Intesa Sanpaolo

Audit Report / Information • Mar 27, 2023

Report of the Management Control Committee to the Shareholders' Meeting on the supervisory activities performed in 2022

pursuant to Article 153, paragraph 1, of Legislative Decree 58 of 24 February 1998, and Article 23.1, letter j), of the Articles of Association

Distinguished Shareholders,

It is worth mentioning that the one-tier governance model adopted by Intesa Sanpaolo S.p.A. ("Bank" or "Parent Company") consists of a Board of Directors ("Board") with steering and strategic supervision duties, management duties as well as control duties performed by the Management Control Committee ("Committee" or "Control Body") appointed by the Shareholders' Meeting as part of the Board itself. The Committee currently in office was appointed by the Shareholders' Meeting on 29 April 2022.

The Committee plays a proactive role, within its own areas of responsibility, towards the Corporate Control Functions and engages in constructive dialogue with the Management of the Bank and the Intesa Sanpaolo Group ("Group"), including on the basis of information received during board meetings and deemed worthy of further in-depth analysis. The activities carried out also take account of the indications provided by the Chair of the Committee during the periodic meetings held with the dedicated Secretariat, aimed at a mutual exchange of information deemed worthy of attention and the subsequent planning of the work of the Committee itself.

The Committee, in the fulfilment of its duties and in the interest of the best performance thereof, exchanges information of reciprocal interest and coordinates the performance of their respective duties with the Risks and Sustainability Committee, established within the Board, and with the Surveillance Body pursuant to Legislative Decree 231/2001. A Committee member usually attends meetings of the Risks and Sustainability Committee, subsequently reporting to the Control Body.

Pursuant to Article 153, paragraph 1, of Legislative Decree 58/1998, ("Consolidated Law on Finance"), the Committee is required to report to the Shareholders' Meeting, called to approve the financial statements for the period, on its supervisory activities and on any omissions or reprehensible facts recorded. This requirement is also stated in Article 23.1, letter j), of the Bank's Articles of Association. The Report was prepared taking into account the Consob recommendations on the matter and, in particular, Communication 1025564 of 6 April 2001 and subsequent updates, expressly referred to in the text.

During 2022, the following meetings were held:

• − 25 meetings of the Board of Directors;
• − 45 meetings of the Management Control Committee.

During 2022, in accordance with the provisions of the Committee's Regulations and also in light of the Covid-19 pandemic, Committee members also participated in the meetings remotely. This has not impacted the activities of the Committee, thanks to the IT processes and tools prepared by the Group.

1. SUPERVISION OF COMPLIANCE WITH THE LAW AND THE MEMORANDUM OF ASSOCIATION

Regulatory developments

Following the changes in the Supervisory Provisions and more generally to external regulations, the Committee examined, within its own remit, the proposals to update the following internal sets of regulations:

• − Guidelines for combating money laundering and terrorist financing and for managing embargoes;
• − Group Anti-Corruption Guidelines, as part of the "Progetto Immobili che si muovono per il bene" (Real Estate Moving for the Good Project) aimed at enhancing, for social purposes, some of the Bank's real estate assets that are no longer used and/or difficult to market;
• − Volcker Rule Governance Guidelines;
• − Guidelines for the valuation of Balance Sheet Items;
• − Group Compliance Guidelines;
• − Administrative Financial Governance Guidelines;
• − Compliance Rulebook;

− Group Accounting Policies;

• − Rules on the measurement of Expected Credit Loss pursuant to standard IFRS 9 (Impairment Policy);
• − Harmonized Prudential Supervision Rules;
• − Implementation rules for the administrative financial governance.

The Committee, also as part of the planned initiatives for the transposition of sustainability profiles, reviewed the proposals to update the following internal sets of regulations referable to investment services:

• − Guidelines for the approval of new products, services and activities aimed at specific target customers;
• − Execution and transmission of orders Strategy;
• − Rules for the provision of the advisory services and other investments services;
• − Rules on products sold off premises and using distance communication techniques;
• − Rules for the distribution of interest rate, exchange rate, commodity, equity, credit and index OTC derivatives of IMI Division Corporate & Investment Banking.

The Committee also examined the proposed new adoption of the following internal sets of regulations:

• − Guidelines on the Governance of Regulatory Reporting Non Financial Reporting Financial and Money Markets Area;
• − Rules regarding reporting requirements for securities financing transactions and their reuse (Securities Financing Transaction Regulation);
• − Rules on initial recognition and subsequent software management;
• − Rules governing reporting obligations to the US authorities.

On the occasion of the aforementioned renewal of the Bodies, the Committee expressed its opinion, as required by the Italian Civil Code and its own Regulations, on the additional remuneration provided for management body members to whom the Board of Directors has assigned special offices.

Lastly, the Committee examined Intesa Sanpaolo's Descriptive Document referring to 2021 - indicating the safeguards adopted by the Bank regarding the methods of deposit and sub-deposit of financial instruments and money pertaining to customers, in compliance with the regulatory provisions of the Consolidated Law on Finance - also receiving the final certification issued by EY S.p.A. ("EY") pursuant to the ISAE 3000 Revised certification standard.

Relations with Supervisory Authorities

The Committee is promptly informed, also with the support of its dedicated Secretariat, of the main communications addressed to the Bank by the Italian and European Supervisory Authorities relating to the matters within its remit, with particular regard to the control system.

With regard to relations with the European Central Bank ("ECB"), the Committee received, amongst other things, regular updates on the preparation and development of the Supervisory Plans following the On-site Inspections, Thematic Reviews and Deep Dives by the Authority itself.

