Audit and Risk Committee Charter

  1. Introduction
    • The Audit and Risk Committee is a committee of the board of directors of Boom Logistics Ltd ACN 095 466 961 (Company).
    • The board of the Company (Board) established the Audit and Risk Committee under the Company’s constitution.
    • This charter sets out the scope of the Audit and Risk Committee’s responsibilities in relation to the Company and its related bodies corporate (Group).
    • The role of the Audit and Risk Committee is not an executive role.
  2. Objective

The objectives of the Audit and Risk Committee are to:

  • help the Board achieve its objective in relation to:
    • financial reporting;
    • the application of accounting policies;
    • business policies and practices;
    • legal and regulatory compliance;
    • internal control and risk management and compliance systems;
  • maintain and improve the quality, credibility, integrity and objectivity of the financial accountability process (including financial reporting on a consolidated basis);
  • promote a culture of compliance;
  • provide a forum for communication between the Board and senior financial and compliance management;
  • ensure effective internal and external audit functions and communication between the Board and the external and internal auditors;
  • monitor the Company’s adherence to and ensuring processes in place for administering the Code of Conduct adopted by the Board as amended from time to time;
  • to assist the Company in fulfilling its responsibilities relating to compliance;
  • ensure effective communication to the regulators and all stakeholders;
  • ensure compliance strategies and the compliance function are effective; and
  • receive reports from management on contemporary and emerging sources of risk and the risk controls, such as conduct risk, digital disruption, cyber-security, privacy, data breaches, sustainability and climate change, and mitigation measures that management has in place to deal with those risks.
  1. External financial reporting

The Audit and Risk Committee is responsible for:

  • assessing the appropriateness and application of the Group’s accounting policies and principles and any changes to them, so that they accord with the applicable financial reporting framework (including current and emerging accounting standards);
  • obtaining an independent judgment from the external auditor about:
    • the acceptability and appropriateness of accounting policies and principles put forward by management; and
    • the clarity of current or proposed financial disclosure practices as put forward by management;
  • assessing any significant estimates or judgments in the financial reports (including those in any consolidated financial statements) by:
    • querying management as to how they were made; and
    • querying the external auditors as to how they concluded that those estimates were reasonable;
  • reviewing compliance with all related party disclosures required (where applicable) by accounting standards and the Corporations Act 2001 (Cth) (Corporations Act);
  • review and make recommendations to the Board in relation to policies and processes to manage related party transactions and potential conflicts of interest;
  • assessing information from internal and external auditors that may affect the quality of financial reports (for example, actual and potential material audit adjustments, financial report disclosures, non-compliance with laws and regulations, and internal control issues) and assessing whether external financial reporting is consistent with Committee members’ information and knowledge and is adequate for shareholders’ needs;
  • reviewing any half-yearly and annual financial reports (including those prepared on a consolidated basis) with management, advisers and the internal and external auditors (as appropriate) to assess (among other things):
    • the compliance of accounts with accounting standards and the Corporations Act; and
    • the nature and impact of any changes in accounting policies during the applicable period with particular emphasis on the integrity and completeness of information and key disclosures;
  • discussing any draft audit opinion letter with the external auditors before it is finalised;
  • receiving any management letter from the external auditors;
  • recommending for adoption by the Board interim and final financial reports and the annual report;
  • reviewing documents and reports to regulators and recommending to the Board their approval or amendment; and
  • following up on any matter raised by the Board regarding financial reports, audit opinions and management letters.
  1. Risk management and internal control

The Audit and Risk Committee is responsible for:

