ANNUAL REPORT

OF THE INTERNAL AUDIT DEPARTMENT

ON INTERNAL AUDITING

FOR 2019

Prepared by	Polonca Jug Mauko
Adopted by	Sava Re management board
Consent by	Sava Re supervisory board
Type of document	report
Service/unit	Internal Audit
Confidentiality level	confidential
Report number	6-2019/POR/PJM
Distribution list	Company's management board
	supervisory board members
	members of the supervisory board's
	audit committee
Language versions	Slovenian, English
Date of preparation	28 February 2020
Date of adoption at the
management board meeting	3 March 2020
Date of adoption at the AC and	on 17 March 2020 by the AC and on
SB meetings	25 March 2020 by the SB

Ljubljana, February 2020

1	INTRODUCTION	3
2	ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS,
	RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE	3
3	REVIEW OF THE IMPLEMENTATION OF THE 2019 ANNUAL WORK PLAN	4
4	SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED	5
5	OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY
	WEAKNESSES AND IRREGULARITIES	7
6	STAFF, TRAINING AND OTHER ACTIVITIES	7
7	INTERNAL AUDIT DEPARTMENT'S QUALITY ASSURANCE AND IMPROVEMENT
	PROGRAMME	8

1 INTRODUCTION

The internal audit department has prepared this annual report on internal auditing for 2019 pursuant to article 165 of the Slovenian Insurance Act (ZZavar-1), the internal audit policy of Sava Re d.d. (hereinafter: Sava Re), the medium-term work plan of the internal audit department (hereinafter: the IAD) for the period 2017–2019 and the 2019 IAD annual work plan.

This report includes:

a report on the organisational independence of the internal audit department;
an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re;
an overview of the 2019 annual work plan implementation;
a summary of the major conclusions of the internal audit engagements;
an overview of the implementation of recommendations to remedy weaknesses and irregularities;
an overview of the performance of other activities by the IAD (staff, education and training);
a summary of the internal audit's quality assurance and improvement programme.

The IAD is an independent organisational part that is operationally and organisationally separate from other business parts of Sava Re. In administrative terms, it reports to the Sava Re management board; however, functionally, it reports to the Company's audit committee and the supervisory board. This guarantees autonomy and organisational independence.

Pursuant to the Insurance Act and based on outsourcing agreements, Sava Re d.d. has been performing the key internal audit functions of Zavarovalnica Sava d.d. and Sava Pokojninska Družba d.d. since 1 February 2018. In 2019, pursuant to the Investment Funds and Management Companies Act (ZISDU-3), Sava Re signed a contract with Sava Infond, Družba za Upravljanje d.o.o., by which the latter transferred the performance of the internal audit key function to Sava Re d.d. as of 1 January 2020, for an indefinite period of time.

On 16 February 2020, following the departure of Jožica Palčič to assume another position within the Sava Insurance Group, the IAD director Polonca Jug Mauko was appointed the internal audit function holder of Sava Re d.d. and Zavarovalnica Sava d.d., and the internal audit function holder at the level of the Sava Insurance Group.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE

On the basis of the audit engagements performed, we give an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re for the period from 1 January 2019 to 31 December 2019.

On the basis of all the examinations carried out and methods applied in individual audited areas, the IAD considers the internal controls of Sava Re to be adequate, and the reliability level of their operation good. It also believes that the governance of Sava Re has been appropriate and is improving, working toward achieving the relevant objectives of the operations, and that the Company manages risks effectively, with a view to fulfilling its purpose of effective and financially-sound operations. According to the IAD, there is still room for improvement regarding the operation of the system. Individual irregularities and weaknesses were detected during audit engagements that were stressed by the IAD,

and recommendations were made for their elimination, so that the control procedures and the Company's governance and risk management would be improved. This leads to greater efficiency of internal controls and regularity of operations.

Some irregularities and weaknesses were remedied before the deadlines. The recommendations made in the last quarter and those related to improving information technology require some extra time.