The Committee also received the required information and the consequent updates, within its own remit, with reference to the relations maintained by the Bank with the other Supervisory Authorities, both Italian - Bank of Italy, the Italian Antitrust Authority ("AGCM") and Consob – and from other EU and non-EU countries.

Self-assessment and verification of requirements

With reference to the composition of the 2022-2024 Board of Directors, the Committee checked the compliance of the lists submitted by the shareholders from a formal point of view, with the provisions of the law and the Articles of Association, and the absence of any connection between them. The Committee subsequently checked, at the time of appointment, the existence of the requirements of professionalism, competence, integrity, reputation and fairness, qualified independence and independence of mind, as well as compliance with the limitation of directorships and the time commitment for its members, in accordance with the provisions of applicable regulations, the Articles of Association and its own Regulations.

As required by the internal rules, the Committee performed the usual annual self-assessment of its own composition and operation that was separate to the one carried out by the Board. As is common knowledge, this exercise was also aimed at assessing the correct and effective performance of the tasks entrusted to the Committee in its capacity as the Control Body of the Bank according to criteria and methods consistent with its own attributes.

Again in 2022, in line with the previous year and with the activities carried out by the Board, the Committee availed itself of the preliminary analysis performed by an independent external consultant.

The qualitative and quantitative results confirmed the Committee's adequacy and high level of overall compliance with the provisions of the Corporate Governance Code for listed companies ("Corporate

9) Opinions

Governance Code"), the guidelines of the European Banking Authority ("EBA"), the provisions of Bank of Italy Circular 285/2013 and with best practices. At the end of the process, on 24 February 2023, the Committee expressed an assessment of adequacy with regard to its own size, composition and operation. Moreover, in accordance with the requirements of the internal rules, which incorporate the guidelines issued by EBA and by the European Securities and Markets Authority ("ESMA") implementing the principles set out in the Directive 36/2013/EU ("CRD IV"), on 24 February 2023, the Committee assessed that each of its members meets the necessary requirements, including the absence of significant financial relationships with Group companies, as well as compliance with the limitation of directorships for the purpose of assessing their independence in line with the provisions of the Regulation adopted on this subject by the Board. As envisaged by the Corporate Governance Code, the members of the Committee ascertained the correct application of the assessment criteria and procedures adopted by the Board for evaluating the independence of its members.

Applications

With reference to a complaint pursuant to Article 2408 of the Italian Civil Code filed by a shareholder regarding a potential extraordinary transaction that is the subject of an alleged assignment for the benefit of an investee company, the Committee examined the facts represented, noting that they are devoid of any legal basis, in addition to not presenting any element of censure.

During 2022, no protests were received addressed by customers to the Control Body and related to the Bank's business.

2. SUPERVISION OF COMPLIANCE WITH THE PRINCIPLES OF CORRECT MANAGEMENT

The Committee has overseen compliance with the principles of correct management, holding regular meetings with the heads of the Corporate Control Functions, the Governance Areas and the Group Divisions as well as with the Manager responsible for preparing the Company's financial reports and the Independent Auditors, including in order to verify that management decisions are based on an adequate system of information flows to the Bodies and that the decision-making processes take into account the riskiness and effects of management decisions.

The Committee verified that the flows between the corporate departments and the Managing Director and CEO, as well as between them and the Board, are continuous. Information exchange between the Committee and the Managing Director and CEO is enhanced by regular meetings, mostly focused on the Bank's and the Group's performance, the functionality and effectiveness of the internal control and risk management system as well as on the recommendations made by the Committee in this regard in its own quarterly reports to the Board.

The Committee supervised the observance of the obligations envisaged for most significant transactions in terms of economic, financial and capital importance carried out by the Bank or the subsidiaries, confirming that they were performed according to law and the Articles of Association, and that they were not manifestly imprudent, hazardous, in conflict of interest, in contrast with resolutions taken by the Shareholders' Meeting, or likely to compromise the integrity of the shareholders' equity. The reports pursuant to Article 150, paragraphs 1 and 2 of the Consolidated Law on Finance were provided both as part of the information on the preparation of the financial statements given by the Manager responsible for preparing the Company's financial reports and at the regular meetings with the Managing Director and CEO.

The Committee received periodic information in accordance with the internal regulations on governance of the Most Significant Transactions, i.e. transactions that involve a potential significant change in the overall risk profile defined in the Risk Appetite Framework ("RAF").

Pursuant to the Group Procedures regulating the conduct of Transactions with Related Parties of Intesa Sanpaolo, Associated Entities of the Group and Relevant parties pursuant to Art. 136 of the Consolidated Law on Banking ("RPT Procedures"), the Committee received the quarterly report on transactions with related parties and associated entities, including an assessment of the relevance of the financial reports for the purposes of the Directors' independence requirement. On such occasions, the Committee also received the report on the interests declared by the Directors in performing certain transactions pursuant to Article 2391 of the Italian Civil Code.

Finally, the Committee oversaw the implementation and management of the Group's Code of Ethics, which self-regulates the integration of social and environmental considerations into business processes, practices and decisions.

Given the above, no atypical and/or unusual transactions were carried out - either with third parties, or related parties or intragroup - to be understood as transactions that could give rise to doubts concerning the fairness/completeness of the financial statements, conflicts of interest, the safeguarding of company assets,

11) Principles of correct manageme

nt

5) Complaints

6) Protests

1) Most significant transaction s

or the protection of minority shareholders. Likewise, no management irregularities nor performance anomalies emerged.

