9. Internal Control Systems

Acknowledgment

The Group’s Internal Control System is designed to support the Board of Directors and management in achieving the Group’s business goals and to contribute to protecting shareholders’ investments and the Group’s assets. The objective of the Group’s Internal Control Framework is to ensure that internal controls are established, that policies and procedures are properly documented, maintained, and adhered to, and that they are incorporated by the Group within its normal management and governance processes. It is also acknowledged that this system is designed to reduce the risks of failure to achieve the Group’s business goals, not to eliminate them permanently, and thus provides reasonable and not absolute assurance against errors in the financial statements or serious losses. The Group has also established formal procedures whereby the main risks faced by the Group are continuously identified and managed with an estimate of their potential impact. The Board of Directors acknowledges its responsibility for the Internal Control System, its independence in the Group, and its review and effectiveness.

Complementing the Internal Control System, EMSTEEL’s risk management and governance framework is reinforced by the Three Lines of Defense model, adopted from the Institute of Internal Auditors. This model serves as a fundamental pillar in ensuring robust oversight, accountability, and effective risk management. The first line of defence comprises operational management, responsible for identifying, assessing, and managing risks within their day‑to‑day activities. The second line of defence includes risk management and compliance functions, which provide oversight, guidance, and support to ensure risks are managed in alignment with EMSTEEL’s policies and regulatory requirements. The third line of defence is the internal audit function, which independently evaluates the effectiveness of the first and second lines, providing assurance to the Board and senior management on the adequacy of risk management, control, and governance processes. Together, these three lines work cohesively to safeguard EMSTEEL’s objectives, enhance decision‑making, and ensure compliance with legal and regulatory standards, thereby strengthening our overall corporate governance framework.

Group Head of Internal Audit

Kartikeya Y Nath has been appointed as the Group Head of Internal Audit, effective October 2024, following the authority granted to the Audit and Risk Committee by the Board of Directors. Prior to this role, he served as the Head of Global Internal Audit and Chief Risk Officer for major steel manufacturing companies with a global presence. Kartikeya Y Nath has over two decades of professional experience with Big 4 consulting firms and steel manufacturing companies. Throughout his career, he has gained extensive expertise in various areas, including internal audits, internal controls, risk management, corporate governance, IFRS, financial reporting, assurance, transaction services, corporate finance, regulatory compliance, financial advisory, investigations, policy development, and management audits and consulting. His experience spans a broad range of industries. In addition to being a qualified Chartered Accountant of India (CA), Kartikeya Y Nath holds a Bachelor of Law (LLB) and a Bachelor of Commerce (B. Com) degree.

Ethics and Compliance Officer

Mohammad AlSuwaidi was appointed as Compliance Officer at the Group, effective 9 October 2024. He has extensive experience in regulatory compliance, is a certified Anti‑Money Laundering Specialist (ACAMS) and holds certifications in Global Financial Compliance from the Chartered Institute of Securities and Investments (CISI). With 8 years of professional experience in regulatory compliance, he has held key roles at leading UAE regulatory authorities. At the Securities and Commodities Authority (SCA), he oversaw regulatory compliance frameworks for licenced financial institutions, investment funds, and capital market intermediaries, ensuring adherence to UAE laws and SCA regulations. At the Ministry of Economy, he contributed to the development of Anti‑Money Laundering (AML) policies and conducted regulatory examinations for Designated Non‑Financial Businesses and Professions (DNFBPs). His efforts enhanced the national AML Framework, supporting the UAE’s commitment to international standards. In addition, he served as an Appeals Committee Member at the UAE’s Ombudsman Unit, established by the Central Bank of the UAE, addressing consumer complaints and disputes with licenced financial institutions.

Dealing with Important Problems / Issues

Internal Audit

The Internal Audit department provides independent assurance and consulting services using a disciplined, systematic approach to improve the effectiveness of risk management, internal control and governance processes across the Group’s operations. It also aims to assist management in achieving its goals by making the necessary effort to improve the efficiency and effectiveness of operations. The Internal Audit department abides by the rules and regulations that define its work and exercises the independence that enables it to perform its duties in accordance with the relevant requirements of the Authority Board Resolution number (03/RM) of 2020 and any subsequent amendments thereto.

