Société Générale / Risk Report - Pillar III

4 INTERNAL CONTROL FRAMEWORK CONTROL OF THE PRODUCTION AND PUBLICATION OF FINANCIAL MANAGEMENT INFORMATION

IGAD has six distinct audit departments aligned with the Group organisation. The Audit departments, placed under the supervision of a head of internal Audit, each have the responsibility for a scope of activity. A matrix organisation allows coverage of the main cross-business issues at the Group level. In France, the internal Audit teams are hierarchically linked to the Inspection unit. Abroad, the internal Audit teams have a strong functional link (supervision over hiring, audit plans, missions and their follow-up) with IGAD top management. The six Audit departments are: French Retail Banking Audit handles the audit of Retail Banking p activities in France (BDDF Business Unit), the audit of the Boursorama and GTPS Business Units as well as the audit of the Group’s activities in French Overseas territories; Crédit du Nord inspection is in charge of the internal audit of Crédit p du Nord and its subsidiaries (CDN Business Unit); Audit for Europe, Russia, Africa - International Retail Banking and p Financial Services is responsible for auditing the EURO, AFMO, RUSS, ALDA, SGEF and ASSU Business Units; Global Banking and Investor Solutions Audit is responsible, on a p worldwide basis, for auditing the MARK, GLBA, SGSS, WAAM, AMER

and ASIA Business Units and the GBSU Service Unit. This department also audits the Group’s Shared Service Centres (SG EBS and SG GSC); Group Information Systems Audit is responsible for auditing all IT p functions within the RESG, GBSU Service Units and for auditing the ITM Service Unit. The IT audit teams are organised as a global function with strong expertise on IT security and the ability to interact with all teams within IGAD; Group functions audit is responsible for auditing the RISQ, DFIN, p CPLE, SEGL and HRCOI/COMM Service Units, as well as the Purchasing (ACHA) and Real estate (IMM) functions of the RESG Service Unit. The department also comprises a team in charge of the Model Risk management audit teams, which interacts with other Audit and Inspection teams, and a team dedicated to the audit of risks related to Sanctions and Embargos, created in 2019. Besides being responsible for the internal audit of the divisions falling within their scope, these teams also provide expertise and coordination in support of the work performed by other audit teams in the areas applicable to them, notably on issues related to Risk, Compliance and Finance.

CONTROL OF THE PRODUCTION AND 4.2 PUBLICATION OF FINANCIAL MANAGEMENT INFORMATION

The players involved There are many participants in the production of financial data: the Board of Directors, and more specifically its Audit and Internal p Control Committee, has the task of examining the draft financial statements which are to be submitted to the Board, as well as verifying the conditions under which they were prepared and ensuring not only the relevance but also the consistency of the accounting principles and methods applied. There has been a strengthening of the Audit and Internal Control Committee’s role in the follow-up of the process of elaboration of the financial information in accordance with the audit reform. It also approves the Group’s financial communication. The Statutory Auditors meet with the Audit and Internal Control Committee during the course of their assignment; the Group Finance Division gathers all accounting and p management data compiled by the subsidiaries and the Business Units/Services Units in a series of standardised reports. It consolidates and verifies this information so that it can be used in the overall management of the Group and disclosed to third parties (supervisory bodies, investors, etc.). The Group Finance Division also has a team in charge of the preparation of the Group regulatory reports. Units/Services Units carry out certification of the accounting data and entries booked by the back offices and of the management data submitted by the front offices. They are accountable for the financial statements and regulatory information required at the local level and submit reports (accounting data, finance control, regulatory reports, etc.) to the Group Finance Division. They can perform these activities on their own or else delegate their tasks to Shared Service The Finance Divisions of subsidiaries and Business p

Centres operating in finance and placed under Group Finance Division governance; The Risk Division consolidates the risk monitoring data from the p Group’s Business Units/Services Units and subsidiaries in order to control credit, market and operational risks. This information is used in Group communications to the Group’s governing bodies and to third parties. Furthermore, it ensures in collaboration with the Group Finance Division, its expert role on the dimensions of credit risk, structural liquidity risks, rates, exchange rates, on the issues of recovery and resolution and the responsibility of certain closing processes, notably the production of solvency ratios; The back offices are responsible for all support functions to front p offices and ensure contractual settlements and deliveries. Among other responsibilities, they check that financial transactions are economically justified, book transactions and manage means of payment. Beyond consolidating accounting and financial information as described above, the Group Finance Division is charged with significant control responsibilities: monitoring the financial aspects of the Group’s capital transactions p and its financial structure; managing its assets and liabilities, and consequently defining, p managing and controlling the Group’s financial position and structural risks; ensuring that the regulatory financial ratios are respected; p defining accounting standards, standards, frameworks, principles p and procedures for the Group, and ensuring that they are observed; verifying the accuracy of all financial and accounting data published p by the Group.

31

| SOCIETE GENERALE GROUP | PILLAR 3 - 2020