ensure safety of assets, ensure achievement of corporate objectives and compliance with laws and regulations. 3.3 In these guidelines "internal control over financial reporting" has been defined as: “ A process designed by, or under the supervision of, the company's Chief Executive Officer and Chief Financial Officers or persons performing similar functions, and implemented by a company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that—

1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and nature of the assets of the company.
2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or nature of the company's assets that could have a material effect on the financial statements.” 3.4 Section 3.2 entails that Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process implemented by an

Securities (Internal Controls Over Financial Reporting) Guidelines 4 | P a g e entity's board of directors, management and other personnel which is designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements. 3.5 This definition provided in 3.2 does not encompass the elements of the definition by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). The COSO definition relates to the effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations. This is with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements. This is because internal control beyond financial reporting is a very broad subject and may not always have an immediate impact on the users of the financial statements. 3.6 The use of the above definition ICOFR and the definition in 3.1 is not intended to relegate the emphasis on policies procedures and practices required to be put in place by companies for the achievement of corporate objectives and compliance with laws and regulations. The expectation is that Companies when designing and implementing ICOFRs will invariably take into account the company’s corporate objectives and laws and regulations. 4. Assessment and reporting on the Company's internal controls by Management 4.1 The Securities Act read together with these Guidelines require a company's annual report to include an internal control report by management that contains￾4.1.1 a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. 4.1.2 a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting. 4.1.3 management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal controls over financial reporting are effective. The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal controls over financial reporting are effective to the extent that there are one or more material weaknesses in the company's internal controls over financial reporting; and

Securities (Internal Controls Over Financial Reporting) Guidelines 5 | P a g e 4.1.4 a statement that the company’s auditors had audited the financial statements included in the annual report and had issued an assurance report on the effectiveness or otherwise of the company's internal controls over financial reporting. 4.2 The Securities Act read together with these Guidelines also requires a company to file, as part of the company's annual report, the assurance report of the audit firm that audited the company's financial statements. Key considerations in preparation, assessment and evaluation of ICOFRs 4.3 The following key information is relevant in the preparation, assessment and evaluation of internal controls over financial reporting that are implemented by a company: (1) Evaluation of Internal controls over financial reporting (2) Auditor independence (3) Material weaknesses in internal control over financial reporting (4) Method of evaluating the effectiveness of internal control over financial reporting. 4.4 Detailed guidelines on these key considerations are provided below. 4.5 Evaluation of Internal Control over Financial Reporting 4.5.1 Management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. 4.5.2 The COSO Framework satisfies the Commission’s criteria and shall be used as an evaluation framework for the purpose of management's annual internal control evaluation and disclosure requirements. 4.5.3 The use of standard measures that are publicly available drives the enhancement of the quality of the internal control report and will promote comparability of the internal control reports of different companies. These Guidelines require the management’s report to identify the evaluation framework used by it to assess the effectiveness of the company's internal control over financial reporting. 4.5.4 An appropriate control framework is one which is free from bias, allows reasonably consistent qualitative and quantitative measurements of a company's internal control, is sufficiently complete so that relevant factors which would alter a conclusion about the effectiveness of a company's internal controls are not omitted, and is relevant to an evaluation of internal control over financial reporting.

Securities (Internal Controls Over Financial Reporting) Guidelines 6 | P a g e 4.6 Auditor’s Independence 4.6.1 The auditor is required to provide an opinion over the existence, adequacy and effectiveness or otherwise of internal control over financial reporting. As such, management and the company's independent auditors cannot coordinate their processes of documenting and testing the internal controls over financial reporting. The auditors must apprise themselves of the regulatory requirements including but not limited to the Securities Act on auditor independence which prohibit an auditor from providing certain audit or non-audit services to an audit client or its related entities that have potential to give rise to a conflict of interest. This may include provision of audit and non-audit services to related entities such as collective investment schemes managed by an audit client or where the audit client is a trustee or custodian. 4.7 Material weaknesses in internal control over financial reporting 4.7.1 The Securities Act read together with these Guidelines preclude management from determining that a company's internal control over financial reporting is effective if it identifies one or more material weaknesses in the company's internal control over financial reporting. The term "material weakness" in these Guidelines has the same meaning as that in generally accepted accounting standards, international standards of auditing and other widely used auditing standards. In the context of these guidelines a material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis’’. 4.7.2 These Guidelines require management's internal control report to include disclosure of any material weakness in the company's internal control over financial reporting identified by management in the course of its evaluation. 4.8 Method of evaluating the effectiveness of internal control over financial reporting 4.8.1 These Guidelines do not specify the method or procedures that are to be applied or performed in an evaluation of the effectiveness of internal control over financial reporting. However, of importance in conducting such an evaluation is the need for a company to maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. Developing and maintaining such evidential matter is an inherent element of effective internal controls. 4.8.2 The assessment of a company's internal control over financial reporting must be based on procedures sufficient to evaluate its design and test its

Securities (Internal Controls Over Financial Reporting) Guidelines 7 | P a g e operating effectiveness. Controls subject to such assessment include, but are not limited to- (a) controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements. (b) controls related to the initiation and processing of non-routine and non-systematic transactions. (c) controls related to the selection and application of appropriate accounting policies; and controls related to the prevention, identification, and detection of fraud. 4.8.3 The controls over financial reporting will include both manual and automated controls. 4.8.4 The nature of a company's testing activities will largely depend on the circumstances of the company and the significance of the control. However, inquiry alone generally will not provide an adequate basis for management's assessment. 4.8.5 An assessment of the effectiveness of internal control over financial reporting must be supported by evidential matter, including documentation, regarding both the design of internal controls and the testing processes. This evidential matter should provide reasonable support for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions, the conclusion that the tests were appropriately planned and performed, and the conclusion that the results of the tests were appropriately considered. The period for the maintenance of such evidential matters will follow the normal statutory requirements for the maintenance of accounting and other records. 5. Evaluation of internal control over financial reporting 5.1 The company's management, with the participation of the chief executive officer and chief financial officers, are required to evaluate any change in the company's internal control over financial reporting that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. 5.2 Furthermore, management is required to evaluate any change in the company's internal control over financial reporting that occurred during a reporting period that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. 5.3 Management is required by Section 146(2)(f) to disclose any change in the company’s internal control over financial reporting, identified in connection with the evaluation required by the Act, that occurred subsequent to the date of the company’s last review that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting.

Securities (Internal Controls Over Financial Reporting) Guidelines 8 | P a g e 5.4 A separate certification is required for the chief executive officer and chief financial officer of the company or other officers or persons performing similar functions, as required by section 146 (2) of the Act and as set forth below. 5.5 In addition, the company must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. 6. Disclosure controls and procedures 6.1 Disclosure controls and procedures include the controls and procedures designed to ensure that information required by the Acts or reporting standards (e.g. GAAP, IFRS) to be disclosed by the company in reports submitted to the Commission under the Act or any other applicable laws and regulations, is collected and communicated to the company's management, including its chief executive officer and chief financial officers or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure. 6.2 While there is substantial overlap between a company's disclosure controls and procedures and its internal control over financial reporting, there are elements of disclosure controls and procedures that cannot be dealt with under internal control over financial reporting and vice versa. 6.3 The components of internal control over financial reporting will be included in disclosure controls and procedures for all companies. However, in designing their disclosure controls and procedures, companies are expected to make judgments regarding the processes on which they will rely to meet the applicable requirements. 6.4 In doing so, companies should design their disclosure controls and procedures so that certain components of internal control over financial reporting pertaining to the accurate recording of transactions and disposition of assets or to the safeguarding of assets are included. 6.5 The company's management, with the participation of the chief executive officer and chief financial officer, are required to evaluate any change in the company's disclosure controls and procedures that has materially affected, or is reasonably likely to materially affect, the company's disclosure controls and procedures. This evaluation must be made in the annual filing and relates to change which occurred during a reporting period. 6.6 Furthermore, management must evaluate any changes in the disclosure controls and procedures subsequent to the date of their last evaluation that has materially affected, or are reasonably likely to materially affect, the company's disclosure controls and procedures.

