Pozavarovalnica Sava

Audit Report / Information Apr 19, 2021

1987_rns_2021-04-19_e0507365-7644-48f9-aa15-5121386e2674.pdf

ANNUAL REPORT

OF THE INTERNAL AUDIT DEPARTMENT

ON INTERNAL AUDITING

FOR 2020

Prepared by: Polonca Jug Mauko
Adopted by: Sava Re management board
Consent by: Sava Re supervisory board
Type of document: report
Department/unit: internal audit
Confidentiality level: confidential
Report number: 2-2021/POR/PJM
Distribution list: Sava Re management board; Company's supervisory board members; Company's members of the supervisory board's audit committee
Language versions: Slovenian, English
Prepared on: 27 February 2021
Date of adoption at management board meeting: 9 March 2021
Date of adoption at the AC and SB meetings: 16 March 2021 (AC) and 24 March 2021 (SB)

Ljubljana, February 2021

CONTENTS

1 INTRODUCTION
2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE
3 OVERVIEW OF THE ACHIEVEMENT OF THE ANNUAL WORK PLAN FOR 2020
4 SUMMARY OF KEY CONCLUSIONS OF THE INTERNAL AUDIT ENGAGEMENTS
5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO ELIMINATE WEAKNESSES AND IRREGULARITIES
6 STAFF, TRAINING AND OTHER ACTIVITIES
7 THE INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1 INTRODUCTION

The internal audit department prepared this Annual report of the internal audit department on internal auditing for 2020 pursuant to article 165 of the Slovenian Insurance Act (ZZavar-1), the internal audit policy of Sava Re d.d. ("Sava Re"), the strategy of the internal audit department ("IAD") for 2020–2022 and the annual work plan of the IAD for 2020.

This report includes:

  • a report on the organisational independence of the internal audit department;
  • an assessment of the effectiveness and efficiency of Sava Re's internal controls, risk management and corporate governance;
  • an overview of the achievement of the annual work plan for 2020;
  • a summary of key conclusions of the internal audit engagements;
  • an overview of the implementation of recommendations to eliminate weaknesses and irregularities;
  • an overview of the implementation of other IAD activities (employees, education and training);
  • a summary of the internal audit quality assurance and improvement programme.

The IAD is an independent organisational unit that is functionally and organisationally separate from other Sava Re units. Administratively, it reports to Sava Re's management board, while functionally it reports to Sava Re's supervisory board and its audit committee. This ensures the autonomy and organisational independence of the IAD's activity.

Pursuant to the Insurance Act and based on outsourcing agreements, Sava Re has been performing the key internal audit functions of Zavarovalnica Sava and Sava Pokojninska Družba since 1 February 2018. In 2019, pursuant to the Investment Funds and Management Companies Act (ZISDU-3), Sava Re signed a contract with Sava Infond, Družba za Upravljanje, whereby the latter transferred the performance of the internal audit key function to Sava Re as of 1 January 2020 and for an indefinite period of time. In January 2021, pursuant to the Insurance Act, Sava Re signed a contract with Življenjska Zavarovalnica Vita, whereby the latter transferred the performance of the internal audit key function to Sava Re as of 22 January 2021 and for an indefinite period of time.

On 16 February 2020 – when Jožica Palčič left the company for another job within the Sava Insurance Group – Polonca Jug Mauko was appointed director of the IAD and holder of the internal audit key function in Sava Re, Zavarovalnica Sava and the Sava Insurance Group.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE

Our assessment of the effectiveness and efficiency of Sava Re's internal controls, risk management and corporate governance from 1 January 2020 to 31 December 2020 is based on audits carried out in the Company.

Based on all tests carried out and methods used in individual areas that we audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is GOOD. It also believes that Sava Re's governance was adequate and that it is being continuously improved to ensure the achievement of key business objectives and that Sava Re's risk management was efficient, with the purpose of providing effective and economical operations. According to the IAD, there is still room for improvement regarding the operation of the system. The internal audit engagements revealed certain irregularities and deficiencies; the IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. This leads to greater efficiency of internal controls and enhances the regularity of operations.

Some of the irregularities and deficiencies revealed were eliminated before the deadlines. Recommendations made in the last quarter and those related to the IT system require more time.

In standard internal audit engagements, due consideration was given to potential instances of fraud and potential exposure or vulnerability of IT support for operations. The internal control system in the areas audited has been implemented and functions to prevent the occurrence of fraud. After the audits, recommendations for improving the IT system were also made.

3 OVERVIEW OF THE ACHIEVEMENT OF THE ANNUAL WORK PLAN FOR 2020

In 2020, the IAD carried out internal audit engagements and other activities in accordance with its annual work plan for 2020.

