Summary of the Board of Directors' Opinion Regarding the Company's Internal Control System
The Company’s Board of Directors and executives attach importance to the internal control system and are well aware that it is an important mechanism that gives the Company’s management confidence in reducing business risks and allows the business to run efficiently by appropriately allocating resources to achieve the duly set business targets.
The Company’s Board of Directors has assigned the Audit, Environmental, Social Responsibilities and Corporate Governance Committee (Audit Committee) to oversee that the Company’s internal control and risk management systems are appropriate and effective, including ensuring that the Company punctually complies with relevant laws and regulations without conflicts of interest or related parties transactions. The Audit Committee is also responsible for monitoring and overseeing the operation of the Company, assuring that the Company’s assets are not used for illegal or unauthorized purposes, and protecting the Company’s assets by preventing leakage, loss, fraud, or misconduct. The Company has established a check and balance mechanism. In addition, the Company has implemented measures such as monitoring, controlling, and conducting internal audits to ensure that the Company’s operations align with the principles of corporate governance in relation to anti-corruption and business ethics. An independent internal audit business unit is responsible for auditing and evaluating the efficiency and sufficiency of the internal control, risk management, and corporate governance systems in the operations of all the Company’s departments. In doing this, the Company has adapted and applied the international standard frameworks of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and the Enterprise Risk Management. Moreover, the Company placed great importance on protecting information and on cyber security, including personal data, in compliance with the Personal Data Protection Act B.E. 2562 (2019).
The Company also applied the guidelines of the information security management system ISO/IEC 27001:2013 and of personal information management ISO/IEC 27701:2019, which are the international standards for information security and personal information, throughout the entire organization with the aim of perfecting the internal control and risk management to maximize the efficiency and effectiveness of the Company’s operations. Additionally, the Company has established the compliance business unit to update and study all the laws, regulations, announcements, and orders related to the Company’s business operation and further publicize them for employees’ understanding, as well as to supervise and ensure the Company’s proper business operation.
Additionally, the Audit Committee has evaluated the sufficiency of the internal control system and reported to the Board of Directors on a yearly basis with reference to “Internal Control Sufficiency Evaluation Form” of The Securities and Exchange Commission. The assessment results are disclosed in “Report from The Audit Environmental Social and Governance Committee” in the Form 56-1 One Report for the year 2023.
In the year 2023, the Company found no significant flaws in the Company's internal control system, details of which are as follows:
- Environment of Control: The Company has established a good internal control environment by organizing a clear and suitable organizational structure and chain of command, and by setting business goals and Key Performance Indicators (KPI) for evaluating efficiency of performance in accordance with the organization's goals. The Company has also arranged for written authority and operation manuals as guidelines for the Company’s daily operation. In addition, the Company has instilled in all its executives and employees an awareness of good corporate governance by establishing a Good Corporate Governance Policy, Business Morality, and Ethics of the Company’s Directors, Executives and Staff, and by arranging ongoing promotion activities to educate the Company’s employees and increase their awareness of working transparently and fairly, taking into account all groups of stakeholders, on a yearly basis.
- Risk Assessment: Apart from assessing the sufficiency of the internal control system with reference to the "Internal Control Sufficiency Evaluation Form" in accordance with COSO Framework (The Committee of Sponsoring Organizations of the Treadway Commission) of The Securities and Exchange Commission, the Company has also conducted an annual self-risk assessment in due compliance with the Guideline on Supervision on the Finance Business Group of the Bank of Thailand, which covers significant risks such as strategic risk, credit risk, market risk, liquidity risk, information technology risk and operational risk. Such self-risk assessment was conducted by evaluating the relevant risk levels, risk management quality, and risk trends, and by specifying the method and direction for managing or controlling such relevant risks. The Company has submitted the outcome of the aforesaid self-risk assessment to Krung Thai Bank Public Company Limited for its further reporting to the Risk Management Committee of the Financial Business Group.
- Control on Management’s Operation: The Company has clearly divided the duties and responsibilities of each managerial position and reviewed the authority and operation manuals to match the Company’s current organizational and operational structures. The Company, on a regular basis, re-examines and verifies that its business performance is in due compliance with relevant rules, regulations, articles of association as well as authority and operation manuals, to ensure the Company’s efficient operation with a sufficient and appropriate internal control system. Concerning Related Parties Transaction, the Company’s Board of Directors has approved a principle for making commercial agreements in the form of Related Parties Transaction to conform with the aforementioned laws and regulations, by allowing the Company’s Management to enter into commercial transactions, programs or agreements with related parties according to the definition given to Related Parties Transaction under the laws governing securities and exchange. However, the said commercial transaction, program or agreement shall be made in the same manner as an ordinary person would do with a general contracting party in the same situation, with normal bargaining power and no influence from the status of a director, executive or related person (transactions with general commercial agreements). The aforesaid includes ongoing programs and programs that may occur in the future. The Company’s Management shall, for this purpose, set the regulatory framework as a guideline for operation and prepare a summary report of the said Related Parties Transaction to be considered and approved respectively by the Audit Committee and the Board of Directors Meetings within a reasonable time. If the Company has a Related Parties Transaction that may have a conflict in the future, the Company would arrange for the Audit Committee to consider the appropriateness of the said transaction.
