
Pozavarovalnica Sava

Audit Report / Information May 23, 2022

1987_rns_2022-05-23_6af556b0-887f-4654-83e3-4a14c2ba17a9.pdf


ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2021

Prepared by: Polonca Jug Mauko
Adopted by: company's management board
Consent by: supervisory board
Type of document: report
Department/unit: internal audit
Confidentiality level: confidential
Report number: 2-2022/POR/PJM
Distribution list: company's management board; company's supervisory board members; company's members of the supervisory board's audit committee; company's general meeting
Language versions: Slovenian, English
Prepared on: 25 March 2022
Date of adoption at management board meeting: 29 March 2022
Date of adoption at the AC and SB meetings: on 05/04/2022 by the AC and on 07/04/2022 by the SB

Ljubljana, February 2021

CONTENTS

1 INTRODUCTION
1.1 Organisational independence of the internal audit
2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE
3 REVIEW OF THE IMPLEMENTATION OF THE 2021 ANNUAL WORK PLAN
4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED
5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES
6 STAFF, TRAINING AND OTHER ACTIVITIES
7 THE INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1 INTRODUCTION

The internal audit department prepared this Annual Report of the Internal Audit Department on Internal Auditing for 2021 pursuant to Article 165 of the Slovenian Insurance Act (ZZavar-1), the Internal Audit Policy of Sava Re d.d. (Sava Re or company), the strategy of the internal audit department (IAD) for 2021 and the annual work plan of the IAD for 2021.

This report includes:

  • a report on the organisational independence of the internal audit department;
  • an assessment of the effectiveness and efficiency of Sava Re's internal controls, risk management and corporate governance;
  • an overview of the implementation of the 2021 annual work plan;
  • a summary of the major conclusions of the internal audit engagements;
  • an overview of the implementation of recommendations to remedy weaknesses and irregularities;
  • an overview of the implementation of other IAD activities (employees, education and training);
  • a summary of the internal audit quality assurance and improvement programme.

1.1 Organisational independence of the internal audit

The IAD is an independent organisational unit that is functionally and organisationally separate from other Sava Re units. Administratively, it reports to Sava Re's management board, while functionally it reports to Sava Re's supervisory board and its audit committee. This ensures the autonomy and organisational independence of the IAD's activity.

Pursuant to the Slovenian Insurance Act and based on outsourcing agreements, Sava Re has been performing the key internal audit functions of Zavarovalnica Sava and Sava Pokojninska Družba since 1 February 2018. In 2019, pursuant to the Investment Funds and Management Companies Act (ZISDU-3), Sava Re signed a contract with Sava Infond, Družba za Upravljanje, under which the latter transferred the performance of the internal audit key function to Sava Re as of 1 January 2020 and for an indefinite period of time. In January 2021, pursuant to the Slovenian Insurance Act, Sava Re signed a contract with Življenjska Zavarovalnica Vita, under which the latter transferred the performance of the internal audit key function to Sava Re as of 22 January 2021 and for an indefinite period of time.

The IAD director Polonca Jug Mauko was appointed the internal audit function holder of Sava Re d.d., Zavarovalnica Sava d.d. and the Sava Insurance Group.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE

As holder of the internal audit key function, I assessed the effectiveness and efficiency of the system of internal controls and risk management in 2021 based on the internal audit engagements carried out. Internal auditing is a risk-based permanent and comprehensive supervision of a company's operations aimed at verifying and assessing whether the internal controls, risk management and corporate governance processes are adequate, that is, whether they ensure the achievement of key objectives. The internal control system is considered as a whole: it includes internal controls, risk management, and corporate and group governance processes to ensure the achievement of a company's key objectives. The audit engagements covered all key risks of the company.

Based on all tests carried out and methods used in individual areas that we audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is GOOD. It also believes that Sava Re's governance was adequate and that it is being continuously improved to ensure the achievement of key business objectives, and that Sava Re's risk management was efficient, with the purpose of providing effective and economical operations. According to the IAD, there is still room for improvement regarding the operation of the system. The internal audit engagements revealed certain irregularities and deficiencies. The IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. This leads to greater efficiency of internal controls and enhances the regularity of operations.

Some irregularities and deficiencies were remedied before the deadlines. The recommendations made in the last quarter and those related to improving information technology require some extra time.

In the standard internal audit engagements, due consideration was given to potential instances of fraud and exposure as well as the potential vulnerability of IT support for operations. The internal control system in the areas audited has been implemented and functions to prevent the occurrence of fraud. In the audits, recommendations were also given for improving the IT system.

3 REVIEW OF THE IMPLEMENTATION OF THE 2021 ANNUAL WORK PLAN

In 2021, the IAD carried out internal audit engagements and other activities in accordance with its 2021 annual work plan.

