Internal Control Environment

The company adopts a set of internal control systems to ensure and maintain the level of performance and control the operational and financial operations covering all the activities and departments of the company and include:

• Separation of tasks.
• Double check and control.
• Performance reports.

The BOD shall choose and recommend the appointment of external auditors accredited by the CMA to prepare the financial statements of the Company in coordination and cooperation with the Audit and Risk Committee and submit these recommendations for presentation and approval by the AGM.

The external auditors express their opinion and reasonable assurance about the fairness of the presentation of the financial statements in all material respects, their financial position, the results of their operations and their cash flows, and to express an opinion on the internal control relevant to the preparation and fair presentation of the financial statements, and to assess the appropriateness of accounting policies applied and to express a clear opinion on the financial statements’ presentation in accordance with the applicable international accounting principles and standards, and the determination of those cases that have not been complied with these principles and standards in the preparation of the financial statements.

The appointment of the external auditor shall be one year from the date of appointment based on the recommendations of the Audit Committee and the BOD and approved by the shareholders of the Ordinary General Assembly.

External auditors shall be fully independent of the Company and effectively to ensure that their duties are performed fairly and objectively.

• The auditor shall not be a chairman or a member of the BOD of the company, or a person performing any administrative work, or a relative to the second degree of those who supervise the management of the company or its accounts.
• Not to handle further work of the Company other than the audit.

• The external auditor shall have a quality control system that provides reasonable assurance that its independence will not be affected. He shall also attend meetings of the Audit Committee and / or agreed Board meetings and submit reports indicating any obstacles or interference by the BOD or the Company's Management during the appointment period. All reports of the External Auditor shall be independent and impartial.
• The external auditor shall also attend the annual meetings of the General Assembly to submit the audited financial statements and read the report prepared by him to the shareholders and to respond to any queries from shareholders and stakeholders. The External Auditor shall also attend extraordinary meetings, if necessary.

The auditor shall at all times have the right to inspect all the company's books, records and documents and to request the data he deems necessary. He may also verify the company's assets and liabilities and discuss his views with the Audit Committee before submitting the final accounts and the annual report to the BOD. In the event that he is not able to use these rights, this shall be proved in writing in a report submitted to the BOD, presented to the Ordinary General Assembly and notified to the MOCI and the CPA.

In particular, the external auditor's report should include the following data:

• Whether the observer has obtained the information that he deems necessary for the performance of his functions.
• Whether the budget and profit and loss accounts are in accordance with reality, including all the provisions of the law and the company's contract and express honestly and clearly the financial position of the company.
• Whether the company maintains regular accounts.
• Whether the inventory was carried out in accordance with established regulations.
• Whether the data contained in the BOD's Report are in accordance with the Company's books.
• Whether there are violations of the provisions of the law and the contract of the company that has occurred during the fiscal year and indicate whether these violations still exist within the limits of the information available to him.

The audit contract stipulates that the auditor shall be committed to maintain, during and after the end of his work in the company, the confidentiality of data and information obtained by virtue of his job, and does not use these data and information in achieving benefit for himself, or others, and does not publicize any secrets related to the company. If the Controller contravenes his duties, he may be dismissed and, if necessary, solicited to compensate for damages

In the field of internal auditing and control, Al-Tijaria depends on contracting with specialized and accredited bodies to carry out these responsibilities and tasks. The BOD shall ensure that internal audit and oversight is a permanent process covering all activities and business of the Company without exception of any section or department of the company. Internal audit shall provide regular and periodic reports on audit results, and that internal control processes and controls have been formulated by the management and implemented as appropriate, and submitted after review and deliberation by the internal auditor, and concerned departments, to the Audit Committee and the Risk Committee for discussion and recommendation. Final results are to be presented to the BOD.

The BOD of the Company supports the internal audit functions of the Company through:

• The Board members and senior management recognize the importance of the internal audit function and communicate this importance to all employees of the company.
• Utilize the appropriate method and timing of the results of internal audit work and take appropriate corrective action from the Department.
• Ensure the independence of the internal audit function.
• Outsourcing of internal audit.
• Involve internal audit in assessing and recommending the effectiveness of internal control procedures.

The Internal Audit Committee shall follow up the periodic plans and procedures to ensure that:

• Comprehensive scope, objectives and functions of the internal audit function.
• Independence of the internal auditor.
• Comprehensive and appropriate audit plan.
• Integrity and impartiality of the internal audit function.
• Professionalism.
• Internal Audit Procedures.
• Defining internal audit responsibilities.
• Follow-up of periodic reports and internal auditor's observations and corrective actions taken.

