Internal Control and Risk Management

1. Summary of the Board of Directors' Opinion Regarding the Company's Internal Control System

Internal Control

The Company’s Board of Directors and executives give importance to and are well aware that internal control system is important mechanism that gives confidence to the Company’s Management in reducing business risks and allows the business to run efficiently, by appropriately allocating resources, to achieve the duly set business target goals.

The Company’s Board of Directors has assigned the Audit, Corporate Governance and Social and Environmental Responsibility Committee (Audit Committee) to supervise, oversee and ensure that the Company’s internal control and risk management systems are appropriate and effective, and that the Company punctually complies with relevant laws and regulations with no conflict of interest nor Related Parties Transaction. The Audit Committee is also responsible for monitoring and overseeing the operations of the Company, assuring no use of the Company’s assets for illegal or unauthorized purposes, and protecting the Company’s assets by preventing leakage, loss, fraud or misconduct. The Company has established check and balance mechanism with an independent Internal Audit Department to be responsible for auditing and evaluating efficiency and sufficiency of the internal control, risk management and corporate governance systems in the operations of all the Company’s departments. In doing this, the Company has adapted and applied international standard frameworks of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and the Enterprise Risk Management for more practical use of and perfect internal control and risk management. And, in order to maximize the efficiency and effectiveness of the Company's operations, the Company’s Management will take the audit results into consideration and take any and all necessary steps and actions to improve and correct all audited and found at risk issues, in order to improve the quality of the Company’s business operation. The Internal Audit Department has set up a system to regularly monitor the Company's operation including establishing a Compliance Department to update and study all the laws, regulations, announcements and orders relating to the Company’s business operation and further publicize them for employees’ understanding and due compliance, as well as to supervise and ensure the Company’s proper business operation.

In addition, the Audit Committee has evaluated the sufficiency of the internal control system and reported to the Board of Directors annually with reference to "Internal Control Sufficiency Evaluation Form" of The Securities and Exchange Commission. The assessment results are disclosed in "Attachment 5 - the Audit Committee Report" in the Annual Registration Statements for the year 2019 (Form 56-1) and the Report of the Audit Committee in the Annual Reports (Form 56-2).

In the year 2019, the Company found no significant flaws in the Company's internal control system, details of which are as follows:

• Environment of Control The Company has established a good internal control environment by organizing clear and suitable organizational structure and chain of command, and also setting business goals and Key Performance Indicators (KPI) for evaluating efficiency of performance in accordance with the organization's goals. The Company has also arranged for written authority and operation manuals as guidelines for the Company’s daily operation. In addition, the Company has also instilled all its executives and employees with the awareness of good corporate governance by establishing a Good Corporate Governance Policy, Business Morality, and Ethics of the Company’s Directors, Executives and Staff, and also arranging for ongoing promotion activities to educate the Company’s employees and increase their awareness of working transparently and fairly, taking into account of all groups of stakeholders, on yearly basis.
• Risk Assessment Apart from assessing the sufficiency of the internal control system with reference to the "Internal Control Sufficiency Evaluation Form" in accordance with COSO Framework (The Committee of Sponsoring Organizations of the Treadway Commission) of The Securities and Exchange Commission, the Company has also conducted annual self-risk assessment in due compliance with the Guideline on Consolidated Supervision of the Bank of Thailand which covering significant risks such as strategic risk, credit risk, market risk, liquidity risk, information technology risk and operational risk including corruption risk. Such self-risk assessment was conducted by evaluating the relevant risks level, risks management quality, risks trends, and specifying method and direction for managing or controlling such relevant risks. The Company has submitted the outcome of the aforesaid self-risk assessment to Krung Thai Bank Public Company Limited for its further reporting to the Risk Management Committee of the Financial Business Group.
• Control on Management’s Operation The Company has clearly divided duties and responsibilities of each managerial position and reviewed the authority and operation manuals to match perfectly with the Company’s current organizational and operational structures. The Company, on regular basis, re-examines and verifies that its business performance is in due compliance with relevant rules, regulations, articles of association as well as authority and operation manuals, to ensure the Company’s efficient operation with sufficient and appropriate internal control system. Concerning Related Parties Transaction, the Company’s Board of Directors has approved a principle for making commercial agreements in the form of Related Parties Transaction to conform with the afore-mentioned laws and regulations, by allowing the Company’s Management to do commercial transactions, programs or agreement with related parties according to the definition given to Related Parties Transaction under the laws governing securities and exchange. However, the said commercial transaction, program or agreement shall be in the same manner as an ordinary person would do with a general contracting party in the same situation, with normal bargaining power and no influence in the status of a director, executive or related person (transactions with general commercial agreements). The aforesaid includes ongoing programs and programs that may occur in the future. The Company’s Management shall, for this purpose, set the regulatory framework as guideline for operation and prepare a summary report of the said Related Parties Transaction to be considered and approved respectively by the Audit Committee and the Board of Directors Meetings within a reasonable time. If the Company has Related Parties Transaction that may have conflict in the future, the Company would arrange for the Audit Committee to consider the appropriateness of the said transaction. If the Audit Committee has no expertise in considering the Related Parties Transactions, the Company will arrange for people with special expertise such as auditor, property appraiser or law firm etc., who are independent from influences of the Company and the conflicted person, to give opinions on the said transaction.
• Information and Data Communication SystemsThe Company gives importance to information system and data communication, as well as promotes and supports continuous system development, so that all information is accurate and up to date. The Company uses modern and efficient information technology system, including data security starting from data collection, data processing, and data tracking, so that the Company’s operation and the Management’s or stakeholders’ using of important information are complete, accurate, and sufficient in a timely manner for making business decisions. There is also a policy on security of information technology and data usage, and establishment of Intranet system as internal communication channel for publicizing policies, rules, regulations, orders and operation manuals, including news and other messages and information throughout the organization.