A total of 34 audit engagements were carried out:

  1) 1_R_2021/SRe Audit of integration procedures of external ASP.ins underwriting software;
  2) 2_R_2021/SRe Audit of TBS TEAM 24 d.o.o.;
  3) 3_R_2021/SRe Audit of the project management system;
  4) 4_R_2021/SRe Audit of the actuarial function;
  5) 5_R_2021/SRe Audit of the claims recording process;
  6) 6_R_2021/SRe Audit of the currency risk management process;
  7) 7_R_2021/SRe Audit of the process of implementing the SIMCORP application in subsidiaries;
  8) 8_R_2021/SRe Audit of company's receivables management;
  9) 9_R_2021/SRe Audit of the IT management process COBIT 2019;
  10) 10_R_2021/SRe Continuous auditing, part of the SOC (IT);
  11) 1_SV_2021/SRe Consulting in the document archiving process;
  12) 2_SV_2021/SRe Consulting engagement in the review of outsourcing in Group companies, in cooperation with the compliance function;
  13) 3_SV_2021/SRe Consulting engagement of Group project management review;
  14) 4_SV_2021/SRe IFRS 17 project audit;
  15) 5_SV_2021/SRe Consulting engagement: the project of implementing new software support for the reinsurance process;
  16) 6_SV_2021/SRe Consulting in the project of implementation of business continuity management (BCM) in the Sava Insurance Group;
  17) 7_SV_2021/SRe Informal consulting engagements;
  18) 1_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Illyria;
  19) 2_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Illyria Life;
  20) 3_SOD_2021/SRe Audit of IT controls in ASP.ins claims module and reporting – Sava Neživotno Osiguranje, Serbia;
  21) 4_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Sava Osiguranje, Montenegro;
  22) 5_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Sava Životno Osiguranje, Serbia;
  23) 6_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Sava Neživotno Osiguranje, Serbia;
  24) 7_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Sava Osiguruvanje, North Macedonia;
  25) 8_SOD_2021/SRe Audit of the IT management process COBIT 2019 – Sava Penzijsko, North Macedonia;
  26) 9_SOD_2021/SRe Audit of the investment process – Sava Osiguruvanje, North Macedonia;
  27) 10_SOD_2021/SRe Audit of the reinsurance process accounts, promptness and accuracy of reporting – Sava Osiguruvanje, North Macedonia;
  28) 11_SOD_2021/SRe Group Audit collaboration with subsidiaries – Sava Osiguruvanje, North Macedonia;
  29) 12_SOD_2021/SRe Group Audit collaboration with subsidiaries – Sava Penzijsko, North Macedonia;
  30) 13_SOD_2021/SRe Group Audit collaboration with subsidiaries – Sava Osiguranje, Montenegro;
  31) 14_SOD_2021/SRe Group Audit collaboration with subsidiaries – Sava Životno Osiguranje, Serbia;
  32) 15_SOD_2021/SRe Group Audit collaboration with subsidiaries – Sava Neživotno Osiguranje, Serbia;
  33) 16_SOD_2021/SRe Group Audit collaboration with subsidiaries – Illyria;
  34) 17_SOD_2021/SRe Group Audit collaboration with subsidiaries – Illyria Life.

During the Covid-19 epidemic in Slovenia, when the extent of work from home increased, Sava Re and all its subsidiaries appointed a crisis management team also involving the IAD.

This means that we carried out all planned internal audit engagements and an additional internal audit engagement reviewing whether all statutory requirements for the use of the Simcorp application were complied with. We also carried out two additional consulting engagements at the request of stakeholders: Consulting in the process of harmonising the Group's IT documentation with data protection standards and regulatory requirements, reviewing the appropriateness of the digital signing process (Sava Penzisko Društvo a.d.) and consulting engagement on the adequacy of the SimCorp Dimension management protocol.

In total, 37 internal audit engagements were performed. Due to the ongoing Covid-19 epidemic in Slovenia and the scheme of working partly from home, the majority of internal audit engagements were carried out partly on site and partly remotely, using the MS Teams tool.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

Based on risk ratings, the internal audit covered ongoing and comprehensive supervision over the operations of the company aimed at verifying and assessing whether the risk management processes, control procedures and corporate governance are adequate and function so as to facilitate achievement of the company's following important goals:

  • effective and efficient operation, including meeting the goals related to business and financial performance, and protecting assets against loss;
  • reliable, timely and transparent internal and external financial and non-financial reporting;
  • compliance with laws and other regulations, including internal rules;
  • the company's IT management supporting and contributing to strategy and goals;
  • assessing fraud risk and the method of addressing this risk by the company.