3) Adequacy of information Significant events and the main transactions with related parties of major significance (including intragroup ones) and the other significant transactions carried out in compliance with the RPT Procedures were adequately reported and illustrated in the reports on operations and the notes to the Intesa Sanpaolo S.p.A. draft financial statements as at 31 December 2022 and the Intesa Sanpaolo Group's consolidated financial statements as at 31 December 2022 (together the "2022 Financial Statements").

3. SUPERVISORY ACTIVITIES OF THE PROCEDURES FOR EFFECTIVE IMPLEMENTATION OF THE CORPORATE GOVERNANCE RULES LAID DOWN IN THE CORPORATE GOVERNANCE CODE

17) Complianc e with the Italian Corporate Governanc e Code

The Committee examined the Report on Corporate Governance and Ownership Structures ("Report on Corporate Governance") for 2022 which was then approved by the Board of Directors on 28 February 2023, with particular reference to the information about the main features of the risk management and internal control systems in relation to the financial reporting process.

In this area, the Committee favourably noted that the Report was prepared taking into account the Recommendations for 2023 addressed by the Chair of the Italian Corporate Governance Committee to all the Chairs of the management bodies of Italian listed companies, the results of which indicate a general level of adequacy of the Bank's corporate governance, and the recent amendments to the Corporate Governance Code.

The Report on Corporate Governance, which should be consulted for further details, illustrates among other things the management and control model of Intesa Sanpaolo and provides a complete disclosure of how the Bank has adopted and implemented the recommendations of the Corporate Governance Code.

4. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ORGANISATIONAL STRUCTURE

12) Organisatio nal structure

The Committee carried out the usual survey of the organisational structure of the Corporate Control Functions and main Divisions of the Group, focussing on the adequacy of risk monitoring processes and procedures to support the business carried out.

In 2022, The Committee analysed, including at its own request:

• − the proposed reshaping of the Internal Audit model so as to centralize all internal audit responsibilities on Asset Management activities in the Parent Company in order to achieve greater synergy in terms of methodology, organisation and tools;
• − the organisational structure of the Chief Lending Officer Governance Area, verifying in particular the presence of the necessary skills to deal with the various initiatives in which this Area is involved;
• − the progress of the upskilling and reskilling programme for Group staff envisaged in the 2022-2025 Business Plan, with particular regard to the Corporate Control Functions, as well as the process to support the achievement of employee development goals over the Plan period;
• − the updated organisational chart for the second level Control Functions through which the Chief Operating Officer Governance Area, also in line with what has recently been highlighted by the ECB, analyses - in both qualitative and quantitative terms - the overall needs of the Structures of the Governance Areas of the Chief Compliance Officer and Chief Risk Officer.

With regard to the assessments conducted by the Committee on the adequacy of Corporate Control Functions, see the chapter set out further below in this report.

In referring you to the Report on Corporate Governance for further details about the Group's organisational and operational structure, the Bank's organisational chart as at today's date is shown below.

5. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ADMINISTRATIVE AND ACCOUNTING SYSTEM AND OF THE ACCOUNTING AND FINANCIAL INFORMATION

The Committee - including in its capacity as Internal Control and Audit Committee pursuant to Article 19, paragraph 2, letter c) of Legislative Decree 39/2010 - examined the regular report on the activity carried on and the corrective measures prepared by the Manager responsible for preparing the Company's financial reports to support the statutory certifications and has analysed the causes and remedies of any shortcomings of the accounting structure.

The Management and Financial Governance function outlined the half-yearly reports on governance and control activities performed on the internal control system relevant for the financial reporting process, with the relative Tableaux de Bord ("TdB") which summarise the main issues requiring attention and the progress of the relative mitigation actions, the report on the activities carried out in 2022 by the Balance Sheet Items Valuation Unit, as well as the action plan for 2023.

Considering the governance and oversight activities carried out in 2022, as well as the reduced level of residual risk, the Management and Financial Governance function expressed a positive opinion - despite the presence of some areas for further improvement for which mitigation measures are underway - on the statutory requirements of the financial reporting, allowing the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports to issue the certifications required under Article 154-bis of the Consolidated Law on Finance for the consolidated half-yearly report as at 30 June 2022, the consolidated results as at 31 December 2022 sent for reporting purposes to the competent Authorities as well as the 2022 Financial Statements.

The Committee - after receiving a biannual update as at 30 June - examined the Report on tax risk oversight activities carried out by the Bank in 2022, as required by the cooperative compliance scheme, and the activities plan for 2023. The Committee, together with the Manager responsible for preparing the Company's financial reports, met with the Independent Auditors - in accordance with Article 150, paragraphs 3 and 5 of the Consolidated Law on Finance - to examine the audit plan and receive updates on the activities underway to formulate the opinion on the 2022 Financial Statements.

As part of its supervisory activity on accounting and corporate reporting, including to contribute to the assessment on the correct use of accounting standards, the Committee met with the Manager responsible for preparing the Company's financial reports, the other relevant functions of the Bank as well as the Independent Auditors to review the procedures for the preparation of the Consolidated Half-Yearly Report as at 30 June 2022, the Consolidated Interim Report as at 30 September 2022, and the 2022 Financial Statements.

The Committee also examined the process of preparing Pillar 3 and the Consolidated Non-Financial Statement ("CNFS") - presented together with the Principles for Responsible Banking ("PRB") - regarding

16) Meetings with the Independe nt Auditors

which it checked its compliance with the provisions of Legislative Decree 254/2016 and the Global Reporting Initiative Standards, as well as how the Bank manages and organises environmental, social, personnel and human rights issues. These documents were approved by the Board on 16 March 2023.

The Committee also conducted various preliminary investigations on the impacts deriving from the introduction of IFRS 17 - the new accounting standard for the valuation of insurance contracts, which entered into force on 1 January 2023 -, favourably noting that the implementations in progress are proceeding in line with the established timescales and taking into due consideration the indications formulated by the Supervisory Authorities.