Securities (Internal Controls Over Financial Reporting) Guidelines 9 | P a g e 7. Conclusions regarding effectiveness of disclosure controls and procedures 7.1 These Guidelines require companies to state the conclusion of the chief executive officer and chief financial officer and officers or persons performing similar functions, that the disclosure controls and procedures are designed to provide reasonable assurance of achieving the objectives and to set forth the conclusion that the controls and procedures are, in fact, effective at the "reasonable assurance" level. Such conclusions may only be made where the officer making the conclusion reasonably believes the same to be true. 7.2 The concept of reasonable assurance is built into the definition of internal control over financial reporting that has been adopted in these Guidelines. If management decides to include a discussion of reasonable assurance in the internal control report, the discussion must be presented in a manner that neither makes the disclosure in the report confusing nor renders management's assessment concerning the effectiveness of the company's internal control over financial reporting unclear. 7.3 These Guidelines require companies to disclose the conclusions of the company’s chief executive officer and chief financial officer or officers or persons performing similar functions, regarding the effectiveness of the company’s disclosure controls and procedures based on the evaluation of these controls and procedures required by the Act. 7.4 These Guidelines also require separate certification by the chief executive officer and chief financial officer or officers or persons performing similar functions, of the company, as required by section 146 (2) of the Act and as set out in Appendices 1 - 3 hereof. Such certification is to be made in annual report filed by the company and is to be made by the officers signing the report from the categories of officer mentioned above (hereafter referred to as a “signing officer”). 7.5 Directors Report on effectiveness of internal control over financial reporting 7.5.1 Section 147 requires the board of directors of a listed company or whose securities are registered with the Commission to ensure the integrity of the company’s internal control systems and to report the effectiveness of the same in the company’s annual report. 7.5.2 Under these guidelines, the directors shall report on the effectiveness of the company’s Internal Controls Over Financial Reporting including its Disclosure controls and procedures in the Directors' Report of the company’s annual report. 8. Annual disclosure by the signing officers 8.1 Section 146(2)(f) of the Act requires the signing officers to certify in each annual report filed. In accordance with section 146(1), the signing officers have identified, in the report, whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation. Further entities must

Securities (Internal Controls Over Financial Reporting) Guidelines 10 | P a g e evaluate and take into account subsequent events, incorporating those that affect current year reporting into the current year's accounts including any corrective actions with regard to significant deficiencies and material weaknesses. 8.2 In line with this requirement, the management of a company is required to provide written representation to the auditors and audit committee of the company stating that the signing officers have disclosed to such auditors and audit committee, the following information based on their most recent evaluation of internal control over financial reporting: 8.2.1 all significant deficiencies in the design or operation of internal control over financial reporting which would adversely affect the company's ability to record, process, summarize and report financial data. In addition, the signing officers are required to have identified any material weakness in internal controls for the company’s auditors; and 8.2.2 any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting. 8.3 To the extent that a signing officer becomes aware of a significant deficiency, material weakness or fraud requiring disclosure outside of the formal evaluation process or after management's most recent evaluation of internal control over financial reporting, such officer will disclose the same to the company's auditors and audit committee. 8.4 A sample of these certifications are attached at Appendices 2 and 3. 9. Guidelines governing the assurance report on the Company’s ICOFRs 9.1 Section 149 of the Act requires the auditor of a company to issue a statement as to the existence, adequacy and effectiveness or otherwise of the internal control system of the company. This is to be contained in the auditor’s assurance report of the company. 9.2 Under these Guidelines, the International Auditing and Assurance Standards Board (IAASB), as adopted by ZICA, shall be the body that sets auditing standards for external auditors to use in connection with the preparation and issuance of assurance reports on the existence, adequacy and effectiveness of internal control over financial reporting of the company, and under Act. 9.3 International Standards for Assurance Engagements 3000 (“ISAE 3000”) will apply in the attestation on internal controls over financial reporting and in connection with the preparation and issuance of assurance reports on the existence, adequacy and effectiveness of internal control over financial reporting of the company. ISAE 3000 will also continue to apply once integrated reporting becomes effective in Zambia.

Securities (Internal Controls Over Financial Reporting) Guidelines 11 | P a g e 9.4 The auditor of a company who issues or prepares an assurance report for the company containing a statement as to the existence, adequacy and effectiveness of the company's internal control over financial reporting must also report on the existence, adequacy and effectiveness or otherwise of the internal control system over financial reporting of the company. 9.5 The assurance report on the existence, adequacy and effectiveness of a company’s internal control system over financial reporting must be dated, signed by hand, identify the period covered by the report, state the location of the practitioner and clearly state the opinion of the auditor on whether a company has maintained, in all material respects, effective internal control systems over financial reporting as of the reporting date. Adverse Opinion 9.6 If there are deficiencies that, individually or in combination, result in one or more material weaknesses, the auditor must express an adverse opinion on the company's internal control over financial reporting, unless there is a restriction on the scope of the engagement. When expressing an adverse opinion on internal control over financial reporting because of a material weakness, the auditor's report must include - • The definition of a material weakness as provided in these guidelines • A statement that a material weakness has been identified and an identification of the material weakness described in management's assessment. Note: If the material weakness has not been included in management's assessment, the report should be modified to state that a material weakness has been identified but not included in management's assessment. Additionally, the auditor's report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. In this case, the auditor also should communicate in writing to the audit committee that the material weakness was not disclosed or identified as a material weakness in management's assessment. If the material weakness has been included in management's assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, the auditor's report should describe this conclusion as well as the information necessary to fairly describe the material weakness. 9.7 The auditor should determine the effect the adverse opinion on internal control has on the opinion on the financial statements. Additionally, the auditor should disclose whether his or her opinion on the financial statements was affected by the adverse opinion on internal control over financial reporting. Note: If the auditor issues a separate report on internal control over financial reporting in this circumstance, the disclosure required by this

Securities (Internal Controls Over Financial Reporting) Guidelines 12 | P a g e paragraph may be combined with the report language described in paragraphs .88 and .91. The auditor may present the combined language either as a separate paragraph or as part of the paragraph that identifies the material weakness. Report Modifications 9.8 If an overall opinion cannot be expressed, the reasons therefore must be stated in the assurance report. The auditor should modify their report if any of the following conditions exist. • Elements of management's report on internal control over financial reporting are incomplete or improperly presented. • There is a restriction on the scope of the engagement. • There is other information contained in management's annual report on internal control over financial reporting, or • Management's certifications pursuant to these guidelines misstated. 9.9 In these Guidelines, a “statement as to the existence, adequacy and effectiveness or otherwise of the internal control system over financial reporting of a company” is a report in which an auditor expresses an opinion, or states that an opinion cannot be expressed, concerning the existence, adequacy and effectiveness of the company's internal control system over financial reporting in accordance with standards on assurance engagements. When an overall opinion cannot be expressed, the external auditor must state why it is unable to express such an opinion. 9.10 The auditor may form an opinion on the effectiveness of internal control over financial reporting only when there have been no restrictions on the scope of the auditor's work. A scope limitation requires the auditor to disclaim an opinion or withdraw from the engagement 9.11 After forming an opinion on the effectiveness of the company's internal control over financial reporting, the auditor should evaluate the presentation of the elements that management is required under these Guidelines to present in the Management report on internal control over financial reporting. 9.12 If the auditor determines that any required elements of management's annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to include an explanatory paragraph describing the reasons for this determination. 9.13 Management's report on internal control over financial reporting may contain information in addition to the elements described in these guidelines that are subject to the auditor's evaluation. If management's report on internal control over financial reporting could reasonably be viewed by users of the report as including such additional information, the auditor should disclaim an opinion on the information.