Internal audit reports should include a review and evaluation of the Company's internal control systems, including:

• Control procedures and supervision of the efficiency and effectiveness of the internal control systems necessary to protect the company's assets and the validity of the financial statements and the efficiency of their operations with their administrative, financial and accounting aspects.
• Comparison of the evolution of risk factors in the company and the existing systems to assess the efficiency of the business and to meet the unexpected changes in the market.
• Evaluation of the performance of the BOD and the Executive Management in the application of internal control systems, including the determination of the times when the Board was informed of oversight issues and the manner in which the Board dealt with these matters.
• Any failures in the application of internal controls or weaknesses in their application or contingencies that may have affected or may affect the Company's financial performance and the procedures used to address such failures.

The importance of Shari'a supervision stems from the specificity of the Islamic business represented by the presence of the legitimate side in all aspects of the company's activities, activities and transactions, as well as the importance of reviewing the company's commitment in all its operations and transactions to the provisions and principles of Islamic Shari'a.

Shari'a supervision is an integral part of the internal control system and operates in accordance with the company's policies. The scope of the internal audit and compliance unit includes examining and evaluating the adequacy and effectiveness of the Shari'a Supervisory System in order to ascertain the adequacy of the existing system, its compliance and whether it provides reasonable assurance that the management of the Company has assumed its responsibility to ensure the application of Islamic Shari'a provisions and principles according to the contracted supervisor’s solutions.

• The BOD' awareness of the importance of working and abiding by the guidelines and principles of Islamic Shari'a, and what helps to maintain shareholder confidence and prevent reputational risks.
• The company has developed a code of ethical work for the company as well as a set of policy and procedures manuals in accordance with the provisions and principles of Islamic law.
• Ensure the independence of the functions of Shari'a supervision by appointing an external source as a legitimate control body of the company of scholars who are recognized for their competence and experience in the field of Islamic law, and those who have a wide experience with Islamic transactions.
• Preparation of the charter of the Shari'a Supervisory Board clarifying the objectives, tasks and responsibilities of the Shari'a Audit Company.
• The Shari'a Supervisory Board reports on the Company's transactions to the General Assembly after being reviewed by the Audit and Risk Committee and the BOD of the Company.

• Compliance with regulations, standards, instructions and laws is one of the most important foundations and factors for the success of the company, and maintains its reputation and credibility, and the interests of shareholders and stakeholders, and provides protection against systemic penalties.
• The commitment is a comprehensive and multifaceted responsibility that falls on all the parties in the company, from the BOD and the senior management to all the employees, according to their powers and tasks. In accordance to BOD’s belief of the importance of compliance, it has:
  • Established an independent Compliance Department that is directly monitored by the Chairman of the Board and submits its reports to him and to the Corporate Governance Committee.
  • Formed a special committee for governance to follow up the company's compliance tasks.
  • Adopted the charter of the Committee on Governance.
  • Evaluate the compliance program at least once a year through corporate governance reports to see how effective the company is in carrying out compliance functions.
• Adopt the Compliance Unit Policies and Procedures Manual, which is designed in the form of a set of basic principles which specify:
  • Responsibilities of the BOD.
  • Responsibilities of executive management on compliance.
  • Controls the independence of the obligation function.
  • Criteria for supporting the obligation function to carry out the tasks entrusted to it.
  • Core values ??of the commitment.
  • Risks arising from non-compliance.
  • Responsibilities and responsibilities of compliance management and program of work.
  • The relationship between the compliance unit and the internal audit.
• Compliance with the regulatory requirements, whereby the Authority - the control sector - will be provided with the Corporate Governance Department periodically (annually) to implement the requirements stipulated in the Corporate Governance Rules issued by the Capital Markets Authority. The Board is also provided with an internal audit review report prepared annually by a specialized consulting firm. The quality assurance report is prepared for internal audits every three years.

Risk management is an essential part of the company's strategic control and management process. These are the procedures that the BOD and the Executive Management adopt in an orderly manner to identify, address and address the risks associated with the Company's various activities by understanding the potential positive and negative factors of all events, influences and factors that may affect the Company's activity and systematically addressing all risks surrounding its activities The risks that they may face and determine how to avoid, confront or limit them and to maintain the level of risk within the acceptable ratios against the expected benefits.

The BOD should determine the type and size of risks acceptable to the Company and strive to maintain the level of risk management within the proper framework to ensure the interests of the company. A clearly defined risk management strategy within the company is critical to protecting the company's investments and assets, with risk studies and reports reviewed and reviewed.

The BOD of the Company has enhanced risk management functions through:

• Formation of the Audit and Risk Committee of the BOD.
• Establish an independent risk management department that reports periodically to the Audit and Risk Committee.
• Approving the work of the Audit and Risk Committee.

