Finance, Audit and Risk Committee Mandate

Introduction and Purpose

The Finance, Audit and Risk Committee (the “Committee”) is a standing committee appointed by and responsible to the Board of Directors (the “Board”) of CIRO. The Committee is responsible for assisting the Board in its oversight of:

the integrity and effectiveness of CIRO’s accounting and financial reporting processes;
the qualifications, independence and performance of CIRO’s external and internal auditors;
the financial affairs of CIRO;
CIRO’s processes relating to its internal control systems and security of information;
CIRO’s policies and processes for risk management; and
other matters as the Board may delegate or direct from time to time.

Membership

The Committee will consist of at least five directors and may include the chair of the Board (the “Board Chair”).
A majority of the Committee members, including the chair of the Committee (the “Committee Chair”), will at all times be Independent Directors, as defined in the by-laws of CIRO (the “By-Laws”).
Each member of the Committee will be financially literate, within the meaning of National Instrument 52-110 – Audit Committees, as such qualification is interpreted by the Board in its business judgment, or become financially literate within a reasonable time after appointment to the Committee. At least one member of the Committee will have accounting or related financial management expertise, at least one member of the Committee will have risk management expertise, and at least one member of the Committee will have information security and technology management expertise, as such qualifications are interpreted by the Board in its business judgment.
The members of the Committee, including the Committee Chair, will be appointed by the Board for one-year terms upon the recommendation of the Governance Committee.
Any member of the Committee may be removed or replaced at any time by the Board (for clarity, subject to the requirements provided for in paragraphs 1 through 4 of this section above) and shall automatically cease to be a member of the Committee upon ceasing to be a director.

Meetings and Reporting to the Board

The Committee will meet regularly and as often as it deems necessary to carry out its responsibilities, but not less than four times a year. Meetings may be called by the Committee Chair or a majority of the members of the Committee.
Meetings are chaired by the Committee Chair, who is responsible for leadership of the Committee and reporting to the Board. If the Committee Chair is not present at any meeting of the Committee, one of the other members of the Committee who is present shall be chosen by the Committee to preside at the meeting.
Attendance by invitation at all or a portion of Committee meetings is determined by the Committee Chair or the Committee’s members, and would normally include the Chief Executive Officer, and such other officers or support staff as may be deemed appropriate. The Board Chair may attend and speak at all meetings of the Committee, whether or not the Chair is a member of the Committee. Each meeting may include a closed in camera session at which only members of the Committee are present.
At least annually, the Independent Directors on the Committee will meet in a closed in camera session at which only such Independent Directors are present.
A majority of the Committee members, which must include a majority of the Independent Directors on the Committee, will constitute a quorum. The act of the majority of the Committee members present at any meeting at which a quorum is present will be the act of the Committee.
The Committee is encouraged to meet regularly in separate, private sessions with senior management, the external auditors and the head of the internal auditor. The Committee is authorized to request information from the CEO or any officer or employee of CIRO or its outside legal counsel or independent auditors or to request that any such persons attend a meeting of the Committee or meet with any members of, or advisors to, the Committee.
The Committee shall maintain written minutes of its meetings, which will be filed with the meeting minutes of the Board.
A written resolution signed by all Committee members entitled to vote on that resolution at a meeting of the Committee is as valid as one passed at a Committee meeting.
The Committee will periodically report to the Board on the Committee’s activities and recommendations, and will report each year with respect to the Committee’s overall activities in compliance with this mandate.
All matters dealt with by the Committee shall be treated as being confidential, subject to reporting to the Board or as the subject matter otherwise requires.
The Committee may obtain, at CIRO’s expense, advice and assistance from internal resources and external advisors or professionals as the Committee may determine to be necessary to carry out its responsibilities. If advice and assistance from external advisors or professionals is obtained, the Committee will provide notice to the Governance Committee.

Specific Responsibilities

The Committee’s specific responsibilities include the following:

