APPROVED
by the decision of the
Board of Directors of the JSC
«NC «Kazakhstan temir zholy»
since «__» ______2014
protocol №__

THE POLICY

on organization of internal audit

in Joint Stock Company

«National Company «Kazakhstan temir zholy»

Astana city

CONTENTS:

Table of contents

1.General provisions

2.The Standards of qualitative characteristics

1.1Independenceand objectivity

1.2Professional capacity

1.3The requirements for the Program of quarantees and internal audit quality improving

3.Ethical standards

4.The standards of activity

4.1Annual audit planning

4.2Accomplishment of audit tasks

4.3Audit report

4.4Monitoring of established recommendation implementation

4.5Working documentation

4.6TheService activity report

4.7Appraisal of the Service activity effectiveness

1General provisions

  1. The present Policy on organization of internal audit (further – Policy) in Joint Stock Company «National Company «Kazakhstan temir zholy» (further – the Company) is based on Recommendations on organization of internal audit in joint stock companies, more than fifty percent of voting shares of which directly or indirectly belongs to JSC «Samruk-Kazyna», approved by the decision of Board of Administration JSC «Samruk-Kazyna» (protocol 13.12.2013, № 67/13).
  2. Policy was developed, based on basic provisions and requirements, considered within the Code of Ethics, according to International professional internal audit standards of Institute of internal audit (TheInstituteofInternalAuditorsInc.[1])and Practical instruction for them (further–the Standards) and contain basic requirements for order and activity appraisal of internal audit ServiceJSC «NC «KTZ» (further – the Service).
  3. The Service during its professional activity carry out is guided by status of Service, its’ goal, tasks and functions, rights and authorities and other requirements, identifiedby The Regulation of the Service, Code of Ethics and Standards.
  4. Rulesandotherregulationsofthe Service developedinaccordancewithpresentPolicyaretobeapproved by the AuditCommittee under Board of Directors (further–the Audit Committee) and/orapprovedby Company’s Board of Directors (further – the Board of Directors).
  5. ThePolicydoesn’texcludeopportunityofdevelopmentandapprovalofadditionalrequirementsandstandardsregarding organization of the Service activity, which conform torequirementsof present Policyandotherregulations, approvedby JSC «Samruk-Kazyna» regarding Service activity, and the Standard requirements.

2The Standards of qualitative characteristics

1

2

1

1.1Independence and objectivity

  1. IndependenceofServiceduringimplementationofitstasksandfunctionsisprovidedbyappropriateorganizationalstatus, which considersorganizational subordinationandfunctionalaccountabilityof Serviceto the Board of Directors of the Company. Straightauditofthe Serviceactivityconductedby the Audit Committee of the Company.
  2. Theserviceistobeindependentfrominfluenceofanypersonduringaccomplishmentof assigned tasks andfunctions, in order topropercarrying outand providing objective andimpartialjudgments.
  3. Thecriterion of independence of Service isindependenceduringpreparingof annual audit plan, assigningmethodsandproceduresof internal audit, the scope of work forachievementof goalsandreflection ofaudit report.
  4. Internalauditorsaretobeimpartialandunbiasedattheir workandnot commitconflicts of interests.
  5. Forobjectivityandimpartialityprinciplesfollowingpurposesduringimplementationofduties, internalauditorsare not allowedto be involvedin any activities, whichmight be subject tointernal auditandconductauditactivities orfunctions, has been carried outby themduring the period, which is the subject to audit.

1.2Professional capacity

  1. Internalauditorsaretopossessknowledgeandskills that are necessary for accomplishment of their personalfunctions.
  2. TheServicestaffistohavenecessarygroupknowledgetocarryoutthegivenroleand improve itduring continuousprofessional developmentandfurther training.
  3. Internalauditorsaretoshowprofessionalattitudeto work, criteria ofwhich are the ability to appraise:

Scopeofworkthat is necessary forachievementof audit task goals

Needsandexpectationsofclients, includingcharacterandtermsoftask implementationon providing consultations, also the form of reportregarding results;

Relativecomplexity, significanceorimportanceofmatters, as respects to are provided guarantees andconsultations;

Adequacyandeffectivenessofriskmanagementsystems of internal control andcorporate governance;

Probabilityofsignificant mistakes, fraudornot following the procedure ;

Thecostforprovidingauditguaranteesandconsultationsversus potential benefit.

