CFSL Integrated Report 2025

CORPORATE GOVERNANCE

122

Risk Management

Statutory Disclosures

Financial

5. INTERNAL AUDIT During the year under review, the Internal Audit Function of CFSL contributed to strengthening governance structures, risk management, and internal controls - key pillars that support the Company’s commitment to deliver inclusive financial services that are secure, transparent, and compliant, ultimately empowering individuals and communities. The Internal Audit Function executed its mandate under the Risk-Based Internal Audit Plan approved by the Audit and Compliance Committee (ACC). This plan was developed with consideration of the organisations’ strategic objectives and regulatory obligations, ensuring comprehensive coverage of key risk areas and focusing on transparency, accountability, and operational effectiveness. The ACC not only approves the plan but also ensures that adequate resources are allocated to deliver on its objectives and monitors progress throughout the year. The Internal Audit Function remains independent of Executive Management, and reports directly to the ACC on a quarterly basis. The Head of Internal Audit maintains a direct reporting line to the Chairperson of the ACC, while the internal auditors refrained from any operational responsibilities, disclosed potential conflicts of interest, and avoided engagements where prior involvement could impair judgement. In addition, Internal Audit’s unrestricted access to documents, personnel, and systems enabled thorough evaluations with no limitations were placed on the scope of work, thus further reinforcing the function’s objectivity and independence. The Internal Audit Function is segregated into two teams, namely Risk-Based unit and IT team, both of which apply a risk-based approach to execute assignments. While the Risk-Based team performed assurance engagements in line with the definition of the IIA as well as investigations and advisory assignments, the IT team, for its part, performed engagements where a high reliance on Information Systems and Technology was required. The structure, organisation and qualifications of the key members of the Internal Audit team are listed on the Company’s website. Throughout the year, Internal Audit conducted over thirty-five (35) engagements together with other ongoing activities across CFSL, encompassing assurance, advisory, investigative, and IT audits. Internal Audit engagements were carried out in accordance with the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA), and staff adhered to the IIA Code of Ethics and CFSL’s internal policies. By aligning audit priorities with the strategic goals of CFSL, Internal Audit contributed to enhancing internal controls, promoting ethical conduct, and ensuring compliance with applicable laws and regulations—or critical elements in maintaining the integrity of financial services and protecting stakeholders. 6. EXTERNAL AUDIT The external auditor of the Company is BDO & Co (BDO), first appointed as external auditor at the AMS held in July 2020 in replacement of Ernst and Young following a tender issued by the RMAC in November 2019. BDO was re-appointed as the external auditor by the shareholders of CFSL at the annual meeting held in February 2025. The ACC discusses critical policies, judgements and estimates, and external audit issues with BDO as and when necessary and meets them at least once a year without management being present. The ACC assesses the effectiveness of the external audit process via feedback received from the Management team. Areas of improvement are thereafter discussed with the external auditor. The Group has implemented a policy for the provision of non-audit service by the external auditor. The objectives of the policy are: • To ensure that neither the nature of service nor the level of reliance placed on it by the Group could be perceived to impair the independence and objectivity of the external auditor’s opinion on financial statements. • To establish a straightforward and transparent process and reporting mechanism to enable the ACC to monitor and control the independence of the external auditor and compliance with this policy. • To avoid unnecessary restrictions on the purchase of services from the external auditor who is expected to provide a higher quality and a more cost-effective service than other providers. No non-audit work was provided by the external auditor to the Company for the year under review. To guarantee objectivity and independence, the Board ensures that the team providing non-audit services is different from the one providing audit services. 7. REPORTING WITH INTEGRITY This report has been prepared in line with the principles set out by the International Framework established by the International Integrated Reporting Council (IIRC). It provides key information which allows for the assessment of the strategy, business model, operating context, material risks and opportunities, governance and operational performance of CFSL for the period 1 October 2024 to 30 September 2025.