A total of 28 audit engagements were carried out:

    1. 1_R_2020/SRe Audit of the compliance function;
    2. 2_R_2020/SRe Audit of the implementation of the succession policy;
    3. 3_R_2020/SRe Audit of the implementation of SimCorp software support;
    4. 4_R_2020/SRe Audit of the calculation of combined ratios;
    5. 5_R_2020/SRe IFRS 9 project audit;
    6. 6_R_2020/SRe Audit of the calculation of SCR Sava Insurance Group and Sava Re;
    7. 7_R_2020/SRe Audit of operating costs;
    8. 8_R_2020/SRe Audit of the appropriateness of analyses of equity securities returns in SIMCORP;
    9. 9_R_2020/SRe Audit of the appropriateness of analyses of debt securities returns in SIMCORP;
    10. 10_R_2020/SRe IFRS 17 project audit;
    11. 11_R_2020/SRe Audit of the liquidity management process;
    12. 12_R_2020/SRe Audit of the IT strategy external service provider;
    13. 1_SV_2020/SRe Formal consulting engagement – the project of selecting new software support for the reinsurance process;
    14. 2_SV_2020/SRe Formal consulting engagement related to IT management 360°;
    15. 3_SV_2020/SRe Informal consulting engagements;
    16. 1_SOD_2020/SRe Audit of the procurement process – Illyria (Kosovo);
    17. 2_SOD_2020/SRe Audit of the claims handling process – Illyria (Kosovo);
    18. 3_SOD_2020/SRe Audit of the system of reporting to the parent – Sava Penzisko Društvo (North Macedonia);
    19. 4_SOD_2020/SRe Audit of the IT management 360° process – Sava Osiguranje (Montenegro);
    20. 5_SOD_2020/SRe Audit of Group/non-Group reinsurance protection – Sava Neživotno Osiguranje (Serbia);
    21. 6_SOD_2020/SRe Audit of the process of commission accounting – Illyria (Kosovo);
    22. 7_SOD_2020/SRe Audit of the sales process and of commission accounting – Illyria Life (Kosovo);
    23. 8_SOD_2020/SRe Audit of the sales process – Illyria (Kosovo);
    24. 9_SOD_2020/SRe Audit of the underwriting process in relation to profitability of certain key segments – Sava Neživotno Osiguranje (Serbia);
    25. 10_SOD_2020/SRe Audit of the investment process – Sava Životno Osiguranje (Serbia);
    26. 11_SOD_2020/SRe Audit of the procurement process and of cost management – Sava Osiguruvanje (North Macedonia);
    27. 12_SOD_2020/SRe Audit of the calculation of capital adequacy – Illyria (Kosovo);
    28. 13_SOD_2020/SRe Audit of the calculation of capital adequacy – Illyria Life Kosovo.

After the outbreak of the Covid-19 epidemic in Slovenia, when we started working from home, Sava Re and all its subsidiaries appointed a crisis management team also involving the IAD. This triggered a formal consulting engagement entitled "Business continuity – Covid-19" that lasted the entire year, which represents work not included in our work plan for 2020.

In addition, there was also an IT management audit in Vita, which focused on IT risks and was required by Sava Re's management, and a consulting engagement at the Group level covering "remote signing". The "Audit of the underwriting process in relation to profitability of certain key segments" (9_SOD_2020/SRe) in Sava Neživotno Osiguranje (Serbia), where we should have participated, did not take place in 2020 due to the external contractor's unavailability and was postponed to Q4 2021. We did participate, however, in the "Audit of the human resources function" (14_SOD_2020/SRe) in Illyria Life (Kosovo), which was not planned.

In total, 31 internal audit engagements were performed. After the outbreak of the Covid-19 epidemic in Slovenia, when we started working from home, the majority of internal audit engagements were carried out remotely, using the MS Teams tool.

4 SUMMARY OF KEY CONCLUSIONS OF THE INTERNAL AUDIT ENGAGEMENTS

Considering the risks involved, the internal audit entailed ongoing and comprehensive supervision over the operations of the Company aimed at verifying and assessing whether its internal controls, risk management and governance were adequate and ensuring the achievement of the following key business objectives of Sava Re:

  • effective and efficient operations, also by attaining the objectives of business and financial performance, and protection of assets against loss;
  • reliable, timely and transparent internal and external financial and non-financial reporting;
  • compliance with laws and other regulations, including internal rules;
  • IT management in the Company supporting and contributing to its strategies and objectives; and
  • assessing fraud risk and the method of addressing this risk by the Company.

