Internal Control

(1) Governance Control

The control structure of the Control Systems is set out as follows:

The Board

- responsible for the Control Systems and reviewing their effectiveness;

- oversee the Control Systems on an ongoing basis with the assistance of Audit Committee;

- ensure presence of appropriate and effective Control Systems;

- define management structure with clear lines of responsibility and limit of authority; and

- determine the nature and extent of significant risk (including the environmental, social and governance (“ESG”) risks) that the Company is willing to take in achieving the strategic objectives and formulate the Group’s risk management strategies.

Audit Committee

- review and discuss the Control Systems with the management annually to ensure that the management has performed its duty to have effective Control Systems. This discussion also includes the adequacy of resources, staff qualification and experience, and the Company’s accounting, internal audit and financial reporting functions and of those relating to the Company’s ESG performance and reporting;

- review the nature and extent of significant risks, and the Group’s ability to respond to changes in its business and the external environment;

- consider major findings on internal control matters (if any) raised by internal or external auditors and make recommendations to the Board; and

- review and discuss annually with significant control failings or weaknesses that are identified by the auditors;

Executive Committee

- review the effectiveness of ESG-related risk management and internal control systems and report to the Audit Committee for its review.

The management (includes heads of business units, departments and divisions)

- design, implement and monitor the Control Systems properly and ensure the Control Systems are executed effectively;

- monitor risks and take measures to mitigate risks in their day-to-day operations;

- give prompt responses to, and follow up the findings on internal control matters raised by internal or external auditors; and

- provide written confirmation to the Board on the effectiveness of the Control Systems.