Saint-Gobain // Universal Registration Document 2021

Risks and control Internal control

Guidelines and procedures 2.5

Compagnie de Saint-Gobain has developed internal control and risk management procedures for its own needs and those of its subsidiaries.

Internal control guidelines 2.5.1 In 2021, the internal control reference framework library is as follows:

ICRF

MINI ICRF

ITAC

ICQRF

ACRF

ITACs 2.5.1.3 The Automated Control Reference Framework (ITAC) supplements the Group’s Internal Control Reference Framework (ICRF) and lists the controls that are wholly or partially automatable, the implementation of which is mandatory. The Group companies are responsible for the implementation of this reference framework in the business applications within their scope ( e.g. SAP) in order to guarantee the perpetuation of the control, limit its recurring costs and minimize the risk of human error or fraud. In the 2021 edition of the ITAC standard, which covers eight processes, there are 95 controls listed. They are divided into three categories: automated process, automated workflow approval and automated reporting (R). Two additional manuals were added to the Group’s Internal Control Reference Framework in 2020. ICQRF 2.5.1.4 The ICQRF (Internal Control Quality Reference Framework) manual deals with internal control applied to quality. ACRF 2.5.1.5 The ACRF (Anti-corruption Reference Framework) manual summarizes the internal controls related to the fight against corruption and influence peddling. All of the reference frameworks are available on the IABC (Internal Audit and Business Control) Intranet. Other tools are also available on the Intranet site to help entities implement the controls (tool box: typical procedures, flow diagrams, library of controls) and best practices. The best practices are compiled by: the Internal Audit Department – auditors gather best ■ practices during their audit missions; the Internal Control Department, using a system of ■ external monitoring (notably the Institut français de l’audit et du contrôle interne, IFACI);

There are three main manuals: ICRF : Internal Control Reference Framework, in its ■ standard format, applicable to companies with annual sales in excess of €20 million and the support units (Finance, HR/Payroll and SGTS Shared Services Centers, IT Expertise Centers, R&D Centers); MINI ICRF : Internal Control Reference Framework ■ applicable to companies with annual sales of less than €20 million; ITAC : Internal Control Reference Framework applicable ■ to all of the Group’s business applications and ERP. ICRF 2.5.1.1 Section 1 of the Internal Control Reference Framework highlights the role of each person in the perpetuation of the internal control and risk management system within the context of Transform & Grow. Section 2 of the Internal Control Reference Framework presents the Group’s risk universe. Each ICRF control is referenced against the relevant risk sub-categories. Each process contains a control/risk matrix used to refer specifically to risk types by control and contributing to understanding the control system. Section 3 of the Internal Control Reference Framework presents the list of mandatory controls to be implemented by all Group subsidiaries (250 controls in the 2021 version). The Mini ICRF 2.5.1.2 This framework has the same structure as the standard ICRF with 17 chapters. It sets out 100 controls, which have been carefully selected and developed for small entities. The Mini ICRF also presents a practical tool for the consolidation of newly acquired companies.

6

SAINT-GOBAIN UNIVERSAL REGISTRATION DOCUMENT 2021 247