2021 Universal Registration Document

2 RISK FACTORS AND INTERNAL CONTROL Internal control and risk management

3.4. Participants in internal control and risk management

Everyone in the Group has a part to play in risk management and internal control, from the governance bodies and senior management to the employees of each Group company.

[Figure: participants in internal control and risk management. Labels: Board of Directors, Audit Committee; Executive Management; External Audit; 1st line of control: Operational Management (all entities, all geographies, all business activities); 2nd line of control: Functional Departments, Internal Control Department; 3rd line of control; Internal Audit Department.]

EXECUTIVE MANAGEMENT

The internal control and risk management system is approved and overseen by Executive Management, thus at the Group’s highest level. As the top level of authority and responsibility for the internal control and risk management system, it monitors the system’s continuing effectiveness and takes any action required to remedy identified shortcomings and remain within acceptable risk tolerance thresholds. Executive Management ensures that all appropriate information is communicated in a timely manner to the Board of Directors and to the Audit Committee.

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

The Group’s Audit Committee examines the main features of the internal control and risk management procedures selected and implemented by Executive Management to manage risks, including the organisation, roles and functions of the key actors, the approach, structure for reporting risks and monitoring the effectiveness of control systems. It has access to the elements necessary to reach an overall understanding of the procedures relating to the preparation and processing of accounting and financial information (presented in the following chapter).

Each year, the Audit Committee reviews the results of the Group’s risk mapping exercise and holds regular meetings with the Internal Control Department to monitor the implementation and adaptation of the Group’s rules and the internal control process.

The Audit Committee also monitors the activity of the Internal Audit Department through the following actions:
• approval of the annual internal audit plan;
• meeting with its Director once a year in the presence of the Statutory Auditors, but without the presence of management;
• biannual review of the results of internal audit assignments and follow-up on the implementation of action plans resulting from recommendations.

Three lines of control

In accordance with the AMF reference framework, the internal control and risk management system put in place by the Sopra Steria Group is structured around three lines of control, as presented below:

First line of control: Front-line staff and operational management

The first line of control for the internal control and risk management system consists of:
• operational management, tasked with implementing the system defined at Group level for the area under its responsibility. This line of control makes sure that the internal control rules and procedures are effectively implemented, fully understood and consistently applied within its scope of operations,
• the Group’s employees, who take due note of and apply all of the rules set out within the organisation;

Second line of control: Risk management and internal control

The aim of the second line of control is to monitor the internal control and risk management system on an ongoing and continuous basis to verify its effectiveness and coherence as well as the proper application of its rules and procedures.

• Internal Control Department and Compliance Officers at the entities

The internal control and risk management system is steered and coordinated by the Internal Control Department at Group level. As the coordinator of the system, and with regard to the risks that have been identified and assessed, the Internal Control Department defines and updates the system’s various components. In carrying out these duties, the Internal Control Department works closely with the Group’s functional and operational departments. The Group Internal Control Department consists of a team of four people.

The Group also has a network of Compliance Officers, appointed in each of the Group’s entities and across all its geographical operations. In 2021, there were 15 Compliance Officers. In the largest entities, they are assisted by a deputy. These Compliance Officers are responsible for adapting the guidelines and rules defined at Group level.
In particular, they are tasked with making sure that all components of the internal control and risk management system as well as those of the Group’s compliance programme are effectively implemented, fully understood and consistently applied. They are also responsible for raising alerts in the event of difficulties encountered in the implementation of any of these components for their scope. The Internal Control Department, supported by entity-level compliance officers, oversees monitoring of Group rules to ensure