The IAD regularly reported on its work to the auditees, submitting reports to the company's management board for information, and conclusions and recommendations for approval. On the basis of feedback received from those responsible for the implementation of recommendations, it periodically reported on the implementation thereof to the management board, audit committee and the supervisory board.

The IAD submitted a more detailed overview of the internal audit engagements with all conclusions, irregularities and recommendations to the management board, audit committee and the supervisory board via its quarterly reports.

The IAD assesses the adequacy and efficiency of the internal control system in relation to risks in accordance with Standard 2410.A1. In this, we use the following rating scale for assessing the internal control system, in accordance with the Sava Insurance Group's methodology:

VERY GOOD – The control system of the audited business/organisational unit is very good in every respect; the internal controls set up are strong; all key controls are operating and there are no deviations. Supervision is optimal. Risk is very low. There are no findings assessed as medium or high risk.

GOOD – The control system is generally good; minor weaknesses may be addressed by the head of any business function / organisational unit in the course of the business process. Management has good control of operations; authorisations and powers are observed. In case of deviations, immediate action follows and processes are improved continuously. Supervision is carried out regularly. The risk is low. 1 to 2 findings were assessed as medium risk; no findings were assessed as high risk.

ADEQUATE – A combination of some weaknesses in the control system requires immediate corrective action by the head of the business area / organisational unit. The management is aware of the required monitoring and supervision; procedures and responsibilities are roughly defined. Supervision is carried out from time to time. The risk is medium. Most findings are assessed as medium risk.

NOT APPROPRIATE – Major weaknesses in the control system are undermining operations and must be immediately addressed by the head of the business area / organisational unit as a matter of priority. Supervision is not carried out according to defined processes but left to individuals. The risk is high. There are findings assessed as high risk.

INADEQUATE – There is a high degree of major irregularities (non-compliance, complete lack of controls), requiring complete reorganisation of the business function / organisational unit. There is no supervision. Risk is very high.

Despite the given scale and in view of the professional and ethical standards required of the certified internal auditor, part of the assessment of the internal control system remains the discretion of the certified internal auditor.

Below is a brief summary of the key conclusions in the audited areas in Sava Re (internal audit collaborations with subsidiaries are not included, since these engagements are presented in subsidiaries' annual internal audit reports).

Audit of integration procedures of external ASP.ins underwriting applications (1_R_2021/SRe)

The audit comprised an assessment of whether IT controls introduced in integration procedures of external underwriting applications at Sava Osiguranje Montenegro, Sava Osiguruvanje North Macedonia and Illyria Kosovo are adequate to ensure accuracy, availability, currency, quality and security of imported data. We carried out the review using the COBIT 2019 Information and Technology Governance Framework, specifically the DSS06 domain – Managed Business Process Controls. The audit comprised a review of integration procedures, their implementation, and methods for ensuring accuracy, availability, currency, quality and security of imported data in the above listed companies. Based on the audit procedures carried out, we assessed integration procedures as INADEQUATE.

We made six recommendations in the audit, three of which were labelled as high risk, two as medium and one as low. Risks that, if materialised, would result in a major impact on the company's operations and reputation (system breach, disclosure of personal and confidential data), were assessed as high.

Audit of TBS TEAM 24 d.o.o. (2_R_2021/SRe)

The audit comprised a review and assessment primarily in the areas of remedied irregularities and the operations of subsidiary TBS TEAM 24 d.o.o. during the Covid-19 pandemic in 2020, progress in the project of overhauling the company's information system and coordinated planning and reporting activities in line with the guidelines of the parent company Sava Re. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls in the areas audited as VERY GOOD.

We identified two improvement opportunities and made three recommendations, one labelled as medium risk and two as low. The recommendations pertain to examining options for eliminating the cost of leasing real estate, estimating the expenses for the preceding accounting period to ensure expenses are recognised in the appropriate financial year, and examining and assessing tax risks when working with service providers.

Audit of the project management system (3_R_2021/SRe)

The audit comprised a review and assessment of the effectiveness and efficiency of project management in the company, and a review of the management of strategic projects in the Sava Insurance Group. We focused on the appropriateness of the project management process for strategic projects at Sava Re d.d. in 2020 and their consistency with good practice in project management and project management frameworks.

Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls in the areas audited as GOOD.

Eight recommendations were made in total, one of which was labelled as medium risk, five as low and two as opportunities. The recommendations pertain to appropriately specifying the requirements for storing project documentation, improving reporting and communication when working with external contractors, providing regular training on project management, and compiling a list of KPIs that will help project managers monitor projects.

Audit of the actuarial function (4_R_2021/SRe)

The audit comprised a review and assessment of the efficiency and effectiveness of the actuarial function in place from the aspects of compliance with the company's actuarial policy, appropriateness of actuarial models, accuracy and completeness, as well as authorisation of input data, and accuracy and completeness of output data. The audit was outsourced and carried out by an expert, Dr. Janez Komelj. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls in the areas audited as VERY GOOD. In total, we made three recommendations with low risk.