The Bank's financial statements and the Group's consolidated financial statements, pursuant to Legislative Decree 38/2005, are prepared in compliance with the IAS/IFRS issued by the International Accounting Standards Board and relative interpretations of the International Financial Reporting Interpretations Committee, endorsed by the European Commission, as provided for by Regulation (EC) No 1606/2002. These documents are drawn up on the basis of the instructions issued by the Bank of Italy with Circular 262/2005 as subsequently amended.

The Intesa Sanpaolo draft financial statements as at 31 December 2022 and the Group's consolidated financial statements as at 31 December 2022 were approved on 28 February 2023 by the Board of Directors. The disclosure to the public, under the provisions of the prudential supervisory regulations, was provided on the Bank's website within the term laid down for publication of the financial statements.

On 23 March 2023, pursuant to Article 14 of Legislative Decree no. 39/2010 and Article 10 of Regulation (EU) No 537/2014, the Independent Auditors issued the reports on the audit of the Intesa Sanpaolo S.p.A.'s financial statements and on the consolidated financial statements of the Intesa Sanpaolo Group for the year ended 31 December 2022. In particular, the Independent Auditors:

• issued an opinion in which they affirm that the financial statements provide a true and fair view of the financial position and operating results of Intesa Sanpaolo and the Group, and of the profit and loss and the cash flows for the year ended at that date;
• presented the key aspects of the audit which, in their own professional opinion, are most significant and are used in forming their overall opinion of the financial statements;
• attested that the reports on operations and some specific information contained in the Report on Corporate Governance are consistent with the financial statements to which they refer and are prepared in compliance with the law;
• declared they had nothing to report pursuant to Article 14, paragraph 2, heading e), of Legislative Decree 39/2010, based on the knowledge and understanding of the company and its context acquired during the audit;
• verified the approval by the directors of the CNFS pursuant to Article 4 of the Consob Regulation implementing Legislative Decree 254/2016.

Moreover, on 23 March 2023, the Independent Auditors issued the Committee with the additional report envisaged under Article 11 of Regulation (EU) 537/2014, according to which no significant shortcomings were found in the internal control system for the financial reporting and/or in the accounting system, which should be brought to the attention of those responsible for Governance activities.

The annual confirmation of independence was issued, together with this report, pursuant to Article 6, paragraph 2, letter a) of Regulation (EU) No 537/2014 and paragraph 17 of the International Standard on Auditing (ISA Italia) 260.

6. SUPERVISORY ACTIVITY OF THE STATUTORY AUDIT PROCESS AND THE INDEPENDENCE OF THE INDEPENDENT AUDITORS

Intesa Sanpaolo has adopted specific Group Regulations for the governance of appointments given to independent auditors and their networks. Amongst the rules laid down by said Regulations - which are enforced save any different provisions of law or other mandatory regulations - the following rules should be borne in mind: a Sole Auditor for the Group; consistency of appointments with the Parent Company's indications; alignment of the duration of the statutory auditors' appointment.

The Regulations also include specific prior authorisation, monitoring and regular reporting procedures to the Committee, which are aimed at overseeing the independence of the independent auditors. For the purpose of this monitoring, the following types of appointment are defined:

• Audit, i.e. statutory audit services pursuant to Article 14 of Legislative Decree 39/2010 and Article 2409 bis of the Italian Civil Code as well as the other voluntary audit services;
• Audit Related, i.e. the tasks assigned by law or on behalf of an Authority as well as the operations which represent an extension of the audit appointment (issuance of certificates, examination of reports, agreed audit procedures). These appointments are usually conferred upon the Auditor as, by nature, they do not cause any detriment to the independence thereof;
• Non Audit, involving services not included in the previous Audit or Audit Related types, which under the

4) Reports by the Independe nt Auditors

16) Meetings with the Independe nt Auditors

Regulations cannot be given to the Main Auditor.

Monitoring also ensures that the Main Auditor is not given appointments expressly prohibited under Articles 10 and 17, paragraph 3 of Legislative Decree No. 39/2010.

EY is the independent auditor which was assigned the role of Sole Auditor. Each appointment proposal concerning subjects belonging to its network has been monitored in advance and - where required authorised. Based on the results of this control process, we confirm that during the 2022 financial year no further non audit appointments were granted to EY and parties connected to them by ongoing relationships. According to the provisions of the Group Regulations, the full picture of the assignments to the Independent Auditors is described twice a year to the Management Control Committee by the Manager responsible for preparing the Company's financial reports, including for the purposes of the related reporting obligations in the financial statements and to the Shareholders' Meeting. A complete picture of the amounts paid to the Independent Auditors in 2022 is represented in the Annex to the financial statements entitled "Fees for auditing and the services other than auditing pursuant to Article 149-duodecies of Consob Regulation no. 11971", to which reference should be made.

The details of the fees for the Audit-Related assignments for 2022 are shown below.

				(millions of euro)
Type of service	Intesa Sanpaolo		Group Company (*)
	EY	EY network	EY	EY network
Certification services (**)	2.62	-	3.93	-
Other services:
agreed audit procedures	0.09	-	0.41	-
non-financial statement	0.12	-	-	-
Total	2.83	-	4.34	-

(*) Subsidiary Group Companies and other consolidated companies.

(**) Including audit costs, on a voluntary basis, for "Pillar 3" disclosure.

Fees net of VAT, out-of-pocket expenses and Consob contribution.