In standard internal audit engagements, due consideration was given to potential instances of fraud and exposure as well as the potential vulnerability of IT support to operations. The internal control system in the areas subject to the audit has been introduced and functions so as to prevents the occurrence of fraud. Moreover, recommendations were made after the conducted audits to improve the information system.

3 REVIEW OF THE IMPLEMENTATION OF THE 2019 ANNUAL WORK PLAN

In 2019, the IAD carried out internal audit engagements and other activities in accordance with the IAD 2019 annual work plan.

A total of 24 audit engagements were conducted:

1_R_2019/Sre	Audit of the control over external IT providers;
2_R_2019/SRe	Audit of operations of TBS;
3_R_2019/Sre	Audit of investment property management;
4_R_2019/Sre	Audit of the implementation of a uniform ASP.ins version and of the
installation protocol;
5_R_2019/Sre	Audit of the process of investment policy development;
6_R_2019/Sre	Audit of the process of management of new Group companies;
7_R_2019/Sre	Audit of salary and travel order accounting;
8_R_2019/Sre	Audit of the process determining cost allocation keys;
9_R_2019/SRe	Audit of accuracy and completeness of presentation of off-balance sheet
items;
10_R_2019/SRe	Audit of IT strategy – outsourcing – not carried out;
1_SV_2019/SRe	Informal consulting engagement – participation in the selection of the
provider of IT support to the finance area
2_SV_2019/SRe	Informal consulting engagement – participation in the IFRS 9 and IFRS 17 task
force;
3_SV_2019/SRe	Informal consulting engagement – Group audit;
4_SV_2019/SRe	Informal consulting engagement – cooperation with the compliance function
– not carried out;
1_SOD_2019/SRe	Audit of rights of access to databases and client data (data protection) – SPD
North Macedonia;
2_SOD_2019/SRe	Audit of reinsurance (limited to life insurance) – ZS;
3_SOD_2019/SRe	Audit of recording and monitoring of fixed assets (tangible and intangible)
and compliance with IFRS 16 – ZS;
4_SOD_2019/SRe	Corporate governance audit – SO Montenegro;
5_SOD_2019/SRe	Corporate governance audit – SPD North Macedonia;
6_SOD_2019/SRe	Audit of the management of IT processes – SŽO Serbia;
7_SOD_2019/SRe	Audit of the management of IT processes – SO North Macedonia;
8_SOD_2019/SRe	Audit of protection of personal data – SO Montenegro;
9_SOD_2019/SRe	Audit of the optimisation model – investment policies – SNO Serbia;

10_SOD_2019/SRe Audit of the functioning of the multi-currency feature (support to all processes for: claims, recourses, premiums) – ZS.

An audit of Sava's IT strategy has not been carried out and has been postponed to the first quarter of 2020 within the scope of the IAD annual work plan for 2020, as in November 2019 the strategy had not yet been adopted by the Company's bodies. Consulting engagement 4_SV_2019/SRE Informal consulting engagement – cooperation with the compliance function – has not been carried out, as the risks have decreased and there was no longer a need for it. Additionally, a non-standard (follow up) audit of TBS TEAM 24, d.o.o. operations was performed.

In total, 23 internal audit engagements were performed.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

Based on risk ratings, the internal audit covered ongoing and comprehensive supervision over the operations of the Company aimed at verifying and assessing whether the risk management processes, control procedures and corporate governance are adequate and function so as to facilitate achievement of the Company's following important goals:

effective and efficient operation, including meeting the goals related to business and financial performance, and protecting assets against loss;
reliable, timely, transparent internal and external financial, and non-financial reporting;
compliance with statutory and other regulations, including internal rules;
evaluation to determine whether information technology management in the Company supports and contributes to its strategies and objectives;
assessment of fraud risk and the method of addressing this risk at the Company.

The IAD regularly reported on its work to the auditees, submitting reports to the Company's management board for information, and conclusions and recommendations for approval. On the basis of feedback received from those responsible for the implementation of recommendations, it periodically reported on the implementation thereof to the management board, audit committee and the supervisory board.

The IAD submitted a more detailed overview of the internal audit engagements with all conclusions, irregularities and recommendations to the management board, audit committee and the supervisory board via its quarterly reports.