Audit of the claims recording process (5_R_2021/SRe)

The audit comprised a review and assessment of the adequacy of the claims recording process. Based on the audit processes carried out, we assessed the area audited as GOOD; however, we pointed out operational risks, since the procedures currently in place are not compliant with internal rules, primarily due to the absence of internal software controls, but we made no recommendations on this point, since new software support which should address this is already being implemented. In total, we made three recommendations with medium and low risk. The recommendations pertain to defining processes and procedures, ensuring timely entry of reinsurance coverages in place in the system and setting up a claims register system providing information on the claims status in the new software.

Audit of the currency risk management process (6_R_2021/SRe)

The audit comprised a review and assessment of the adequacy of the currency risk management process and focused on the appropriateness of currency risk management (information flow, operational and management controls in the process and sub-processes, calculations traceability and replicability, existence of audit trails on performed controls, existence of internal acts and their compliance with best practices, and compliance with these acts). Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the reviewed processes of the areas audited as GOOD.

We made six recommendations in the audit, three of which were labelled as medium risk and three as low. The recommendations pertain to formalising Excel files used for estimating the currency balance sheet, writing explanations on currency balance sheet estimates, preparing an internal act defining the criteria for explaining significant differences between the estimate and actual currency balance, introducing regular annual reviews of the company's currency matching rules, setting up a formal method of verifying delivered data to ensure chronological and substantive audit trails.

Audit of the process of implementation of the SIMCORP application in subsidiaries (7_R_2021/SRe)

The audit comprised a review and assessment of the appropriateness of the process of the SIMCORP application's implementation in Sava Re's subsidiaries, and the appropriateness of planning and execution of implementation activities (in terms of time, finance, availability of human resources, parent company's support). Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls in the areas audited as GOOD.

We made four recommendations in the audit, three of which were labelled as medium risk and one as an opportunity. The recommendations pertain to contractual relationships with subsidiaries regarding the use of the SimCorp application, approval of the SimCorp Dimension management protocol and the cost accounting model for the use of SimCorp in subsidiaries.

Audit of the company's receivables management (8_R_2021/SRe)

The audit comprised a review and assessment of the adequacy of risk management in the company's receivables management process, and a review of the appropriateness of internal acts on receivables management. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the processes reviewed in the areas audited as ADEQUATE.

We made seven recommendations in the audit, three of which were labelled as medium risk and four as low. The recommendations pertain to updating internal acts on receivables management, organising archives for data related to processing and collecting reinsurance receivables, ongoing monitoring and checking options for collection of long-overdue receivables, strengthening the verification of receivables accounts and upgrading reporting on reinsurance receivables.

Audit of the IT management process – COBIT 2019 (9_R_2021/SRe)

The audit comprised a review and assessment of compliance of the IT management process with regulations and legal requirements at the Sava Insurance Group level. A review and assessment of process compliance by subsidiaries and a review of good practices were also carried out. In our audit, we focused on the appropriateness of processes of the IT department, as well as IT of Zavarovalnica Sava d.d., given that Sava Re transferred, under a management contract, a large portion of its IT area to Zavarovalnica Sava, which ensures that complex tasks are carried out by skilled professionals aware of good practices and IT governance frameworks. The basis for our audit was the COBIT 2019 IT governance framework.

A comparison of assessments from 2020 and 2021 showed improvements in request management, IT system capacities, IT changes, projects, security, incidents and IT support for processes, and IT performance monitoring (COBIT 2019 controls BAI02, BAI04, BAI07, BAI11, DSS02, DSS05, DSS06, MEA01). We detected no deteriorations in the application of any COBIT 2019 controls.

Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the processes reviewed in the areas audited as ADEQUATE.

Seven recommendations were made in total, five of which were labelled as medium risk and two as low. Recommendations pertain primarily to organisational measures in the IT department and KPIs.

Continuous audit – part of the SOC supervisory body (IT) (10_R_2021/SRe)

The audit comprised continuous/regular monitoring of the implementation of the security operations center (SOC) service in Sava Re and the Sava Insurance Group. The SOC directly addresses and increases the maturity level for COBIT 2019 management objective DSS05 – Managed Security Services. The service was implemented by Zavarovalnica Sava's IT and was formally completed in July 2021. We monitored the project through the external contractor's B2Secure project portal. The SOC has been operating stably; additional improvements and integrations are planned.

The audit also included a review of the compliance of the IT documentation with the requirements of the ISO/IEC 27001:2013 standard on information security management, thus ensuring compliance with regulatory and internal requirements and best practices for information security management systems (ISMS). SIT and the IAD conducted a gap analysis and supplemented the SOC security policy documents; policy harmonisation is planned for all Group companies.