The fees for Audit Related assignments mainly refer to activities attributable to the recurrent obligations regarding the deposit and sub-deposit of the assets of the customers of the intermediaries (pursuant to the provisions of the Bank of Italy Regulation of 5 December 2019), checks aimed at issuing comfort letters in implementation of international issue programmes and other contractual activities envisaged by the commitments already assumed by the Bank.

The Committee examined a proposal to engage EY for Audit Related activities for Intesa Sanpaolo.

Moreover, some integrations to the proposed audit activities envisaged with EY were submitted to the Committee - in line with the terms of the proposals - as a result of circumstances that entail an increase in timescales with respect to prior estimates. In detail, the adjustment was necessary because of the obligation - for issuers whose securities are admitted to trading on regulated European markets - to prepare and make available to the public financial reports in the single electronic reporting format (ESEF). In addition, in application of ESMA's publication on enforcement priorities related to the 2022 financial statements, an adjustment of the statutory audit assignment of the Consolidated Financial Statements, limited to FY 2022, was necessary due to additional and non-recurring audit procedures related to the introduction of IFRS 17, unforeseeable at the time of the audit tender. The Committee expressed a favourable opinion on the integration proposals, then approved by the Board.

Lastly, the Committee examined the proposed integration of the fees envisaged for the Audit Related assignment relating to Pillar 3 of Intesa Sanpaolo, due to regulatory developments and the increased disclosures expected in 2022. The Committee expressed a favourable opinion on the integration proposal, then presented to the Board for information.

7. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE INTERNAL CONTROL SYSTEM

The Group's Integrated Internal Control System Regulation, implementing the current Supervisory Rules, outlines the duties and responsibilities of all the stakeholders in the internal control system, the procedures for coordination and interaction between Control Functions, the guidance and coordination procedures of the Group companies and international branches and the main information flows between the various stakeholders in the system. The internal control system is structured on three levels:

− Level I: line controls conducted by the operating and business structures - including through units dedicated solely to control duties - and as far as possible incorporated in IT procedures, aimed at ensuring the proper conduct of the operations;

7-8) Additional audit assignment s

9) Opinions

9) Opinions

13) Internal control system

• − Level II: controls aimed at ensuring the proper implementation of the risk management process, observance of operating limits and compliance of the operations with regulations. The functions assigned to such controls are separate from the ones in charge of production and contribute to the definition of the governance policies and the risk management process. These controls are performed:
  • ✓ by the Chief Compliance Officer Governance Area, which has the duties and responsibilities of compliance with regulations and also includes the anti-money laundering function,
  • ✓ by the Chief Risk Officer Governance Area, which has the duties and responsibilities of the Risk Management function and also includes the Validation function;
• − Level III: internal audit controls aimed at identifying violations of procedures and regulations, as well as assessing the completeness, adequacy, functionality and reliability of the internal control system and information system at Group level, in relation to the nature and intensity of the risks. At Intesa Sanpaolo, the Chief Audit Officer reports directly to the Board of Directors and also reports functionally to the Committee, without prejudice to the appropriate sharing of information with the Managing Director and CEO.

The Group's internal control system - described in detail in the Report on Corporate Governance, to which reference should be made for further details - also sees other functions involved with control responsibilities (the Business Continuity function, the Cybersecurity function, the specialist functions) and, among others, also the Manager responsible for the Group Business Continuity Plan, the Manager responsible for preparing the Company's financial reports, the Independent Auditors and the Parent Company's Surveillance Body pursuant to Legislative Decree 231/2001.

With reference to the latter, every six months the Committee examined the report on the activities carried out noting that, according to the disclosure made, there are no facts or circumstances worthy of mention. Based on a synergistic approach, the Committee and the Surveillance Body promptly exchanged relevant data and information during the year, by coordinating during joint meetings on matters of mutual responsibility.

Below you will find a summary of the activities conducted by the supervisors responsible for carrying out internal controls.

Chief Compliance Officer

The Chief Compliance Officer delivered the institutional and periodic reports within his remit to the Committee, and in particular the half-yearly report, the annual report and Risk Assessment with the action plan for 2023 prepared pursuant to the regulations in force; the Compliance Tableau de Bord, which provides an overview on the outlook for the most significant areas of attention, is enclosed with these reports which also provide a summary report on the progress of complaints, protests and appeals by customers. The endof-year report also includes the details of the activities carried out in 2022 and the activities planned for 2023 with reference to the central depositories and the entities managed according to the guidance, coordination and control model, the report on the Governance of the Group asset management companies, the Product Governance Report, the regulatory areas overseen and details of the human and financial resources allocated to compliance macro-processes.

Pursuant to the regulations issued by Consob, the Chief Compliance Officer, with the collaboration of the Chief Operating Officer, presented to the Committee the annual report on the terms of provision of services and investment activities and ancillary services and of distribution of financial products issued by insurance companies or banks.

Furthermore, the Chief Compliance Officer submitted the following to the Committee:

• − the annual report on conflict of interest situations recorded in the area of investment or ancillary services, investment activities and distribution of insurance-based investment products;
• − at the request of the Committee, the progress of the Compliance Next Programme, analysing, among other things, the aspects connected to the FTE savings resulting from the implementation of the initiatives envisaged therein;
• − a report on the proceedings launched by the AGCM as part of its examination of business practices implemented by the Bank.

To enable the Committee to adequately perform its supervisory role on compliance with the rules for combating money laundering, terrorist financing and for embargo management as well as verifying the completeness, functionality and adequacy of the relative control system, the head of the Anti-money laundering function illustrated the half-yearly report and the annual report for 2022, with their respective Tableaux de Bord, the annual Risk Assessment in the areas of money laundering, terrorist financing and breach of embargoes, as well as the action plan for 2023. These reports include summary information on the progress of the training plan, as well as details of the human and financial resources allocated to compliance macro-processes with respect to anti-money laundering, anti-terrorism, embargoes and anticorruption regulations.