A brief summary of the key conclusions in the areas audited is provided below.

Audit of the control over external IT providers

Supervision over the external IT providers is implemented; however, its scope is limited. Supervision over the systems and equipment (infrastructure) is carried out by the IT department, whereas the work of external software solutions providers is supervised by the supervisory boards or project teams. To improve control of costs and capital investments, IT staff in charge have set up an IT-controlling process. To ensure better and more effective supervision of external IT providers, we need to set and monitor key quality and effectiveness indicators, introduce regular contract reviews and procurement procedures, as well as new IT solutions. Most of the findings and corresponding recommendations have already been implemented.

Audit of investment property management

The audit mainly focused on the assessment of the effectiveness and efficiency of investment property management. Software support for the management of this portfolio is still being completed, so the process currently requires a lot of manual work and associated manual controls.

Audit of the implementation of a uniform ASP.ins version and of the installation protocol

The aim of the audit was to assess the appropriateness of the development of ASP.ins solution with respect to producing a uniform version for all members of the Sava Insurance Group that use ASP.ins, whereby ASP is to provide for the simplification both of software solution maintenance and the user installation process protocol. The resulting assessment of the audit maintains that development is progressing in the right direction and that the uniform version of ASP.ins will be set up subject to implementation of the foreseen activities.

Audit of the process of investment policy development

The audit reviewed the process of long-term and short-term optimisation of investments. The audit examined in which application the process of investment policy development was performed, the accuracy of input data relative to the source, the verification and approval of output data, records of potential changes in the process and application, and conformance of output data with planning documents. The audit findings and resulting recommendations have been fully implemented.

Audit of the process of management of new Group companies

The audit was carried out to assess the appropriateness of the processes, policies and rules in place that serve as the basis for the governance of the Sava Insurance Group. We used the acquisition of Sava Infond, a strategic investment, to check the processes in place, the policies and rules that are the basis for the governance of Group companies, compliance with the protocol on the harmonisation of governance rules and procedures of the Group, and the work of the various business functions involved in the process. The auditors' recommendations have been fully implemented.

Audit of salary and travel order accounting

The objective of the audit of salary and travel order accounting was to assess the appropriateness of the process of salary and travel order accounting, and to examine its compliance with the applicable legislation and internal acts. Most of the findings and corresponding recommendations have already been implemented.

Audit of the process of determination of cost allocation keys

The subject-matter of the audit was the appropriateness of the process and basis for defining the keys for the distribution of income and expenses, including investment-related income and expenses. The company has an appropriate methodology (keys) in place for the allocation of costs, income and expenses to cost units (official insurance classes), which in all material aspects ensures appropriate allocation of costs, income and expenses to insurance classes.

Audit of accuracy and completeness of presentation of off-balance sheet items

The subject-matter of the audit was to assess the appropriateness of the process that ensures the accuracy and completeness of the presentation of off-balance sheet items. The off-balance sheet items are recorded by the accounting department and are refreshed on a quarterly basis during the compilation of Sava Re and Sava Insurance Group quarterly financial reports. Performance and effectiveness, as well as the system of internal controls were assessed as very good.

Audit of operations of the subsidiary TBS TEAM 24 d.o.o.

This audit largely focused on the regulation of the control environment, the company's core business process, invoicing of services to clients, cost control relating to the subsidiary TBS Team 24 d.o.o. The

audit was conducted at the beginning and again at the end of 2019. With respect to the business of TBS Team 24 d.o.o. in 2019, the audit found coordinated company activities within the Sava Insurance Group.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY WEAKNESSES AND IRREGULARITIES

The IAD periodically reports on the implementation of recommendations made and proposals given based on identified irregularities and weaknesses. In the period 1 January 2019–31 December 2019, we monitored the implementation of 106 recommendations, of which 66 applied to Sava Re and 40 to the audited subsidiaries. Based on the internal audits performed, we put forward 70 recommendations in 2019.

Of the 66 recommendations made to Sava Re, 52 have been implemented, while 14 are pending. Of the 40 recommendations made to subsidiaries, 32 have been implemented, 1 has been withdrawn at the proposal of the management board, and 7 remain pending.

