Role of the Board Risk and Audit Committee

The Risk and Audit Committee shall assist the Board in fulfilling its responsibilities for corporate governance and overseeing the company's;

• financial reporting;
• internal control structure;
• risk management systems and reporting; and
• internal and external audit functions.

In doing so, the Committee has the responsibility to maintain free and open communication with the external auditor, internal auditor and management of the Company.

The Committee is empowered to investigate any matter, with full access to all books, records, company operations and people of the Company and the authority to engage independent counsel and other advisers as it determines necessary to carry out its duties.

Membership

The Committee shall be members of, and appointed by, the Board of Directors and shall comprise at least three non-executive directors, a majority of whom are independent. All Committee members shall be financially literate. One member, who does not chair the Board, shall be appointed to chair the Risk and Audit Committee. At least one member shall have accounting and/or related financial management expertise as determined by the Board. All Committee members shall have a reasonable understanding of the industries in which the Company participates and the members between them shall have the accounting and financial expertise to be able to discharge the Committee's mandate effectively.

Meetings

The Committee shall meet at least four times annually. It is to meet, in separate sessions, each of the Chief Financial Officer, external auditor, Internal Audit Lead and the Risk Manager at least once each year and at other times when considered appropriate.

The Managing Director, Chief Financial Officer, Internal Audit Lead and the Partner in charge of the external audit will be routinely invited to attend meetings of the Committee –unless the Chair of the Committee decides otherwise. Other senior managers, including the Risk Manager, may be asked to attend when the Committee is considering specific agenda items.

Committee papers are distributed to all Board members. Minutes of Committee meetings are included in the papers for the next full Board meeting, and a report is provided to the Board on matters addressed by the Committee. There is an open invitation for all other non-executive directors to attend Risk and Audit Committee meetings. All directors are required to attend Risk & Audit Committee meetings that consider the half year and full year financials.

Duties and Responsibilities

The primary responsibility of the Committee is to report to the Board and provide appropriate advice and recommendations on matters related to the Company's corporate reporting processes and risk-management and compliance framework, including oversight of tax risks, in order to facilitate decision-making by the Board.

The Committee shall ensure it understands the Company's structure, controls and operations in order to adequately assess the risks faced by the Company.

Statutory and Governance Reporting

After review with management and the external auditor, the Committee will recommend to the Board the financial statements and reports intended for publication for approval including:

• Annual directors' report and consolidated financial statements;
• Preliminary final report;
• Half-year consolidated financial statements; and
• Half-year report.

Each of the above to be filed with the ASX.

The Committee shall ensure all relevant matters raised in representation letters signed by management (in relation to the preparation of the financial statements and reports) are addressed.

The Committee shall review the results of the half-year review and full year audit and any other matters required to be communicated to the Committee by the external auditor under generally accepted auditing and accounting standards. This will include significant financial reporting issues and judgments made in connection with the preparation of the CSR Group's financial statements.

The Committee will assess the impact of changes in accounting standards and review recommendations from management for the adoption of such changes in the financial statements and reports.

The Chair of the Committee may represent the entire Committee in reporting to the Board.

Internal Controls and Risk Management

The Committee shall at least annually review the adequacy and effectiveness of, and make recommendations to the Board in relation to:

• the Company's risk framework, including risk appetite statements and reporting;
• policies and procedures to assess, monitor and manage financial and non-financial business risks;
• internal compliance and control systems, including the accounting, financial and tax controls;
• any incident involving fraud or significant breakdown of the Company's internal controls;
• legal and ethical compliance programs (including the Company's code of business conduct and ethics); and
• the CSR Group's insurance coverage.

The Committee shall also annually review CSR's Risk Management Framework and Policy to ensure its effectiveness, continued application and relevance.

The Committee shall periodically meet separately with each of the Chief Financial Officer, the Internal Audit Lead, the Risk Manager and the external auditor (without management present) to discuss issues and matters warranting Committee attention, including but not limited to their assessment of the effectiveness of internal controls and the process for improvement.

The Committee shall receive regular reports from the external auditor on changes to accounting standards that may affect the Company on the critically important accounting policies and practices of the Company, and all alternative treatments of financial information within generally accepted accounting principles that have been discussed with management.

External Audit

The Committee shall be directly responsible for making recommendations to the Board on the appointment, re-appointment or replacement (subject to shareholder approval required), remuneration and terms of engagement of the external auditor, and for monitoring the effectiveness and independence of the external auditor.

The external audit firm partner in charge of the CSR Group audit, must be rotated at least every five years. If appropriate, the Board may, following a recommendation from the Committee, extend the eligibility term of the external audit firm partner in accordance with the Corporations Act.

The Committee shall approve all audit and non-audit services provided by the external auditor and shall not engage the external auditor to perform any non-audit or assurance services that may impair or appear to impair the external auditor's judgement or independence in respect of the Company. The Committee may delegate pre-approval authority to a member of the Committee.

The Committee shall advise the Board on the provision of non-audit services in order for the Board to be in a position to make statements required by the Corporations Act to be included in the Company's Annual Report.

At least once a year, the Committee shall obtain and review a report by the external auditor describing:

• the overall scope of the external audit, including risk areas identified and any additional agreed procedures;
• the audit firm's internal quality control procedures;
• any material issues raised by the most recent internal quality control review, or peer review, of the audit firm; or by any inquiry or investigation by governmental or professional authorities, within the preceding five years, respecting one or more independent audits carried out by the firm, and any steps taken to deal with any such issues, should any such incidents arise; and
• all relationships between the external auditor and the Company or any other entity (to assess the auditor's independence). For the half-year and full-year accounts, the external auditor is required to confirm in writing its independence as auditor within the meaning of relevant legislation and the standards set by the relevant accounting bodies.

The Committee shall evaluate the effectiveness of the external audit having regard to a number of factors including but not restricted to:

The Committee will make its recommendation to the Board on the appointment of the external auditor based on its assessment of the independence and performance of the external auditor in accordance with the above review.

Internal Audit and Communication

The Committee shall recommend to the Board the appointment and dismissal of the Internal Audit Lead. The Internal Audit Lead shall be independent of the external auditor.

The Committee shall review the scope of the internal audit plan with the Internal Audit Lead, including the work program and quality control procedures.

The Committee shall review the performance and objectivity of the internal audit function.

The Committee shall establish procedures for dealing with complaints received by the Company (including receipt, retention, and effective treatment of these complaints) regarding accounting, internal accounting controls, or auditing matters, and submission by employees of the Company, including anonymous submissions, of concerns regarding questionable accounting or auditing matters. All such employee submissions shall be treated as confidential. The Committee shall also receive corporate reports on whistleblower activity and notification of other ethical breaches under CSR's whistleblower report systems and code of business conduct and ethics.

Committee Performance

The Committee shall evaluate its performance at least once every two years to determine whether it is functioning effectively.

Reviewed and updated: May 2022

Next review date: May 2023