Also at the Committee's request, the head of the Anti-money laundering function also submitted:

• − the progress of activities to further strengthen the anti-money laundering model and the anti-financial crime controls in place at the Intesa Sanpaolo New York branch, together with the updated version of the BSA/AML/OFAC Sanction Policy and Compliance Program;
• − specific updates on the progress of the ENIF Programme, with a focus on the various areas of intervention identified;
• − the proposal to update the Sydney branch's Anti Money Laundering and Counter-Terrorism Financing Program, as required by Australian regulations, with a view to its submission to the Board for approval;
• − the results of further investigations carried out on REYL & CIE SA and on the Italian Companies of the Group which show no risk of transmission of administrative liability for the Parent Company pursuant to Legislative Decree 231/2001, charged to the Subsidiary;
• − the Anti Financial Crime Training Plan, which includes the definition of the training macro-objectives for the 2023-2025 three-year period and the definition of the 2023 annual plan.

Chief Risk Officer

The Chief Risk Officer submitted the following to the Committee: the Tableau de Bord of the critical issues in his own Governance Area on a six monthly basis, the annual report on the activities carried out in 2022, the Risk Assessment and the plan of the activities scheduled for 2023, including those for the Validation function. In accordance with Article 13, paragraph 2, of the Regulations issued by the Bank of Italy and Consob pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance, he also illustrated the Report on risk management activities within the scope of the investment services to customers carried out during 2022.

The Chief Risk Officer also described:

• − the results of the annual assessment on the overall consistency of the ratings of the External Credit Assessment Institutions with the measurements processed independently by the Bank;
• − the results of the 2021-2022 assessment conducted on the dissemination of the risk culture and its perception within the Group as well as the main strengthening initiatives already implemented in 2022 and planned for the current period.

Chief Audit Officer

The Committee mainly uses the Internal Audit function to carry out its supervisory duties. The Chief Audit Officer normally participates at meetings and provides ongoing information about the activities carried out some of which at the Committee's own request - and on the progress of the remediation plans put in place by the competent corporate functions to overcome the critical issues encountered. The high priority issues reported by the Committee are taken into account at the time of defining the annual Internal Audit plan.

During the year, the Chief Audit Officer systematically and promptly reported the main findings that emerged whilst performing his own activities to the Committee, including at its specific request. In particular, the results of the checks on the following points should be noted:

• − critical issues identified with reference to the partnership with Nexi Payments, following the transfer of the ISP business line concerning the POS Acquiring activity. In this regard, during the period, the Committee positively noted that the remedial actions completed and those in progress led to a significant containment of the risk identified at the time;
• − regulatory framework of Transactions with Related Parties and Associated Entities, from which certain areas for improvement have emerged and for which the necessary remedial actions have already been carried out;
• − the Group's ability to produce the Single Customer View report, as required by the instructions of the National Interbank Deposit Guarantee Fund;
• − alignment of the internal control system of REYL & CIE SA to that of the Group, as requested by the ECB acknowledging that the planned initiatives are in an advanced stage of implementation;
• − Internal Survey intended for all the resources of the Chief Audit Officer area and the Group's Italian Companies aimed at measuring the internal climate, as envisaged by the Internal Model of the quality assurance and improvement process;
• − compliance of the Bail-in Dry-Run exercise conducted by the Group with the requirements defined by the Single Resolution Board.

The Chief Audit Officer also presented to the Committee, including at its specific request:

− an update on the development of the Continuous Auditing model – one of the streams of the Data Driven 2022-2025 Audit Strategic Plan – created through the massive use of databases and Machine Learning and Artificial Intelligence approaches;

− an in-depth analysis of the audit activities carried out in the ICT field with a focus on Cloud Computing, in the light of the recent adoption of this technology in the European and Italian banking sector.

Every three months, using the Synthetic Audit Tableau de Bord, the Chief Audit Officer reported to the Committee on the outlook for the most significant weaknesses found during the Internal Audit activities including in light of the respective remediation plans. Every six months, within the context of a specific report, he submitted his own considerations and assessments on the adequacy of the internal control system for risk management and presented, at the Committee's request, the changes in the least significant weaknesses set out in the Analytical Audit Tableau de Bord. On an annual basis, he prepared and shared with the Committee, the final report on the activities carried out, the results of the Risk Assessment Audit and the activities plan for the following financial year. The final report on the activities carried out in 2022 also fulfils the obligations laid down by the Bank of Italy with regard to disclosures to the Bodies on some specific areas such as liquidity risk management, anti-money laundering, information systems and business continuity, Parent Company Governance of the Group asset management companies, the result of the audits carried out at international branches and the internal systems for reporting violations of the rules governing banking (so-called whistleblowing).

The Chief Audit Officer also conducted the compulsory assurance activities and prepared the following regular disclosures pursuant to the current Supervisory Rules:

• − the annual report on the outsourcing of essential or important functions outside the Group;
• − the quarterly report on whistleblowing reporting;
• − the annual report on internal audit activities required by Article 14 of the Consob-Bank of Italy Joint Regulation pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance.

During Board meetings, the Committee examined the reports from the Internal Audit Department on the results of consistency checks on the operating practices followed in the actual delivery of the 2021 incentive system as well as on the quantification and approval of the 2022 incentive system with the policies and the application parameters approved by the various Bodies and with the provisions issued by the Bank of Italy on this subject in transposing EU Directives. The Chief Audit Officer expressed his opinion of adequacy.