Risk management and internal compliance and control systems

  • overseeing the establishment and implementation of risk management and internal compliance and control systems and ensuring there is a mechanism for assessing the efficiency and effectiveness of those systems;
  • approving and recommending to the Board for adoption policies and procedures on risk oversight and management to establish an effective and efficient system (including internal controls) for:
    • identifying, assessing, monitoring and managing material business and financial risks; and
    • disclosing any material change to the risk profile;
  • regularly reviewing and updating the risk profile and risk management of the Company within the context of the Board determined risk appetite, and making recommendations to the Board in respect of the Company’s risk appetite and particular risks or risk management practices;
  • regularly reviewing and approving policies and procedures on risk oversight and management to establish an effective and efficient system for:
    • identifying, assessing, monitoring and managing risk; and
    • disclosing any material change to the Group’s risk profile;
  • receiving reports/plans from the management of the Company concerning the Group’s material risks in order to assess the internal processes for identification and assessment, determining, monitoring and managing and mitigating these risks and to monitor the risk profile of the Group;
  • assessing the adequacy of the internal risk management, compliance and internal control system with management and internal and external auditors;
  • monitoring the effectiveness of the internal risk control system;
  • ensuring the risk management system takes into account all material risks, including risks arising from:
    • implementing strategies (strategic risk);
    • operations or external events (operational risk);
    • legal and regulatory compliance (legal risk);
    • changes in community expectation of corporate behaviour (reputation risk);
    • a counterparty’s financial obligations within a contract (credit risk);
    • changes in financial and physical market prices (market risk); and
    • being unable to fund operations or convert assets into cash (liquidity risk);
  • assessing if management has controls in place for unusual transactions and any potential transactions that may carry more than an acceptable degree of risk;

Key financial risk

  • assessing and prioritising the areas of greatest potential financial risk, including:
    • safeguarding intellectual property and other assets;
    • litigation and claims;
    • non-compliance with laws, regulations, standards and best practice guidelines that may result in significant financial loss;
    • important judgments and accounting estimates; and
    • maintenance of proper accounting records;
  • assessing the internal process for determining areas of greatest potential financial risk;
  • assessing and monitoring the management of areas of greatest potential financial risk;
  • reporting to the Board on the adequacy of the financial risk management;
  • reviewing the Group’s financial risk management procedures to ensure that the Group complies with its legal obligations, including to assist the Managing Director / Chief Financial Officer (as applicable) to provide declarations in relation to each of the Group’s financial reports required by both section 295A of the Corporations Act and Recommendation 4.2 of the ASX Corporate Governance Principles and Recommendations (4th edition);

Legal and regulatory risk

  • assessing and prioritising the areas of greatest legal and regulatory risk;
  • assessing the internal process for determining, monitoring and managing areas of greatest legal and regulatory risk;
  • receiving reports from management of any actual or suspected fraud, theft or other breach of the law and the “lessons learned”;
  • monitoring compliance with legal and regulatory obligations;
  • reporting and making recommendations to the Board regarding:
    • the management of areas of greatest legal and regulatory risk (including fraud and theft); and
    • compliance with legal and regulatory obligations;
  • receiving and reviewing reports from the senior compliance manager;

Disclosure and reporting

  • ensuring management establishes a comprehensive process to capture information that must be disclosed to the ASX;
  • reviewing management’s processes for ensuring and monitoring compliance with laws, regulations and other requirements relating to the external reporting of financial and non-financial information (including, among other things, preliminary announcements, interim reporting, open or one-on-one briefings and continuous disclosure);
  • assessing management’s processes for ensuring non-financial information in documents (both public and internal) does not conflict inappropriately with financial reports and other documents;
  • assessing internal control systems relating to the release of potentially adverse information; and
  • reviewing for completeness and accuracy the reporting of corporate governance practices in accordance with the ASX Listing Rules.
  1. External audit

The Audit and Risk Committee is responsible for:

