Combined assurance for effective governance

The board, supported by the audit committee, is ultimately responsible for Exxaro's system of internal controls, which were designed to evaluate, manage and provide reasonable assurance against material misstatement, loss and the failure to achieve strategic objectives. The system of internal controls supports the integrity of internal decision making and external reporting.

In line with King IV Principle 15, Exxaro applies a combined assurance model based on a five lines of defence approach to optimise assurance from management, internal functions and independent external providers. This approach promotes effective governance, supports a strong ethical culture, and strengthens mechanisms to ensure regulatory compliance and control effectiveness.

Using the board-approved ERM framework, management identifies and assesses the key risks facing the group and implements appropriate internal controls, supported by comparable information and trend analysis where possible. Combined assurance is embedded within the ERM framework and aligned to the strategic risk profile, ensuring that assurance activities are planned and executed with reference to the group's strategic, operational, compliance, sustainability and emerging risks.

Five lines of defence and assurance coverage

Exxaro's combined assurance framework clarifies roles and responsibilities across the following five lines of defence:

Line 1 – Management: Owns and manages risks and controls within operations, supported by policies, procedures, KPIs, key risk indicators and management self-assessments
Line 2 – Oversight and specialist functions: Provide guidance, monitoring and challenge through risk management; compliance; BCM; safety, health and environment and other oversight activities
Line 3 – Internal audit: Provides independent and objective assurance on the effectiveness of governance, risk management and internal controls processes
Line 4 – External assurance providers: Includes external audit, regulators and other independent assurance providers
Line 5 – Governance and oversight structures: Executive committee, board committees and the board provide strategic oversight and accountability

Assurance review

	Function assured
Focus area	Assurance provider	Level of assurance*	Corporate	BU
External/statutory audit	KPMG	4	Yes	Yes
Sustainable development/KPIs	KPMG	4	Yes	Yes
Environmental liability provisioning	KPMG	4	Yes	Yes
Mining rights and environmental legal compliance	Legal	2		Yes
B-BBEE dtic code compliance	Empowerdex	4	Yes	Yes
Mining Charter III compliance	Internal audit	3	Yes	Yes
Insurance risk surveys	IMIU	4		Yes
Mineral Resources and Mineral Reserves statement	Internal audit	3	Yes	Yes
Governance, risk and internal controls	Internal audit	3	Yes	Yes
Employee benefits	Internal audit	3	Yes	Yes
SLP projects	Internal audit	3		Yes
ISO and Occupational Health and Safety Assessment Series certifications	Various	4		Yes
IT general controls	Internal audit	3	Yes

*	Level of assurance refers to independent external assurance.

This integrated approach ensures that material risks are adequately covered by assurance activities, critical controls are monitored and tested, and assurance outcomes inform management actions and governance oversight, supporting confidence that risks are managed within approved risk appetite and tolerance levels.

Approach, governance and reporting

Exxaro defines assurance broadly to include management oversight, internal audit, external assurance and regulatory inspections. The combined assurance model seeks to optimise all assurance activities to collectively support:

The integrity of internal decision making by management, the board and its committees
The reliability of external disclosures, including:

Corporate governance disclosures in terms of King IV
The IR, financial statements and ESG reporting

The combined assurance model is operationalised through the combined assurance forum, which facilitates coordination and alignment across assurance providers, reduces duplication of effort, and minimises operational disruption and audit fatigue. The activities of the combined assurance forum, together with key assurance outcomes, are reported to the audit committee quarterly.

Assessment of control effectiveness

The board and the audit committee assessed the effectiveness of Exxaro's system of internal controls for the year ended 31 December 2025 as satisfactory. This assessment was informed by:

Management self-assessments and formal confirmations by executive management
Reports from internal audit
Independent external audit outcomes
Regulatory inspections
Reports from other assurance providers

Outcome of assurance

As at 31 December 2025, there were 272 (2024: 375) open findings, reflecting a decrease of 103 (27%) open findings in the year. Of the 272 open findings, 81 (30%) are classified as "ready for audit" (a three-month waiting period is applied before performing follow-up procedures for the control to be fully embedded). The split by status of findings is depicted below:


			Current period reporting
Status of findings			Internal audit
Follow-up in progress			103
Ready for audit			81
Within timelines			88
Overdue			0
Total			272