As at 31 December 2019, 100% of overdue recommendations made at the Sava Insurance Group level were implemented, taking into account one withdrawn recommendation. Nine auditor days were spent monitoring the implementation of recommendations in 2019.

6 STAFF, TRAINING AND OTHER ACTIVITIES

From 1 January 2019 to 30 November 2019, the IAD employed 9 staff, and that number increased to 10 as of 1 December 2019.

A total of 8 employees in the IAD have obtained the title of certified internal auditor and 1 employee is a CISA-, CRISC- and CISM-certificate holder.

We believe that the number and composition of the IAD staff allows the proper completion of planned activities, provided there are no extended unplanned absences and/or increased unplanned dimensions to the work.

In 2019, IAD employees received training in various areas. In addition to training sessions organised by the Slovenian Institute of Auditors, the Slovenian Insurance Association, Croatian Institute of Internal Auditors, the ECIIA international conference, in-house training sessions in ERM and international webbased seminars, we regularly follow articles on current topics related to internal audit, accounting, finance and taxation. We successfully implemented the Sava Insurance Group workshop for internal auditors, where we presented the new internal audit methodology and new features of the audit software support, and where we attended soft skills courses.

In 2019, the IAD prepared the 2020 IAD annual work plan, its work strategy for the period 2020–2022, and 4 quarterly internal audit reports for the periods October–December 2018, January–March 2019, April–June 2019 and July–September 2019, and the 2018 annual report.

The director of the IAD regularly took part in the meetings of the management board, audit committee, supervisory board, risk management committee, and executive meetings. The operations were also monitored through the review of the documents prepared for the meetings of the management board, the risk management committee and the executive meetings. Other activities also comprise the managing of the department.

The IAD was engaged in regular quarterly risk assessments at the Sava Insurance Group and Sava Re levels; it also prepared an internal audit contribution to SFCR reporting. Furthermore, it contributed to those parts of the 2020 annual and 2020–2022 strategic planning processes that relate to the IAD, and to the IAD section of the Sava Insurance Group's annual report.

Cooperation with the external auditor involved the drafting of a contract for the period 2019–2021 on the auditing of the consolidated and separate financial statements and SFCR reporting, and coordination of the work of external auditors and the monitoring of conclusions after the pre-audit and final audit, and contributions at joint meetings.

The IAD's development in 2019 streamlined its operation regarding the introduction of a new software solution to support the comprehensive internal audit process at the Sava Insurance Group internal audit level.

The IAD provided technical assistance to internal auditors in subsidiaries related to methodology, provision of software support of the comprehensive internal audit process, and the induction of new employees in subsidiaries, while the key function holders also actively collaborated with each other.

7 INTERNAL AUDIT DEPARTMENT'S QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

The IAD performed a quality assessment of its operations in accordance with the requirements of the relevant standards. The assessment is conducted on the basis of the quality assurance and improvement programme covering all aspects of the IAD's operation. The IAD director reports on the results of this programme to the management board and the audit committee of the supervisory board.

The external quality assessment of IAD in Sava Re d.d. in 2019 was performed by Deloitte revizija d.o.o. with the following auditing team as external assessors: Barbara Žibert Kralj, partner, authorised auditor responsible for quality control of the performed tasks, Katarina Kadunc, certified internal auditor, authorised auditor, FCC, and Urban Goršič, CIA, CFE. Based on the procedures performed, the external assessment of the IAD operations in Sava Re d.d. confirmed conformance of the internal audit with the International Standards for the Professional Practice of Internal Auditing, Code of Professional Ethics of Internal Auditors, and the Code of Internal Auditing Principles. The IA maturity model of Deloitte shows that the majority of capabilities of IA of Sava Re d.d. is at the upper advanced or leading level of maturity.