  • approving and recommending to the Board for acceptance, the terms of engagement with the external auditor at the beginning of each year;
  • regularly reviewing with the external auditor:
    • the scope and adequacy of the external audit;
    • identified risk areas;
    • review the annual audit plan of the external auditors; and
    • any other agreed procedures;
  • approving and recommending to the Board for adoption, policies and procedures for selecting, appointing or removing an external auditor, including criteria for:
    • technical and professional competency;
    • adequacy of resources; and
    • experience, integrity, objectivity and independence;
  • recommending to the Board for approval, the appointment or removal of an external auditor based on those policies and procedures referred to in paragraph (c);
  • reviewing and assessing on a regular basis the compliance of the external auditor with criteria referred to in paragraph (c);
  • recommending to the Board the remuneration of the external auditor;
  • regularly reviewing the effectiveness and independence of the external auditor taking into account:
    • the length of appointment;
    • the last dates lead engagement partners were rotated;
    • an analysis and disclosure of fees paid to external auditors, including the materiality of fees paid for non-audit services and the nature of those services; and
    • any relationships with the Group or any other body or organisation that may impair or appear to impair the external auditor’s independence;
  • satisfying itself that the external auditor can do an effective, comprehensive and complete audit for the external auditor’s set fee;
  • recommending to the Board for approval the types of non-audit services that the external auditor may provide without impairing or appearing to impair the external auditor’s independence;
  • meeting periodically with the external auditors and inviting them to attend Audit and Risk Committee meetings to:
    • review their plans for carrying out internal control reviews;
    • consider any comments made in the external auditor’s management letter, particularly, any comments about material weaknesses in internal controls and management’s response to those matters; and
    • make recommendations to the Board;
  • asking the external auditor if there have been any significant disagreements with management, whether or not they have been resolved;
  • monitoring and reporting to the Board on management’s response to the external auditor’s findings and recommendations;
  • reviewing all representation letters signed by management and ensuring information provided is complete and appropriate; and
  • receiving and reviewing the reports of the external auditor and outcomes of the annual audits, ensuring that any reported major deficiencies or weaknesses in controls have been identified and that appropriate and timely corrective action is taken by management.
  1. Internal audit

The Audit and Risk Committee is responsible for:

  • approving the engagement terms and conditions of the internal auditor;
  • overseeing the process, and review the procedures for the selection, appointment and removal of the internal auditor;
  • ratifying the engagement and dismissal by management of any chief internal audit executive;
  • ensuring any chief internal audit executive is independent of the external auditor;
  • ensuring the external auditor does not provide internal audit services;
  • overseeing the scope and objectives of the internal audit, including reviewing and approving the internal audit team’s mission, charter, qualifications and resources;
  • reviewing and approving the scope and adequacy of the internal audit plan and risk-based work program;
  • monitoring the progress of the internal audit work program and considering the implications of the internal audit findings for the control environment ,including review of internal audit’s periodic reports on the generally observed compliance with internal control and financial practices, provided in addition to reports on specifically agreed reviews;
  • monitoring and reporting to the Board on management’s responsiveness to internal audit findings and recommendations;
  • evaluating the process for monitoring and assessing the independence, objectivity and effectiveness of the internal audit function including considering whether the provision of any non-audit services compromises the independence of the internal auditor;
  • overseeing the liaison between the internal audit team and the external auditor;
  • receiving and reviewing the internal audit team’s reports and actions taken by management; and
  • ensuring the internal audit team reports directly to the Audit and Risk Committee.
  1. Group audit committees

The Audit and Risk Committee is responsible for:

  • reviewing and approving the charter of any committee dealing with Audit and Risk management and compliance within the Group; and
  • receiving and reviewing reports from any such committee.
  1. Other responsibilities

The Audit and Risk Committee is responsible for:

  • overseeing the implementation of the Group’s corporate code of conduct and assessing compliance with it. The Committee is to review Management’s processes for promoting compliance with the code (such as training and communications), as well as the action taken in relation to any significant breaches;
  • ensuring that a Speaking Up Policy is maintained and that there are processes in place for administering the Speaking Up Policy. The Committee is to review Management’s processes for promoting compliance with the Speaking Up Policy (such as training and communications), as well as the action taken in relation to any significant matters reported;
  • overseeing the implementation of the Group’s code of conduct for directors and senior executives of and assessing compliance with it;
  • assessing and recommending to the Board for adoption the scope, cover and cost of insurance, including insurance relating to directors and officers liability, company reimbursement, professional indemnity, crime, and special accident liability;
  • if it considers appropriate, investigating any complaint or allegation made to it;
  • reporting to the Board on any industry development affecting the control environment;
  • reviewing and monitoring any related party transaction and recommending its approval;
  • ensuring the audit, risk management and compliance policies and procedures are adequately documented and that those documents are reviewed and updated for any legal and regulatory developments;
  • to maintain open communication channels among the Committee, management and internal and external advisers in order to review and discuss specific issues, exchange views and information and confirm respective duties and responsibilities as appropriate;
  • monitoring, reviewing and assessing the Company’s compliance, including the effectiveness of its compliance program; and
  • assisting in the provision of appropriate compliance information to the Board.
  1. Audit and Risk Committee composition
    • Subject to section 2, the Audit and Risk Committee should comprise:
      • at least three members;
      • only non-executive directors, who must be financially literate with at least one of whom is financially qualified and competent; and
      • a majority of independent directors.
    • While the Company will aim to have an Audit and Risk Committee of the size and composition outlined in section 1 above, this may not always be practicable given the size of the Board and the circumstances of the Group, including the nature of the Group’s business. Accordingly, the Board has absolute discretion to determine the appropriate size and composition of the Audit and Risk Committee from time to time.
    • The Audit and Risk Committee will appoint its chairperson. The chairperson should be an independent director and may not be the chairperson of the Board, subject to section 2.
    • The Audit and Risk Committee will appoint a secretary.
    • The Audit and Risk Committee must be of sufficient size, independence and technical expertise to effectively discharge its mandate.
    • Each member of the Audit and Risk Committee must be able to read and understand financial statements and at least one member must be a qualified accountant or other financial professional with experience in financial and accounting matters.
    • Each member of the Audit and Risk Committee should have an understanding of the industry in which the Group operates.
    • The Board will decide appointments, rotations and resignations within the Audit and Risk Committee having regard to the ASX Listing Rules and the Corporations Act.
    • A member may act by their alternate.
  2. Audit and Risk Committee meetings
    • The Audit and Risk Committee will meet as often as it considers necessary, however must hold at least four (4) meetings a year, with additional meetings called as required.
    • A quorum for an Audit and Risk Committee meeting is two Audit and Risk Committee members.
    • Audit and Risk Committee meetings may be held by any technological means allowing its members to participate in discussions even if all of them are not physically present in the same place. A member who is not physically present but participating by technological means is taken to be present.
    • The Audit and Risk Committee may pass or approve a resolution without holding a meeting in accordance with the procedures (so far as they are appropriate) in the Company’s constitution or equivalent.
    • The Audit and Risk Committee may invite other persons it regards appropriate to attend Audit and Risk Committee meetings. The following people may be invited to attend all or part of an Audit Committee meeting:
    • Chief Executive Officer;
    • Chief Financial Officer;
    • Group Financial Controller;
    • Internal Auditor;
    • External Auditor; and
    • other staff members or external parties as requested by the Committee.

Any member of the Board may attend any Audit Committee meeting.

  1. Minutes of Audit and Risk Committee meetings
    • The Audit and Risk Committee must keep minutes of its meetings.
    • Minutes of each Audit and Risk Committee meeting must be included in the papers for the next full Board meeting after each meeting of the Audit and Risk Committee, except if there is a conflict of interest.
    • Minutes must be distributed to all Audit and Risk Committee members, after the Audit and Risk Committee chairperson has approved them.
    • The agenda and supporting papers are available to directors upon request to the Audit and Risk Committee secretary, except if there is a conflict of interest.
  2. Reporting to the Board

The Audit and Risk Committee chairperson must report the Audit and Risk Committee’s findings to the Board after each Audit and Risk Committee meeting.

  1. Access to information and independent advice
    • The Audit and Risk Committee may seek any information it considers necessary to fulfil its responsibilities.
    • The Audit and Risk Committee has access to:
      • management to seek explanations and information from management; and
      • internal and external auditors to seek explanations and information from them, without management being present.
    • The Audit and Risk Committee may seek professional advice from employees of the Group and from appropriate independent external advisers where it considers it necessary or appropriate, at the Company’s cost. The Audit and Risk Committee may meet with these employees or external advisers without management being present.
  2. Role of management
    • Management is responsible for designing and implementing risk management and internal compliance and control systems which identify the material risks facing the Group. These compliance and control systems are designed to provide advanced warning of material risks before they eventuate.
    • Management must regularly monitor and evaluate the effectiveness of these processes and risk plans and the performance of employees implementing them, including through the procedures listed in Appendix A. In addition, management must promote and monitor the culture of risk management within the Group and compliance with internal risk systems and processes by employees.
    • All employees are responsible for implementing, managing and monitoring these processes and risk plans with respect to material business risks, as appropriate.
    • Management must report at each Board meeting on risk management to the directors and Audit and Risk Committee. The reporting must identify the Group’s material risks and the extent to which:
      • the Company’s ongoing risk management program effectively identifies all areas of potential risk, including with respect to licensing and regulatory issues;
      • adequate policies and procedures have been designed and implemented to manage identified risks;
      • a regular program of audits is undertaken to test the adequacy of and compliance with prescribed policies; and
      • proper remedial action is undertaken to redress areas of weakness.
  1. Identified risks

