
A. Adequate Segregation of Duties
No employee shall have exclusive control over the following processes in a transaction: authorisation, execution, valuation, reconciliation, custody and recording. Functions that require an employee to perform more than one of these actions must be separated. Segregation of duties reduces the risk of intentional manipulation or error and increases the possibility of their detection.

B. Well-defined Delegated Authorities
We shall ensure that we have a documented authority matrix detailing delegated financial and non-financial authority for each function. Employees shall be required to operate within their delegated authorities at all times; where there is a need to further delegate this authority, such delegation shall be documented and a time frame defined for its implementation.

C. Compliance with all regulatory, legal and internal policies and requirements
We shall establish controls to ensure compliance with all applicable regulatory and statutory requirements. Thus, we shall continually identify, communicate and evaluate our compliance with these requirements. Adherence to all regulatory and statutory requirements shall be mandatory for all employees and built into their performance appraisals.

D. Defined Roles and Responsibilities
We shall develop comprehensive and documented job descriptions for all positions within our company. Clear reporting lines shall be included in our organisational chart and employee job descriptions. Job descriptions for our employees shall include defined responsibilities and accountabilities. The board shall approve changes and amendments to the organisation chart.

E. Code of Conduct
As representatives of the company, the conduct, actions and impressions of employees, during and after business hours, may have repercussions on our reputation. Thus, we shall have a Code of Conduct statement to strengthen the ethical behaviour of employees and guide them in the course of normal business activities.

F. Staff Competence
Management shall ensure that employees have the skills required to perform their roles. Risk management and internal control training activities and systems shall be a standard training module for all new employees. Internal control awareness and usage shall also form a portion of the annual competency assessment employees must achieve.

G. Vacation and Leave enforcement
Major operational losses are often perpetrated by employees who have been left to perform their job without taking leave or who have taken a few days' leave without their job being covered. Accordingly, our employees shall be required to be absent from their job for at least two consecutive weeks (10 working days) per year. The board must approve exceptions to this rule. Adequate compensating controls shall be established and enforced in all exceptions to the two-week vacation policy. Such controls may include rotating employees.

H. Periodic self-assessment
To promote the effectiveness of our internal control structure, each business unit and subsidiary company shall conduct periodic internal control self-assessment within its activity. These reviews shall be conducted at least twice a year. Findings and action plans to correct issues noted shall be documented and submitted to the risk management department.

I. Independent monitoring
Our internal audit department shall conduct independent and objective evaluations of our internal controls, at least annually. Furthermore, third parties may be invited to review the system, based on the scope and substance of the system under review. The review shall involve assessing the adequacy of the design and operating effectiveness of controls to obtain reasonable assurance on the effectiveness of the system as a whole.

J. Product Program
We shall ensure that all products are supported by up-to-date product programs. The product program is a risk management tool that shall identify the main risks associated with products and the high-level controls needed to mitigate these risks, and provide general risk/return guidelines.

K. Information System
The governance and security controls over our information technology infrastructure shall be continually reviewed to identify and mitigate all existing and emerging risks.

L. Contingency Planning
We shall establish a full set of up-to-date and tested contingency plans encompassing:

- Crisis management
- Business Continuity
- Disaster recovery

M. Contractual Relationships
Responsibility for committing our company must be limited to authorised individuals. Obligations to third parties involving the provision of supplies or services to our company must be completed with a standardised legal agreement. Such agreements must conform to standards defined by the legal function and must be approved by authorised personnel.

N. Security and Protection
We shall implement appropriate measures to protect our employees, property and information against internal and external threats at all times.