Securities (Internal Controls Over Financial Reporting) Guidelines 13 | P a g e 9.14 If the auditor believes that Management's certifications pursuant to these guidelines misstated, the auditor should modify their report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons the auditor believes management's disclosures should be modified. 9.15 In line with the requirements in ISAE 3000.69J, an example of an unmodified standard report is provided in Appendix 4. In cases where the auditors determine that a modified report is appropriate, examples of audit reports arising in various scenarios have been provided in Appendices 5 - 7. 9.16 The assurance report on the existence, adequacy and effectiveness of the internal control system over financial reporting of a company will be separate from the audit report on financial statements. The auditor should therefore add the following paragraph (immediately following the opinion paragraph) to the auditor's report on the financial statements – “We also have audited, [state company name]'s internal controls over financial reporting as of 31 December 20XX, based on [state criteria: criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)] and our report dated [ date of report, which should be the same as the date of the report on the financial statements ] expressed [ include nature of opinion ].” 10. Conducting an audit of financial statements and internal controls over financial reporting 10.1 In the context of these guidelines, an integrated audit means an audit assignment that combines the audit of an issuer’s financial statements with an audit of its Internal Controls over Financial Reporting. An audit of the financial statements is conducted under International Standards on Auditing (“ISAs”) while the ICFR audit is conducted under ISAE 3000. Both these standards require the auditor to issue an engagement letter. Therefore, auditors will be required to issue two engagements letters, one for the financial statement audit and another for the ICOFR audit. 10.2 However, issuers and their auditors should ensure that to the extent possible that the audit assignment for the audit of the company's financial statements is integrated with the assurance work on its internal controls over financial reporting. Additional guidance on integrated audits is provided in section 10 below. 10.3 Tests of Controls in an Audit of Internal Control. 10.3.1 The objective of the tests of controls in an audit of internal control over financial reporting is to obtain evidence about the effectiveness of controls to support the auditor's opinion on the company's internal control over financial reporting. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole.

Securities (Internal Controls Over Financial Reporting) Guidelines 14 | P a g e 10.3.2 To express an opinion on internal control over financial reporting as of a point in time, the auditor should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period (ordinarily one year) covered by the company's financial statements. To express an opinion on internal control over financial reporting taken as a whole, the auditor must obtain evidence about the effectiveness of selected controls over all relevant assertions. This requires that the auditor test the design and operating effectiveness of controls he or she ordinarily would not test if expressing an opinion only on the financial statements. 10.3.3 When concluding on the effectiveness of internal control over financial reporting for purposes of expressing an opinion on internal control over financial reporting, the auditor should incorporate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the financial statements, as discussed in the following section. 10.4 Tests of Controls in an Audit of Financial Statements. 10.4.1 To express an opinion on the financial statements, the auditor ordinarily performs tests of controls and substantive procedures. 10.4.2 The objective of the tests of controls the auditor performs for this purpose is to assess control risk. To assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditor plans to place reliance on those controls. 10.4.3 When concluding on the effectiveness of controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the company's internal control over financial reporting. Consideration of these results may require the auditor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests of controls, particularly in response to identified control deficiencies. 10.5 Effect of Tests of Controls on Substantive Procedures. 10.5.1 If, during the audit of internal control over financial reporting, the auditor identifies a deficiency, he or she should determine the effect of the deficiency, if any, on the nature, timing, and extent of substantive procedures to be performed to reduce audit risk in the audit of the financial statements to an appropriately low level. 10.5.2 Regardless of the assessed level of control risk or the assessed risk of material misstatement in connection with the audit of the financial statements, the auditor should perform substantive procedures for all

Securities (Internal Controls Over Financial Reporting) Guidelines 15 | P a g e relevant assertions. Performing procedures to express an opinion on internal control over financial reporting does not diminish this requirement. 10.6 Effect of Substantive Procedures on the Auditor's Conclusions About the Operating Effectiveness of Controls. 10.6.1 In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, at a minimum - • The auditor's risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud. • Findings with respect to illegal acts and related party transactions. • Indications of management bias in making accounting estimates and in selecting accounting principles. • Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor's judgment about the effectiveness of controls. 10.6.2 To obtain evidence about whether a selected control is effective, the control must be tested directly, the effectiveness of a control cannot be inferred from the absence of misstatements detected by substantive procedures. The absence of misstatements detected by substantive procedures, however, should inform the auditor's risk assessments in determining the testing necessary to conclude on the effectiveness of a control. 10.7 Obtaining Written Representations 10.7.1 In performing an audit of internal controls over financial reporting, the auditor should obtain written representations from management: a) Acknowledging management's responsibility for establishing and maintaining effective internal control over financial reporting. b) Stating that management has performed an evaluation and made an assessment of the effectiveness of the company's internal control over financial reporting and specifying the control criteria. c) Stating that management did not use the auditor's procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management's assessment of the effectiveness of internal control over financial reporting. d) Stating management's conclusion, as set out in Management’s Internal Controls Report, about the effectiveness of the company's internal control over financial reporting based on the control criteria as of a specified date. e) Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over

Securities (Internal Controls Over Financial Reporting) Guidelines 16 | P a g e financial reporting identified as part of management's evaluation, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting. f) Describing any fraud resulting in a material misstatement to the company's financial statements and any other fraud that does not result in a material misstatement to the company's financial statements but involves senior management or management or other employees who have a significant role in the company's internal control over financial reporting. g) Stating whether control deficiencies identified and communicated by the auditors to the audit committee/ Board during previous engagements have been resolved by the entity, and specifically identifying any that have not; and h) Stating whether there were, after the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses. 10.7.2 The failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit. Auditors should apply the procedures in the ISAs and ISAE in dealing with the limitation in scope. 11. Management Report on Internal Controls Over Financial Reporting 11.1 An example of a Management Report on Internal Controls Over Financial Reporting has been reproduced in detail in Appendix 8. This example is reproduced to show how the components required to be included in the internal control report may be presented. It is necessary to tailor the same to the circumstances of the company. An internal control report may include information not contained in this example. 11.2 Signature and Filing of Report. The report must be on behalf of the company by its chief executive officer and Chief financial officer or officers or persons performing similar functions. 12. Certifications 12.1 Section 146 (2) of the Act requires the chief executive officer and chief financial officer or officers or persons performing similar functions (the “signing officers”) to make certain certifications as listed therein in each annual report filed— 12.1.1 There must be a statement that the signing officers are responsible for establishing and maintaining internal controls and procedures for financial reporting or having such controls and procedures designed under their supervision.

