AXWAY_REGISTRATION_DOCUMENT_2017

CONSOLIDATED FINANCIAL STATEMENTS AXWAY GROUP AND ITS BUSINESS ACTIVITIES Report of the Board of Directors on corporate governance and internal control CORPORATE GOVERNANCE CORPORATE RESPONSIBILITY

2017 ANNUAL FINANCIAL STATEMENTS

CAPITAL AND AXWAY SOFTWARE STOCK

INFORMATIONS ADMINISTRATIVES ETbJURIDIQUES

COMBINED GENERAL MEETING OFb6bJUNEb2018

External procedures The internal control system is also monitored externally by the Statutory Auditors and certifying agencies. Statutory Auditors The Statutory Auditors assess and test the internal control and procedures in place. The Statutory Auditors are called upon by the Company throughout the year. Their actions are not limited to the accounting department. To gain better understanding of the operations and the transactions in the financial statements, the Statutory Auditors hold regular meetings with Operational Managers, who are in the best position to explain Axway’s business activities. Certifications In terms of security, Axway remains compliant with HIPAA regulations, published by the Department of Health and Human Services (HHS), which defines the security rules for the electronic management of health insurance in the United States. Each year, Axway has an independent audit, performed by a third party, of its cloud services in the United States, France and Germany. The resulting SSAE16/ISAE3204/SOC1 Type II report states how Axway has implemented its main controls and objectives with regard to compliance with these standards. This standard aims to reassure users of these outsourced services in terms of the reliability of the internal security and control system used to monitor services performed on their behalf. Axway will also implement an SOC2 Type II audit for 2018. Axway also renewed its ISO/IEC 27001:2013 certification for 2018-2021 at the end of an annual audit program conducted by the certifying body Dekra. In addition to its certification processes, the Company has updated its Axway Cloud Security Statement intended for its clients. This guide aims to provide brief responses to questions raised concerning the cloud, in particular, by clients. Client audits The system is regularly reviewed during client audits. These are becoming increasingly frequent, particularly due to the strict regulations in the health and finance sectors. The efforts undertaken to ensure we keep up with the state of the art and meet these demands are regularly recognized by our clients; any comments made or watch-points identified are used to improve the system.

Evaluation, improvement process and measures to control the main risks Internal and external evaluations of the internal control system and its procedures make it possible to identify areas of improvement and give rise to the set-up of action plans aimed at reinforcing internal control. Through internal audits, internal control is continuously evaluated for entities and business segments and lead to the implementation of corrective actions whenever necessary. The implementation of these action plans is continuously monitored to ensure the risks identified are dealt with. No major failure of the internal control system had been identified to date. Several measures have been set up to improve the internal control system. External certification will be obtained for some of these measures in order to confirm their conformity with best practices. The continuous improvement program headed by the PRS team, which includes a project to improve the consistency of the Quality Management System (QMS), continued and led to the renewal of the ISOǾ9001:2008 certification for Global Customer Services operations in France during 2017. The renewal inǾ2018 will be completed based on its revision ISOǾ9001:2015. InǾ2017, the Company continued to implement its comprehensive program for information security management (Information Security Management System), pursuant to the requirements of ISO/CEI 27001-27002 and 27005, covering internal systems as well as the security aspects built into Axway products. In addition, there is a team dedicated to the customer experience. A customer satisfaction survey system for clients and partners has been implemented. Campaigns have been carried out, allowing us to measure customer satisfaction and customers’ perception of the quality of our products and services, with the aim of constantly improving our offering. Moreover, on closing each case handled by the Support Service, customers are questioned about the quality of the services (transactional study). Finally, the Customer engagement team collects feedback from the user groups. In addition to the internal control and risk management system described in the previous paragraphs, details of the measures used to minimize risks are given in ChapterǾ1 SectionǾ13 (“Risk factors”).

100

AXWAY - 2017 REGISTRATION DOCUMENT

www.axway.com