The scope and frequency of audits depend on several factors, including, for example: the results of previous years’ audits, the results of the business risk assessment related to the various activities in the Group, the materiality, the efficiency of the Internal Control Systems, and the resources available to implement internal audits. The Internal Audit department works in accordance with the directives of the Audit and Risk Committee (ARC). The ARC plays a fundamental role in matters related to auditing and governance through review, approval of the risk-based annual audit plan and the participation of the Chairman, the Board of Directors and Executive Management in discussing the audit results. On the administrative side, the Group Head of Internal Audit reports to the Group CEO.

Ethics and Compliance

The Ethics and Compliance function is responsible for monitoring the compliance of EMSTEEL Group and its employees with the applicable laws, regulations, statutory requirements, resolutions, policies and procedures, and rules of business through effective coordination with all internal and external stakeholders. The Ethics and Compliance function has a direct reporting line to the Audit and Risk Committee and reports operationally to the Group Chief Executive Officer. The Ethics and Compliance function is responsible for:

  • Reviewing the employees’ compliance with the Code of Business Conduct.
  • Reviewing the appropriateness of practices and procedures for compliance with applicable laws, regulations, and resolutions.
  • Reviewing and assessing the effectiveness of the Ethics and Compliance System with inclusion and disclosure requirements and other legal and legislative requirements related to the Group’s activities.
  • Developing and updating key compliance procedures related to Anti‑Money Laundering (AML) and Sanctions Screening of key counterparties.

The Group has developed a comprehensive Ethics and Compliance Framework to monitor and manage key risks associated with our dynamic business environment. The Ethics and Compliance team ensures that the Framework is adequately designed and adapted to our business and operational needs. Below are the key areas of the Framework with details in the following respective sections:

Anti‑Bribery & Corruption

Ensuring compliance with all Anti‑Bribery and Corruption laws and regulations applicable to our business and operations.

Conflicts of Interest and Related Party

Ensuring that all conflicts of interest are properly identified and managed.

Gifts, Hospitality and Entertainment (GHE)

Ensuring ethical and transparent practices for receiving and giving Gifts, Hospitality and Entertainment.

Sanctions & Export Controls

Ensuring compliance with applicable and evolving sanctions and export controls and screening key counterparties before any business transactions.

Third‑Party Risk Management

Ensuring that all third‑party risks are managed with effective understanding of third‑party operations.

Whistleblowing, Investigation and Ethics Review Committee

Maintaining anonymity and safeguarding whistleblowers in compliance matters to maintain trust among employees and other stakeholders.

Inside Information Management and Insider Dealing

Ensuring compliance with SCA and ADX regulations regarding inside information and insiders’ dealing.

Fraud Control: Prevention, Detection and Response

Ensuring effective controls are in place for fraud prevention, detection and response.

Data Privacy & Protection

Ensuring all personal data is protected to maintain trust of employees and other stakeholders.

Risk

EMSTEEL Group has implemented an effective Risk Management Framework that is consistent with the Group achieving its corporate objectives. Risk Management deals with understanding, documenting, and managing the Group’s risk exposure and taking mitigation measures, where necessary, to ensure that those risks are contained to acceptable levels consistent with the Group’s risk appetite. Risk Management is a critical function within EMSTEEL Group. The Risk Policy applies to all business lines, departments, and sections. It also applies to strategic and corporate governance activities undertaken by the Executive Management. The Board of Directors (BoD) has an oversight responsibility pertaining to the Group’s Risk Management Framework. The BoD has approved the Risk Policy and provides the necessary support to ensure that adequate and robust risk management is incorporated into the culture of EMSTEEL Group. The Risk Management (RM) section has been established to facilitate the implementation of the Risk Management Framework and Risk Policy. The Audit and Risk Committee provides oversight of the RM section. The Risk function has a direct reporting line to the Audit and Risk Committee and reports operationally to the Group General Counsel. Until August 2024, this oversight was provided by the Strategic Investment and Risk Committee.

Reports issued by the Internal Audit Department to the Group’s Board of Directors

During 2024, reports related to 10 engagements were issued by the Internal Audit department based on the Group Internal Audit Plans approved by the Audit and Risk Committee.