Securities (Internal Controls Over Financial Reporting) Guidelines 17 | P a g e 12.1.2 The disclosure controls and procedures may be designed under the supervision of chief executive officer and chief financial officer or officers or persons performing similar functions. 12.1.3 The statement as to the effectiveness of disclosure controls and procedures and internal controls and procedures for financial reporting should be throughout the period of reliance but as ofthe report date; and 12.1.4 The certifications should include changes in internal control over financial reporting that have materially affected or are reasonably likely to materially affect internal control over financial reporting. 12.2 The certifying Officers must also provide the auditor and the Audit Committee/ Board with certifications confirming that they have disclosed: (i) All significant deficiencies in the design or operation of internal controls which would adversely affect the company's ability to record, process, summarize and report financial data and hereby identify any material weakness in internal controls; and (ii) any fraud, whether material, that involves management or other employees who have a significant role in the company's internal controls. (iii) any significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation. 12.3 Under these guidelines, the CEO, CFO and other officers as appropriate must submit the following certifications • Certifications by the Chief Executive Officer, Chief Financial Officers and other Officers certifications (See sample certification at Appendix 1) • Certification to the auditors (See sample certification at Appendix 2) • Certification to the Audit Committee/ Board of Directors (See sample certification at Appendix 3) 13. General guidelines 13.1 Certifications and disclosures in annual reports 13.1.1 Each annual report submitted by the Issuer pursuant to Section 146 of the Act must be accompanied by the certifications and reports in the format specified in Section 14 and the appendices. Management, the Chief Executive Officer, the Chief Financial Officer of the company, or persons performing similar functions, at the time of filing of the annual report must sign a certifications and reports as appropriate. 13.1.2 A person required to provide a certification specified in these guidelines may not have the certification signed on their behalf pursuant to the power of attorney or other form of conferring authority. 13.2 Period end Controls and procedures. 13.2.1 Every company must maintain disclosure controls and procedures and internal control over financial reporting.

Securities (Internal Controls Over Financial Reporting) Guidelines 18 | P a g e 13.2.2 Each company's management must evaluate, with the participation of the company's chief executive officer and chief financial officer or officers or persons performing similar functions, the effectiveness of the company's disclosure controls and procedures, as of the end of each fiscal period. This evaluation shall be performed by the management of the company. 13.2.3 The framework on which management's evaluation of the company's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. 13.2.4 For purposes of paragraph 13, “disclosure controls and procedures” means the controls and other procedures of the company which are designed to ensure that information required to be disclosed by the company in the reports it submits under the Act, is recorded, processed, summarized and reported, within the periods specified in the Commission's Guidelines and forms. Disclosure controls and procedures include controls and procedures designed to ensure that information required to be disclosed by the company in the reports it submits under the Act is accumulated and communicated to the company's management, including its chief executive officer and chief financial officer or officers or persons performing similar functions, to allow timely decisions regarding required disclosure. 13.2.5 The definition of “internal control” contained in section 147 (3) may be understood to include the process designed by, or under the supervision of, the company's chief executive officer and chief financial officer or officers or persons performing similar functions, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that— (a) pertain to the maintenance of records which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; and (b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (c) provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use or disposition of the

Securities (Internal Controls Over Financial Reporting) Guidelines 19 | P a g e company’s assets which could have a material effect on the financial statements. 13.3 Annual Controls and Procedures 13.3.1 Disclosure Controls and Procedures Where a report is an annual report filed under the Act, it must contain the conclusions of the company's chief executive officer and chief financial officer or officers or persons performing similar functions, regarding the effectiveness of the company's disclosure controls and procedures as of the end of the period covered by the report, based on the evaluation of the controls and procedures. 13.3.2 Management's annual report on internal control over financial reporting Where a report is an annual report filed under the section 146 of the Act, it must contain— (a) a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; (b) a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting. (c) management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company’s internal control over financial reporting is effective. This must include disclosure of any material weakness in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting; and (d) a statement that the external auditor who audited the financial statements included in the annual report containing the disclosure has issued an assurance report on management's assessment of the company's internal control over financial reporting. 13.3.3 Assurance report of the external auditor Where an internal control statement is an annual report filed under the Act, it must include the external auditor's assurance report on the company’s internal control over financial reporting. 13.3.4 Changes in internal control over financial reporting It is necessary for a company’s chief executive officer and chief financial officer or officers or persons performing similar functions, to disclose any change in the company's internal control over financial reporting identified in connection with the evaluation required by the Act. This relates to any change which occurred during the period covered by the

Securities (Internal Controls Over Financial Reporting) Guidelines 20 | P a g e annual report, and which has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. 13.3.5 Maintaining evidence of management’s assessment The company must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. 14. Annual Report to be filed under these guidelines 14.1 In the context of these guidelines, issuers shall publish an annual report which shall comprise of: (i) The annual report and audited financial statements required under the Companies Act and other relevant regulations. (ii) The certifications and submissions required under these guidelines, which must be included immediately before the company’s audited financial statements in the following order: 14.2 The information required under these guidelines may be included in the following order. • Assurance report on Internal Control Over Financial Reporting • Management Report on Internal Controls Over Financial Reporting • Auditors report on financial statements • Audited Financial Statements • Certifications by the Chief Executive Officer, Chief Financial Officers and other Officers certifications • Certification to the auditors • Certification to the Audit Committee/ Board of Directors 15. Reporting on the status of ICOFR Frameworks to the Commission 15.1 Reporting on status of ICOFR and Mapping of Key Business Processes to financial statements Entities shall be required to submit to the Commission in an electronic form the following: • Status of their Internal Controls Over Financial Reporting Framework (See Appendix 9 for a sample template) • Mapping of Key Business Processes to the audited financial statements. See Appendix 10 for sample template return. 15.2 Gap Analysis Reports 15.3 Entities that have not established appropriate ICOFR frameworks shall be required to submit on an annual basis a Gap Analysis Report. (See Appendix 11 for a format of a Gap Analysis Report). This report should be used as a tool to update Senior Management, the Board and the Commission on the status of the Company’s ICOFRs. The GAR should include a plan for the finalization of issuers ICOFRs.

Securities (Internal Controls Over Financial Reporting) Guidelines 21 | P a g e 15.4 Format of Gap Analysis Report 15.4.1 In establishing robust ICOFRs, issuers are expected to provide evidence that they have undertaken the following at a minimum: (1) Identified its key business processes (KBPs) and the activities therein. (2) Identified all the control activities in the KBPs. (3) Identified key controls over financial reporting in each BPs. (4) Undertaken an assessment of the design effectiveness of its key controls. (5) Remediated Design defects in the controls and/or identified compensating controls. (6) Undertaken further tests of controls in support of the self￾certifications and to address failures in controls identified in earlier processes. (7) Documented all KBPs, activities including key controls over financial reporting, risk assessments, results of tests of controls etc. (8) Provided regular reports to its BOD regarding the progress made towards full implementation of the Company’s ICOFR in accordance with these guidelines. 15.4.2 Management must make an assessment with regards to the overall implementation status of the Company’s ICOFRs, and where material weaknesses or deficiencies are identified, a Gap Analysis Report may be necessary. Companies whose ICOFR frameworks are established need not produce a Gap analysis report, unless there is a process of materially changing or revising the ICOFR Framework. 16. Effective date 16.1 These Guidelines shall become effective on 1st September 2024 and shall apply to all financial years ending on or after 31st December 2024. 16.2 The effective date aligns to the Securities (Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines, 2019 whose transitional provisions were designed to provide affected Issuers a five (5) year transition period in which to prepare for full implementation of the proposed framework. Following the expiry of the five (5) transition period on 31st December 2023, all issuers will be required to fully comply with these guidelines with effect from 1st January 2024. This includes the publication and submission of required reports to the Commission as stipulated above. 16.3 The Commission reserves the right to take supervisory action for entities that do not take active steps to ensure they develop robust ICOFRs.