The IAD regularly reported on its work to the auditees, and it sent the Company's management board reports for information, and conclusions and recommendations for approval. Based on information provided by the persons responsible, the IAD regularly reported to the management board and the supervisory board and its audit committee on the implementation of its recommendations.

Moreover, the IAD reported to the management board and the supervisory board and its audit committee on internal audit engagements with all conclusions, irregularities and recommendations through its quarterly reports.

The IAD assesses the adequacy and efficiency of the internal control system in relation to risks in accordance with Standard 2410.A1. In this, we use the following rating scale for assessing the internal control system, in accordance with the Sava Insurance Group methodology:

VERY GOOD – The control system of the audited business unit / organisational unit is very good in every respect; the internal controls set up are strong, all key controls are operating and there are no deviations. Supervision is optimal. Risk is very low. There are no findings assessed as medium or high risk.

GOOD – The control system is generally good; minor weaknesses may be addressed by the head of any business function / organisational unit during the business process. Management has good control of operations; authorisations and powers are observed. In the case of deviations, immediate action follows and processes are improved continuously. Supervision is carried out regularly. The risk is low. One to two findings were assessed as medium risk; no findings were assessed as high risk.

ADEQUATE – A combination of some weaknesses in the control system requires immediate corrective action by the head of the business area / organisational unit. Management is aware of the required monitoring and supervision; procedures and responsibilities are roughly defined. Supervision is occasional. Risk is medium. Most findings are assessed as medium risk.

NOT APPROPRIATE – Major weaknesses in the control system are undermining operations and must be immediately addressed by the head of the business area / organisational unit as a matter of priority. Supervision is not carried out according to defined processes but left to individuals. The risk is high. There are findings assessed as high risk.

INADEQUATE – There is a high degree of major weaknesses (non-compliance, complete lack of controls), requiring complete reorganisation of the business function / organisational unit. There is no supervision. The risk is very high.

Despite the given scale and in view of the professional and ethical standards required of the certified internal auditor, part of the assessment of the internal control system remains the discretion of the certified internal auditor.

A summary of the key conclusions in the areas audited is provided below.

Audit of the compliance function (1_R_2020/SRe)

The audit was carried out to review and assess the appropriateness and effectiveness of the provision of the compliance key function. Based on the processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the (sub)processes reviewed in the area audited as GOOD, which means that management has generally good control of compliance in the Company and in the Group. We made 3 recommendations, of which 1 was labelled medium-risk and 2 were labelled low-risk, and we identified 1 opportunity for improvement. The recommendations related to the following: improvement of the procedure leading to adoption of internal acts, inclusion of a review of Sava Re's documentation management in the annual work plan of the compliance function for 2021 and possible strengthening of the team in this area from within the Sava Insurance Group. Audit conclusions and the resulting recommendations have been fully implemented.

Audit of the implementation of the succession policy (2_R_2020/SRe)

The audit was carried out to check the existence of relevant internal acts in the area of succession, and to review and assess the appropriateness of succession policy implementation in practice. Based on the processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the Company's succession policy implementation as GOOD. Succession planning is managed as a strategic process and included in the adopted strategy of the Company and the Group. In the process of identifying key positions and selection of those employees who could become future members of the management board and of management one level below the management board, development activities are carried out, while certain smaller amendments are already required. We made 3 recommendations labelled medium- and low-risk.

Audit of the implementation of SimCorp software support (3_R_2020/SRe)

The audit was carried out to assess the appropriateness of implementation of SimCorp software support and/or of planned development activities within this implementation (time aspect, financial aspect, human resources availability aspect), as well as to assess the appropriateness of implementation of planned functionalities. Based on the processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the processes reviewed in the area audited as ADEQUATE. We made 9 recommendations labelled medium-risk, as well as 12 good-practice recommendations labelled opportunity. Medium-risk recommendations mainly related to the following: updating the project's feasibility study (to include more detailed information on the project's financial aspect and similar), preparation of handover reports when functionalities are put into production, completion of commenced activities addressing inconsistencies between accounting/controlling reporting and project reporting on project costs, completion of the analysis of all SimCorp-related financing, formal adoption of the instructions for project cost recording, more detailed record-keeping of activity status by project area and definition of project objectives. Recommendations labelled opportunity mainly related to possible improvements in project management in general, which could already apply to the SimCorp project.

Audit of the calculation of combined ratios (4_R_2020/SRe)

The audit was carried out to review and assess the appropriateness of combined ratio calculation, monitoring and reporting at the Company level. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the process reviewed in the area audited as GOOD. We made some recommendations related to the preparation and updating of internal acts governing the calculation of combined ratios. We also recommended that reporting of combined ratios for the Group and segments reflect those segments that are included in the plans, and that the appendices to the business policy and financial plan containing a glossary and calculation methods be updated. We made 4 recommendations, of which 1 was labelled medium-risk and 3 were labelled low-risk.