  1. Internalauditorsaretopossesssufficientknowledge in order to appraise the risk offraudand also, howorganizationmanagesgiven risk.
  2. Internalauditorsaretopossesssufficientknowledgeregardingkeyrisksandprocedures of control, related withinformationtechnologies, andto be able to usecomputer-aidedmethods ofauditin the sufficient scope forimplementation of charged tasks.
  3. Incase, iftheService staff doesn’t possesssufficient knowledge andskillsforrealization of audit taskorpart of the task, the Service has a right, according to fixed order, to attract consultantsoruseco-sourcingin internal audit.

1.3The requirementsforthe Program of guaranteesandinternal audit quality improving

  1. TheHeadoftheServiceistodevelopandaccept theProgram of guaranteeandinternal audit quality improving, whichconsidersmeasures, aimedfor compliance of the Service activitywith Determinationof internal audit, StandardsandCode of Ethics, alsoprovideitsrealizationby the Service.
  2. TheProgramof guaranteesandqualityimprovingistocoverallkindsoftheServiceactivitiesandconsiderconductingof internal andexternalappraisal, goals and tasks of which, alsothe ways of implementation, are to comply with the Standards requirementsandinternal regulations that control the Service activity.
  3. Internalevaluation,within the Program ofguaranteesandinternalauditqualityimproving,is carried outin the form ofcontinuousmonitoringandperiodical inspections, contentandrequirementsto whichare assignedwithin conformablepoliciesandprocedures.
  4. Upto-datemonitoringiscarriedoutwithuseofprocesses, appraisal and analysis tools, alsoinformation, necessary for furthercompliance appraisal of the Service activitywith Determinationof internal audit, the Code of Ethicsandthe Standards. Processesandtools, usedduringup to-datemonitoringare to include:

Supervisionoverexecutionoftasksinthepartoffollowing the standards of independence, fairness, objectivity, privacyandprofessional ethics by internal auditors;

controloverproceduresandmethodscomplianceofinternalauditandpreparedaccordingto its resultsof policy working documentationon internal audit organization, accepted in Company;

inspectionofadequacyandjustificationof conclusionsandreportson results ofaudit tasks;

filling in test tables (checklists);

feedbackfromclientsandotherinterested person;

selectiveexpertappraisalofworkingdocumentationby subdivision employees, nottaking partin audit accordingly;

takingnecessarymeasuresregardinginternalauditors, on case of non-fulfillment orimproper executionof assigned functions;

analysisofotherresultfiguresofactivity (for instance such as, audit period durationandacceptance of recommendations).

  1. Periodicalinspections of the Service activityare heldat least once every three yearsforcompliance appraisal purposeof the Servicewith Determination of internal audit, the Code of EthicsandStandardsas a form of self-estimation, alsoby attracting qualifiedindependentexternal specialistin the sphere ofinternal audit (certified internal auditor)orgroup (team) auditors, formedamong specialists at the levelFund,Fund’s companies group.
  2. Periodicalinspectionsareheldusinga methodological guideof the Institute of internal auditors onquality assessment or similar techniques.The reporting structure on the results of internal evaluations should provide a sufficient degree of objectivity and credibility for the results of the audit.
  3. External evaluation of the Service performed at least once every five years by a qualified, independent appraiser. External evaluation can be done:

in the form of full external evaluation;

in the form of self-assessment with independent external confirmation.

  1. External evaluation should involve a wide range of issues, including the following elements of the internal audit:

compliance with the Determination of Internal Auditing,requirements of the Code of Ethics and the Standards, Regulations of internal audit division, plans, policies, procedures, practices and applicable statutory and regulatory requirements;

expectations regarding the internal audit activity expressed by the Board, the supreme and functional management;

integration of internal audit in the process of management of the organization, including the interaction between and within groups of key participants;

tools and techniques used by internal audit;

combination of knowledge, experience and skills of staff, including the staff's attention to process improvement;

defining the contribution of the internal audit to improvement of the organization activity.

  1. Head of the Service should discuss with the Audit Committee the frequency of external evaluations, qualifications and independence of the external expert, including any possible conflict of interest. While selecting an external expert Head of the Service shall ensure consideration and observance of standards requirements for the qualifications and independence of the external expert.
  1. Reports on the results of periodic evaluation and external evaluation of theService are considered by the Audit Committee and the Board of Directors with adoption of relevant decisions and recommendations.