Securities (Internal Controls Over Financial Reporting) Guidelines 22 | P a g e 17. Repeal of the Securities (Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines, 2019 17.1 The Securities (Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines, 2019 are hereby repealed and replaced with these guidelines.

APPENDIX 1: SAMPLE ANNUAL CERTIFICATIONS [ON COMPANY LETTER HEAD] [ANNUAL CERTIFICATION BY CHIEF EXECUTIVE OFFICER, CHIEF FINANCIAL OFFICER OR OTHER PERSON OR OFFICER ON THE ANNUAL REPORT AND OTHER SUBMISSIONS REQUIRED UNDER THE SECURITIES (INTERNAL CONTROLS OVER FINANCIAL REPORTING) GUIDELINES] I, [identify the certifying individual], certify that—

1. I have reviewed the Annual Report as defined in Section 14 of the Securities (Internal Controls Over Financial Reporting) Guidelines of [identify the company,] as of [insert year end].
2. Based on my knowledge, the annual report does not contain any untrue statement of a material fact. Nor does it omit to state a material fact which would make the statement misleading in light of the circumstance under which it was made.
3. Based on my knowledge, the financial statements and other financial information included in this annual report, fairly presents, in all material respects, the financial condition and results of operations of the company as of, and for, the periods presented in this annual report;
4. The other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal controls over financial reporting as by the Securities (Internal Controls Over Financial Reporting) Guidelines the Company and we have (a) designed or caused to be designed under our supervision such disclosure controls and procedures to ensure that material information relating to the company and its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which the annual report is being prepared; (b) designed or caused to be designed under our supervision such disclosure controls and procedures to ensure that information required to be disclosed under the Securities Exchange Act of 2016 (as amended) is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms, including without limitation that information required to be disclosed in the SEC filings is accumulated and communicated to management, including the Chief Executive Officer (CEO), and Chief Financial Officer (CFO), as appropriate, to allow for timely decisions regarding required disclosure. (c) designed or caused to be designed under our supervision such internal controls over financial reporting to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. (d) evaluated the effectiveness of the company’s disclosure controls and procedures and internal control over financial reporting within the ninety (90) days prior to this annual report (the "Evaluation Date");

(e) Disclosed in this report any change in the Company’s internal control over financial reporting and disclosure controls and procedures that occurred during the Company’s most recent fiscal quarter (the Company’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the Company’s internal control over financial reporting (f) presented in this annual report, our conclusions about the effectiveness of the disclosure controls and procedures and internal control over financial reporting based on our evaluation as of the Evaluation Date. 5. the company’s other certifying officers and I have disclosed, based on our most recent evaluation, to the company’s auditors and the audit committee of the company’s board of directors (or persons performing similar functions)— (a) all significant deficiencies in the design or operation of disclosure controls and procedures and internal control over financial reporting which would adversely affect the company's ability to record, process, summarize and report financial data and have identified for the company's auditors any material weaknesses in internal controls; and (b) any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls; and 6. The company’s other certifying officer (s) and I have evaluated the effectiveness of the company’s disclosure controls and procedures, and Internal Controls Over Financial Reporting as required under Securities (Internal Controls Over Financial Reporting) Guidelines. Based on this evaluation we have concluded that as of XXXXX (date) the company’s disclosure controls and procedures and Internal Controls of Financial Reporting are effective. Date: ...............

---

[Signature] [Title] Provide a separate certification for the company’s chief executive officer and chief financial officer or officers or persons performing similar functions. The certification must be in the form set forth above

APPENDIX 2: SAMPLE CERTIFICATIONS BY SIGNING OFFICERS TO AUDITORS [ON COMPANY LETTERHEAD] [address of the [Auditors] Disclosure to Auditors The other certifying officer(s) and I hereby disclose, based on our most recent evaluation of the company’s disclosure controls and procedures and internal control over financial reporting , to the company's auditors that— (i) all significant deficiencies in the design or operation of the Company’s disclosure controls and procedures and internal control over financial reporting which would adversely affect the company's ability to record, process, summarize and report financial information and thereby identify any material weakness in disclosure controls and procedures and internal control over financial reporting; and (ii) any fraud, whether or not material, that involves management or other employees who have a significant role in the company's disclosure controls and procedures and internal control over financial reporting. Further, the other certifying officer(s) and I have not become aware of any significant changes in disclosure controls and procedures and internal control over financial reporting or other factors that could significantly affect disclosure controls and procedures and internal control over financial reporting subsequent to the date of our evaluation. [Note: If the certifying officers have become aware of any significant changes in disclosure controls and procedures and internal control over financial reporting, this paragraph must be modified and full details of the matters disclosed including any corrective actions taken with regard to significant deficiencies and material weaknesses] Signature: Name: Position:

APPENDIX 3: SAMPLE CERTIFICATIONS BY SIGNING OFFICERS TO THE AUDIT COMMITTEE [ON COMPANY LETTERHEAD] [address of the [Audit Committee]/ [Board of Directors]/ [or body performing functions similar to an Audit Committee] Disclosure to the Audit Committee The other certifying officer(s) and I hereby disclose, based on our most recent evaluation of the company’s disclosure controls and procedures and internal control over financial reporting, to the company's auditors that— (iii) all significant deficiencies in the design or operation of the Company’s disclosure controls and procedures and internal control over financial reporting which would adversely affect the company's ability to record, process, summarize and report financial information and thereby identify any material weakness in disclosure controls and procedures and internal control over financial reporting; and (iv) any fraud, whether or not material, that involves management or other employees who have a significant role in the company's disclosure controls and procedures and internal control over financial reporting. Further, the other certifying officer(s) and I have not become aware of any significant changes in disclosure controls and procedures and internal control over financial reporting or other factors that could significantly affect disclosure controls and procedures and internal control over financial reporting subsequent to the date of our evaluation. [Note: If the certifying officers have become aware of any significant changes in disclosure controls and procedures and internal control over financial reporting, this paragraph must be modified, and full details of the matters disclosed including any corrective actions taken with regard to significant deficiencies and material weaknesses] Signature: Name: Position:

APPENDIX 4: SAMPLE UNQUALIFIED ASSURANCE REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING The following is an example of an unmodified audit report for an audit of internal controls over financial reporting in the case of standalone financial statements. This report is for illustrative purposes only and is intended only to be a guide that may be used in conjunction with the considerations outlined guidance to auditors in the ISAs and other relevant regulations. It is also not an exhaustive report which includes all aspects of reporting by the auditor under the Securities Act, Companies Act or any other relevant laws and regulations. Auditors will need to customize it according to individual requirements and circumstances. ASSURANCE REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING (UNMODIFIED OPINION) To the shareholders of [Insert Company name] We have audited [state company name]'s internal controls over financial reporting as of 31 December 20XX, based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Our Opinion In our opinion, [state company name] maintained, in all material respects, effective internal controls over financial reporting as of 31 December 20XX, based the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We also have audited the financial statements of [insert name of Company] which comprise of the Statement of Financial Position as of 31 December, 20XX, the Statement of Profit and Loss and Other Comprehensive Income, Statement of Changes in Equity, Statement of Cashflows for the year then ended of the Company and our report dated [date of report, which should be the same as the date of the report ] expressed [ include nature of opinion]. Auditor’s Responsibilities for the Audit of the Internal Control over financial reporting [State Company name]'s management is responsible for maintaining effective internal controls and for its assessment of the effectiveness of internal controls included in the accompanying [Management Report on Internal Controls Over Financial Reporting]. Our responsibility is to express an opinion on the company's internal controls over financial reporting based on our audit. In this regard, our firm applies International Standards of Quality Control in the firm’s administration and performance of our audit. Our firm complies with the independence and other ethical requirements of the International Ethics Standards Board for Accountants Code and the Securities and Exchange Commission in Zambia. Basis for Opinion We conducted our audits in accordance with the standards of the International Standards for Assurance Engagements 3000. Those standards require that we plan and perform the

audit to obtain reasonable assurance that effective internal controls were maintained in all material respects. Our conclusion may not be suitable for another purpose. Our audit of the company’s internal controls included obtaining an understanding of internal controls over financial reporting, assessing the risk that a material weakness exists and testing and evaluating the design and operating effectiveness of internal controls over financial reporting based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circumstances. We believe that our audit provided a reasonable basis for our opinion. Definition and Limitations of Internal Control Over Financial Reporting A company's internal controls over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal controls over financial reporting includes those policies and procedures that:

1. pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company.
2. provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
3. provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. Because of their inherent limitations, internal controls over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate. (include Partner’s signature) (Include Partner’s name) Include date Partner - Practicing certificate number: AUD/……. Include location Include firm’s name Chartered Accountants

APPENDIX 5: SAMPLE MODIFIED ASSURANCE OPINIONS ON ICOFR NOT IMPACTING STANDALONE FINANCIAL STATEMENTS This appendix provides examples of a modified (Except for / adverse) audit reports for an audit of internal controls over financial reporting and not impacting the audit opinion on the standalone financial statements of the company. These reports are for illustrative purposes only and are intended only to be a guide that may be used in conjunction with the considerations outlined in guidance to auditors in the ISAs and other relevant regulations. They are also not exhaustive reports and auditors should take care to include all aspects of reporting required of them under the Securities Act, Companies Act or any other relevant laws and regulations. Auditors will need to customize these reports according to individual requirements and circumstances. The extracts sample opinions cover five scenarios as follows:

1. Except for Qualified opinion – where materials weaknesses indicate that the company did not maintain adequate ICOFRs over an aspect of its ICOFRs.
2. Adverse Qualified opinion – where material weaknesses are indicative that the Company did not maintain adequate ICOFRs.
3. Qualified Opinion on operating effectiveness of Internal Financial Controls Over Financial Reporting and unmodified opinion on adequacy of such controls
4. Adverse Opinion on operating effectiveness of Internal Financial Controls Over Financial Reporting and unmodified opinion on adequacy of such controls
5. Adverse Opinion on Internal Financial Controls Over Financial Reporting – essential components of internal controls not adequately considered in the internal financial controls established by the company Scenario 1 – Except for Opinion – an aspect of ICOFR not adequately maintained Except for Qualified opinion [EXTRACT] According to the information and explanations given to us and based on our audit, the following material weaknesses have been identified as of 31 December 20XX: a) The Company did not have an appropriate internal control system for customer acceptance, credit evaluation and establishing customer credit limits for sales, which could potentially result in the Company recognizing revenue without establishing reasonable certainty of ultimate collection. b) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, except for the effects/possible effects of the material weakness/es described above, [state company name] maintained, in all material respects, effective internal controls over financial reporting as of 31 December 20XX, based the criteria

established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX standalone financial statements of the Company, and the / these material weakness/es does not / do not affect our opinion on the standalone financial statements of the Company. Scenario 2 - Adverse Opinion – ICOFRs not maintained adequately Adverse opinion [extract] According to the information and explanations given to us and based on our audit, the following material weakness/es has / have been identified as of 31 December 20XX: a) The Company did not have an appropriate internal control system for customer acceptance, credit evaluation and establishing customer credit limits for sales, which could potentially result in the Company recognizing revenue without establishing reasonable certainty of ultimate collection. b) The Company did not have an appropriate internal control system for inventory with regard to receipts, issue for production and physical verification. Further, the internal control system for identification and allocation of overheads to inventory was also not adequate. These could potentially result in material misstatements in the Company’s trade payables, consumption, inventory and expense account balances. c) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, because of the effects/possible effects of the material weakness/es described above, [state company name] did not maintain, in all material respects, effective internal controls over financial reporting as of 31 December 20XX, based the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX standalone financial statements of the Company, and the / these material weakness/es does not / do not affect our opinion on the financial statements of the Company.

Scenario 3 - Qualified Opinion on operating effectiveness of Internal Controls Over Financial Reporting and unmodified opinion on adequacy of such controls Qualified opinion [extract] According to the information and explanations given to us and based on our audit, the following material weakness/es has / have been identified in the operating effectiveness of the Company’s internal financial controls over financial reporting as of 31 December 20XX: a) The Company’s internal financial controls over customer acceptance, credit evaluation and establishing customer credit limits for sales, were not operating effectively which could potentially result in the Company recognizing revenue without establishing reasonable certainty of ultimate collection. b) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, the Company has, in all material respects, maintained adequate internal controls over financial reporting as of 31 December 20XX, based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), except for the effects/possible effects of the material weakness/es described above. We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX financial statements of the Company, and the / these material weakness/es does not / do not affect our opinion on the standalone financial statements of the Company. Scenario 4 - Adverse Opinion on operating effectiveness of Internal Controls Over Financial Reporting and unmodified opinion on adequacy of such controls Adverse opinion [extract] According to the information and explanations given to us and based on our audit, the following material weakness/es has / have been identified in the operating effectiveness of the Company’s internal financial controls over financial reporting as of 31 December 20XX: a) The Company’s internal control system for customer acceptance, credit evaluation and establishing customer credit limits for sales, were not operating effectively which could potentially result in the Company recognizing revenue without

establishing reasonable certainty of ultimate collection. b) The Company’s internal control system for inventory with regard to receipts, issue for production and physical verification were not operating effectively. Further, the internal control system for identification and allocation of overheads to inventory was also not operating effectively. These could potentially result in material misstatements in the Company’s trade payables, consumption, inventory and expense account balances. c) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, the Company has, in all material respects, maintained adequate internal financial controls over financial reporting as of 31 December 20XX, based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and because of the effects/possible effects of the material weakness/es described above on the achievement of the objectives of the control criteria, the Company’s internal financial controls over financial reporting were not operating effectively as of 31 December 20XX. We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX standalone financial statements of the Company, and the / these material weakness/es does not / do not affect our opinion on the financial statements of the Company. Scenario 5 - Adverse Opinion on Internal Financial Controls Over Financial Reporting – essential components of internal controls not adequately considered in the internal financial controls established by the company Adverse opinion [extract] According to the information and explanations given to us and based on our audit, the following material weakness/es has / have been identified as of 31 December 20XX: a) The Company did not have an appropriate internal financial control system over financial reporting since the internal controls adopted by the Company did not adequately consider risk assessment, which is one of the essential components of internal control, with regard to the potential for fraud when performing risk assessment, b) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material

misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, because of the effects/possible effects of the material weakness/es described above on the achievement of the objectives of the control criteria, the Company has not maintained internal controls over financial reporting as of 31 December 20XX, based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX standalone financial statements of the Company, and the / these material weakness/es does not / do not affect our opinion on the standalone financial statements of the Company.

