Euronext - 2020 Universal Registration Document

Risk Management & Control Structure

Control Structure

2.3.2

INTERNAL AUDIT – THIRD LINE OF DEFENSE

2.3.1.4 Chief Risk and Compliance Officer The Chief Risk and Compliance Officer is appointed by the Managing Board, reports to the Chief Executive Officer and has a line of communication to the Audit Committee of the Supervisory Board. This reporting structure provides the necessary independence of the Compliance department activities. Compliance Officers are located in countries where Euronext conducts its activities and are supported as necessary by local legal staff in order to benefit from the local expertise and knowledge of the local business and environment.

As a third line of defense, Internal Audit has no operational responsibilities over the entities/processes it reviews. The objectivity and organisational independence of the internal audit function is achieved through the Head of Internal Audit not performing operational management functions and reporting directly to the Chairman of the Audit Committee. He also has a dotted reporting line to the CEO. Validated by the Audit Committee at least annually, the internal audit plan is developed based on prioritization of the audit universe using a risk-based methodology, including input of senior management. For each audit, a formal report is issued and circulated. This includes recommendations for corrective actions with an implementation plan and the comments of the auditees. Implementation of accepted corrective actions is systematically followed up, documented and reported to the Audit Committee.

2

61

2020 UNIVERSAL REGISTRATION DOCUMENT