IFRS 9 project audit (5_R_2020/SRe)

The audit was carried out to review and assess the appropriateness of the implementation of SimCorp software support in the part relating to IFRS 9, as well as of planned development activities in view of IFRS 9 requirements (time aspect, financial aspect, human resources availability aspect, regulatory aspect) and of the implementation of planned functionalities in view of IFRS 9 requirements. Based on the audit processes carried out, we assessed the area audited as GOOD. We believe that the regulatory aspect is adequately covered and we did not identify any significant risks timewise, as the project was consistent with the planned timeline and activities. We made 2 recommendations: 1 was labelled low-risk and related to the appointments of project managers upon changes in the project management team, as well as to the management of project changes, and 1 was labelled medium-risk and related to contracts with external providers. We also made 1 recommendation labelled opportunity, which related to possible improvements in the management in one place of documentation and of the management board's resolutions.

Audit of the calculation of SCR – Sava Insurance Group and Sava Re (6_R_2020/SRe)

The audit was carried out to assess the appropriateness of the SCR calculation process as a whole, as well as of the input data approval, the calculation's methodological bases or regulatory compliance, and the related reporting. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the process reviewed in the area audited as GOOD, but nevertheless we made some recommendations related to the preparation of internal documentation and full alignment with certain requirements of the revised delegated regulation (EU), even if these, applicable only as of 1 January 2020, did not apply to the 2019 SCR calculation. We also made a recommendation that the methodology of quarterly SCR monitoring be formally established, as well as for input data approval to be further improved. We made 7 recommendations, of which 4 were labelled medium-risk, 1 was labelled low-risk and 2 were labelled opportunity.

Audit of operating costs (7_R_2020/SRe)

The audit was carried out to review and assess the procurement process in respect of compliance with cost management. Based on the processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the process reviewed in the area audited as ADEQUATE, which means that management is aware of the required monitoring and supervision, that procedures and responsibilities are roughly defined and that supervision is occasional. We made some recommendations related to updating the internal acts governing procurement, to potential full or partial IT support for the procurement process, to organisation of the procurement documentation archive and to the office of the management board and compliance reminding the substantive administrators to consistently observe the internal acts governing procurement. We made 9 recommendations, of which 7 were labelled medium-risk and 2 were labelled low-risk. Compared to the 2018 audit, the progress and improvements in the procurement process itself were insufficient, as development has been suspended, the various procurement phases are not traceable, no progress regarding IT support has been made and the applicable procurement rules provide for too many exceptions or are too vague.

Audit of the appropriateness of analyses of equity and debt securities returns in the SimCorp software (8_9_R_2020/SRe)

The audit was carried out to review and assess the appropriateness of planned SimCorp functionalities for monitoring the returns on equity and debt securities. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the process reviewed in the area audited as ADEQUATE. The "adequate" assessment relates to the appropriateness of planned SimCorp functionalities for monitoring the returns on equity and debt securities, as we were not able to review these functionalities in practice due to the delay in their implementation. However, given that planned SimCorp functionalities for monitoring the returns on equity and debt securities are appropriate, we believe that all functionalities are enabled within the performance measurement module that could, in the long run, represent a value added within integrated investment return monitoring. The key finding was the absence of a list of works already completed within the performance measurement module and sub-modules, as well as the absence of a description of the calculation methodology and its planned simplification. We accordingly made 1 recommendation labelled medium-risk to prepare a list of works already completed within the performance measurement module and sub-modules, as well as to document the calculation methodology and its planned simplification.

IFRS 17 project audit (10_R_2020/SRe)

The audit was carried out to review the appropriateness of the implementation of IFRS 17 and within this of planned development activities in view of IFRS 17 requirements (time aspect, financial aspect, human resources availability aspect, regulatory aspect). Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the process reviewed in the area audited as GOOD, as Sava Re is managing the IFRS 17 project in accordance with the applicable project management rules and it is also actively monitoring planned activities and their realisation, including the timeline, project costs and project risks, regularly informing the project council and management and supervisory boards on the progress made. We made 2 recommendations: 1 was related to contracts with external providers and was labelled medium-risk, and 1 was related to project costs and was labelled low-risk.

