
Pozavarovalnica Sava

Audit Report / Information Apr 11, 2023


ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2022

Prepared by: Polonca Jug Mauko
Adopted by: company's management board
Consent by: supervisory board
Type of document: report
Department/unit: internal audit
Confidentiality level: confidential
Report number: 6-2023/POR/PJM
Distribution list: company's management board; members of the company's supervisory board; members of the company's supervisory board's audit committee; company's general meeting; key function holders and DPO
Language versions: Slovenian, English
Prepared on: 10 March 2023
Date of submission to the management board, AC and SB: 13 March 2023
Date of adoption at the management board session: 14 March 2023
Date of adoption at the AC and SB sessions: 21 March 2023 at the AC session and 22 March 2023 at the SB session

Ljubljana, March 2023

CONTENTS

1 INTRODUCTION
1.1 Organisational independence of the internal audit
2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE
3 REVIEW OF THE IMPLEMENTATION OF THE 2022 ANNUAL WORK PLAN
4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED
5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES
6 STAFF, TRAINING AND OTHER ACTIVITIES
7 IAD QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1 INTRODUCTION

The internal audit department has prepared the Annual Report on Internal Auditing for 2022 pursuant to Article 165 of the Slovenian Insurance Act (ZZavar-1), the Internal Audit Policy of Sava Re d.d. (Sava Re), the Strategy of the Internal Audit Department (IAD) for 2020–2022 and the Annual Work Plan of the IAD for 2022.

This report includes:

  • a report on the organisational independence of the internal audit department;
  • an assessment of the effectiveness and efficiency of Sava Re's internal controls, risk management and corporate governance;
  • an overview of the implementation of the 2022 annual work plan;
  • a summary of the main conclusions of the internal audit engagements;
  • an overview of the implementation of recommendations to remedy deficiencies and irregularities;
  • an overview of the implementation of other IAD activities (employees, education and training);
  • a summary of the internal audit quality assurance and improvement programme.

1.1 Organisational independence of the internal audit

The IAD is an independent organisational unit, functionally and organisationally separate from other units of Sava Re. Administratively, it reports to Sava Re's management board, whereas functionally it reports to Sava Re's supervisory board and its audit committee. This ensures the autonomy and organisational independence of the IAD's activity.

In accordance with the Slovenian Insurance Act and on the basis of outsourcing agreements, Sava Re d.d. has performed the key functions of internal audit for the following companies for an indefinite period: Zavarovalnica Sava d.d., Vita Življenjska Zavarovalnica d.d., Sava Pokojninska Družba d.d. and Sava Infond d.o.o.

The director of the IAD Polonca Jug Mauko was appointed as the internal audit key function holder of Sava Re d.d. and Zavarovalnica Sava d.d., as well as the internal audit key function holder at the level of the Sava Insurance Group.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE

As the internal audit key function holder, I have assessed the effectiveness and efficiency of the internal control system and risk management in 2022 based on the internal audit engagements carried out. Internal audit is a risk-based, continuous and comprehensive supervision of a company's operations with the objective of verifying and assessing whether the risk management, internal control and corporate governance processes are adequate and functioning in such a way as to ensure the achievement of the company's key goals. The internal control system is defined as the totality of the risk management, control and governance processes of the company and the Group that enable the achievement of the company's significant goals. The audit engagements covered all key risks of the company.

Based on all the tests carried out and methods used in the individual areas that we audited, the IAD considers that Sava Re's internal controls are adequate and that their reliability is GOOD. It also believes that Sava Re's governance was adequate and is being continuously improved to ensure the achievement of key business goals, and that Sava Re's risk management was efficient and aimed at ensuring effective and economical operations. According to the IAD, there is still room for improvement in the operation of the system. The internal audit engagements identified certain irregularities and deficiencies, which the IAD pointed out, making appropriate recommendations for their remedy so as to further improve the company's internal controls, risk management and corporate governance. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The IAD's recommendations have been actively implemented by those responsible. However, some additional time will be needed to implement the recommendations made in the last quarter of the year and those related to the improvement of information technology.

In the standard internal audit engagements, due consideration was given to potential instances of fraud and exposure, as well as the potential vulnerability of IT support to operations and ethical and sustainable behaviour. Internal control systems were in place in the areas audited and working to prevent the occurrence of fraud. The audits also resulted in recommendations for the improvement of the IT system.

3 REVIEW OF THE IMPLEMENTATION OF THE 2022 ANNUAL WORK PLAN

In 2022, the IAD carried out internal audit engagements and other activities in accordance with the Annual Work Plan of the IAD for 2022.

A total of 45 audit engagements were planned and carried out:

  • 1) 1_R_2022/SRe Audit of documentation management;
  • 2) 2_R_2022/SRe Audit of the management process for access to information systems;
  • 3) 3_R_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting);
  • 4) 4_R_2022/SRe Audit of the planning process;
  • 5) 5_R_2022/SRe Audit of the HR function;
  • 6) 6_R_2022/SRe Audit of the risk management function;
  • 7) 7_R_2022/SRe Audit of the management of key external IT suppliers;
  • 8) 8_R_2022/SRe Audit of project progress in the development of information support for reinsurance management – CORE ERP;
  • 9) 9_R_2022/SRe Audit of the IT management process – COBIT 2019;
  • 10) 10_R_2022/SRe Audit of the adequacy of outsourcing performance – financial instruments management;
  • 11) 11_R_2022/SRe Continuous audit – IT;
  • 12) 12_R_2022/SRe Audit of the actuarial function at the Group level;
  • 13) 1_SV_2022/SRe Consulting engagement – SimCorp software package compliance with legal and regulatory requirements;
  • 14) 2_SV_2022/SRe Consulting engagement – ESG implementation;
  • 15) 3_SV_2022/SRe Review of the maturity of the IT management process COBIT 2019 in the Sava Insurance Group;
  • 16) 4_SV_2022/SRe Consulting engagement – procurement function;
  • 17) 5_SV_2022/SRe Informal consulting engagements;
  • 18) 1_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – Illyria;
  • 19) 2_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – Illyria Life;
  • 20) 3_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – SO MNE;
  • 21) 4_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – SŽO;
  • 22) 5_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – SNO;
  • 23) 6_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – SO MKD;
  • 24) 7_SOD_2022/SRe Audit of the IT management process – COBIT 2019 – SPD MKD;
  • 25) 8_SOD_2022/SRe Consulting engagement – procurement function – Illyria;
  • 26) 9_SOD_2022/SRe Consulting engagement – procurement function – Illyria Life;
  • 27) 10_SOD_2022/SRe Consulting engagement – procurement function – SNO;
  • 28) 11_SOD_2022/SRe Consulting engagement – procurement function – SŽO;
  • 29) 12_SOD_2022/SRe Consulting engagement – procurement function – SO MKD;
  • 30) 13_SOD_2022/SRe Consulting engagement – procurement function – SPD MKD;
  • 31) 14_SOD_2022/SRe Consulting engagement – procurement function – SO MNE;
  • 32) 15_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – Illyria;
  • 33) 16_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – Illyria Life;
  • 34) 17_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – SNO;
  • 35) 18_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – SŽO;
  • 36) 19_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – SO MKD;
  • 37) 20_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – SPD MKD;
  • 38) 21_SOD_2022/SRe Audit of corporate governance, communication and reporting (internal and external reporting) – SO MNE;
  • 39) 22_SOD_2022/SRe Group Audit – collaboration with subsidiaries – SO MKD;
  • 40) 23_SOD_2022/SRe Group Audit – collaboration with subsidiaries – SPD MKD;
  • 41) 24_SOD_2022/SRe Group Audit – collaboration with subsidiaries – SO MNE;
  • 42) 25_SOD_2022/SRe Group Audit – collaboration with subsidiaries – SŽO;
  • 43) 26_SOD_2022/SRe Group Audit – collaboration with subsidiaries – SNO;
  • 44) 27_SOD_2022/SRe Group Audit – collaboration with subsidiaries – Illyria;
  • 45) 28_SOD_2022/SRe Group Audit – collaboration with subsidiaries – Illyria Life.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

On the basis of risk ratings, internal audit performed ongoing and comprehensive supervision of the company's operations to verify and assess whether the company's risk management processes, control procedures and corporate governance are adequate and work in such a way as to ensure the achievement of the company's following important goals:

  • effective and efficient operations, including meeting business and financial performance targets, and safeguarding assets against loss;
  • reliable, timely and transparent internal and external financial and non-financial reporting;
  • compliance with laws and other regulations, including internal rules;
  • the management of the company's IT to support the delivery of the company's strategy and goals;
  • the assessment of the risk of fraud and how it is managed by the company.

The IAD provided ongoing written reports to the auditees and submitted reports for information as well as conclusions and recommendations for adoption by the company's management board. It reported regularly on the implementation of these recommendations to the management board, audit committee and supervisory board based on feedback received from those responsible for the implementation of the recommendations.

The IAD provided a more detailed overview of the internal audit engagements, including conclusions, irregularities and recommendations, in its quarterly reports to the management board, the audit committee and the supervisory board.

The IAD assesses the adequacy, effectiveness and efficiency of the risk management and internal control system in accordance with standard 2410.A1. We use the following rating scale to assess the internal control system in accordance with the methodology of the Sava Insurance Group:

VERY GOOD – The control system of the audited organisational unit is very good in every respect; the internal controls in place are strong; all key controls are operating, and there are no deviations. Supervision is optimal. The risk is very low. There are no findings with a medium or high risk rating.

GOOD – The control system is generally good; minor weaknesses can be addressed by the head of each business function, area or organisational unit in the course of the business process. Management has good control of the business and ensures that responsibilities and authority are exercised. In the event of deviations, immediate action is taken, and procedures are continuously improved. Supervision is carried out regularly. The risk is low. One to two findings with a medium risk rating and no findings with a high risk rating.

ADEQUATE – A combination of some deficiencies in the control system requires immediate corrective action by the head of the organisational unit. Management is aware of the need for monitoring and supervision; procedures and responsibilities are broadly defined. Supervision is occasional. The risk is medium. Most findings are rated as medium risk.

INADEQUATE – Major deficiencies in the control system undermine operations and must be addressed immediately by the head of the organisational unit as a matter of priority. Supervision is not carried out according to formal written procedures and is left to individuals. The risk is high. There are findings rated as high risk.

UNSATISFACTORY – There is a high level of serious deficiencies (non-compliance with regulations, total lack of controls) requiring a complete reorganisation of the organisational unit. There is no supervision. The risk is very high.

Despite the above scale, given the required professional and ethical standards of the certified internal auditor, part of the assessment of the internal control system may remain in the domain of the certified internal auditor.

Below is a brief summary of the key conclusions in the audited areas in Sava Re (internal audit collaborations with subsidiaries are not included since these engagements are presented in subsidiaries' annual internal audit reports).

Audit of the company's documentation management (1_R_2022/SRe)

The audit included a review and assessment of the adequacy of the procedures for the implementation of electronic business with the provisions of the Electronic Identity and Trust Services Act (ZEISZ), with the internal rules and best practices for the digitisation of documentary material, trust services and the use of e-signatures, compliance with the sectoral legislation on the protection of documentary and archival material, and the management of the company's physical archives and documentation system (publication of, and access to the company's internal acts).

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the business area audited as ADEQUATE.

We made fourteen recommendations, of which ten were rated as medium risk, two as low risk and two as opportunities for improvement. The recommendations relate to establishing archiving rules that incorporate all the requirements of the ZVDAGA-A, UVDAG and PETZ, establishing a list of materials to be digitised together with a timetable for implementation, and documenting all the procedures for collecting documentary material. An expert review of the procedures for collecting, storing and selecting older material should be carried out in cooperation with the Ljubljana Historical Archives, starting with the monitoring of temperature and humidity, securing physical access where necessary and introducing a regular annual review of the implementation of the key activities of the documentary material collection and storage process. We also recommended that contract record keeping be regulated so that all contract metadata is collected correctly, and that contracts are either signed by hand and properly digitised or signed electronically and fully digitised via incoming and outgoing mail and managed through the mDocs application.

Audit of the access to information systems management process (2_R_2022/SRe)

The audit included a review and assessment of the access to information systems management process against the user identity and logical access governance practice of the COBIT 2019 Information and Technology Governance Framework. Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the process audited as ADEQUATE.

We made four recommendations in the audit, of which one was rated as high risk, one as medium risk and two as opportunities. The risk that, if materialised, would result in a major impact on the company's operations and reputation (system breach, disclosure of personal and confidential data), was rated as high. We made a recommendation for the introduction of a user identity management process.

Audit of corporate governance, communication and reporting (internal and external reporting) (3_R_2022/SRe)

The audit included a review and assessment of the compliance of the implementation of the Group's corporate governance with the adopted policies and standards and its upgrading to best-practice recommendations for all Group companies, the internal communication and the system of powers, the implementation of internal and external reporting and the performance of the duties of the Group's business function holders.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the area audited as GOOD.

A total of five risk management recommendations were issued, of which two were rated as medium risk, two as low risk and one as an opportunity. The recommendations relate to the consideration and appropriate placement of Group governance in the company's organisation.

Audit of the planning process (4_R_2022/SRe)

The audit included a review and assessment of the adequacy of risk management procedures in the planning process carried out in the strategic planning and controlling department.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the process audited as GOOD.

We made two recommendations which were rated as low risk, namely in relation to the updating of internal acts.

Audit of the HR function (5_R_2022/SRe)

The audit included a review and assessment of the effectiveness and efficiency of the HR function.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the process audited as ADEQUATE.

We made thirteen recommendations, of which five were rated as medium risk, five as low risk and three as opportunities for improvement. The recommendations relate to improving and developing the documentation management and work instructions in the HR process, increasing the efficiency of the software support used in the process, going paperless and archiving electronically, considering the introduction of 360° or similar appropriate methods for staff appraisal, ensuring compliance in the use of annual leave by staff, and carrying out activities to ensure that staff attend mandatory training courses.

Audit of the risk management function (6_R_2022/SRe)

The audit included a review and assessment of the company's and the Group's risk management system and a review and assessment of the development, testing and implementation of risk management models and methods (modelling development centre).

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made four recommendations, of which one was rated as medium risk, one as low risk and two as opportunities for improvement. The recommendations relate to the necessary revision of the internal acts of the area and to the review of the list of usernames regarding access to the risk assessment application.
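The two access-related findings above (the high-risk recommendation in 2_R_2022/SRe to introduce a user identity management process, and the review in 6_R_2022/SRe of the list of usernames with access to the risk assessment application) come down in practice to an access recertification: the application's account list is reconciled against the HR roster and every account is either confirmed by a named owner or removed. The following Python script is an added example of that reconciliation; it is not code from Sava Re or its IAD, and the record layouts, the names, the dates and the 90-day dormancy threshold are assumptions made for illustration.

```python
"""Access review (recertification) of an application's user list.

Added example for this report's access-management findings; it is not code from
Sava Re or its IAD. The record layouts, the names and the HR roster below are
constructed for illustration and are assumptions, not data from the report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppAccount:
    username: str                 # login name in the application
    owner_id: Optional[str]       # HR employee id; None if not linked to a person
    last_login: Optional[date]    # None if the account has never logged in
    privileged: bool              # admin/config rights in the application


@dataclass(frozen=True)
class Employee:
    employee_id: str
    active: bool                  # False once HR has recorded the leaving date


def review_access(accounts: List[AppAccount], roster: List[Employee],
                  as_of: date, dormant_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for every account that needs a decision.

    Finding codes (a working identity management process prevents all of them):
      leaver             owner is in HR but no longer active -> access must be removed
      unknown-owner      owner id is not in the HR roster at all
      orphan             account is not linked to any HR identity (shared/service/unknown)
      dormant            no login within dormant_after_days, or never
      privileged-dormant same as dormant but on a privileged account (highest priority)
    Accounts with no finding are omitted from the result.
    """
    by_id = {e.employee_id: e for e in roster}
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.owner_id is None:
            issues.append("orphan")
        elif acct.owner_id not in by_id:
            issues.append("unknown-owner")
        elif not by_id[acct.owner_id].active:
            issues.append("leaver")
        never_used = acct.last_login is None
        if never_used or (as_of - acct.last_login).days > dormant_after_days:
            issues.append("privileged-dormant" if acct.privileged else "dormant")
        if issues:
            findings[acct.username] = issues
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings by code, e.g. for a status line in a quarterly report."""
    counts: Dict[str, int] = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample input (hypothetical identities, not from the report).
REVIEW_DATE = date(2022, 12, 31)
HR_ROSTER = [
    Employee("E100", active=True),
    Employee("E101", active=False),   # left the company in December
    Employee("E102", active=True),
]
APP_ACCOUNTS = [
    AppAccount("ana.k", "E100", date(2022, 12, 20), privileged=False),    # in order
    AppAccount("boris.m", "E101", date(2022, 11, 2), privileged=False),   # leaver, still enabled
    AppAccount("svc_report", None, date(2022, 12, 30), privileged=True),  # no named owner
    AppAccount("ext_consult", "E999", None, privileged=False),            # id unknown to HR, never used
    AppAccount("admin_old", "E102", date(2022, 6, 1), privileged=True),   # privileged, unused for months
]


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample; used by the script entry point."""
    return review_access(APP_ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    result = run_review()
    for user, issues in result.items():
        print(f"{user:12s} {', '.join(issues)}")
    print("summary:", summarize(result))
```

Run as a script it prints the findings for the sample; `review_access` returns them so the same logic can be wired to a real account export and HR feed. Leavers and dormant privileged accounts are the ones to act on first; an orphan account is not automatically wrong (service accounts exist), but it needs a named owner before it can be recertified, which is exactly what a user identity management process supplies.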

Audit of management of key external IT suppliers (7_R_2022/SRe)

The audit covered the adequacy of the management of key external IT suppliers. The adequacy assessment was based on two best practices: ISACA's COBIT 2019 Information and Technology Governance Framework and an example of best practice from the ISO/IEC 20000 group of standards. In the course of the review, we also took into account the requirements of the Proposal for a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (DORA).

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the process audited as ADEQUATE.

We made six recommendations for improvement, of which three were rated as medium risk and three as low risk. The recommendations relate to the risk rating in the area of IT service management, where there is no written provision for an exit strategy, and to the need to consider the requirements of DORA and ISA regarding supplier reviews, so as to monitor and evaluate the adequacy of service provision and to carry out assessments based on a review of performance indicators.

Audit of project progress in the development of information support for reinsurance management – CORE ERP (8_R_2022/SRe)

The audit included a review and assessment of the effectiveness and efficiency of the project implementation in relation to the defined project goals and timeline, the adequacy of the planned development activities for the implementation of the software support for the reinsurance process (timeframe, financial aspect and human resources) and the adequacy of the implementation of the planned functionalities.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the project under review as ADEQUATE.

We made five recommendations, of which two were rated as medium risk (indicators, timeline), two as low risk (human resources, back-up migration plan) and one as an opportunity for improvement.

Audit of the IT management process – COBIT 2019 (9_R_2022/SRe)

The audit included a review and assessment of the maturity, effectiveness and efficiency of the IT management processes defined in COBIT 2019 in the Evaluate, Direct and Monitor (EDM) domain. IT management is carried out in line with annual plans following an IT strategy linked to the company's strategy, which provides an appropriate framework for the implementation of IT activities. However, regular monitoring of IT activities needs to be further improved and reporting to all key stakeholders needs to be ensured. The other goals of the audit were to review and assess the maturity, effectiveness and efficiency of one or more IT management processes that have not yet reached the desired level of maturity defined for the Group's IT, including internal rules and compliance with the GDPR and sector-specific legislation, and to follow up on the audit 9_R_2021/SRe Audit of the IT management process – COBIT 2019. Our review also focused on the adequacy of the IT department's procedures.

On the basis of the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the reviewed processes of the area audited as ADEQUATE.

We made ten recommendations for improvement in the area of IT service management, of which seven were rated as medium risk and three as low risk. The recommendations relate in particular to the continuation of the establishment of performance indicators based on best practices of COBIT 2019 controls, the proper consideration of specific COBIT 2019 controls not yet in place at Sava Re, and the integration of IT management processes to allow a clear understanding of all activities at Sava Re.

Audit of the adequacy of outsourcing performance – financial instruments management (10_R_2022/SRe)

The audit included a review and assessment of the compliance of the outsourcing performance in relation to the transfer of the management activities of part of the company's investment portfolio with legislation and best practice.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made two recommendations rated as low risk relating to the updating of internal acts.

Continuous auditing – IT (11_R_2022/SRe)

Continuous auditing included participation in the information security committee meetings and the CORE ERP project team meetings, work on Sava Re's classification plan for the preparation of the new document management system, and participation in the preparation of internal guidelines for the security verification of web applications. We reviewed external IT security verification reports and reviewed the PCI DSS 4.0 requirements in preparation for sending a self-assessment questionnaire to the Sava Insurance Group companies.

We reviewed the Information Security Report for 2021, the Information Security Report – Q1 – 2022 and the Information Security Strategy for 2022–2027.

On the basis of the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the reviewed processes of the area audited as ADEQUATE.

Audit of the actuarial function at the Group level (12_R_2022/SRe)

A review and assessment of the functioning of the actuarial functions was carried out across almost all Group companies to achieve:

  • operational compliance with the adopted internal acts relating to the actuarial function;
  • adequacy of the models used in actuarial calculations in accordance with legislation and other guidance;
  • correctness, completeness, accuracy and authorisation of input data;
  • the completeness and accuracy of output data;
  • an overview of the adequacy of IFRS and SII provisions.

The audits in the subsidiaries were carried out by an external expert, Mateja Keržič from Acturus d.o.o.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD. No recommendations were made in respect of Sava Re.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES

The IAD periodically reports on the status of the implementation of recommendations or proposals made following the identification of irregularities or deficiencies. Between 1 January and 31 December 2022, 119 recommendations were monitored. Based on the internal audits carried out, we made 68 recommendations in 2022.

Of the 119 recommendations, 63 have been implemented (of which 13 were opportunities), 41 are pending and 15 have had their deadline extended. At 31 December 2022, 100% of overdue recommendations were implemented.

6 STAFF, TRAINING AND OTHER ACTIVITIES

In 2022, the IAD had 10 staff. Of these, 6 were certified internal auditors and 2 were certified information systems auditors. The staff also hold the following licences: CISA, CRISC, CISM, CSX, lead assessor for ISO 9001, ISO 22301, ISO/IEC 27001, ISO/IEC 27018 and ISO/IEC 20000, PCI DSS ASV, PCI DSS QSA, eIDAS, NPK security manager, certified public sector accountant, certified state internal auditor, internal assessor for ISO 9001, ISO 14001, ISO 18001 and ISO 45000, and IIA Quality Assessment.

I believe that the number and structure of the IAD staff will enable the proper fulfilment of planned activities, provided that there are no prolonged unplanned absences and/or increased unplanned workloads.

In 2022, IAD staff received training in various areas. In addition to the training organised by the Slovenian Institute of Auditors, ISACA and the Slovenian, Croatian and Serbian institutes of internal auditors, in-house training events in various areas, compliance and internal audit, and international web-based seminars, we also regularly followed articles on current topics related to the internal audit, (re)insurance, accounting, finance, taxes and sustainability. We also successfully conducted a workshop for the internal auditors of the Sava Insurance Group, where we presented the methodology for the overall opinion of the company, internal audit of cyber security, sustainability and new developments in reporting on software support for the comprehensive internal audit process.

In 2022, the IAD produced the Annual Work Plan of the IAD for 2023, the Strategy of the IAD for 2023–2027, four quarterly internal audit reports (for October–December 2021, January–March 2022, April–June 2022 and July–September 2022), and its 2021 annual report.

The director of IAD regularly attended the meetings of the management board, supervisory board and its audit committee, the risk management committee and the company's executive meetings. Operations were also monitored by reviewing the documents prepared for the meetings of the management board, the risk management committee and the executive meetings. Other activities include managing the department.

The IAD was involved in regular quarterly risk assessments at the Sava Insurance Group and Sava Re levels, and also contributed to the SFCR and RSR reports. It was also involved in the IAD-related parts of the 2023 planning process, and in the IAD-related section of the Sava Insurance Group's annual report.

Cooperation with the external auditor included coordinating work, following up pre-audit and post-audit conclusions, and participating actively in joint meetings.

As part of the development of the IAD in 2022, we further improved the activities related to the software support for the comprehensive internal audit process at the Sava Insurance Group level, completed the overall opinion methodology at the company and Group levels, and prepared the overall opinion for the company and the Group for 2022. We also updated our continuous auditing methodology, which we have been using since 2021. The Group Internal Audit process, introduced in all Sava Insurance Group companies in 2021, was further improved in 2022.

The IAD provided technical assistance to the subsidiaries' internal auditors in the areas of methodology, updating work programmes for individual internal audit engagements, providing software support for the comprehensive internal audit process and training new employees in the subsidiaries. All the Group's internal auditors met at least monthly, and there was active cooperation between the company's and the Group's key function holders.

7 IAD QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

In accordance with the requirements of the standards, the IAD performed a quality assessment of its activities. These assessments are conducted on the basis of the quality assurance and improvement programme, which covers all aspects of the IAD's activities. The IAD director reports on the results of this programme to the management board and the supervisory board's audit committee.

In 2019, an external assessment of the quality of Sava Re's internal audit was performed by Deloitte Revizija d.o.o. with the following audit team: Barbara Žibert Kralj, partner, certified auditor, responsible for quality control of the tasks performed; Katarina Kadunc, certified internal auditor, certified auditor, FCC; and Urban Goršič, CIA, CFE, as external assessor. Based on the procedures carried out, the external assessment of Sava Re's internal audit activity confirmed that the internal audit complies with the International Standards for the Professional Practice of Internal Auditing, the Code of Ethics of Internal Auditors and the Code of Internal Auditing Principles. The Deloitte internal audit maturity model showed that the level of Sava Re's internal audit was in the upper part of the advanced level or a leading practice in most of the attributes.

In accordance with the standards, the IAD carried out a regular annual self-assessment of its activities in 2022. The results showed the compliance of internal audit activities with the definition of internal auditing, the standards and the code of ethics. In accordance with the internal audit guidelines, we amended the IAD quality assurance and improvement programme to include statements on the compliance of the internal auditor's activities with the standards and the code of ethics, and on the disclosure and avoidance of conflicts of interest.

In early 2023, we sent a questionnaire to the members of the management board, the supervisory board and its audit committee on their satisfaction with the internal audit function (for the internal audit maturity model). The average score of all returned questionnaires is 3.6 out of a maximum of 4. The management board sees the internal audit as an important component of the company's risk management framework and believes the internal audit plays an important role in the company.

The work methodology was further improved, mainly in relation to the overall opinion and the further development of the internal audit process in the Pentana application. We also updated our continuous audit methodology. In 2022, we also revised and updated the internal audit methodology (the Internal Audit Manual) at the level of Sava Re, as well as at the level of the internal audit methodologies of the Sava Insurance Group companies.

In March 2023, we prepared and submitted to the audit committee the Internal Audit Quality Improvement Programme of Sava Re d.d., together with a self-assessment of our work in 2022. We have also reviewed our independence against an established internal audit checklist and have not identified any audit in which our independence has been compromised or impaired. The IAD has also foreseen a performance assessment in its annual work plan. It also follows up on the implementation of the recommendations it makes to the management board. In 2022, all the proposed recommendations were adopted by resolution of the management board and submitted to those responsible for their implementation.

As director of internal audit, I believe that the activity of the IAD in 2022 was compliant with the standards and that the annual work plan was implemented very successfully.

Director of Internal Audit and Internal Audit Function Holder

Polonca Jug Mauko

Appendix 1: Glossary

Abbreviation  Meaning
ASP.ins  Application to support insurance underwriting processes in Sava Re subsidiaries
CFE  Certified Fraud Examiner
CIA  Certified Internal Auditor
CISA  Certified Information System Auditor (upgraded with the Slovenian Institute of Auditing – PRIS certificate – certified information system auditor)
CISM  Certified Information Security Manager (the qualification for a CISO, or chief information security officer)
COBIT 2019  Information and Technology Governance Framework
CORE ERP/systems  Software solution for a key business process
CRISC  Certified in Risk and Information Systems Control
EIDAS  Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
EU  European Union
IIA  Institute of Internal Auditors
ISACA Slovenia  Information Systems Audit and Control Association of Slovenia
ISO 14001  International standard for environmental management systems, which covers the management of the environmental aspects of a production or service activity (Environmental Management System)
ISO 22301  Business continuity management system
ISO 45000  Occupational health and safety management system
ISO 9001  Quality management system
ISO/IEC 20000  Service management system
ISO/IEC 27001, 27018  Information security management system; an international standard about privacy in cloud computing services (code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
IT  Information technology
MS Teams  Microsoft Teams – Microsoft's communications application (meetings, calls, video calls, messaging, screen sharing, etc.)
IFRS  International Financial Reporting Standards
IA  Internal audit
SB  Supervisory board
P2P  Sava Re's internal peer-to-peer coaching
PCI DSS ASV  Payment Card Industry Data Security Standard Automatic Scanning Vendor
PCI DSS QSA  Payment Card Industry Data Security Standard Qualified Security Auditor
PJM  Polonca Jug Mauko
REP  Report
Q4  Fourth quarter
AC  Audit committee
SIMCORP  Software for an integrated asset management system, improved investment decisions and an overview of the entire business operation in one system – including SimCorp
IAD  Internal audit department
SOC  Security operations centre
x_F_201x/company  Audit designation – follow-up audit
x_R_201x/company  Audit designation – standard audit
x_SOD_201x/company  Audit designation – consulting/collaboration in an audit of a subsidiary
x_SV_201x/company  Audit designation – consulting engagement
ZISDU-3  Investment Funds and Management Companies Act
ZZavar-1  Slovenian Insurance Act

Companies of the Sava Insurance Group
SRe  Sava Re
ZS  Zavarovalnica Sava
SPD  Sava Pokojninska Družba
SIn  Sava Infond
SPDMKD  Sava Penzisko Društvo (North Macedonia)
SNOSr  Sava Neživotno Osiguranje (Serbia)
SŽOSr  Sava Životno Osiguranje (Serbia)
SOMKD  Sava Osiguruvanje (North Macedonia)
SOMNE  Sava Osiguranje (Montenegro)
Illy  Illyria (Kosovo)
ILife  Illyria Life (Kosovo)
TBS  TBS TEAM 24
Vita  Vita, Življenjska Zavarovalnica

OPINION OF THE SUPERVISORY BOARD ON THE ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2022

In 2022, Sava Re's internal audit department (the IAD) carried out audits in the areas set out in its annual work plan for 2022.

The audit objectives pursued by the IAD were to verify whether the risk management procedures were adequate and efficient, and whether the internal controls and governance procedures in the reinsurer's most important operating segments were effective and efficient. The IAD assessed the adequacy of internal controls to prevent fraud and the potential vulnerability of IT business support.

A total of 45 internal audit engagements were carried out in Sava Re and its subsidiaries in 2022. In addition, the IAD collaborated in audits in several Group companies, and proposed 68 recommendations based on the audit engagements carried out at Sava Re. The supervisory board finds that the IAD operated in line with the guidelines of the supervisory and management boards and, with its recommendations, made a significant contribution to the risk management of Sava Re and the Sava Insurance Group.

Based on all the tests carried out and the methods used in the individual areas audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is good. Furthermore, it believes that the governance of Sava Re is appropriate and is continuously improving in order to achieve major business goals, and that risks are effectively managed while striving for efficient and economical operations. Nevertheless, there are still opportunities to improve the functioning of the internal control system. The internal audit engagements revealed certain irregularities and deficiencies, and the IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. The company's management board is aware of the potential impact that the identified breaches, irregularities and deficiencies may have on the achievement of the company's key goals, and it is therefore taking remedial action. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The members of the supervisory board monitored the effectiveness and efficiency of the IAD activity through quarterly reports and the annual report of the IAD. They received summaries of the internal quality assessment of the function of the IAD. The assessment showed that the IAD's activity was compliant in all material respects with the law and International Standards for the Professional Practice of Internal Auditing.

Based on the above, the supervisory board hereby gives a positive opinion on the Annual Report of the IAD on Internal Auditing for 2022.

Ljubljana, 22 March 2023

Supervisory Board of Sava Re d.d.

Davor Ivan Gjivoje Jr Chairman