  In addition, the Company has assigned the Company Secretary to be responsible for preparing the information and supporting documents for the meeting in advance, with summary of comments and resolutions of the meeting clearly stated in the minutes of every Board of Directors Meeting. For outsiders, the Company also set up communication channels for outsiders to complain or inform the fraud clues through the channel specified by the Company.

• Monitoring and Evaluation SystemsThe Company’s Board of Directors has established an internal control system that covers all aspects, such as accounting and finance, operation, compliance with laws and regulations, and property custody. The Company has monitored its business performance according to the set targets by having Board of Directors Meeting and a hierarchical monitoring system, levelling from the Board of Directors and the Management team, to monitor the goals and oversee the implementation of all strategic plans, plans, and projects that are operating under Annual Business Plan approved regularly by the Board of Directors, by regularly comparing business goals with the operating results and further reporting to the Board of Directors.

  In addition, the Company has arranged for regular audit on the compliance of internal control system by responsible person in the responsible department, and having the Internal Audit Department perform operational inspection and report the results independently to the Audit Committee. In the years 2018 and 2019, the Audit Committee held 12 meetings and 11 meetings respectively.

  In the Audit Committee Meeting No. 10/2019, on November 11, 2019, the Audit Committee assessed the internal control system from the evaluation report and concluded that, from the assessment of internal control system in 5 aspects, among others include internal control, risk assessment, operational control, information and communication system, and tracking system, the Audit Committee was of the opinion that the Company has sufficient internal control system and suitable for the Company's business operation. The risk management is at an acceptable level, accounting systems and financial reports are accurate and reliable as well as in due compliance with the laws and regulations related to the Company's business operation.

Risk Management

The Company gives utmost importance to risk management, and thus established a Risk Management Policy which focuses on the development of risk management system in accordance with Good Corporate Governance guideline. The Company also conducted risk management that covers all aspects of risk and proceeded with it systematically and continuously by the Risk Management Committee (RMC) which consisting of executives from each line of business functions. RMC shall supervise the risk management of the organization to achieve the target at the organization acceptable risk level. The Company also established a Compliance Department to oversee the Company's operation in due compliance with the rules prescribed by the Compliance Department and in line with the Good Corporate Governance guideline.

(Please find more details of risk management in various aspects of the Company in “Risk Factors” heading.)

2.Report of the Audit Committee

The Company has disclosed the Audit Committee Report in "Attachment 5 - the Audit Committee Report" in the Annual Registration Statements for the year 2019 (Form 56-1) and the Audit Committee report in the Annual Report

3.Internal Audit Supervisor and the Compliance Supervisor of the Company

The Company’s Internal Audit Supervisor is Mr. Pornchai Wijitburaphat and the Compliance Supervisor of the Company is Mr. Sakda Chantrasuriyarat.

(Please find more details in Attachment 3: Profiles of Internal Audit Supervisor, Compliance Supervisor, and Accounting Supervisor)

The Audit Committee is of the opinion that the qualifications of the Internal Audit Supervisor and Compliance Supervisor are appropriate and they both perform their duties efficiently.

However, the appointment, evaluation, dismissal, transfer or employment termination of the Internal Audit Supervisor must be approved by the Audit Committee.

The Company’s Internal Audit Supervisor has the following responsibilities:

1. Assessing the sufficiency and effectiveness of the working process and the information system, internal control and risk management under the mission and scope of the audit operation.
2. Reporting key issues about the controlling process of all the Company's activities and ways to improve the process of those activities.
3. Giving suggestion to the Company’s Management for efficient, effective and economical business operation with good corporate governance.
4. Proposing information about the progress and performance of the annual audit plan and the sufficiency of resources needed in the audit process.
5. Coordinating and supervising the monitoring and other controlling process such as risk management, compliance with rules and regulations, security, ethics, environment, and auditing.
6. Performing other duties related to internal audit as assigned by the Audit Committee.

The Compliance Supervisor has the following responsibilities:

1. Supervising and reviewing to ensure that the Company has complied with the laws and regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations.
2. Providing legal opinions to the Company’s Board of Directors and the Management to ensure that the Company's business operation complies with the laws and regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations, as well as following up with the Management to suspend any transaction or action that may violate the aforesaid laws and regulations.
3. Reviewing evidence in a suspicious event that a transaction or any action may violate the laws or regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations, which has or may affect the Company’s financial status and performance significantly.
4. Coordinating with the Chief of Internal Audit and the Audit Committee in order to review or jointly find guidelines for the Company to have an appropriate and effective internal control and internal audit systems.
5. Participating in consideration, determination and recommendation regarding suitability in the Company's operation, to ensure the Company’s compliance with policy, guidelines, rules or regulations, and correctly comply with all recommendations specified by laws.
6. Being center of information dissemination as well as providing knowledge and advice to various departments within the Company regarding work procedures in order to comply with the laws, rules and regulations that should be followed.