As part of the continuous auditing of IT, we also monitored the implementation of penetration tests.

Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls in the area audited as GOOD.

IFRS 17 project audit (4_SV_2021/SRe)

The audit comprised reviewing and assessing the appropriateness of the process of implementing IFRS 17 and, as part of this, the appropriateness of development activities planned in view of IFRS 17 requirements (in terms of time, finance, human resources availability and law) and reviewing changes since the last audit. In the annual plan, this audit was labelled as a consulting engagement of the IFRS 17 project, which we later, after consulting with auditees, changed into an assurance engagement and partly a follow-up on the IFRS 17 project audit 10_R_2020/SRe, in which two recommendations were given, which have both been implemented.

Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the processes reviewed in the areas audited as GOOD.

We made two recommendations in total, one labelled as low risk and one as an opportunity. The recommendation pertains to the review and appropriate organisation of RedMine requests.

Simcorp software package's compliance with legal and regulatory requirements (1_IR_2021/SRe)

We carried out an additional audit engagement relating to statutory requirements in the use of the Simcorp software package, reviewing its compliance with legal and regulatory requirements.

The audit comprised a review of the compliance of the Simcorp Dimensions software package with the applicable regulations on bookkeeping and compiling financial reports, including the processes of development and of changes and functionalities management, which ensure adequate information protection. Based on the audit processes carried out, we assessed the effectiveness and efficiency and the system of internal controls of the reviewed processes of the areas audited as GOOD.

We believe that the development and management of changes to the audited software is compliant with the standards and recommendations of the Information Systems Audit and Control Association (ISACA), the ISO/IEC 27001 and ISO/IEC 27002 standards as well as best practices in information security. We believe that the audited software, designed to support bookkeeping and compiling of financial reports of investment and mutual pension funds, is compliant with ZISDU-3 and by-laws, and that software functionalities are compliant with the General Data Protection Regulation (GDPR) and the current ZVOP.

We made one recommendation, labelled as medium risk, pertaining to the implementation of procedures for managing privileged users and their privileges.

Formal consulting engagement – consulting in the document archiving process (1_SV_2021/SRe)

The consulting engagement covered an overview of the established process of archiving the company's documentation and the preparation of a proposal for improvements in the archiving of documentation.

Four recommendations were made in total, one of which was labelled as medium risk, one as low and two as opportunities. The two recommendations related to drawing up internal rules on archiving and reviewing the register of contracts application. The opportunities pertain to setting up a development activity team for the implementation of the document system in the company and to reminding account administrators to attach contracts to invoices until software support is established.

Formal consulting engagement – consulting engagement on the review of outsourcing in Group companies (2_SV_2021/SRe)

The consulting engagement comprised reviewing the compliance of the outsourcing process in Group companies and documenting best outsourcing practices in the Sava Insurance Group.

Four recommendations were made in total, all labelled as medium risk. Two recommendations are overarching ones and pertain to updating internal outsourcing acts, setting up a register of outsourced operations in subsidiaries, and providing parent company support to subsidiaries in updating/implementing internal acts and the register of outsourced operations. Two recommendations pertain to the company: regarding subsidiaries' reporting to the parent company and setting up a complete register of outsourced operations.

Formal consulting engagement – consulting engagement of reviewing Group project management (3_SV_2021/SRe)

The consulting engagement comprised reviewing the effectiveness and efficiency of project management and documenting best project management practices in the Sava Insurance Group. We focused on the adequacy of the project management process in line with the existing requirements, rules and practices, which were applied in Group companies in 2020 and 2021, and their consistency with good practice in project management and project management frameworks. We also reviewed familiarity with project management instructions that companies received from Sava Re d.d. The review was done with the help of individual subsidiaries' internal auditors, who provided information on project management. In our audit of project management in the Group, we checked the processes of maintaining a standard approach to project management, initiating projects, managing stakeholder engagement, developing and maintaining a project plan, managing project quality and project risks, managing project resources and closing projects for projects managed in individual Group companies during the consulting engagement.

Nine recommendations were made in total, seven of which were labelled as medium risk and two as opportunities. The recommendations were given primarily in the view that it would be reasonable to improve information sharing/communication on project management requirements with all Group companies, and the provision of feedback on project implementation from companies' responsible persons to the holder of the project management function.

Formal consulting engagement – consulting engagement – project of implementing new software support for the reinsurance process (5_SV_2021/SRe)

The consulting engagement was carried out to review and assess the appropriateness of project planning and implementation, the appropriateness of solution implementation planning (timeline, finances, human resources), the consistency of planned functionalities with client's expectations/requests and the integration of IAD's reinsurance-related recommendations in the definition of planned functionalities.