Audit of the liquidity management process (11_R_2020/SRe)

The audit was carried out to review and assess the management of risks related to the liquidity management process, cash flow allocation, accounting, appropriateness of software support and appropriateness of internal acts governing liquidity management. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the liquidity management process, cash flow allocation, accounting, appropriateness of software support and appropriateness of internal acts governing liquidity management as GOOD, which means that management has generally good control of operations and is aware of the required monitoring and supervision, that procedures and responsibilities are roughly defined, and that supervision is occasional. We made 4 recommendations labelled low-risk and related to the review of internal acts governing liquidity of the Company, preparation of a liquidity plan for the next year by the end of the current year, a description of the liquidity process, and inclusion of the monthly cash flow and liquidity plan into the monthly investment report presented at the college of investment managers. We also made 2 recommendations labelled opportunity.

Audit of the IT strategy (12_R_2020/SRe)

The audit was carried out to assess the appropriateness of the IT strategy in view of the Company's and Group's objectives. Our more detailed objectives were to establish whether the IT strategy was consistent with the Company's business objectives, whether the objectives and the related responsibilities were clearly communicated so that all could understand them and whether the strategic IT options were defined, structured and integrated in the business plans. Based on the audit processes carried out, we assessed the IT strategy document as ADEQUATE. The strategy of IT development in Sava Re does not exist as a separate document, and it is defined and implemented using the "Strategy of development of IT in the Sava Insurance Group for 2020–2022" (IT strategy). With its objectives, the IT strategy fully follows the strategic objectives of the Sava Insurance Group. The majority of projects and activities launched to ensure the achievement of the strategic objectives are already under way. This mainly includes technical projects (core systems, SOC and similar), while the activities aimed at achieving the so-called 'soft' objectives are still not defined or are being implemented outside the context of the IT strategy, but no implementation plan is in place for the achievement of strategic objectives (high risk). No indicators of the achievement of key objectives provided for in the strategy are in place, either. We also made recommendations related to the process of designing the IT strategy. We made 4 recommendations, of which 1 was labelled high-risk, 2 were labelled medium-risk and 1 was labelled low-risk. Audit conclusions and the resulting recommendations have been fully implemented.

Audit of IT management – Vita, Življenjska Zavarovalnica (1_IR_2020/SRe)

The audit was carried out to review and assess the management of risks related to the IT management process in Vita, the effectiveness and efficiency of the IT management process, and the appropriateness of the IT management process and its consistency with good practices and IT management frameworks. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the (sub)processes reviewed in the area audited as GOOD. Our audit covered the following: the management of IT strategy, human resources, assets, costs, IT security, projects, business continuity, IT changes, service requests and incidents, the development and implementation of applications, and also the external suppliers. The reviewed IT management processes are carried out efficiently and within given technical and HR possibilities. A small deficiency identified by us was the documentation not updated (policies, rules, instructions, etc.), as certain documents were created in 2010 and 2013 but have not been updated since then.

Formal consulting engagement – The project of selecting new software support for the reinsurance process (1_SV_2020/SRe)

The consulting engagement was carried out to review and assess the appropriateness of project planning and implementation (up to the provider selection phase), the appropriateness of solution implementation planning (timeline, finances, human resources), the consistency of planned functionalities with the client's expectations/requests and the integration of the IAD's reinsurance-related recommendations in the definition of planned functionalities. We examined internal acts and instructions, internal documents prepared before and during the implementation of the CORE ERP project and documentation on the implementation of the IAD's recommendations. Based on our findings while monitoring project implementation, we assessed project management as GOOD. The provider selection processes are transparent and appropriate, and providers are selected based on appropriate criteria. Planned implementation based on the blueprint (a detailed description of business processes in reinsurance and system requirements, including activities, events, milestones and deliverables) is reasonable and entails the lowest risk for project implementation. In certain phases, implementation of requests is slightly late due to external factors, but such delays are currently not jeopardising the project's milestones. Project risks are appropriately addressed, but we believe that the risk of implementation of the project as a whole should be monitored at the Sava Re level. Implementation of the Revolve project-related IAD recommendations was consistent with the plan. We made 1 recommendation labelled medium-risk related to project implementation.

Formal consulting engagement related to IT management 360° (2_SV_2020/SRe)

The consulting engagement was carried out to review and assess the effectiveness and efficiency of the IT management process against COBIT 2019 requirements to determine whether IT services were compliant with Sava Re's business requirements. We focused on the appropriateness of processes of the IT departments of Sava Re and Zavarovalnica Sava, given that Sava Re transferred a large portion of its IT area to Zavarovalnica Sava under a management contract, which ensures that complex tasks are carried out by skilled professionals aware of good practices and IT management frameworks. The basis for our audit was the IT management framework COBIT 2019. Based on our findings during the audit, we made recommendations that mainly related to the following: continued preparation of appropriate documentation based on control best practices of COBIT 2019, appropriate consideration of individual COBIT 2019 controls not yet implemented in Sava Re and connecting all IT management processes to allow for a clear understanding of all activities in Sava Re's IT department. We made 13 recommendations labelled medium-risk.