If the Audit Committee has no expertise in considering the Related Parties Transactions, the Company will arrange for people with special expertise, such as an auditor, a property appraiser or a law firm, who are independent from the influence of the Company and the conflicted person, to give opinions on the said transaction.
- Information and Data Communication Systems: The Company gives importance to information systems and data communication, and promotes and supports continuous system development, so that all information is accurate and up to date. The Company uses a modern and efficient information technology system, including data security starting from data collection, data processing, and data tracking, so that the Company’s operation and the use of important information by the Management or stakeholders are complete, accurate, sufficient, and timely for making business decisions. There is also a policy on security of information technology and data usage, and the KTC UNITE system has been established as an internal communication channel for publicizing policies, rules, regulations, orders and operation manuals, including news and other messages and information throughout the organization.
In addition, the Company has assigned the Company Secretary to be responsible for preparing the information and supporting documents for the meeting in advance, with a summary of comments and resolutions of the meeting clearly stated in the minutes of every Board of Directors Meeting. For outsiders, the Company has also set up communication channels through which they can file complaints or report fraud clues, as specified by the Company.
- Monitoring and Evaluation Systems: The Company’s Board of Directors has established an internal control system that covers all aspects, such as accounting and finance, operation, compliance with laws and regulations, and property custody. The Company has monitored its business performance according to the set targets by having Board of Directors Meetings and a hierarchical monitoring system, at the levels of the Board of Directors and the Management team, to monitor the goals and oversee the implementation of all strategic plans, plans, and projects that are operating under the Annual Business Plan approved regularly by the Board of Directors, by regularly comparing business goals with the operating results and further reporting to the Board of Directors.
In addition, the Company has arranged for regular audits of compliance with the internal control system by the responsible person in the responsible business unit, and for the internal audit business unit to perform operational inspections and report the results independently to the Audit Committee. In 2023, the Audit Committee held 12 meetings.
In the Audit Committee Meeting No. 12/2023, on December 20, 2023, the Audit Committee assessed the internal control system from the evaluation report. Based on the assessment of the internal control system in 5 aspects, namely internal control, risk assessment, operational control, information and communication system, and tracking system, the Audit Committee was of the opinion that the Company has an internal control system that is sufficient and suitable for the Company's business operation. Risk management is at an acceptable level, and accounting systems and financial reports are accurate and reliable as well as in due compliance with the laws and regulations related to the Company's business operation.
Head of Internal Audit and Head of Compliance of the Company
The Company’s Head of Internal Audit is Mr. Pornchai Wijitburaphat and Head of Compliance of the Company is Ms. Chotika Thanawaleekul.
(Please find more details in “Profiles of Internal Audit and Compliance” topics)
The Audit Committee is of the opinion that the qualifications of the Head of Internal Audit and Head of Compliance are appropriate, and they both perform their duties efficiently.
However, the appointment, evaluation, dismissal, transfer or employment termination of the Head of Internal Audit must be approved by the Audit Committee.
Head of Internal Audit has the following responsibilities:
- Assessing the sufficiency and effectiveness of the working process and the information system, internal control and risk management under the mission and scope of the audit operation.
- Reporting key issues about the controlling process of all the Company's activities and ways to improve the process of those activities.
- Giving suggestions to the Company’s Management for efficient, effective and economical business operation with good corporate governance.
- Proposing information about the progress and performance of the annual audit plan and the sufficiency of resources needed in the audit process.
- Coordinating and supervising the monitoring and other controlling process such as risk management, compliance with rules and regulations, security, ethics, environment, and auditing.
- Performing other duties related to internal audit as assigned by the Audit Committee.
Head of Compliance has the following responsibilities:
- Supervising and reviewing to ensure that the Company has complied with the laws and regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations.
- Providing legal opinions to the Company’s Board of Directors and the Management to ensure that the Company's business operation complies with the laws and regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations, as well as following up with the Management to suspend any transaction or action that may violate the aforesaid laws and regulations.
- Reviewing evidence when it is suspected that a transaction or any action may violate the laws or regulations of The Stock Exchange of Thailand or other governmental agencies’ regulations, and that it has affected or may affect the Company’s financial status and performance significantly.
- Coordinating with the Head of Internal Audit and the Audit Committee in order to review or jointly find guidelines for the Company to have appropriate and effective internal control and internal audit systems.
- Participating in consideration, determination and recommendation regarding suitability in the Company's operation, to ensure the Company’s compliance with policy, guidelines, rules or regulations, and that it correctly complies with all recommendations specified by laws.
- Serving as the center of information dissemination as well as providing knowledge and advice to various departments within the Company regarding work procedures in order to comply with the laws, rules and regulations that should be followed.