The composition of the project teams is appropriate and includes all interested parties. Project risks are appropriately addressed: potential mitigation measures are planned, and the persons responsible for taking them and the deadlines are specified. The status of the CORE ERP project is monitored by the project manager and the working group at regular meetings.

We made no recommendations on the existing state. In the third and last phase of the CORE ERP project, however, the focus must be on the risk related to the availability of human resources, which the project management appropriately listed as a project risk in the project charter, since it directly affects the risk that project activities will not be carried out in line with the timetable.

Formal consulting engagement – consulting in the project of implementing business continuity management (BCM) in the Sava Insurance Group (6_SV_2021/SRe)

The consulting engagement comprised aligning the process of implementing business continuity management (BCM) with best practices and the requirements of the ISO 22301:2019 standard, thus ensuring compliance with regulatory and internal requirements and with best practices for business continuity management systems (BCMS).

Informal consulting engagements (7_SV_2021/SRe)

Reviewing some draft internal acts and contracts, making recommendations for improvements in operations and controls, and cooperating in project teams.

Formal consulting engagement – consulting in the process of harmonising the Group's IT documentation with data protection standards and regulatory requirements (8_SV_2021/SRe)

The consulting engagement comprised consulting in the process of harmonising the documentation of the IT department with the IT-related ISO standards, so that all security policy documents meet the requirements of the ISO/IEC 27001:2013 standard, thus ensuring compliance with regulatory and internal requirements and with best practices for information security management systems (ISMS). A gap analysis will be conducted and the security policy documentation updated to improve the implemented security controls and the management of data and the information infrastructure.

Formal consulting engagement – review of the appropriateness of the digital signing process – Sava Penzisko Društvo a.d. (9_SV_2021/SRe)

The consulting engagement comprised providing an opinion on the adequacy of the remote signing process and procedures in Sava Penzisko Društvo a.d. Other objectives were to determine whether the remote signing procedures are compliant with the law, whether they are adequately secure, and whether a compromise of the system could lead to the misuse of remote signing and what the consequences of such misuse would be.

Formal consulting engagement – consulting engagement on the adequacy of the prepared SimCorp Dimension management protocol (10_SV_2021/SRe)

The consulting engagement comprised issuing an opinion on the appropriateness of the prepared SimCorp Dimension management protocol, based on a non-standard audit (1_IR_2021/SRe, compliance of the SimCorp software package with legal and regulatory requirements). We also reviewed the SimCorp Dimension management protocol document itself. Other objectives were to determine whether the protocol was adequate in terms of IT system/service management, whether it was adequate as the SLA for the centralised provision of services to other Group companies, and whether it was prepared as a prescribed framework for those managing SimCorp Dimension at Sava Re d.d. and Zavarovalnica Sava d.d.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES

The IAD periodically reports on the implementation of recommendations made and proposals given based on irregularities and deficiencies identified. From 1 January to 31 December 2021, we monitored the implementation of 118 recommendations, of which 105 applied to Sava Re and 13 to the audited subsidiaries. Based on the internal audits performed, we made 71 recommendations in 2021.

Of the 105 recommendations made to Sava Re, 54 have been implemented (10 of them classed as opportunities), 48 remain pending, and 3 had their implementation deadlines extended into 2022. Of the 13 recommendations made to subsidiaries, all 13 have been implemented (2 of them classed as opportunities).

As at 31 December 2021, 100% of overdue recommendations made at the Sava Insurance Group level were implemented. 7.75 auditor days were spent monitoring the implementation of recommendations in 2021.

6 STAFF, TRAINING AND OTHER ACTIVITIES

In 2021, the IAD had 10 employees. Of these, 6 were certified internal auditors, while 2 were certified information systems auditors. The employees also hold the following licences and certifications: CISA, CRISC, CISM, CSX, lead assessor for ISO 9001, ISO 22301, ISO/IEC 27001, 27018, ISO/IEC 20000, PCI DSS ASV, PCI DSS QSA, EIDAS, NPK security manager, certified public sector accountant, certified state internal auditor, internal assessor for ISO 9001, ISO 14001, ISO 18001, ISO 45000 and IIA Quality Assessment.

I believe that the number and composition of our employees allow for the proper completion of planned activities, provided there are no extended unplanned absences and/or increased unplanned work.

In 2021, the IAD employees received training in various areas. In addition to the training organised by the Slovenian Institute of Auditors, ISACA and the Slovenian and Serbian institutes of internal auditors, The IIA's Scaling New Heights international conference in Singapore, various in-house training events on ESG, compliance and internal audit, and international web-based seminars, we also regularly followed articles on current topics related to internal audit, (re)insurance, accounting, finance, taxes and sustainability. We also successfully conducted a workshop for the Sava Insurance Group's internal auditors (held via MS Teams), where we presented the methodology for the overall opinion on the company, new developments in reporting, and the software support for the comprehensive internal audit process.