Informal consulting engagements (3_SV_2020/SRe)

Conducting reviews of some draft internal acts and contracts, making recommendations for improvements in operations or functioning of controls and cooperation in project teams.

Business continuity – Covid-19 (4_SV_2020/SRe)

The main objective of the non-standard consulting engagement was to monitor the work of the Sava Insurance Group's crisis management team, and to analyse actions and crisis response in Group companies after the outbreak of the Covid-19 pandemic. We also monitored how this crisis management team at the Group level guided crisis management teams in Group companies, as well as the preparation and implementation of common work procedures and protocols in Group companies. We made some suggestions for improvement of individual documents (the scenario of crisis plan implementation, the general and specific preventive measures in the event of pandemic), and we provided guidelines on standardisation of protocols and rules at the Group level (an opportunity).

Consulting for the introduction of "remote signing" in the Group (5_SV_2020-SRe)

The main objectives of the non-standard consulting engagement were to assess the possibilities for implementing legally compliant remote signing, and to provide guidelines on what is required for such remote signing and what to expect in 2020 and 2021 regarding the introduction of remote signing in the countries where Group companies are present. We focused on the currently used software solutions and offers from our contractors (uSign and ASP tools), which are used in Zavarovalnica Sava and Group companies in Serbia, and similar solutions available in the Group's markets (ePero (SETCCE) or ASP).

We provided guidelines for achieving the objective of implementing legally compliant remote signing and we recommend that the following activities be carried out in 2020 and 2021:

  • defining business requirements for the introduction of secure remote signing;
  • examining the possible implementation of an appropriate remote signing solution that would support qualified digital certificates and safe electronic signing;
  • examining the possible use of qualified digital certificates of all issuers (in Slovenia and other EU members);
  • providing appropriate conditions so that the service is not interrupted in the event of failure of infrastructure required for qualified certificates;
  • adding the possibility of using electronic identities and qualified certificates included in ID documents (ID cards), which countries will start issuing in 2020 and 2021 (in Slovenia and other EU member states and other countries where we are present).

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO ELIMINATE WEAKNESSES AND IRREGULARITIES

The IAD periodically reports on the implementation of recommendations made and proposals given based on irregularities and weaknesses identified. From 1 January 2020 to 31 December 2020, we monitored the implementation of 111 recommendations, of which 95 applied to Sava Re and 16 to the audited subsidiaries. Based on the internal audits performed, we made 89 recommendations in 2020.

Of the 95 recommendations made to Sava Re, 55 have been implemented (of these 20 opportunities), while the deadline for the remaining 35 has not yet expired. For 4 recommendations, the deadline was extended to 2021, while 1 was withdrawn based on a resolution of the management board. Of the 16 recommendations made to subsidiaries, 8 have been implemented, while the deadline for the remaining 8 has not yet expired.

As at 31 December 2020, 93% of recommendations with a deadline before that date and made at the Sava Insurance Group level were implemented. 7 auditor days were spent monitoring the implementation of recommendations in 2020.

6 STAFF, TRAINING AND OTHER ACTIVITIES

In 2020, the IAD had 10 employees. Of these, 6 were certified internal auditors, while 2 were certified information system auditors. The employees also hold the following licenses: CISA, CRISC, CISM, lead assessor for ISO 9001, ISO 22301, ISO/IEC 27001, 27018, ISO/IEC 20000, PCI DSS ASV, PCI DSS QSA, EIDAS, NPK security manager, certified public sector accountant, certified state internal auditor, internal assessor for ISO 9001, ISO 14001, ISO 45000 and IIA Quality Assessment.

We believe that the number and composition of our employees allow for the proper completion of planned activities, provided there are no extended unplanned absences and/or increased unplanned work.

In 2020, the IAD employees received training in various areas. In addition to the training organised by the Slovenian Institute of Auditors, ISACA, and Slovenian and Serbian institutes of internal auditors, an international workshop titled Risk-Based Auditing Masterclass, various in-house training events in ERM, compliance and internal audit, and international web-based seminars, we also regularly followed articles on current topics related to internal audit, (re)insurance, accounting, finance and taxes. We also organised a workshop for the Sava Insurance Group's internal auditors, where we presented the new internal audit methodology and new features of the audit software support (in three parts, as it was carried out using MS Teams).