Oversight and Monitoring of Financial Reporting

Review with the external auditor and management, and recommend to the Board for approval, the audited annual financial statements and the notes and Management Discussion and Analysis accompanying all such financial statements, the financial content of CIRO’s Annual Report, and any other reports of a financial nature which require approval of the Board.
Review with management, and approve, the quarterly unaudited interim financial statements prior to their submission to the Canadian Securities Administrators.
Receive confirmation from management that the financial statements, along with all other financial information, fairly present in all material respects the financial condition, results of operations and cash flows as of the date or periods presented in the statements.
Review and assess, in conjunction with the external auditor and management, any significant financial reporting issues, estimates and judgments made in connection with the preparation of the audited and unaudited financial statements, including:
1. the appropriateness of accounting policies and financial reporting practices used by CIRO, including alternative treatments that are available for consideration;
2. any significant proposed changes in financial reporting and accounting policies and practices to be adopted by CIRO;
3. the effect of off-balance sheet structures on CIRO’s financial statements and material or non-financial arrangements that do not appear in CIRO’s financial statements; and
4. any new or pending developments in accounting and reporting standards that may affect or have an impact on CIRO.
Review management’s reports on any litigation matters that could materially affect the financial position or operating results or operations of CIRO, and the manner in which these matters have been disclosed in the financial statements, and where the financial condition could be significantly affected, make recommendations with respect to such matters to the Board. Notwithstanding this requirement, any review of litigation shall not include discussion of the merits or strategy of any enforcement-related activities or litigation taken in the exercise and pursuit of CIRO’s mandate which would otherwise be outside of the Board’s ordinary purview.

Oversight of External Audit Activities

Recommend to the Board the annual appointment of the independent external auditor and oversee the work of the external auditor.
Evaluate the qualifications, performance and independence of, and determine compensation for, the external auditor. In evaluating the performance of the external auditor, the Committee will evaluate the performance of the external auditor’s lead partner.
When there is to be a change in the external auditor, review all issues related to the change and assume leadership in the selection process of a new external auditor, for recommendation to the Board.
Review and approve the annual engagement letter and audit plan, including the proposed audit scope, focus areas, timing, staffing and key decisions underlying the audit plan (i.e., materiality), as well as the appropriateness and reasonableness of proposed audit fees.
Approve, before the fact, the engagement of the external auditor for all non-audit services (including the fees, terms and conditions for the performance of such services), and consider the impact on the independence of the external audit work of fees for such non-audit services. When appropriate, the Committee may delegate to one or more Committee members or to management the authority to grant pre-approvals of permitted non-audit services, and the full Committee shall review the pre-approvals at its next scheduled meeting.
Ensure there is a clear understanding between the Board, the Committee, the external auditor and management that the external auditor reports to the Board through the Committee and directly to the members of CIRO in accordance with its legal and professional duties.
Meet with the external auditor at least annually or as requested by the external auditor, without management present.
Review significant communications from the external auditor including material unadjusted items and the management letter to be issued.
Receive and resolve any disagreements between management and the external auditors regarding all aspects of the financial reporting.
Review with the external auditor the results of the annual audit, including, but not limited to:
1. any difficulties encountered, or restrictions imposed by management during the annual audit;
2. the external auditor’s evaluation of CIRO’s system of internal accounting controls, procedures and documentation, for financial reporting purposes; and
3. the post-audit or management letter containing any findings or recommendations of the external auditor including management’s response thereto and the subsequent follow-up to any identified internal accounting control weaknesses.
Ensure that the underlying accounting policies, disclosure and key estimates are considered to be the most appropriate in the circumstances, within the range of acceptable alternatives.
Review annually and report to the Board on the external auditor’s System and Organization Controls 2 (SOC2) reports.
Facilitate open communications among the external auditor, management, the internal auditor and the Board.

Oversight of Internal Controls

Periodically review the adequacy of internal controls and inquire on the practices and procedures of CIRO that enable management’s reliance on internal control systems and report or make recommendations to the Board thereon.
Review with management, the external auditor, and the internal auditor any major issues as to the adequacy of CIRO’s internal controls, any special steps adopted in light of material control deficiencies, and the adequacy of disclosures about internal controls over financial reporting.

Oversight of Risk Management

At least annually, review and approve CIRO’s risk management framework prepared by management, including CIRO’s risk appetite and risk policy statements, and the guiding principles that underpin and support a risk-aware culture, as well as the approach for identification, assessment, management and reporting of key risks.
Recommend to the Board for approval CIRO’s risk appetite statement.
At least annually, review and discuss with management CIRO’s significant risk exposures, associated controls and control deficiencies, and the steps management has taken or proposes to take to monitor and control or mitigate such risk exposures and to address such control deficiencies. For clarity, the Committee’s responsibilities relative to oversight of significant risks include risks identified by management as well as risks raised by external parties, and risks associated with areas for which other Board committees provide operational oversight.
Review and approve, as appropriate, management’s proposed treatment of any risks deemed to be outside of CIRO’s risk tolerance.
Review reports from the internal auditor, in its capacity as the third line of defence, relating to the adequacy of CIRO’s procedures and controls to manage its risk exposure, together with management’s responses in respect of the effectiveness of such procedures and controls.
On an annual basis, review the adequacy of CIRO’s insurance coverage, including CIRO’s directors and officers liability insurance coverage.

