EDF / 2018 Reference document

RISK FACTORS AND CONTROL FRAMEWORK: Control of Group risks and activities

2.2.1.4.6 The Group Information Systems Department

Among its various missions, the Group Information Systems Department (GISD) oversees the implementation of the policies on Information Systems Governance and Digital Transformation, Group Information Systems Security and Data Management, and is in charge of leading internal control and hedging of associated risks (see section 2.2.2.2.4 "Security of Information Systems (IS)"). The Group Information Systems Department also co-organises, with the Legal Department, the Group instruction on the protection of personal data. The entities are liable for the application of this instruction pursuant to the application of the Ethics and Compliance policy of the Group.

2.2.1.4.7 The Security and Economic Intelligence Department

The organisation of security within the EDF group aims to ensure compliance with the requirements defined in the Security of Assets against Malicious Acts Group policy. The Security and Economic Intelligence Department has the task of organising the management, coordination and control of this policy, and in particular of preparing and providing to the entities the explanatory notes, practical guides and methodologies for applying the requirements of the policy.

2.2.1.5 The 3rd line of control, the Group's audit unit

The Group's audit unit is composed of all of the audit resources of the Group exercising an internal audit activity. Pursuant to a decision of the Chairman and CEO, this function is supervised by the Group Audit Director. The Group audit unit includes the Audit Department ("DAi", reporting to the General Secretary) and audit teams specific to each of the main French and foreign subsidiaries. Relations between the Audit Department and the various audit teams, and their respective powers, take into account whether the teams belong to EDF or to subsidiaries that are operators of regulated infrastructure, for which the relationships are adapted to ensure compliance with the principle of management independence.

The Audit Department carries out functional supervision of the business line (co-appointment and peer assessment of Audit Directors of the subsidiaries by the Audit Department, excluding RTE and Enedis; exchanging best practices; training; sharing tools and methods, etc.). At the end of 2018, the Group audit unit consisted of 55 FTE (1).

Operating standards for EDF and controlled subsidiaries

The DAi applies the international standards defined by the Institute of Internal Auditors, promotes them and monitors compliance with them. The missions, powers and responsibilities of the auditors, as well as the rights and duties of the audited parties, are set out in a charter which was updated in May 2016. This charter, signed by the Chairman and CEO, reiterates the independent nature of the audit function and specifies the missions and commitments of the internal audit function and the duties and rights of the auditors and audited parties. It includes a code of ethics applicable to the Group audit unit as a whole. This code is intended to promote a culture of ethics and serves to reiterate that the auditor must comply with and apply certain basic principles relevant to the profession and the conduct of internal audits.

The Chief Audit Executive has direct access to the Chairman and Chief Executive Officer and reports on the audit work to the Audit Committee, providing it with useful information on the adequacy of the workforce to carry out the duties to be performed. All of the auditors are trained in the same methodology, compliant with international standards. They are recruited from the various businesses of the Group as well as from external audit firms. The auditors are evaluated at the end of each mission.

The key processes relevant to the proper functioning of the Audit Department over the entire chain of its activities (from the drafting of the audit programme up to monitoring of the implementation of recommendations) are set out and coordinated. The audit unit regularly submits voluntarily to evaluation by IFACI (2). The last evaluation, in 2018, stated, as previously, that the audit practices were compliant with the international standards of the profession.

Functioning procedures

The Group's audit unit carries out comprehensive audits of EDF entities and controlled subsidiaries. These audits include the examination of the robustness of their internal control and are carried out every three to five years according to their extent. The Audit Department carries out cross-functional corporate audits, while the Audit Departments of the subsidiaries perform audits within their scope of responsibility. The Audit Department is the sole entity empowered to carry out audits of subsidiaries for corporate-level risks.

The audit programme is reviewed by the Chairman and CEO, the Risk Committee, and thereafter by the Board of Directors. It is drawn up to reflect:
■ the need to audit the main Group entities at intervals suited to their importance, in order to assess in particular that their internal control is correctly implemented;
■ the main accounting and financial processes and "Group Head" processes (HR, IS);
■ major projects;
■ risks of the Group's risk mapping which were not addressed by the aforementioned audits, at intervals suited to the critical nature of the risk;
■ monitoring of Executive Management decisions.

Digital tools have been developed to support the auditors in exploiting bulk data and targeting discrepancies.

All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties and are sent to the Audit Department. In the next 12 to 18 months, the Audit Department will ensure the application of these corrective actions or any other action decided by management in order to put a halt to any irregularities detected.

A half-yearly summary report is prepared. It summarises the significant events of the audits carried out by the unit, the main findings of the corporate audit and the corresponding recommendations. The half-yearly report presents the assessment of the audit programme, the satisfaction of the audited parties, as well as HR and budget reports. Furthermore, it identifies any recurring or generic problems observed in several audits which merit special attention on the part of Management. It provides an audit-based vision of the level of control of the Group's risks. This report is presented to the Chairman and Chief Executive Officer, the Risk Committee and thereafter to the Audit Committee and the Board of Directors.

2.2.1.6 External control

Like all listed companies, the EDF group is subject to review by the AMF (French Financial Markets Authority). As a company majority owned by the French State, EDF is also subject to control by the Cour des Comptes (French Court of Auditors), State Controllers, the Inspectorate of Finance, Economic Affairs Committees or ad hoc Committees of inquiry of the French National Assembly and Senate. According to law, the Statutory Auditors certify the annual financial statements (parent company and consolidated financial statements) and perform a limited review of the Group's half-yearly condensed consolidated financial statements. Their report includes the verifications on the information on corporate governance required by articles L. 225-237-3 et seq. of the French Commercial Code. In the light of its activity, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).

(1) Full-Time Equivalent.
(2) Institut français de l'Audit et du Contrôle Interne (French Institute of Audit and Internal Control).