Adopting the Risk Management Policies and Procedures Manual which states:

• Identify and classify the risks that the Company may face in pursuing its strategic objectives, including strategic, financial and operational risks, compliance risks, reporting risks, information flows and reputation risks.
• Raising organizational awareness of how to reduce risk (eg by strengthening oversight).
• Procedures for the implementation of the risk management plan.
• Scope of application covering all the work, functions and activities of the company.
• Preparation of the Company's risk profile.
• Risk assessment and prioritization.
• Identify ways and procedures to address risks and their effectiveness.
• Identify corrective steps and discuss them with officials of different departments.
• Identify proactive steps to prevent or reduce risks that a company may face.
• Determine the level of risk acceptable to the company against expected benefits and how to manage these risks.
• Track risks and report periodically.
• Define roles, responsibilities and schedule.
• Review transactions and transactions proposed by the Company with related parties and make appropriate recommendations thereon to the BOD.
• Briefing the BOD on risk reports through the Audit Committee and the risks, steps and actions taken to mitigate these risks and place them within the acceptable range of the Company.

To achieve the company's investment and business objectives, the risk management process is essential. The objective is to develop a continuous, proactive and structured process to understand, manage and report on the core risks in each business unit and business transaction. The risk management policy must be adhered to by the company's departments and departments. The risk management framework includes, but is not limited to:

• Understand the company's goals.
• Identify the risks associated with the business activity and the potential impacts of the identified risks.
• Develop programs to address identifiable risks.
• Monitoring and evaluating risks and procedures and arrangements for addressing them.

The risk management policy development process should take into account a number of steps outlined below:

• Identify and assess the types and scope of risks associated with the Company's business, business and investments.
• Review and report on key risk areas when necessary.
• Develop a plan and criteria for reducing risks and their effects.
• Disseminate and discuss the contents of the risk profile with relevant management members and develop methods and policies to address and reduce risks.

The reporting system is one of the most important tools for effective monitoring and monitoring of the activities and functions of the company as well as for the performance of the departments. The company adopted fixed models to report periodically (quarterly) from various departments to executive management to determine the results of operations to make decisions according to clear vision and accurate and updated information. According to the following criteria:

• All administrations are required to prepare reports within 15 working days of the end of the reporting period, without prejudice to any other reports submitted.
• A record showing the date of receipt of the reports is prepared by the Office of the Chairman through the Risk and Compliance Unit.
• These reports are reviewed by the Risk and Compliance Unit to express opinions and observations and to highlight weaknesses or shortcomings that may expose the Company to any potential risks and ways of addressing them and making corrective decisions at the time.
• Reports are reviewed by the Risk and Compliance Unit to highlight areas of vulnerability and risk.
• Each department is directly responsible for identifying staff preparing and reviewing reports.
• The Director of Management is directly responsible to the Group's Chief Executive Officer for the accuracy and accuracy of the data contained in his management reports.
• The Group's Chief Executive Officer approves the Group's reports and highlights significant and significant changes in the company's operations.
• The Group's Chief Executive Officer is directly accountable to the Chairman of the Board for the accuracy and accuracy of the data contained in the reports of the Group.
• Reports are discussed at the management committee meetings and any special notes are recorded.
• The Head of Risk and Compliance Unit shall be responsible for following up the implementation of the recommendations and decisions issued by the Committee in this regard. In addition to the above mentioned administrative and operational reports, an integrated summary report must be prepared on all activities and activities of the company to be presented to the BOD to determine the progress of the operations and their consistency with the plans and targets set annually or whenever necessary.

Characteristics to be provided in the integrated report:

• Focus on strategy: The report should include an explanation of the company's strategic objectives and the procedures and policies adopted by the company to achieve these objectives.
• Organizational Chart: The report should include an explanation of the organizational structure, procedures and policies followed by the company in the conduct of its business, and the external factors that affect the integrity of the financial position of the company. As well as the efforts made by the company to ensure the efficiency of business and keep them in the short, medium and long term.
• Risks facing the company: The report reviews the company's activities and associated risks, as well as an explanation of performance rates and how to measure them, in addition to the opportunities available to the company to expand its business and maximize profits.
• Future direction and expectations: Include the management's expectations about the future of the company's activity, as well as an assessment of the difficulties it may face, identify high-risk activities to give it priority review, and identify the opportunities, challenges and threats facing the company to achieve its strategic objectives.
• Briefness, accuracy and materiality in presenting information: The information and data presented in the report should be very comprehensive and consistent, concise and accurate, and be material and important information that facilitates the decision making process by the executive management or any of the decision makers.
• Periodic Reports: Reports should be on a periodic basis (at least annually). The report should be updated with the latest updates and prepared according to time frames that serve the short, medium and long term.