As per its request, the Committee examined the results of the Quality Assurance Review ("QAR") of the Chief Audit Officer's area carried out by an independent external consultant, favourably noting the assessment of general compliance with international standards for professional practice and the Code of Ethics, which is the highest rating among those stipulated in the standards defined by the Quality Assessment Manual issued by the Institute of Internal Auditors. The Committee also examined the results of the QAR conducted by the same consultant on the guidance and coordination role played by the Internal Audit Department on foreign subsidiaries and on the related measures implemented by these subsidiaries, which showed a level of compliance in line with that recorded on the Parent Company.

Integrated Reporting by the Corporate Control Functions

The Integrated Tableau de Bord was submitted to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact among those highlighted by the Corporate Control Functions and the Management and Financial Governance function in their own Tableaux de Bord, with details of the progress of their respective mitigation actions. On the basis of the assessments carried out by the Corporate Control Functions in 2022, the annual summary report was drawn up which shows that overall risk management is adequate in terms of completeness, functionality and reliability of the internal control system. This opinion is supported by the Integrated Risk Assessment, the results of which were included in the 2023 RAF.

Moreover, the Integrated Tableau de Bord of the International Subsidiary Banks was also presented to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact on the international perimeter.

To analyse the causes and remedies of the critical issues highlighted by the Corporate Control Functions and monitor the actions aimed at improving the efficiency of the internal control system, the Committee - in the presence of the Chief Audit Officer - held the following meetings, at its own request:

• − with the Chief IT Digital & Innovation Officer, to examine the new strategic roadmap for IT convergence of International Subsidiary Banks;
• − with the head of the Insurance Division, also in the presence of the Chief Compliance Officer and the head of the Legal Affairs Department - Group General Counsel, to monitor the progress of the remedial actions relating to Intesa Sanpaolo RBM Salute. In relation to the latter and to the proceeding opened by the AGCM against it and the supplier Previmedical for alleged unfair business practices in the offer of insurance services, the Committee noted favourably that the Lazio Regional Administrative Court -

deeming the complaint raised by the Subsidiary to be well-founded - upheld the appeal filed by Intesa Sanpaolo RBM Salute, cancelling the AGCM's measure in its entirety.

Lastly, the Committee periodically reviewed the Risk Assessment carried out by the Corporate Control Functions on the progress of the macro-initiatives of the 2022-2025 Business Plan, focusing on the main aspects subject to monitoring and the actions identified from time to time to mitigate the related potential risks.

Assessment of the Corporate Control Functions

For the purposes of assessing the suitability of the essential elements of the risk management internal control system architecture, the Committee examined the annual disclosure on the changes in staff, costs and investments directly attributable to the Corporate Control Functions. Further details on the staffing and Target sizing of the structures of the Corporate Control Functions are provided in their respective periodic reports to the Corporate Bodies. In light of the results obtained during its activities, the Committee expressed its own considerations on the aspects of independence, objectivity and effectiveness of risk management actions for the annual assessment carried out by the Board of Directors regarding the adequacy of the Corporate Control Functions.

For the purpose of paying the variable component of remuneration for 2022, the Committee first met with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to receive the results of the activities carried out by the respective areas during 2022. During the Performance Evaluation phase, it met with the competent structures of the Chief Operating Officer to examine the evaluation proposals made by them and express its opinion to the Remuneration Committee - within the scope of its responsibility - on the achievement of the objectives by the Chief Audit Officer, the Chief Compliance Officer, the Head of the Anti Financial Crime Department, the Chief Risk Officer, the Head of the Internal Validation and Controls Department, the Manager responsible for preparing the Company's financial reports and the Head of the Safety and Protection Department as Data Protection Officer.

For the purposes of the 2023 incentive system, during the Goal & Target Setting phase, the Committee first met with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to examine the activities plan envisaged by each of their respective functions for 2023, including in order to evaluate the panel of possible Key Performance Indicators with which to monitor the effectiveness of the action by the relative functions and evaluate the managers' performance. The Committee then expressed its opinion within its own remit - to the Remuneration Committee for the purpose of defining the objectives and individual performance levels to be attributed to the said Chiefs as well as to the heads of the Validation and Anti-Money Laundering functions and to the Manager responsible for preparing the Company's financial reports. The Committee took positive note of the forecast, also for 2023, of a Group transversal KPI pertaining to ESG issues.

8. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE GOVERNANCE AND RISK MANAGEMENT PROCESS

The Committee monitored:

• − compliance with the provisions relating to the Internal Capital Adequacy Assessment Process and the Internal Liquidity Adequacy Assessment Process (ICAAP/ILAAP), analysing, in particular, scenarios and methodological and process aspects, as well as the results of the Validation function on the adequacy of the framework for the quantification of economic capital and for managing liquidity risk as well as the results of the Internal Audit self-assessment on the quantification and assessment processes adopted;
• − the completeness, adequacy, functionality and reliability of the internal risk measurement systems to determine capital requirements, checking their compliance with regulatory requirements including for the purpose of the annual certification issued by the Board of Directors. The Committee examined the specific annual reports by the Internal Audit and Validation functions as well as the Action Plan of the Risk Management function in order to mitigate the critical points highlighted;
• − the completeness, adequacy, functionality and reliability of the RAF for 2023, examining its methodological aspects, definition process and consistency with the Recovery Plan.