In 2020, the IAD prepared the annual work plan of the IAD for 2021, as well as 4 quarterly internal audit reports for the periods October–December 2019, January–March 2020, April–June 2020 and July–September 2020, and also the 2019 annual report. We also reviewed the strategy of the internal audit department for 2020–2022 of Sava Re, and we found it to be appropriate and not requiring amendments.

The director of the IAD regularly took part in the meetings of the management board, supervisory board and its audit committee, risk management committee and executive meetings. The operations were also monitored through the review of the documents prepared for the meetings of the management board, the risk management committee and the executive meetings. Other activities also comprise the managing of the department.

The IAD was engaged in regular quarterly risk assessments at the Sava Insurance Group and Sava Re levels; it also contributed to the SFCR and RSR reports. Furthermore, it contributed to those parts of the 2021 planning process that relate to the IAD, and to the IAD section of the Sava Insurance Group's annual report.

Cooperation with the external auditor entailed coordination of work, monitoring of pre-audit and post-audit conclusions, and active participation at joint meetings.

Within IAD development, we further improved the activities related to the new software supporting the comprehensive internal audit process, also at the Group level, and designed the overall opinion methodology at the level of Sava Re and at the Group level. In 2020, we introduced a Group internal audit in Slovenian Group companies and will introduce it in the remaining companies, including those outside the EU, in 2021.

The IAD provided technical assistance to internal auditors in subsidiaries related to methodology, implementation of software supporting the comprehensive internal audit process and the induction of new employees in subsidiaries, while key function holders also actively collaborated with each other.

7 THE INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

The IAD performed a quality assessment of its activity in accordance with the requirements of standards. The assessment is conducted based on the quality assurance and improvement programme covering all aspects of the IAD's operation. The IAD director reports on the results of this programme to the management board and the audit committee of the supervisory board.

The external quality assessment of Sava Re's IAD in 2019 was carried out by Deloitte Revizija with the following auditing team as external assessors: Barbara Žibert Kralj, partner, authorised auditor responsible for quality control of the tasks performed; Katarina Kadunc, certified internal auditor, authorised auditor, FCC; and Urban Goršič, CIA, CFE as external assessor. Based on the processes carried out, the external assessment of Sava Re's internal audit activity confirmed its compliance with International Standards for the Professional Practice of Internal Auditing, Code of Professional Ethics of Internal Auditors and Code of Internal Auditing Principles. The internal audit maturity model of Deloitte showed that the majority of capabilities of Sava Re's internal audit were at the upper advanced or leading level of maturity.

In 2020, the IAD carried out a self-assessment of its activity in accordance with standards. The results confirmed compliance of the internal audit activity with the definition of internal auditing, standards and code of ethics. As regards certain sub-standards where full compliance has not been achieved yet, the IAD prepared an action plan for improvement, which it observes in its activity. In accordance with the internal audit guidelines, we amended the internal audit quality assurance and improvement programme to include statements of compliance of the internal audit with standards and the code of ethics, as well as disclosure and avoidance of conflicts of interests.

In early 2021, we sent the members of the management board, the supervisory board and its audit committee a questionnaire on their satisfaction with the internal audit (for the IA maturity model). The average of all scores based on the questionnaires returned was 3.8 out of 4. The management board sees the internal audit as an important component of the Company's risk management framework and believes the internal audit plays an important role in the Company.

Work methodology has been further improved, mainly in terms of the overall opinion and further development of the internal audit process in the Pentana application. In 2020, we also revised the internal audit methodology (Internal Audit Manual) at the Sava Re level, as well as at the level of Group companies.

In February 2021, we compiled and submitted the internal audit quality assurance and improvement programme to the audit committee, along with a self-assessment of our activity in 2020. We also checked our independence against an established checklist and we did not find our independence to have been breached or hindered during any of our audits. We also included a measurement of our performance in our annual work plan. At the same time, we are also monitoring the implementation of recommendations proposed to the management board. The management board adopted all but one of the proposed recommendations, which was withdrawn.

As the director of the internal audit, I believe that the IAD's activity in 2020 was compliant with standards and that the annual work plan was very successfully achieved.

