Our company organizes and improves its operations by implementing the "Three Lines of Defense" model in its internal control system.

**First Line of Defense: ** The units responsible for the company’s core operations implement and report daily controls in accordance with the directives given by executive management.

Second Line of Defense: The units supporting the company’s core operations also implement and report daily controls in accordance with the directives given by executive management.

**Third Line of Defense: ** The internal control system implemented by the executive management is verified for its effectiveness and accuracy. It reports its main functions to the Risk and Audit Committee and administrative matters to the executive management.

In October 2021, the Board of Directors developed and approved the company’s Internal Control Policy. The objective of this policy is to regulate, audit, and monitor the following areas related to the effective operation of the company:

• Managing the company's operations efficiently in accordance with laws and the regulations that comply with them; • Protecting and ensuring the reliability of the company’s assets; • Preventing, detecting, and correcting fraud and errors; • Ensuring the completeness and accuracy of accounting records; • Preparing operational and financial information in a timely, accurate, and realistic manner; • Regularly monitoring and managing risks.

Gobi JSC implements internal control through the following levels: • All employees, • Unit management, • Executive management team, • Internal Audit Department, • The Risk and Audit Committee of the Board of Directors, • The Board of Directors, • External auditors.

The Internal Control Policy document includes the rights and responsibilities of these stakeholders, and the Board of Directors, through the Risk and Audit Committee, oversees the company's internal control activities.

Objective

The purpose of the Internal Audit Division is to protect and enhance the organization's value by evaluating and supporting the continuous improvement of the company’s governance processes, risk management effectiveness, and internal control efficiency. The department adheres to the Code of Conduct, core principles, and international standards of professional practice as established by the Institute of Internal Auditors.

Structure and Organization

The internal audit function operates within the structure of the Internal Audit Department under the Risk and Audit Committee of the Board of Directors. The committee is responsible for approving the internal audit charter, strategic objectives, risk-based audit plans, and resource budgets. It also appoints the head of the department, sets their compensation, and oversees the execution of the audit plan, ensuring the department’s independence and objectivity.

**Scope of Activities ** To achieve the company's goals and objectives, the internal audit function ensures that decision-making, policy formulation, business and support processes, compliance, and reporting activities are conducted effectively and deliver quality results.