APPENDIX 6: MODIFIED (DISCLAIMER) ASSURANCE REPORT ON ICOFR WITH/ WITHOUT AN IMPACT STANDALONE FINANCIAL STATEMENTS The following is an example of a modified (qualified / adverse) audit report for an audit of internal controls over financial reporting and impacting/not impacting the audit opinion on the standalone financial statements of the company. This report is for illustrative purposes only and is intended only to be a guide that may be used in conjunction with the considerations outlined guidance to auditors in the ISAs and other relevant regulations. It is also not an exhaustive report which includes all aspects of reporting by the auditor under the Securities Act, Companies Act or any other relevant laws and regulations. Auditors will need to customize it according to individual requirements and circumstances. The extracts sample opinions cover five scenarios as follows:

1. Framework for internal control over financial reporting not established but does not impact the audit opinion on financial statements
2. Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial reporting but does not impact audit opinion on the financial statements
3. Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial reporting and impacting audit opinion on the financial statements Scenario 1 – Framework for internal control over financial reporting not established but does not impact the audit opinion on financial statements Disclaimer of Opinion According to the information and explanation given to us, the Company has not established its internal controls over financial reporting based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Because of this reason, we were unable to obtain sufficient appropriate audit evidence to provide a basis for our opinion whether the Company had adequate internal controls over financial reporting and whether such internal financial controls were operating effectively as of 31 December 20XX. We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in our audit of the standalone financial statements of the Company, and the disclaimer does not affect our opinion on the standalone financial statements of the Company.

Scenario 2 – Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial reporting but does not impact audit opinion on the financial statements Disclaimer of Opinion The system of internal financial controls over financial reporting with regard to one of the significant branches of the Company at Lusaka were not made available to us to enable us to determine if the Company has established adequate internal control over financial reporting at the aforesaid branch based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Because of this reason, we were unable to obtain sufficient appropriate audit evidence to provide a basis for our opinion whether the Company had adequate internal controls over financial reporting and whether such internal financial controls were operating effectively as of 31 December 20XX. We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in our audit of the financial statements of the Company, and the disclaimer does not affect our opinion on the financial statements of the Company. Scenario 3 – Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial reporting and impacting audit opinion on the financial statements Disclaimer of audit opinion The system of internal financial controls over financial reporting with regard to the Company were not made available to us to enable us to determine if the Company has established adequate internal control over financial reporting based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and whether such internal financial controls were operating effectively as of 31 December 20XX. Because of this reason, we were unable to obtain sufficient appropriate audit evidence to provide a basis for our opinion whether the Company had adequate internal controls over financial reporting and whether such internal financial controls were operating effectively as of 31 December 20XX. We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in our audit of the standalone financial statements of the Company, and the disclaimer has affected our opinion on the financial statements of the standalone Company, and we have issued a qualified (/ adverse / disclaimer of) opinion on the financial statements.

APPENDIX 7: QUALIFIED (ADVERSE) ASSURANCE REPORT ON ICOFR WITH/ WITHOUT AN IMPACT STANDALONE FINANCIAL STATEMENTS The following is an example of a modified (qualified / adverse) audit report for an audit of internal controls over financial reporting causing a modified report on the standalone financial statements. This report is for illustrative purposes only and is intended only to be a guide that may be used in conjunction with the considerations outlined guidance to auditors in the ISAs and other relevant regulations. It is also not an exhaustive report which includes all aspects of reporting by the auditor under the Securities Act, Companies Act or any other relevant laws and regulations. Auditors will need to customize it according to individual requirements and circumstances. Adverse Opinion [EXTRACT] According to the information and explanations given to us and based on our audit, the following material weakness/es has / have been identified as of 31 December 20XX: (a) The Company did not have appropriate internal controls for reconciliation of physical inventory with the inventory records, which has resulted in misstatement of inventory values in the books of account. (b) [list other deficiencies identified] A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such t hat there is a reas onabl e p o s s i b i l i t y that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. In our opinion, because of the effect of the material weakness/es described above on the achievement of the objectives of the control criteria, the Company has not maintained internal controls over financial reporting as of 31 December 20XX, based on the criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit tests applied in our audit of the 31 December 20XX standalone financial statements of the Company, and the / these material weakness/eses has / have affected our opinion on the standalone financial statements of the Company and we have issued a qualified (/ adverse / disclaimer of) opinion on the standalone financial statements.

APPENDIX 8: SAMPLE MANAGEMENT REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING Management’s Internal Control over Financial Reporting: Management Responsibility Management of [State Company name] is responsible for establishing and maintaining adequate internal controls over financial reporting. Our internal control over financial reporting is a process designed under the supervision of our Chief Executive Officer and our Chief Financial Officer to provide reasonable assurance regarding the reliability of financial reporting and the preparation of the company’s financial statements for external reporting purposes in accordance with International Financial Reporting Standards. Internal control over financial reporting includes our disclosure controls and procedures designed to prevent misstatements. Risks in Financial Reporting The main risks in financial reporting are that it is possible that either financial statements do not present a true and fair view due to inadvertent or intentional errors (fraud), or that the publication of financial statements is not done on a timely basis. These risks may reduce investor confidence or cause reputational damage and may have legal consequences including banking regulatory interventions. A lack of fair presentation arises when one or more financial statements or disclosures contain misstatements or omissions that are material. Misstatements or omissions are deemed material if they could, individually or collectively, influence economic decisions that users make on the basis of the financial statements. Internal Controls Evaluation Framework To confine the risks of financial reporting, management of the company has established internal controls over financial reporting with the aim of providing reasonable, but not absolute, assurance against material misstatements or omissions and has conducted an assessment of the effectiveness of the company’s internal controls over financial reporting based on the framework established in Internal Control Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). COSO recommends the establishment of specific objectives to facilitate the design, and evaluate the adequacy, of a control system. As a result, in establishing internal controls over financial reporting, management has adopted the following financial statement objectives: • Existence - assets and liabilities exist and transactions have occurred. • Completeness - all transactions are recorded, and account balances are included, in the financial statements. • Valuation - assets, liabilities and transactions are recorded in the financial reports at the appropriate amounts. • Rights and Obligations of ownership - rights and obligations are appropriately recorded as assets. • Presentation and disclosures - classification, disclosure and presentation of financial reporting is appropriate; and

• Safeguarding of assets - unauthorized acquisition, use or disposition of assets is prevented or detected in a timely manner. However, any internal control system, including internal controls over financial reporting, no matter how well conceived and operated, can provide only reasonable, but not absolute, assurance that the objectives of that control system are met. As such, disclosure controls and procedures or systems for internal control over financial reporting may not prevent all errors and fraud. Further, the design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs. Organization of the System of Internal Controls over Financial Reporting Controls within the system of internal controls over financial reporting are performed by all business functions with an involvement in reviewing the reliability of the books and records that underlie the financial statements. As a result, the operation of internal controls over financial reporting involves staff in the following departments: [state the departments involved, i.e.: Finance, Chief Operating Officer and Risk]. The [Finance or appropriate department] is responsible for the periodic preparation of financial statements and operates independently from the company’s businesses. Within [Finance or appropriate department], different functions have control responsibilities which contribute to the overall preparation process: • [Finance or appropriate department] specialists are responsible for reviewing the quality of financial data by performing validation and control. They are in close contact with business, infrastructure and legal entity management and employ their specific knowledge to address financial reporting issues arising on products and transactions, as well as validating, reserving and other adjustments based on judgment. • [Finance or appropriate department] is also responsible for company-wide activities which include the preparation of the company financial and management information, forecasting and planning and risk reporting. Finance sets the reporting timetables, performs the consolidation and aggregation processes, effects the elimination entries for internal and intercompany activities, controls the period end and adjustment processes, compiles the financial statements, and considers and incorporates comments as to content and presentation made by senior and external advisors. • [Finance or appropriate department] is also responsible for developing the company’s interpretation of International Financial Reporting Standards and their consistent application within the company and is responsible for the timely resolution of corporate and transaction-specific accounting issues. Tax is responsible for producing income tax related financial data in conjunction with Finance, covering the assessment and planning of current and deferred income taxes and the collection of tax related information. Tax monitors the income tax position and controls the provisioning for tax risks. The operation of internal control over financial reporting is also importantly supported by the [Chief Operating Officer and Risk]. Although these functions are not directly involved in the financial preparation process, they contribute significantly to the production of financial information:

• [Chief Operating Officer (“COO”)] is responsible for confirming transactions with counterparties and performing reconciliations, both internally and externally, of financial information between systems, depots and exchanges. The COO also undertakes all transaction settlement activity on behalf of the company and performs reconciliations of account balances. • [Risk] is responsible for developing policies and standards for managing credit, market, legal, liquidity, operational and vendor risks. Risk identifies and assesses the adequacy of credit, legal and operational provisions. Controls to Minimize the Risk of Financial Reporting Misstatement The system of internal control over financial reporting consists of a large number of internal controls and procedures aimed at minimizing the risk of misstatement of the financial statements. Such controls are integrated into the operating process and include those which: • are ongoing or permanent in nature such as supervision within written policies and procedures or segregation of duties. • operate on a periodic basis such as those which are performed as part of the annual financial statement preparation process. • are preventative or detective in nature. • have a direct or indirect impact on the financial statements themselves. Controls which have an indirect effect on the financial statements include Information Technology general controls such as system access and deployment controls. An example of a control with direct impact would be a reconciliation which directly supports a balance sheet line item. • feature automated or manual components. Automated controls are control functions embedded within system processes such as application enforced segregation of duty controls and interface checks over the completeness and accuracy of inputs. Manual internal controls are those operated by an individual or group of individuals such as authorization of transactions. • the combination of individual controls encompasses each of the following aspects of the system of internal control over financial reporting: • accounting policy design and implementation. Controls to promote the consistent recording and reporting of the company’s business activities in accordance with authorized accounting policies. • reference data. Controls over reference data in relation to the general ledger and on- and off-balance sheet transactions including product reference data. • new product and transaction approval, capture and confirmation. Controls are intended to ensure the completeness and accuracy of recorded transactions as well as appropriate authorization. Such controls include transaction confirmations which are sent to and received from counterparties to help ensure that trade details are corroborated. • reconciliation controls, both external and internal. Inter-system reconciliations are performed between relevant systems for all trades, transactions, positions or relevant parameters. External reconciliations include bank account, depot and exchange reconciliations.

• business aligned valuation specialists focus on valuation approaches and methodologies for various asset classes and perform IPV for complex derivatives and structured products. • taxation. Controls are designed to ensure that tax calculations are performed properly and that tax balances are appropriately recorded in the financial statements. • reserving and adjustments based on judgment. Controls are designed to ensure that reserving and other adjustments based on judgment are authorized and reported in accordance with the approved accounting policies. • balance Sheet substantiation. Controls relating to the substantiation of balance sheet accounts to promote the integrity of general ledger account balances based on supporting evidence. • consolidation and other period end reporting controls. At period end, all businesses submit their financial data to the company head office for consolidation. Controls over consolidation include the validation of accounting entries required to eliminate the effect of inter- and intra- company activities. Period end reporting controls include general ledger month end close processes and the review of late adjustments; and • financial statement disclosure and presentation. Controls over compilation of the financial statements themselves including preparation of disclosure checklists and compliance with the requirements thereof, and review and sign-off of the financial statements by senior Finance management. The financial statements are also subject to approval by Management, and the Board and its Audit Committee. Measuring Effectiveness of Internal Control Each year, the management of the company undertakes a formal evaluation of the adequacy and effectiveness of the system of internal control over financial reporting. This evaluation incorporates an assessment of the effectiveness of the control environment as well as individual controls which make up the system of internal control over financial reporting taking into account— • the financial misstatement risk of the financial statement line items, considering such factors as materiality and the susceptibility of the particular financial statement item to misstatement; and • The susceptibility of identified controls to failure considering such factors as the degree of automation, complexity, and risk of management override, competence of personnel and the level of judgment required. These factors, in aggregate, determine the nature and extent of evidence that management requires in order to be able to assess whether or not the operation of the system of internal control over financial reporting is effective. The evidence itself is generated from procedures integrated within the daily responsibilities of staff or from procedures implemented specifically for purposes of the internal control over financial reporting evaluation. Information from other sources also forms an important component of the evaluation since such evidence may either bring additional control issues to the attention of management or may corroborate findings. Such information sources include— • reports on audits carried out by or on behalf of regulatory authorities.

• external auditor reports; and, • reports commissioned to evaluate the effectiveness of outsourced processes to third parties. In addition, the company’s Audit evaluates the design and operating effectiveness of internal control over financial reporting by performing periodic and ad-hoc risk-based audits. Reports are produced summarizing the results from each audit performed which are distributed to the responsible managers for the activities concerned. These reports also provide evidence to support the annual evaluation by management of the overall operating effectiveness of the internal control over financial reporting. As a result of the evaluation, management has concluded that internal control over financial reporting is appropriately designed and operating effectively as of [State fiscal yearend]. The external auditor that audited the financial statements has issued an external auditor’s report on our assessment of the company’s internal controls over financial reporting and it is filed on page ………of this annual report. Signed by Chief Executive Officer Chief Financial Officer [Or other Senior Management Officials as appropriate]

APPENDIX 9: SAMPLE REPORTING TEMPLATE ON STATUS OF ICOFR

APPENDIX 10: SAMPLE REPORTING TEMPLATE – MAPPING OF BUSINESS PROCESS TO FINANCIAL STATEMENTS

APPENDIX 11: FORMAT OF THE GAP ANALYSIS REPORT This format is for illustrative purposes only and Issuers should customise the report to make it fit for purpose as a tool for monitoring and evaluation of the Company’s ICOFR project.

1. Introduction & Executive summary [Provide brief introduction and overall status of the Company’s ICOFR Framework]
2. Governance/ Housekeeping matters [Highlight the governance structure for the ICOFR Project, including the body responsible for providing strategic oversight to the Team charged with development of the Company’s ICOFR.]
3. Progress of implementation of the ICF Summarise progress made, challenges etc. against the minimum requirements set under the guidelines and/ or against requirements specified by the governance structures above. Discuss at the minimum. • Mapping of financial statements Key Business Processes (KBPs) • Risk Assessment – to assess risks over financial reporting and disclosures • Documentation of the Activities in the each KBP • Identification of Control Activities (“controls”) in each KBP. • Identification of Key Control Activities (“key controls”) in each KBP • Evaluation of the design effectiveness of Key controls • Results from the testing of operational effectiveness of key controls • Control weaknesses/ failures and mitigating measures [Note: Issuers to include the status of ICOFR (Appendix XX) and Mapping of ICOFR to Financial Statements (Appendix XX) as attachments to their GAR.
4. Reporting on the ICOFR to Board, Senior Management & others [Summarize details of reports to the Board, Senior Management & progress on recommendations/ directives issued with regard to ICOFR]
5. Reporting to SEC and other stakeholders [Summarize status of communications with SEC including recommendations/ directives issued with regard to ICOFR]
6. 7. Mitigation plan [provide a detailed plan, including timelines for when the Company anticipates having established a fully functional ICOFR Framework. For revisions to set timelines, explanations should be provided for deviations from the plan]