Director of Internal Audit and Internal Audit Function Holder

Polonca Jug Mauko

Appendix 1: Glossary

Abbreviation Meaning
ASP.ins Application supporting the insurance underwriting processes in Sava Re's subsidiaries
CFE Certified Fraud Examiner
CIA Certified Internal Auditor
CISA Certified Information System Auditor (upgraded with the Slovenian Institute of Auditors to PRIS certificate)
CISM Certified Information Security Manager (required of a CISO; i.e. Chief Information Security Officer)
COBIT 2019 Information and Technology Governance Framework
CORE ERP/systems Software solution for a key business process
CRISC Certified in Risk and Information Systems Control
EIDAS Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (lead assessor)
EU European Union
IIA Institute of Internal Auditors
INFOSEK Annual conference of the company Palsit, the most important information security event in Slovenia
ISACA GLS ISACA Global Leadership Summit
ISACA Slovenia Information Systems Audit and Control Association of Slovenia
ISO 14001 Environmental management system, an international standard that exists to help manufacturing and service organisations manage environmental aspects of their operations
ISO 22301 Business continuity management system
ISO 45000 Occupational health and safety management system
ISO 9001 Quality management system
ISO/IEC 20000 Service management system
ISO/IEC 27001, 27018 Information security management system, an international standard about privacy in cloud computing services (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
IT Information technology
MS Teams Microsoft Teams – a communication platform developed by Microsoft (for meeting, calling, video calling, messaging, screen sharing, etc.)
IFRS International Financial Reporting Standards
NPK Security manager National vocational qualification SECURITY MANAGER
IA Internal audit
SB Supervisory board
P2P Sava Re's internal peer-to-peer coaching
PCI DSS ASV Payment Card Industry Data Security Standard Automatic Scanning Vendor
PCI DSS QSA Payment Card Industry Data Security Standard Qualified Security Auditor
PJM Polonca Jug Mauko
REP Report
Q4 Fourth quarter
CMT ZSS Sava Insurance Group's crisis management team
Revolve Application supporting the reinsurance underwriting processes
AC Audit committee
SCR Solvency Capital Requirement
SIMCORP Software support for integrated investment management, better investment decision-making and overview of operations in one system, also SimCorp
IAD Internal audit department
SOC Security operations centre
x_F_201x/company Audit designation – follow-up audit
x_R_201x/company Audit designation – standard audit
x_SOD_201x/company Audit designation – advisory/participation in the audit of a subsidiary
x_SV_201x/company Audit designation – consulting engagement
ZISDU-3 Investment Funds and Management Companies Act
ZZavar-1 Slovenian Insurance Act
Companies of the Sava Insurance Group
SRe Sava Re
ZS Zavarovalnica Sava
SPD Sava Pokojninska Družba
SIn Sava Infond
SPDMKD Sava Penzisko Društvo (North Macedonia)
SNOSr Sava Neživotno Osiguranje (Serbia)
SŽOSr Sava Životno Osiguranje (Serbia)
SOMKD Sava Osiguruvanje Skopje (North Macedonia)
SOMNE Sava Osiguranje (Montenegro)
Illy Illyria (Kosovo)
ILife Illyria Life (Kosovo)
TBS TBS TEAM 24 d.o.o.
Vita Vita, Življenjska Zavarovalnica, d.d.

OPINION OF THE SUPERVISORY BOARD ON THE ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2020

In 2020, Sava Re's internal audit department ("IAD") carried out audits in the areas set out in its annual work plan for 2020.

The audit objective pursued by the IAD was to assess whether internal controls and risk management processes in all major segments of the reinsurer's operations and governance were effective and efficient. The IAD assessed the appropriateness of internal controls for preventing fraud and the vulnerability of IT support for the Company's operations.

A total of 31 internal audit engagements were carried out in Sava Re and its subsidiaries in 2020, while the IAD also participated in audits in several Group companies, based on which the IAD issued 89 recommendations in total. The supervisory board finds that the IAD operated in line with the guidelines of the supervisory and management boards, contributing significantly with its recommendations to risk management in Sava Re and in the Sava Insurance Group.

Based on all tests carried out and methods used in individual areas that we audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is good. It also believes that Sava Re's governance was adequate and that it is being continuously improved to ensure the achievement of key business objectives, and that Sava Re's risk management was efficient, with the purpose of providing effective and economical operations. Nevertheless, there remain opportunities to improve the functioning of the internal control system. The internal audit engagements revealed certain irregularities and deficiencies; the IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. The Company's management board is aware of the potential impacts that the identified breaches, irregularities and deficiencies may have on the achievement of the Company's key objectives, and it is therefore taking remedial action. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The supervisory board members monitored the effectiveness and efficiency of IAD activity through quarterly reports and the annual report of the IAD. They also took note of summary internal quality assessment of the IAD's activity. The assessment showed that the IAD's activity was compliant in all material aspects with the law and International Standards for the Professional Practice of Internal Auditing.

Based on the above, the supervisory board hereby gives its positive opinion on the "Annual report of the IAD on internal auditing for 2020".

Ljubljana, 24 March 2021

Supervisory Board of Sava Re Mateja Lovšin Herič, Chair

Digitally signed by MATEJA LOVSIN HERIC. Date: 2021.04.09 12:24:21 +02'00'