There are a number of risks that are inherent to the business activities that the Group undertakes.  These risks may change over time as the external environment changes and as the Group expands its operations, particularly into overseas markets.  The risk management process requires the regular review of the Group’s existing risks and the identification of new and emerging risks facing the Group, including financial and non-financial matters.  It also requires the management, including mitigation where appropriate, of these risks.

  1. Review of risk management
    • The division of responsibility between the directors, the Audit and Risk Committee and management aims to ensure that specific responsibilities for risk management are clearly communicated and understood by all.
    • The reporting obligations of management ensure that the directors and the Audit and Risk Committee are regularly informed of material risk management issues and actions. This is supplemented by the Audit and Risk Committee’s responsibilities as set out in this charter.
    • When reviewing risk management reports, the directors may request a separate written statement from the Managing Director and the Chief Financial Officer confirming that the Company’s risk management and internal control systems have been operating effectively in relation to all material business risks for the relevant accounting period and that nothing has occurred since the period end that would materially change this position.
  2. Review and changes to this charter
    • The Audit and Risk Committee will review this charter periodically to ensure that it is operating effectively and whether any changes are required.
    • The Board may change this charter from time to time by resolution.
  3. Approved and adopted

This charter was approved by the Board on 2025.

Appendix A

The following are intended to form part of the normal procedures for management’s risk and compliance responsibilities:

  • Evaluating the adequacy and effectiveness of management reporting and control systems used to monitor adherence to policies and guidelines and limits approved by the Board for the management of balance sheet risks.
  • Evaluating the adequacy and effectiveness of the Group’s financial and operational risk management control systems by reviewing risk registers and reports from management and external auditors.
  • Evaluating the structure and adequacy of the Group’s business continuity plans.
  • Evaluating the structure and adequacy of the Group’s own insurance program, having regard to the Group’s business and the insurable risks associated with its business.
  • Reviewing and making recommendations on the strategic direction, objectives and effectiveness of the Group’s financial and operational risk management policies.
  • Overseeing the establishment and maintenance of processes to ensure that there is:
    • an adequate system of internal control, management of business risks and safeguard of assets; and
    • a review of internal control systems and the operational effectiveness of the policies and procedures related to risk and control.
  • Evaluating the Group’s exposure to fraud and overseeing investigations of allegations of fraud or malfeasance.
  • Disclosing whether the Group has any material exposure to economic, environmental and social sustainability risks and, if it does, how it manages or intends to manage those risks.
  • Reviewing the Group’s main corporate governance practices for completeness and accuracy.
  • Reviewing the procedures that the Company has in place to ensure compliance with laws and regulations (particularly those which have a major potential impact on the Company in areas such as trade practices and consumer laws, industrial relations, occupational health and safety, and the environment).
  • Reviewing the procedures in place to ensure compliance with insider trading laws, continuous disclosure requirements and other best practice corporate governance processes (including requirements under the ASX Listing Rules, Corporations Act and Australian Accounting Standards Board requirements).
  • Advising the Board on the appropriateness of significant policies and procedures relating to financial processes and disclosures and reviewing the effectiveness of the Company’s internal control framework.
  • Reviewing the Company’s policies and culture with respect to the establishment and observance of appropriate ethical standards.
  • Reviewing and discussing with management and the internal and external auditors the overall adequacy and effectiveness of the Company’s legal, regulatory and ethical compliance programs.