Sopra Steria - 2019 Universal registration document

2 RISK FACTORS AND INTERNAL CONTROL Internal control and risk management

On the production front, Sopra Steria’s Quality System defines all the production, management and quality assurance processes required to successfully manage projects. The primary goal is to contribute effectively to the delivery of high quality IT systems that meet clients’ needs in line with time and budget constraints. This methodology defines project management practices and processes suited to various environments and at different levels of management and supervision, as well as software engineering practices and processes. The basic principles of the Quality System are described in a Quality Manual supplemented by procedural guides and operating manuals. UK, Scandinavia and CIMPA apply mechanisms that are similar but rely on specific methods geared to the primary characteristics of their activities.

In order to further strengthen these aspects, the Group developed and released its Delivery Rule Book in 2019 (a set of 21 mandatory rules covering all phases, from pre-sales to the end of production for services). The rollout of this Delivery Rule Book is under way at all Group entities. Information security risks and IT/communications infrastructure risks are subject to the specific oversight of the Chief Information Security Officer (CISO) function.

The Group’s rules and procedures are regularly updated and supplemented to best reflect the Group’s organisation and manage the identified risks.

3.4. Participants in internal control and risk management

Everyone in the Group has a part to play in risk management and internal control, from the governance bodies and senior management to the employees of each Group company.

[Figure: Internal control and risk management system stakeholders. Labels shown: Board of Directors / Audit Committee; Executive Management; 1st, 2nd and 3rd lines of control; Operational Management; Internal Control; Internal Audit; External Audit; Departments (Finance, Industrial, Human Resources, Legal, Sustainable Development and Corporate Responsibility); scope: all entities, all geographies, all activities.]

EXECUTIVE MANAGEMENT

The internal control and risk management system is approved and overseen by Executive Management, thus at the Group’s highest level. As the top level of authority and responsibility for the internal control and risk management system, it monitors the system’s continuing effectiveness and takes any action required to remedy identified shortcomings and remain within acceptable risk tolerance thresholds. Executive Management ensures that all appropriate information is communicated in a timely manner to the Board of Directors and to the Audit Committee.

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

The Group’s Audit Committee examines the main features of the internal control and risk management procedures selected and implemented by Executive Management to manage risks, including the organisation, roles and functions of the key actors, the approach, structure for reporting risks and monitoring the effectiveness of control systems. It has access to the elements necessary to reach an overall understanding of the procedures relating to the preparation and processing of accounting and financial information (presented in the following chapter). Each year, the Audit Committee reviews the results of the Group’s risk mapping exercise and holds regular meetings with the Internal Control Department to monitor the implementation and adaptation of the Group’s rules and the internal control process.