3Ethical standards

  1. Internal auditors should base their work on the principles of integrity, objectivity, confidentiality, professional competence, and to adhere to the principles comply with those Code of Conduct.
  2. Honesty - the principle according to which internal auditors are required to perform their work conscientiously and responsibly and, if required by professional standards of internal audit, disclose relevant information.
  3. Objectivity - a principle according to which internal auditors are required to demonstrate the highest level of professional objectivity in gathering, evaluating and transmitting information about the object of audit and their judgments should not be influenced by their own interests and those of others.
  4. Privacy - a principle according to which internal auditors should not disclose information received by them in accordance with their powers, except when such disclosure is permitted by conditions of providing or it’s necessary in accordance with the laws.
  5. Professional competence - a principle according to which internal auditors should fully apply the knowledge, skills and experience needed to provide internal audit services, to continuously improve their professional skills and the quality of work.

4The Standards of activity

2

3

4

4.1Annual audit planning

  1. Head of the Service must effectively manage the activities of the Service in order to maximize the usefulness of internal audit for the Company.
  2. Annually, no later than November 1, service should start drafting a risk-based annual audit plan for the coming year, which shall include business processes, procedures, or activities or functions (division of the Company), subject to internal audit.
  3. Preliminary procedure prior to the development of risk-based annual audit plan are:

formulation / update Maps (list) audit areas;

analysis ofapproved Maps and the Company's risk register for the planning year.

  1. Map audit areas drawn on the basis of all business processes of the Company, including, on support of projects undertaken by a subsidiary and, if necessary, associates and jointly-controlled entities of the Company. Also, when compiling / updating audit areas Map, the structure of the Company's assets is taken into account, including the acquisition or alienation of participant shares in subsidiaries, associates and jointly-controlled entities of the Company.
  2. Audit areasMap, in the prescribed manner shall be approved by the Audit Committee of the Company. On an annual basis, or in other appropriate cases, Map audit areas should be updated and go through the procedure of approval, in the prescribed manner.
  3. It may be performed audits of business processes not covered by Map of the areas of audit by the Service according the decision of the Board of Directors of the Company.
  4. After determining the areas subject to internal audit, internal auditors should assess the importance of each area in terms of the tasks assigned to the Service, and to identify areas that should be covered by the annual audit plan. In this case, the focus should be on those business processes and activities of the Company, which are associated with the highest risk, in accordance with the Risk Map and / or those business processes in which the internal control system the most unreliable.

As a basis for the development of the annual audit plan is risk Map, the drafting of which should be provided by management of Company, responsible for the effectiveness of risk management and internal control and audit areas map, compiled by the internal auditors. The Service, in turn, should carry out an independent assessment of the risks, in order to ensure the identification of new risks and / or a possible reassessment of existing risks. The Service should check assessment of the key risks faced by the Company, as well as assist in managing risks by making recommendations based on the basis of the audit assignments and provided information.

  1. Head of the Service is to provide an annual risk-based audit plan (in the form of Annex 1), with the resources of the Service to implement the plan, including cost estimates of time to conduct the internal audit and the time required for training internal auditors, their annual labor holidays (in the form of Annex 2).
  2. To determine the scope of coverage of the annual audit plan, the Service should consider the following:

1) preliminary assessment of the internal control system of business processes included in the Map of audit areas;

2) resources should be concentrated on the business processes and activities of the Company, which display the highest (high) risks;

3)the audit plan should include the risks identified by the Company management as a "key" ("high"), as a result of the risk assessment process;

4) the audit plan should include an adequate amount of non-core (moderate) and low risk, to confirm the adequacyof the rating criteria and accuracy of risk determination to ensure full coverage of the audit;

5) the cost and budgetstructure of the Company, subsidiaries of business plans, and, if necessary, associates and jointly controlled entities of the Company;

6) changes in corporate and organizational structure of the Company;

7) information, available to the Service on specific areas of the Company, in particular, regarding the quality of internal control systems and the changes made to the internal control system recently;

8) modified and plannedsurvey results to introduce and develop into processes / projects;

9) management and structural divisions’ offers of the Company on holding an audit;

10)degree to which the Service can use the work of others, such as external auditors, regulators and supervisors, experts, appraisers.

  1. It must be identified objectives to demonstrate the usefulness and effectiveness of internal audit for the Company during formation of the annual audit plan for each assignment.
  2. Purpose of audit assignments should relate to the results of a preliminary assessment of risks and the internal control system relating to the Audit object (business-process / sub process, structural subdivision, subsidiary, the Company), and evaluation of corporate governance in the Company as a whole.
  3. Head of the Service should provide clear and concise statement of purpose of audit assignments for their adequate understanding and appreciation of both the auditee and customers, and internal auditors. It must be justified the corresponding form (sort of) audit,within the objectives of the audit assignment, based on the audit area:

Operational audit - confirmation of opinions about the degree of confidence in the effectiveness of theauditing object (by the Company), including the assessment of reliability and efficiency of internal control systems;

Financial audit - confirmation of opinions that accounts of audited object accurate and timely, and compiled on the basis of their statements are reliably;

Compliance audit- assessment of compliance with legal requirements, internal documents of the Company and adequacy of systems and procedures being used to ensure compliance with these requirements.