In 2021, the IAD prepared its annual work plan for 2022, 4 quarterly internal audit reports (for October–December 2020, January–March 2021, April–June 2021 and July–September 2021) and the 2020 annual report. We also reviewed the strategy of the Sava Re internal audit department for 2020–2022, and we found it to be appropriate and not requiring amendments.

The director of the IAD regularly took part in the meetings of the management board, the supervisory board and its audit committee, the risk management committee and the company's executive meetings. Operations were also monitored through the review of the documents prepared for the meetings of the management board, the risk management committee and the executive meetings. Other activities included managing the department.

The IAD was engaged in regular quarterly risk assessments at the Sava Insurance Group and Sava Re levels; it also contributed to the SFCR and RSR reports. Furthermore, it contributed to those parts of the 2022 planning process that relate to the IAD, and to the IAD section of the Sava Insurance Group's annual report.

Cooperation with the external auditor comprised coordination of work, monitoring of pre-audit and post-audit conclusions, and active participation at joint meetings.

As part of IAD development in 2021, we further improved the activities related to the software support for the comprehensive internal audit process, also at the Group level, and completed the overall opinion methodology at the company and Group levels. We also designed a concept for agile auditing in combination with continuous auditing already implemented in 2021. Group Internal Audit was introduced in all Sava Insurance Group companies in 2021.

The IAD provided technical assistance to internal auditors in subsidiaries related to methodology, updating of work programmes for individual internal audit engagements, provision of software support of the comprehensive internal audit process and the induction of new employees in subsidiaries. Meetings of all the Group's internal auditors are held at least once a month, while company and Group key function holders also actively collaborate with each other.

7 THE INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

The IAD performed a quality assessment of its operations in accordance with the requirements of the relevant standards. The assessment is conducted based on the quality assurance and improvement programme covering all aspects of the IAD's operation. The IAD director reports on the results of this programme to the management board and the supervisory board's audit committee.

The external quality assessment of Sava Re's IAD in 2019 was carried out by Deloitte Revizija with the following team of external assessors: Barbara Žibert Kralj, partner, authorised auditor responsible for quality control of the tasks performed; Katarina Kadunc, certified internal auditor, authorised auditor, FCC; and Urban Goršič, CIA, CFE, as external assessor. Based on the processes carried out, the external assessment of Sava Re's internal audit activity confirmed its compliance with the International Standards for the Professional Practice of Internal Auditing, the Code of Professional Ethics of Internal Auditors and the Code of Internal Auditing Principles. Deloitte's internal audit maturity model showed that most capabilities of Sava Re's internal audit were at the upper advanced or leading level of maturity.

In 2021, the IAD also carried out a periodic annual self-assessment of its activity in accordance with standards. The results confirmed compliance of the internal audit activity with the definition of internal auditing, standards and the code of ethics. As regards certain sub-standards where full compliance has not been achieved yet, the IAD prepared an action plan for improvement, which it seeks to observe in its activity. In accordance with the internal audit guidelines, we amended the internal audit quality assurance and improvement programme to include statements of compliance of the internal audit with the standards, the code of ethics, as well as disclosure and avoidance of conflicts of interest.

In early 2022, we sent the members of the management board, the supervisory board and its audit committee a questionnaire on their satisfaction with the internal audit (for the IA maturity model). The average of all scores based on the questionnaires returned was 3.7 out of 4. The management board sees the internal audit as an important component of the company's risk management framework and believes the internal audit plays an important role in the company.

Work methodology has been further improved, mainly in terms of the overall opinion and further development of the internal audit process in the Pentana application. We also designed a concept for agile auditing in combination with continuous auditing already implemented in 2021. In 2021, we also revised the internal audit methodology (Internal Audit Manual) at the Sava Re level, as well as at the level of Group companies.

In March 2022, we compiled and submitted the Internal Audit Quality Improvement Programme of Sava Re d.d. to the audit committee along with a self-assessment of our work in 2021. We also checked our independence against an established checklist, and we did not find our independence to have been breached or hindered during any of our audits. We also included a measurement of our performance in our annual work plan. In addition, we are monitoring the implementation of the recommendations proposed to the management board. In 2021, all proposed recommendations were adopted as resolutions by the management board and sent to the persons responsible for their implementation.

As the director of the internal audit, I believe that the IAD's activity in 2021 was compliant with the standards and that the annual work plan was very successfully achieved.