The IAD also conducted a self-evaluation of its operations in accordance with the standards in 2019. The results confirmed that the operation of the IAD is in accordance with the definition of internal auditing, the standards and the code of ethics. As regards the Standards with which the Company is not fully compliant, the IAD drew up an action plan to improve the situation and seeks compliance in its daily work. Pursuant to the internal audit guidelines, we supplemented the programme designed to ensure and improve the quality of IAD activities with the Statement of compliance of the internal audit's actions with the Standards, code of ethics, as well as disclosure and avoidance of conflicts of interests.

At the end of January 2020, we proposed to the management board, members of the supervisory board's audit committee and members of the supervisory board a questionnaire on their satisfaction with internal audit (for the IA maturity model). The average of all grades based on returned questionnaires is 3.7 out of 4. The management board sees the internal audit as an important

component of the Company's risk management framework and believes the internal audit plays an important role in the Company.

The work methodology has been improved, primarily from the perspective of the further development of the IA process in the Pentana application. Moreover, in 2019 we also renewed the internal audit methodology (Internal Audit Manual) at the Sava Re level, and initiated the process for reviewing the internal audit methodology of other Sava Insurance Group companies.

In February 2020, we compiled and submitted to the audit committee a "Programme for improving the quality of internal audit activities at Sava Re d.d." along with a self-assessment of our work in 2019.

Pursuant to the list for verification of the independence of the IA function we did not find that independence has been violated or hindered during the course of any of our audits.

In the annual work plan, the IAD also envisaged evaluating the performance of the internal audit. The IAD also monitors the implementation of recommendations proposed to the management board. Most of the recommendations proposed in 2019 were adopted by resolutions of the management board, while one was withdrawn based on a resolution of the management board; all the audits foreseen for 2019, except for one, were carried out.

As director of internal audit, I believe that the operation of the IAD in 2019 complied with the relevant standards and that the annual work plan was successfully implemented.

Director of Internal Audit and Internal Audit Function Holder

Polonca Jug Mauko

OPINION OF THE SUPERVISORY BOARD ON THE ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING IN 2019

In 2019, the Internal Audit Department of Sava Re, d.d, ("IAD") carried out audits in the areas set out in its annual work plan for 2019.

The audit goals pursued by the IAD were geared towards verifying whether risk management procedures were adequate and efficient and whether internal controls and governance processes in the reinsurer's most important operating segments were effective and efficient. The IAD assessed the adequacy of internal controls for the prevention of fraud and potential threats to information technology supporting operations.

A total of 23 internal audit engagements were carried out at Sava Re and in its subsidiaries in 2019, with the IAD collaborating in audit reviews in several companies, issuing altogether 70 recommendations. The supervisory board finds that the IAD operated in line with the guidelines set by the supervisory and management boards, thereby contributing significantly to managing the risks involved in the operations of Sava Re and the Group.

On the basis of all the examinations carried out and methods applied in individual audited areas, the IAD considers that the internal controls of Sava Re are adequate, and the reliability level of their operation is good. Furthermore, it believes that the governance of Sava Re was appropriate and undergoing ongoing improvement in order to achieve major business goals, and that risks are effectively managed while striving for efficient and economical operations. Even so, the IAD is of the opinion that there remain opportunities to improve the functioning of the internal control system. The audit engagements revealed individual irregularities and weaknesses to which the IAD drew attention, recommending their remedy aimed at improving control procedures, corporate governance and risk management. The Company's management board is aware of the potential impacts that the identified violations, irregularities and weaknesses may have on the achievement of its key goals and is therefore taking remedial action. This leads to greater efficiency of the internal controls and regularity of operations.

The supervisory board members monitored the effectiveness and efficiency of the IAD through quarterly reports and the annual report of the IAD. They were submitted summaries of the internal and external quality assessments of the IAD. The results of these assessments showed that the operation of the IAD complies with the International Standards for the Professional Practice of Internal Auditing, the Code of Ethics of Internal Auditors and the Code of Internal Audit Principles.

Based on the above, the supervisory board hereby gives its positive opinion on the "Annual report of the IAD on internal auditing for 2019".

Ljubljana, 25 March 2020

Supervisory Board of Sava Re d.d. Chair

AI Terminal

Pozavarovalnica Sava

1987_rns_2020-04-20_9941857d-c487-475d-915f-c91af03b7149.pdf