Oversight of Internal Audit Activities

Recommend to the Board for approval the engagement and, where appropriate the termination, of the internal auditor, which will have direct access to the Committee.
At least annually review and approve the internal audit charter.
At least annually review and assess the performance, qualifications, skills and resources, as well as independence of the internal auditor. In evaluating the performance of the internal auditor, the Committee will also evaluate the performance of the lead partner, and will consider whether the provision of non-internal audit services is compatible with maintaining the internal auditor’s independence.
At least annually, review and approve the internal audit plan, including the areas to be audited, as well as estimated fees, and ensure that the work of the external auditor and the internal auditor is coordinated.
Review the periodic reports on internal audit activities, including audit findings, recommendations and progress in meeting the annual audit plan.
Meet with the internal auditor, as frequently as the Committee deems necessary, to discuss their reports and recommendations, the extent to which prior recommendations have been implemented and any other matters that the internal auditor brings to the attention of the Committee.
Pre-approve all internal audit services and permitted non-internal audit services (including the fees, terms and conditions for the performance of such services) to be provided by the internal auditor. When appropriate, the Committee may delegate to one or more Committee members or to management the authority to grant pre-approvals of internal audit and permitted non-internal audit services, and the full Committee shall review the pre-approvals at its next scheduled meeting.

Oversight of the Finance Function

Review the annual operating and capital budgets for submission to the Board for approval, including the appropriateness and validity of any material assumptions and estimates used in the preparation of such budgets and the consistency of the budgets with strategic plans and initiatives approved by the Board.
Periodically review CIRO’s fee model to ensure that it continues to meet the requirements of the relevant Recognition Orders (as defined in the By-Laws).
Periodically review the allocation of costs, to ensure that CIRO operates on a cost recovery basis and that such costs are allocated equitably.
Review with management on a quarterly basis any significant variances from approved operating budgets and the reasons for such variances.
Periodically review material finance and expense-related policies.
Annually review and approve the adequacy of the cumulative reserves.
Meet privately with the Chief Financial Officer at the conclusion of each Committee meeting.

Oversight of Pension Plans and Investments

With respect to the pension and supplementary executive retirement plans of CIRO (jointly referred to as the “Plans”), the Committee shall receive and review an annual report from management on the operation and financial performance of the Plans, including a certificate of compliance that CIRO has made all required regulatory filings and has complied with the requirements of (i) the Plans; (ii) applicable laws, including the Ontario Pension Benefits Act; (iii) all relevant CIRO policies; and (iv) the Management Pension Committee (“MPC”) Charter.
Review and approve any substantive amendments to the Plans not impacting benefits, such as a Plan merger.
Review and recommend to the Board for approval the audited annual financial statements of the Plans and the appointment of the Plan auditor.
Review and, to the extent contemplated by the MPC Charter, approve the selection, retention and performance criteria of the investment manager(s), actuary, investment consultant, custodian and third-party administrators of the Plans.
Review and, to the extent contemplated by the MPC Charter, approve changes to the funding and rebalancing policies, defined benefit fund management structure and defined contribution investment options.
Periodically review the investment performance of the Plans’ investments.
On an annual basis, review the adequacy of the Plans’ Statement of Investment Policies and Procedures (SIPP) and approve any substantive amendments.
Review and approve changes to the risk tolerance limits for the defined benefit plans.

Internal Confidential Complaints and Code of Conduct

Fulfill the responsibilities assigned to the Committee under CIRO’s procedures for the confidential receipt, retention and treatment of complaints or concerns regarding accounting or auditing matters or internal controls and for the protection from retaliation of those who report such complaints or raise such concerns in good faith.
Oversee management’s monitoring of compliance with the code of conduct applicable to employees of CIRO with respect to the systems and processes for making and addressing complaints in relation to financial and related matters requiring redress.

Other Responsibilities

Conduct or oversee, as appropriate, inquiries into any other budget or finance matters as requested by the Board or management.
Overseeing and at least annually reviewing the adequacy of CIRO’s processes for monitoring privacy and data security risk exposures and measures, information systems and recovery plans based on, among other things, the Committee’s periodic review of the Information Security Program, relevant internal and external audit reports and BCP/disaster recovery scenario test results.
Review at least annually the adequacy of this mandate and recommend any proposed changes to the Board for approval.
Such other matters that are assigned to it, or to the Committee Chair, by the Board.