Information system audit (information technologies)- evaluation of safety (security) information systems of the Company and their effectiveness.

  1. In compiling the annual audit plan, the Service must pay the necessary attention to one of the important tasks related to the assessment and the issuance of the recommendations aimed at improving corporate governance with respect to achieving the following objectives:

1) implementation, compliance and promotion of appropriate ethical standards and valuables ​​in the Company;

2) effective provision of information on the risks and control the relevant authorities and departments of the Company;

3) effective coordination and exchange of information between the Board of Directors, the executive body of the Company and external and internal auditors.

  1. Evaluating the effectiveness of internal control system of the Company (as a whole and / or in the context of key business processes), the evaluation of risk management and corporate governance should be implemented by the Service, at least annually, to provide guarantees to the Board of Directors in their respective areas on an annual basis, and well as for justified planning of the Service activity.
  2. The terms of audit assignment execution in the annual audit plan should be established taking into account the least impact on the current activities of the audit object. Expected terms of audit assignments execution should provide timely and actualreports presented to interested parts.
  3. Draft annual audit plan (for the coming year) must be submitted for approval by the Board of Directors of the Company no later than
    December 1 after a preliminary review by the Audit Committee and in accordance with its decision.
  4. The Service submits an analytical note on the justification of the audit plan and audit assignments along with the draft annual audit plan.
  5. The annual audit plan approved by the Board of Directors should be submitted by the Head of the Service to the Chief of executive body, in order to inform.
  6. Head of the Service shall review the annual audit plan and discuss with the leaders of audit assignments the subject of necessity of making some changes and additions, in the case of:

obtaining unscheduled tasks from the Audit Committee and / or Board of Directors;

identify new risks and / or reassessment of existing risks on the results of audit assignments.

  1. Head of Service provides timely corrections of annual audit plan and amendments in the prescribed manner.

4.2Accomplishment of audit tasks

  1. Head of the Service shall ensure the efficient organization of planning and conducting audit assignments considered in annual audit plan, through the implementation of best practices and procedures to facilitate the achievement of the audit assignment objectives as well as the goals and tasks of internal audit as a whole.
  2. The process of conducting audit includes several stages, namely:

• the planning of audit, including holding preliminary examination;

• carrying out audit:

• formation of audit results;

• IAS work with audit materials after approval of the final edition of "Audit Report", including monitoring ofthe IAS recommendations implementation.

  1. The leader of the audit assignment shall exercise control over the conduct of internal audit by monitoring:

1) Amount of actual work in comparison with the planned volume;

2) performance of the audit assignment in accordance with the estimation of time spent on internal audit;

3) timely inspection of the work performed to be taken to avoid any unusual situations after completion of the audit.

  1. Internal audit of the audit objects in areas other than the location of the Company, in the case of out on their location, subject to prior registration of business trips according to appropriate order of the Company internal documents.
  2. If necessary, the duration of the audit engagement may be extended by the Head of the Service, based on the memo audit assignment leader, by making appropriate additions to the audit assignment.
  1. Audit assignment planning
  1. The process of audit assignment planning includes following stages:

1) Preliminary examination of the audited object (business process);

2) development of audit program;

3) identifying resources to perform the audit engagement, including the calculation of time spend on internal audit;

4) Audit assignment compiling.

  1. Planning of audit assignment performed by the leader of the audit assignment with the involvement of internal auditors.
  2. The planning process of the audit assignment is to begin, as a rule, at least 15 working days before the start of the audit assignment.
  3. Materials on planning of audit assignment are submitted to the Head of the Service 5 business days prior to the commencement of the audit assignment.
  4. Responsibility for the quality, completeness and timeliness of the audit assignment and materials planning, presentation to the Head of theService lay to the leader of audit assignment.
  5. While execution urgent unplanned tasks or inventory of assets and liabilities, the Service has the right to implement them without separate planning procedures.
  6. Internal auditorsshould develop and document the planning process of each audit assignment in order to effectively conduct an internal audit.

А) Preliminary examination of audit object(business process):