Euronext // 2021 Universal Registration Document

Risk management & Control Structure

Control Framework

2.3.3

INTERNAL AUDIT – THIRD LINE OF DEFENCE

Validated by the Audit Committee at least annually, the internal audit plan is developed based on prioritisation of the audit universe using a risk-based methodology, including input of senior management. For each audit, a formal report is issued and circulated. This includes recommendations for corrective actions with an implementation plan and the comments of the auditees. Implementation of accepted corrective actions is systematically followed up, documented and reported to the Audit Committee.

As a third line of defence, Internal Audit has no operational responsibilities over the entities/processes it reviews. The objectivity and organisational independence of the internal audit function is achieved through the Head of Internal Audit not performing operational management functions and reporting directly to the Chairman of the Audit Committee. She also has a dotted reporting line to the CEO.

2

69

2021 UNIVERSAL REGISTRATION DOCUMENT