Director of Internal Audit and Internal Audit Function Holder

Polonca Jug Mauko

Appendix 1: Glossary

Abbreviation Meaning
ASP.ins Application supporting insurance underwriting processes in Sava Re subsidiaries
CFE Certified Fraud Examiner
CIA Certified Internal Auditor
CISA Certified Information Systems Auditor (upgraded with the Slovenian Institute of Auditors to the PRIS certificate)
CISM Certified Information Security Manager, a certification commonly held by chief information security officers (CISOs)
COBIT 2019 Information and Technology Governance Framework
CORE ERP/systems Software solution for a key business process
CRISC Certified in Risk and Information Systems Control
EIDAS Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
EU European Union
IIA Institute of Internal Auditors
ISACA Slovenia Information Systems Audit and Control Association of Slovenia
ISO 14001 Environmental management system, an international standard that exists to help manufacturing and service organisations manage the environmental aspects of their operations
ISO 22301 Business continuity management system
ISO 45000 Occupational health and safety management system
ISO 9001 Quality management system
ISO/IEC 20000 Service management system
ISO/IEC 27001 Information security management system, an international standard for information security management
ISO/IEC 27018 Code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, an international standard about privacy in cloud computing services
IT Information technology
MS Teams Microsoft Teams – a communication platform developed by Microsoft (for meetings, calling, video calling, messaging, screen sharing, etc.)
IFRS International Financial Reporting Standards
IA Internal audit
SB Supervisory board
P2P Sava Re's internal peer to peer coaching
PCI DSS ASV Payment Card Industry Data Security Standard Approved Scanning Vendor
PCI DSS QSA Payment Card Industry Data Security Standard Qualified Security Assessor
PJM Polonca Jug Mauko
REP Report
Q4 Fourth quarter
AC Audit committee
SIMCORP Software support for integrated investment management, better investment decision-making and an overview of operations in one system, also SimCorp
IAD Internal audit department
SOC Security operations centre
x_F_201x/company Audit designation – follow-up audit
x_R_201x/company Audit designation – standard audit
x_SOD_201x/company Audit designation – consulting/collaboration in an audit of a subsidiary
x_SV_201x/company Audit designation – consulting engagement
ZISDU-3 Investment Funds and Management Companies Act
ZZavar-1 Slovenian Insurance Act
Companies of the Sava Insurance Group
SRe Sava Re
ZS Zavarovalnica Sava
SPD Sava Pokojninska Družba
SIn Sava Infond
SPDMKD Sava Penzisko Društvo (North Macedonia)
SNOSr Sava Neživotno Osiguranje (Serbia)
SŽOSr Sava Životno Osiguranje (Serbia)
SOMKD Sava Osiguruvanje Skopje (North Macedonia)
SOMNE Sava Osiguranje (Montenegro)
Illy Illyria (Kosovo)
ILife Illyria Life (Kosovo)
TBS TBS TEAM 24 d.o.o.
Vita Vita, Življenjska Zavarovalnica, d.d.

OPINION OF THE SUPERVISORY BOARD ON THE ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2021

In 2021, Sava Re's internal audit department (the IAD) carried out audits in the areas set out in its annual work plan for 2021.

The audit objective pursued by the IAD was to assess whether internal controls and risk management processes in all major segments of the reinsurer's operations and governance were effective and efficient. The IAD assessed the appropriateness of internal controls for preventing fraud and the vulnerability of IT support for the company's operations.

A total of 37 internal audit engagements were carried out in Sava Re and its subsidiaries in 2021. In addition, the IAD collaborated in audits in several Group companies, based on which it issued 71 recommendations in total. The supervisory board finds that the IAD operated in line with the guidelines of the supervisory and management boards, contributing significantly with its recommendations to risk management in Sava Re and in the Sava Insurance Group.

Based on all tests carried out and methods used in the individual areas that it audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is good. It also believes that Sava Re's governance was adequate and is being continuously improved to ensure the achievement of key business objectives, and that Sava Re's risk management was efficient, with the purpose of providing effective and economical operations. Nevertheless, there remain opportunities to improve the functioning of the internal control system. The internal audit engagements revealed certain irregularities and deficiencies; the IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. The company's management board is aware of the potential impacts that the identified breaches, irregularities and deficiencies may have on the achievement of the company's key objectives, and it is therefore taking remedial action. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The supervisory board members monitored the effectiveness and efficiency of the IAD's activity through the quarterly reports and the annual report of the IAD. They were provided with summaries of the internal quality assessments of the IAD. The assessment showed that the IAD's activity was compliant in all material respects with the law and the International Standards for the Professional Practice of Internal Auditing.

Based on the above, the supervisory board hereby gives its positive opinion on the Annual Report of the IAD on Internal Auditing for 2021.

Ljubljana, 7 April 2022

Supervisory Board of Sava Re d.d. Chairman Davor Ivan Gjivoje jr
