ESR AR 2019 EN

FINANCIAL REPORTING AND INTERNAL CONTROL Financial reporting The Directors acknowledged their responsibility for the preparation of the consolidated financial statements of the Group for the year ended 31 December 2019. The statement by the auditors about their reporting responsibilities for the auditors’ report on the financial statements is set out in the Independent Auditor’s Report on pages 118 to 122 of this annual report. The Directors were not aware of any material uncertainties relating to events or conditions that may cast significant doubt on the Company’s ability to continue as a going concern. External Auditor’s Remuneration The total fees paid to Ernst & Young, the Company’s external auditors, during the year ended 31 December 2019 were US$6,286,000, of which US$4,903,000 was for audit services (including reporting accountant’s fees paid in relation to the global offering and listing of shares of the Company on the Stock Exchange, and statutory audit fee of subsidiaries) and US$1,383,000 was for non-audit services mainly relating to tax and transaction service. Internal controls and risk management The Board is responsible for establishing, maintaining and reviewing the adequacy and effectiveness of the risk management and internal control systems including ensuring the adequacy of resources, staff qualifications and experience, training programmes and budget of the Company’s accounting and financial reporting function. Such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss. Reporting to the Board, the Audit Committee is delegated with the authority and responsibility for ongoing monitoring and evaluation of the effectiveness of the relevant systems. To prudently manage its long-standing principle, the Group has put in place a robust and inclusive framework to manage risks at different business operations in diversified segments within the organisation. The Company implemented the following risk management and internal control structures and measures to identify, control and manage its significant risks: • Enterprise Risk Management (ERM) Framework based on ISO31000 and COSO for identifying, evaluating and managing significant risks. This includes establishment of risk context, the identification of risk factors, the evaluation of risk levels and related impacts on the business performance of the Group. • Since the risk profile may vary from time to time, the management performs risk assessment by reviewing and updating the risk profiles on an as-needed basis but at least once a year. • The Company has an internal control function to carry out an analysis and independent appraisal of the adequacy and effectiveness of the systems. • Stringent internal policies and processes are in place to prevent the misuse of inside information and avoid conflicts of interest, including having a whistleblowing policy in place. The Company has adopted a whistleblowing policy, which requires employees and encourages outside third parties that have business relationship with the Group to report their concerns about improprieties and misconduct in relation to the Group. All whistleblowing reports will be reviewed by the Group’s Head of Compliance and the General Counsel. The ensuing investigation reports will be sent to the Audit Committee of the Company for further action. The main features of the risk management and internal control systems are as follows: • The Board is responsible for overseeing the risk management and internal control systems to ensure core values, strategic planning and operational procedures and communications within the Group are effective; • Risk management and internal control functions assist the Board to ensure that Group’s effective implementation of framework, policies, procedures and controls are in place. Risk management function initiates a risk management plan and prioritises the Company’ s key risks as well as evaluation of the control mechanisms/activities which contribute to mitigating the risk of business disruption or non-compliance with applicable rules and regulations. The identified risks are evaluated based on the likelihood of occurrence and magnitude of impact should the risks materialise; • Internal audit function will perform independent appraisal of major operations on an ongoing basis; and • Appropriate risk mitigating activities are in place including identification of risks to the achievement of its business objectives across the entity and analyses risks as a basis for determining how the risks should be managed. Refer to “Risk Management” on pages 54 to 56 of this annual report for further details of the Group’s risk management programme. 65 ESR Annual Report 2019 CORPORATE GOVERNANCE REPORT