The Committee then examined the following periodic reports:

• − the results of the annual checks by the Asset Monitors on the Covered Bonds programmes;
• − the results of the annual assessment of the IT risk exposure on the procedures in operation in the Group;
• − the results of the checks and controls of the Group's business continuity plan;
• − preparation of the Group's IT security plan for the current year;
• − report on operational and security risks in payment services;

9) Opinions

9) Opinions

− report by the Data Protection Officer on the activity carried out as at 30 June and 31 December 2022, together with the activities plan for 2023. Among other things, the Committee examined the results of the Data Protection Benchmark - a survey conducted by a consulting firm on several large European banks to compare compliance with the key areas of the General Data Protection Regulation ("GDPR") which highlighted an excellent positioning of the Group with limited areas for improvement.

The Committee then met the Chief IT, Digital & Innovation Officer, including at its own request, to examine:

− the progress of the Group's Data Strategy;

− Cybersecurity Strategic Intelligence activities implemented by the Bank, and the Group Cyber Resilience Program, aimed at mitigating cyber risks as well as business continuity risks arising from the changed geopolitical environment, also as a result of the Russian-Ukrainian conflict, focusing on the actions taken for their mitigation. On that occasion, the Committee was made aware of the safeguards in place for monitoring possible vulnerabilities connected to the IT systems of the Group's outsourced service providers.

The Committee also met the Chief Lending Officer to discuss:

• − the progress of the remediation plan launched with reference to Leveraged Transactions; the aspects related to NPL outsourcing; the progress of actions under the new Sector Framework and the digital evolution of credit governance and lending processes;
• − the half-yearly report on the adjustments made, subject to individual measurement, on NPL positions under his responsibility.

The Committee continued within its area of responsibility, including meeting with the Group's in-house Emergency Management Unit, to monitor aspects related to the open military conflict between Russia and Ukraine, analysing the impacts arising from the decisions taken at the EU and international level and from the changes in the geopolitical environment.

9. SUPERVISORY ACTIVITIES OF COMPLIANCE WITH THE REGULATIONS APPLICABLE TO THE BANK IN ITS CAPACITY AS THE PARENT COMPANY

The Committee - including by making use of the support of the Corporate Control Functions - found that the Bank, within the framework of the management and coordination activity of the Group, exercises control over the development of the different business areas in which the Group operates and the incumbent risks, over the maintenance of conditions of economic, financial and equity equilibrium both of the individual companies and of the Group as a whole, as well as over the assessment of the various risk profiles contributed by individual subsidiaries and the total risk. The rules and procedures in place allow the Parent Company to promptly fulfil its disclosure obligations to the public in accordance with current provisions pursuant to Article 114, paragraph 2, of the Consolidated Law on Finance. The information flows between the Parent Company and its subsidiaries guarantee an effective exchange of information with regard to the corporate governance systems and the overall performance of the business.

The Committee, as foreseen inter alia by Article 151-ter, paragraph 1 and 4, of the Consolidated Law on Finance, exchanged information flows with the Boards of Statutory Auditors of the main Italian subsidiaries of the Group and, in order to examine the critical issues found by the Corporate Control Functions and to monitor the remedial actions aimed at improving the efficiency of the internal control system, met, in the presence of the Chief Audit Officer, the Board of Statutory Auditors of Fideuram-Intesa Sanpaolo Private Banking.

The Committee also reviewed the proposed update to the Report on Management and Coordination Powers in respect of the Group's asset management companies and issued a favourable opinion on said update. Moreover, with a view to ensuring consistency at Group level in the manner of transposing and implementing Legislative Decree 231/2001, the Committee analysed the usual half-yearly report on the activities carried out by the Surveillance Bodies pursuant to Legislative Decree 231/2001 of the Italian companies of the Group.

10. CONCLUSIVE ASSESSMENTS ON THE SUPERVISORY ACTIVITY CARRIED OUT

As detailed in the Report, the Committee verified the functionality of the internal procedures, which have been found fit also in 2022, to guarantee compliance with the laws, regulations and articles of association. The Committee ascertained that the decision-making process takes into due consideration the riskiness and the effects of management decisions taken and that Corporate Bodies have an adequate information flow system, including with reference to any directors' interests. The organisational structure, the administrative and accounting system and the statutory audit process were found adequate and functional for the tasks they are expected to perform.

15) Subsidiarie s requiremen ts

9) Opinions

14) Adequacy of the accounting system

In particular, the Committee has reason to believe that the Bank's and Group's administrative and accounting system is such as to ensure a fair presentation of the operational events and that there are no significant shortcomings in the internal control system in relation to the financial reporting process. The Committee also found that the administrative and accounting procedures are effectively followed for the preparation of the financial statements and all other financial reports.

The non-existence of critical elements such as to affect the governance and risk management process and the structure of the internal control system was also verified. The Committee has in fact assessed compliance with the supervisory provisions with reference to the general principles of the internal control system, the role of the company Bodies, as well as the role and requirements of all the functions involved in the control system, checking their substantial adequacy, the correct performance of tasks and the proper coordination thereof. Where considered appropriate, the adoption of functional corrective measures was promoted to address any deficiencies detected.

Taking into account all the foregoing, having considered the content of the opinions issued by the Independent Auditors, and having taken note of the attestations issued jointly by the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports, the Committee does not report - in as far as it is within its remit - any impediment to the approval of the financial statements of Intesa Sanpaolo S.p.A. as at 31 December 2022 accompanied by the Report on operations and the notes thereto, as approved by the Board on 28 February 2023.

Lastly, the Committee expresses a favourable opinion on the proposal for the allocation of the profit for the year and the related distribution of dividends made by the Board of Directors.

Milan, 23 March 2023 For the Management Control Committee

The Chair – Alberto Maria Pisani

This is an English translation of the original Italian document. In cases of conflict between the English language document and the Italian document, the interpretation of the Italian language document prevails.

13) Internal control system

18) Conclusive assessmen ts