Sopra Steria - 2018 Registration document

DETAILED PRESENTATION OF SOPRA STERIA Risk factors and internal control

8.3.4. PARTICIPANTS IN INTERNAL CONTROL AND RISK MANAGEMENT

Everyone in the Group has a part to play in risk management and internal control, from the governance bodies and senior management to the employees of each Group company.

[Figure: PARTICIPANTS IN THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM. Elements shown: Board of Directors / Audit Committee; Executive Management; 1st line of control: Operational Management (all entities, all geographies, all activities); 2nd line of control: Departments (Finance, Industrial, Human Resources, Legal, Sustainable Development and Corporate Responsibility); 3rd line of control: Internal Audit; External Audit; Internal Control and Risk Management Department.]

Executive Management

The internal control and risk management system is approved and overseen by Executive Management, thus at the Group’s highest level. As the top level of authority and responsibility for the internal control and risk management system, it monitors the system’s continuing effectiveness and takes any action required to remedy shortcomings identified and remain within acceptable risk tolerance thresholds. Executive Management ensures that all appropriate information is communicated in a timely manner to the Board of Directors and to the Audit Committee.

Audit Committee of the Board of Directors

The Group’s Audit Committee examines the main features of the internal control and risk management procedures selected and implemented by Executive Management to manage risks, including the organisation, roles and functions of the key actors, the approach, structure for reporting risks and monitoring the effectiveness of control systems. It has access to the elements necessary to reach an overall understanding of the procedures relating to the preparation and processing of accounting and financial information (presented in the following chapter).

Each year, the Audit Committee reviews the results of the Group’s risk mapping exercise and holds regular meetings with the Internal Control and Risk Management Department to monitor the implementation and adaptation of the Group’s rules and the internal control process.

The Audit Committee also monitors the activity of the Internal Audit Department through the following actions:

• meeting with its Director once a year in the presence of the Statutory Auditors, but without the presence of management;
• biannual review of the results of internal audit assignments and follow-up on the implementation of action plans resulting from recommendations;
• approval of the annual internal audit plan.

Three lines of control

In accordance with the AMF reference framework, the internal control and risk management system put in place by the Sopra Steria Group is structured around three lines of control, as presented below.

First line of control: Front-line staff and operational management

The first line of control for the internal control and risk management system consists of:

• operational management, tasked with implementing the system defined at Group level for the area under its responsibility. This line of control makes sure that the internal control rules and procedures are effectively implemented, fully understood and consistently applied within its scope of operations.
• the Group’s employees, who take due note of and apply all of the rules set out within the organisation.

Second line of control: Risk management and compliance functions

The aim of the second line of control is to monitor the internal control and risk management system on an ongoing and continuous basis to verify its effectiveness and coherence as well as the proper application of its rules and procedures.

• Internal Control and Risk Management Department and Compliance Officers at the entities

The internal control and risk management system is steered and coordinated by the Internal Control and Risk Management Department at Group level. As the coordinator of the system, and with regard to the risks that have been identified and assessed, the Internal Control and Risk Management Department defines and updates the system’s various components. In carrying out these duties, the Internal Control and Risk Management Department works closely with the Group’s functional and operational departments.
